diff options
Diffstat (limited to 'docs')
89 files changed, 18612 insertions, 1564 deletions
diff --git a/docs/NT4_PlainPassword.reg b/docs/NT4_PlainPassword.reg new file mode 100644 index 00000000000..b30db150c24 --- /dev/null +++ b/docs/NT4_PlainPassword.reg @@ -0,0 +1,11 @@ +REGEDIT4
+
+;Contributor: Tim Small (tim.small@virgin.net)
+;Updated: 20 August 1997
+;Status: Current
+;
+;Subject: Registry file to enable plain text passwords in NT4-SP3 and later
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
+"EnablePlainTextPassword"=dword:00000001
+
diff --git a/docs/THANKS b/docs/THANKS index 6405da3f9f4..19c11dc432f 100644 --- a/docs/THANKS +++ b/docs/THANKS @@ -20,9 +20,11 @@ please contact Andrew.Tridgell@anu.edu.au, or via normal mail at Lee Fisher (leefi@microsoft.com) Charles Fox (cfox@microsoft.com) Dan Perry (danp@exchnge.microsoft.com) +Paul Leach (paulle@microsoft.com) +Isaac Heizer (isaache@microsoft.com) These Microsoft people have been very helpful and supportive of - the development of Samba. + the development of Samba over some years. Lee very kindly supplied me with a copy of the X/Open SMB specs. These have been invaluable in getting the details of the @@ -43,6 +45,11 @@ Dan Perry (danp@exchnge.microsoft.com) NT browsing spec, which will help a lot in the development of the Samba browser code. + Paul was responsible for Microsoft paying my flight to Seattle for the + first CIFS conference (see http://samba.anu.edu.au/cifs) and has been + generally helpful and cooperative as the SMB community moves towards + an Internet-ready specification. Isaac has regularly provided help on + the behaviour of NT networks. Bruce Perens (bruce@pixar.com) @@ -93,7 +100,7 @@ Steve Kennedy (steve@gbnet.net) John Terpstra (jht@aquasoft.com.au) - Aquasoft are a speciaist consulting company whose Samba using + Aquasoft are a specialist consulting company whose Samba-using customers span the world. Aquasoft have been avid supporters of the Samba project. As a @@ -117,3 +124,14 @@ Steve Withers (swithers@vnet.IBM.COM) OS/2 Warp installed. I hope this will allow me to finally fix up those annoying OS/2 related Samba bugs that I have been receiving reports of. + +Keith Wilkins (wilki1k@nectech.co.uk) + + Keith from NEC in England very generously supplied a PC to + Luke Leighton to help with his nmbd development work. At the + same time Keith offered to help me with some new hardware, and + he sent me a pentium motherboard with 32MB of ram + onboard. This was very helpful as it allowed me to upgrade + my aging server to be a very powerful system. Thanks! + + diff --git a/docs/Win95_PlainPassword.reg b/docs/Win95_PlainPassword.reg new file mode 100644 index 00000000000..9dd3103689c --- /dev/null +++ b/docs/Win95_PlainPassword.reg @@ -0,0 +1,4 @@ +REGEDIT4
+
+[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
+"EnablePlainTextPassword"=dword:00000001
diff --git a/docs/announce b/docs/announce index f761320f43e..7bc0aa8c4c3 100644 --- a/docs/announce +++ b/docs/announce @@ -4,21 +4,31 @@ What is Samba? -------------- -Samba is a Unix based SMB file server. This allows a Unix host to -act as a file and print server for SMB clients. This includes -Lan-Manager compatible clients such as LanManager for DOS, Windows for -Workgroups, Windows NT, Windows 95, OS/2, Pathworks and many more. +Samba is a SMB file server that runs on Unix and other operating +systems. It allows these operating systems (currently Unix, Netware, +OS/2 and AmigaDOS) to act as a file and print server for SMB and CIFS +clients. There are many Lan-Manager compatible clients such as +LanManager for DOS, Windows for Workgroups, Windows NT, Windows 95, +Linux smbfs, OS/2, Pathworks and more. -The package also includes a Unix SMB client and a netbios nameserver. +The package also includes a SMB client for accessing other SMB servers, +and an advanced netbios/WINS nameserver for browsing support. What can it do for me? ---------------------- If you have any PCs running SMB clients, such as a PC running Windows -for Workgroups, then you can mount file space or printers from a unix -host, so that directories, files and printers on the unix host are +for Workgroups, then you can mount file space or printers on a Samba +host, so that directories, files and printers on the host are available on the PC. +If you have any SMB servers such as Windows NT Server, Warp Server or +Pathworks you may be able to replace them by or supplement them with +Samba. One of Samba's big strengths is integration, so you can use it +to tie together your Unix (or VMS etc) hosts and PC clients. If you +are tired of the insecurity, expense and instability of PCNFS then Samba +may be for you. + The client part of the package will also allow you to attach to other SMB-based servers (such as windows NT and windows for workgroups) so that you can copy files to and from your unix host. The client also @@ -26,16 +36,16 @@ allows you to access a SMB printer (such as one attached to an OS/2 or WfWg server) from Unix, using an entry in /etc/printcap, or by explicitly specifying the command used to print files. -What are it's features? +What are its features? ------------------------ Samba supports many features that are not supported in other SMB -implementations (all of which are commercial). Some of it's features -include host as well as username/password security, a unix client, -automatic home directory exporting, automatic printer exporting, dead -connection timeouts, umask support, guest connections, name mangling -and hidden and system attribute mapping. Look at the man pages -included with the package for a full list of features. +implementations (all of which are commercial). These include host as +well as username/password security, a client, automatic home directory +exporting, automatic printer exporting, dead connection timeouts, +umask support, guest connections, name mangling and hidden and system +attribute mapping. Look at the FAQs included with the package for +a full list of features. What's new since 1.8? --------------------- @@ -47,8 +57,9 @@ Where can I get a client for my PC? There is a free client for MS-DOS based PCs available from ftp.microsoft.com in the directory bussys/Clients/MSCLIENT/. Please -read the licencing information before downloading. The built in -Windows for Workgroups client is also very good. +read the licencing information before downloading. The add-on 32-bit +TCP/IP Windows for Workgroups client is also very good. Windows 95, +Windows NT and OS/2 come with suitable clients by default. What network protocols are supported? ------------------------------------- @@ -66,7 +77,7 @@ Samba software is free software. It is available under the GNU Public licence in source code form at no cost. Please read the file COPYING that comes with the package for more information. -What flavours of unix does it support? +What operating systems does it support? --------------------------------------- The code has been written to be as portable as possible. It has been @@ -76,10 +87,12 @@ unixes: Linux, SunOS, Solaris, SVR4, Ultrix, OSF1, AIX, BSDI, NetBSD, Sequent, HP-UX, SGI, FreeBSD, NeXT, ISC, A/UX, SCO, Intergraph, -Domain/OS and DGUX. +Silicon Graphics Inc., Domain/OS and DGUX. Some of these have received more testing than others. If it doesn't -work with your unix then it should be easy to fix. +work with your unix then it should be easy to fix. It has also been ported +to Netware, OS/2 and the Amiga. A VMS port is available too. See the web site +for more details. Who wrote it? ------------- @@ -93,8 +106,8 @@ on who did what bits. Where can I get it? ------------------- -The package is available via anonymous ftp from nimbus.anu.edu.au in -the directory pub/tridge/samba/. +The package is available via anonymous ftp from samba.anu.edu.au in +the directory pub/samba/. What about SMBServer? --------------------- @@ -123,7 +136,7 @@ There is also often quite a bit of discussion about Samba on the newsgroup comp.protocols.smb. A WWW site with lots of Samba info can be found at -http://lake.canberra.edu.au/pub/samba/ +http://samba.anu.edu.au/samba/ -Andrew Tridgell (Contact: samba-bugs@anu.edu.au) -January 1995 +The Samba Team (Contact: samba-bugs@samba.anu.edu.au) +June 1996 diff --git a/docs/faq/Samba-Server-FAQ-1.html b/docs/faq/Samba-Server-FAQ-1.html new file mode 100644 index 00000000000..0bf7f046109 --- /dev/null +++ b/docs/faq/Samba-Server-FAQ-1.html @@ -0,0 +1,77 @@ +<HTML> +<HEAD> +<TITLE> Samba Server FAQ: What is Samba?</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="Samba-Server-FAQ-2.html">Next</A> +<A HREF="Samba-Server-FAQ.html#toc1">Table of Contents</A> +<HR> +<H2><A NAME="s1">1. What is Samba?</A></H2> + +<P> +<A NAME="WhatIsSamba"></A> +</P> +<P>See the +<A HREF="Samba-meta-FAQ.html#introduction">meta FAQ introduction</A> if you don't have any idea what Samba does.</P> +<P>Samba has many features that are not supported in other CIFS and SMB +implementations, all of which are commercial. It approaches some +problems from a different angle.</P> +<P>Some of its features include: +<UL> +<LI>extremely dynamic runtime configuration</LI> +<LI>host as well as username/password security</LI> +<LI>scriptable SMB client</LI> +<LI>automatic home directory exporting</LI> +<LI>automatic printer exporting</LI> +<LI>intelligent dead connection timeouts</LI> +<LI>guest connections</LI> +</UL> +</P> +<P>Look at the +<A HREF="samba-man-index.html">manual pages</A> included with the package for a full list of +features. The components of the suite are (in summary):</P> +<P> +<DL> + +<DT><B>smbd</B><DD><P>the SMB server. This handles actual connections from clients, +doing all the interfacing with the +<A HREF="Samba-meta-FAQ.html#DomainModeSecurity">authentication database</A> for file, permission and username work.</P> + +<DT><B>nmbd</B><DD><P>the NetBIOS name server, which helps clients locate servers, +maintaining the +<A HREF="Samba-meta-FAQ.html#BrowseAndDomainDefs">authentication database</A> doing the browsing work and managing +domains as this capability is being built into Samba.</P> + +<DT><B>smbclient</B><DD><P>the scriptable commandline SMB client program. +Useful for automated work, printer filters and testing purposes. It is +more CIFS-compliant than most commercial implementations. Note that this +is not a filesystem. The Samba team does not supply a network filesystem +driver, although the smbfs filesystem for Linux is derived from +smbclient code.</P> + +<DT><B>smbrun</B><DD><P>a little 'glue' program to help the server run +external programs.</P> + +<DT><B>testprns</B><DD><P>a program to test server access to printers</P> + +<DT><B>testparms</B><DD><P>a program to test the Samba configuration file +for correctness</P> + +<DT><B>smb.conf</B><DD><P>the Samba configuration file</P> + +<DT><B>examples</B><DD><P>many examples have been put together for the different +operating systems that Samba supports.</P> + +<DT><B>Documentation!</B><DD><P>DON'T neglect to read it - you will save a great +deal of time!</P> + +</DL> +</P> + +<HR> +Previous +<A HREF="Samba-Server-FAQ-2.html">Next</A> +<A HREF="Samba-Server-FAQ.html#toc1">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-Server-FAQ-2.html b/docs/faq/Samba-Server-FAQ-2.html new file mode 100644 index 00000000000..731391a9987 --- /dev/null +++ b/docs/faq/Samba-Server-FAQ-2.html @@ -0,0 +1,500 @@ +<HTML> +<HEAD> +<TITLE> Samba Server FAQ: How do I get the CIFS, SMB and NetBIOS protocols?</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-Server-FAQ-1.html">Previous</A> +Next +<A HREF="Samba-Server-FAQ.html#toc2">Table of Contents</A> +<HR> +<H2><A NAME="s2">2. How do I get the CIFS, SMB and NetBIOS protocols?</A></H2> + +<P> +<A NAME="ServerProtocols"></A> +</P> +<P>See the +<A HREF="Samba-meta-FAQ.html#CifsSmb">meta FAQ on CIFS and SMB</A> if you don't have any idea what these protocols are.</P> +<P>CIFS and SMB are implemented by the main Samba fileserving daemon, smbd. +<F>.....</F></P> +<P>nmbd speaks a limited amount of CIFS (...) but is mostly concerned with +NetBIOS. NetBIOS is <F>....</F></P> +<P>RFC1001, RFC1002 <F>...</F></P> +<P>So, provided you have got Samba correctly installed and running you have +all three of these protocols. Some operating systems already come with +stacks for all or some of these, such as SCO Unix, OS/2 and <F>...</F> In this +case you must <F>...</F></P> + +<H2><A NAME="ss2.1">2.1 What server operating systems are supported?</A></H2> + +<P> +<A NAME="PortInfo"></A> +</P> +<P>At the last count, Samba runs on about 40 operating systems! This +section looks at general questions about running Samba on the different +platforms. Issues specific to particular operating systems are dealt +with in elsewhere in this document.</P> +<P>Many of the ports have been done by people outside the Samba team keen +to get the advantages of Samba. The Samba team is currently trying to +bring as many of these ports as possible into the main source tree and +integrate the documentation. Samba is an integration tool, and so it has +been made as easy as possible to port. The platforms most widely used +and thus best tested are Linux and SunOS.</P> +<P>This migration has not been completed yet. This means that some +documentation is on web sites <F>...</F></P> +<P>There are two main families of Samba ports, Unix and other. The Unix +ports cover anything that remotely resembles Unix and includes some +extremely old products as well as best-sellers, tiny PCs to massive +multiprocessor machines supporting hundreds of thousands of users. Samba +has been run on more than 30 Unix and Unix-like operating systems.</P> + +<H3>Running Samba on a Unix or Unix-like system</H3> + +<P> +<A NAME="OnUnix"></A> +</P> +<P> +<A HREF="../UNIX-SMB.txt">../UNIX-SMB.txt</A> describes some of the issues that confront a +SMB implementation on unix, and how Samba copes with them. They may help +people who are looking at unix<->PC interoperability.</P> +<P>There is great variation between Unix implementations, especially those +not adhering to the Common Unix Specification agreed to in 1996. Things +that can be quite tricky are <F>.....</F></P> +<P>There are also some considerable advantages conferred on Samba running +under Unix compared to, say, Windows NT or LAN Server. Unix has <F>...</F></P> +<P>At time of writing, the Makefile claimed support for: +<UL> +<LI> A/UX 3.0</LI> +<LI> AIX</LI> +<LI> Altos Series 386/1000</LI> +<LI> Amiga</LI> +<LI> Apollo Domain/OS sr10.3</LI> +<LI> BSDI </LI> +<LI> B.O.S. (Bull Operating System)</LI> +<LI> Cray, Unicos 8.0</LI> +<LI> Convex</LI> +<LI> DGUX. </LI> +<LI> DNIX.</LI> +<LI> FreeBSD</LI> +<LI> HP-UX</LI> +<LI> Intergraph. </LI> +<LI> Linux with/without shadow passwords and quota</LI> +<LI> LYNX 2.3.0</LI> +<LI> MachTen (a unix like system for Macintoshes)</LI> +<LI> Motorola 88xxx/9xx range of machines</LI> +<LI> NetBSD</LI> +<LI> NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach).</LI> +<LI> OS/2 using EMX 0.9b</LI> +<LI> OSF1</LI> +<LI> QNX 4.22</LI> +<LI> RiscIX. </LI> +<LI> RISCOs 5.0B</LI> +<LI> SEQUENT. </LI> +<LI> SCO (including: 3.2v2, European dist., OpenServer 5)</LI> +<LI> SGI.</LI> +<LI> SMP_DC.OSx v1.1-94c079 on Pyramid S series</LI> +<LI> SONY NEWS, NEWS-OS (4.2.x and 6.1.x)</LI> +<LI> SUNOS 4</LI> +<LI> SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later')</LI> +<LI> Sunsoft ISC SVR3V4</LI> +<LI> SVR4</LI> +<LI> System V with some berkely extensions (Motorola 88k R32V3.2).</LI> +<LI> ULTRIX.</LI> +<LI> UNIXWARE</LI> +<LI> UXP/DS</LI> +</UL> +</P> + + +<H3>Running Samba on systems unlike Unix</H3> + +<P> +<A NAME="OnUnlikeUnix"></A> +</P> +<P>More recently Samba has been ported to a number of operating systems +which can provide a BSD Unix-like implementation of TCP/IP sockets. +These include OS/2, Netware, VMS, StratOS, Amiga and MVS. BeOS, +Windows NT and several others are being worked on but not yet available +for use.</P> +<P>Home pages for these ports are:</P> +<P><F>... </F></P> + + +<H2><A NAME="ss2.2">2.2 Exporting server resources with Samba</A></H2> + +<P> +<A NAME="Exporting"></A> +</P> +<P>Files, printers, CD ROMs and other local devices. Network devices, +including networked filesystems and remote printer queues. Other devices +such as <F>....</F></P> +<P>1.4) Configuring SHARES +1.4.1) Homes service +1.4.2) Public services +1.4.3) Application serving +1.4.4) Team sharing a Samba resource</P> +<P>1.5) Printer configuration +1.5.1) Berkeley LPR/LPD systems +1.5.2) ATT SysV lp systems +1.5.3) Using a private printcap file +1.5.4) Use of the smbprint utility +1.5.5) Printing from Windows to Unix +1.5.6) Printing from Unix to Windows</P> + + +<H2><A NAME="ss2.3">2.3 Name Resolution and Browsing</A></H2> + +<P> +<A NAME="NameBrowsing"></A> +</P> +<P>See also +<A HREF="../BROWSING.txt">../BROWSING.txt</A></P> +<P>1.6) Name resolution issues +1.6.1) LMHOSTS file and when to use it +1.6.2) configuring WINS (support, server, proxy) +1.6.3) configuring DNS proxy</P> +<P>1.7) Problem Diagnosis +1.8) What NOT to do!!!!</P> +<P>3.2) Browse list managment +3.3) Name resolution mangement</P> + + + +<H2><A NAME="ss2.4">2.4 Handling SMB Encryption</A></H2> + +<P> +<A NAME="SMBEncryptionSteps"></A> +</P> +<P>SMB encryption is ...</P> +<P>...in +<A HREF="../ENCRYPTION.txt">../ENCRYPTION.txt</A> there is...</P> +<P>Samba compiled with libdes - enabling encrypted passwords</P> + + +<H3>Laws in different countries affecting Samba</H3> + +<P> +<A NAME="CryptoLaws"></A> +</P> + +<H3>Relationship between encryption and Domain Authentication</H3> + + + + +<H2><A NAME="ss2.5">2.5 Files and record locking</A> 3.1.1) Old DOS clients 3.1.2) Opportunistic locking and the consequences 3.1.3) Files caching under Windows for Workgroups, Win95 and NT Some of the foregoing links into Client-FAQ</H2> + + +<H2><A NAME="ss2.6">2.6 Managing Samba Log files</A></H2> + +<P> +<A NAME="LogFiles"></A> +</P> + + +<H2><A NAME="ss2.7">2.7 I can't see the Samba server in any browse lists!</A></H2> + +<P> +<A NAME="no_browse"></A> + +See +<A HREF="ftp://samba.anu.edu.au/pub/samba/BROWSING.txt">BROWSING.txt</A> +for more information on browsing. Browsing.txt can also be found +in the docs directory of the Samba source.</P> +<P>If your GUI client does not permit you to select non-browsable +servers, you may need to do so on the command line. For example, under +Lan Manager you might connect to the above service as disk drive M: +thusly: +<BLOCKQUOTE><CODE> +<PRE> + net use M: \\mary\fred +</PRE> +</CODE></BLOCKQUOTE> + +The details of how to do this and the specific syntax varies from +client to client - check your client's documentation.</P> + + +<H2><A NAME="ss2.8">2.8 Some files that I KNOW are on the server doesn't show up when I view the files from my client! </A></H2> + +<P> +<A NAME="missing_files"></A> + +See the next question.</P> + + +<H2><A NAME="ss2.9">2.9 Some files on the server show up with really wierd filenames when I view the files from my client! </A></H2> + +<P> +<A NAME="strange_filenames"></A> + +If you check what files are not showing up, you will note that they +are files which contain upper case letters or which are otherwise not +DOS-compatible (ie, they are not legal DOS filenames for some reason).</P> +<P>The Samba server can be configured either to ignore such files +completely, or to present them to the client in "mangled" form. If you +are not seeing the files at all, the Samba server has most likely been +configured to ignore them. Consult the man page smb.conf(5) for +details of how to change this - the parameter you need to set is +"mangled names = yes".</P> + + +<H2><A NAME="ss2.10">2.10 My client reports "cannot locate specified computer" or similar</A></H2> + +<P> +<A NAME="cant_see_server"></A> + +This indicates one of three things: You supplied an incorrect server +name, the underlying TCP/IP layer is not working correctly, or the +name you specified cannot be resolved.</P> +<P>After carefully checking that the name you typed is the name you +should have typed, try doing things like pinging a host or telnetting +to somewhere on your network to see if TCP/IP is functioning OK. If it +is, the problem is most likely name resolution.</P> +<P>If your client has a facility to do so, hardcode a mapping between the +hosts IP and the name you want to use. For example, with Man Manager +or Windows for Workgroups you would put a suitable entry in the file +LMHOSTS. If this works, the problem is in the communication between +your client and the netbios name server. If it does not work, then +there is something fundamental wrong with your naming and the solution +is beyond the scope of this document.</P> +<P>If you do not have any server on your subnet supplying netbios name +resolution, hardcoded mappings are your only option. If you DO have a +netbios name server running (such as the Samba suite's nmbd program), +the problem probably lies in the way it is set up. Refer to Section +Two of this FAQ for more ideas.</P> +<P>By the way, remember to REMOVE the hardcoded mapping before further +tests :-) </P> + + +<H2><A NAME="ss2.11">2.11 My client reports "cannot locate specified share name" or similar</A></H2> + +<P> +<A NAME="cant_see_share"></A> + +This message indicates that your client CAN locate the specified +server, which is a good start, but that it cannot find a service of +the name you gave.</P> +<P>The first step is to check the exact name of the service you are +trying to connect to (consult your system administrator). Assuming it +exists and you specified it correctly (read your client's doco on how +to specify a service name correctly), read on:</P> +<P> +<UL> +<LI> Many clients cannot accept or use service names longer than eight characters.</LI> +<LI> Many clients cannot accept or use service names containing spaces.</LI> +<LI> Some servers (not Samba though) are case sensitive with service names.</LI> +<LI> Some clients force service names into upper case.</LI> +</UL> +</P> + + +<H2><A NAME="ss2.12">2.12 My client reports "cannot find domain controller", "cannot log on to the network" or similar </A></H2> + +<P> +<A NAME="cant_see_net"></A> + +Nothing is wrong - Samba does not implement the primary domain name +controller stuff for several reasons, including the fact that the +whole concept of a primary domain controller and "logging in to a +network" doesn't fit well with clients possibly running on multiuser +machines (such as users of smbclient under Unix). Having said that, +several developers are working hard on building it in to the next +major version of Samba. If you can contribute, send a message to +<A HREF="mailto:samba-bugs@anu.edu.au">samba-bugs@anu.edu.au</A> !</P> +<P>Seeing this message should not affect your ability to mount redirected +disks and printers, which is really what all this is about.</P> +<P>For many clients (including Windows for Workgroups and Lan Manager), +setting the domain to STANDALONE at least gets rid of the message.</P> + + +<H2><A NAME="ss2.13">2.13 Printing doesn't work :-(</A></H2> + +<P> +<A NAME="no_printing"></A> + </P> +<P>Make sure that the specified print command for the service you are +connecting to is correct and that it has a fully-qualified path (eg., +use "/usr/bin/lpr" rather than just "lpr", if you happen to be using +Unix).</P> +<P>Make sure that the spool directory specified for the service is +writable by the user connected to the service. </P> +<P>Make sure that the user specified in the service is permitted to use +the printer.</P> +<P>Check the debug log produced by smbd. Search for the printer name and +see if the log turns up any clues. Note that error messages to do with +a service ipc$ are meaningless - they relate to the way the client +attempts to retrieve status information when using the LANMAN1 +protocol.</P> +<P>If using WfWg then you need to set the default protocol to TCP/IP, not +Netbeui. This is a WfWg bug.</P> +<P>If using the Lanman1 protocol (the default) then try switching to +coreplus. Also not that print status error messages don't mean +printing won't work. The print status is received by a different +mechanism.</P> + + +<H2><A NAME="ss2.14">2.14 My programs install on the server OK, but refuse to work properly</A></H2> + +<P> +<A NAME="programs_wont_run"></A> + +There are numerous possible reasons for this, but one MAJOR +possibility is that your software uses locking. Make sure you are +using Samba 1.6.11 or later. It may also be possible to work around +the problem by setting "locking=no" in the Samba configuration file +for the service the software is installed on. This should be regarded +as a strictly temporary solution.</P> +<P>In earlier Samba versions there were some difficulties with the very +latest Microsoft products, particularly Excel 5 and Word for Windows +6. These should have all been solved. If not then please let Andrew +Tridgell know via email at +<A HREF="mailto:samba-bugs@anu.edu.au">samba-bugs@anu.edu.au</A>.</P> + + +<H2><A NAME="ss2.15">2.15 My "server string" doesn't seem to be recognised</A></H2> + +<P> +<A NAME="bad_server_string"></A> + +OR My client reports the default setting, eg. "Samba 1.9.15p4", instead +of what I have changed it to in the smb.conf file.</P> +<P>You need to use the -C option in nmbd. The "server string" affects +what smbd puts out and -C affects what nmbd puts out.</P> +<P>Current versions of Samba (1.9.16 +) have combined these options into +the "server string" field of smb.conf, -C for nmbd is now obsolete.</P> + + +<H2><A NAME="ss2.16">2.16 My client reports "This server is not configured to list shared resources" </A></H2> + +<P> +<A NAME="cant_list_shares"></A> + +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in smbd. Check that your guest account is +valid.</P> +<P>See also 'guest account' in smb.conf man page.</P> + + +<H2><A NAME="ss2.17">2.17 Issues specific to Unix and Unix-like systems</A></H2> + +<P> +<A NAME="UnixIssues"></A> +</P> + +<H3>Printing doesn't work with my Unix Samba server</H3> + +<P> +<A NAME="no_printing"></A> + </P> +<P>The user "nobody" often has problems with printing, even if it worked +with an earlier version of Samba. Try creating another guest user other +than "nobody".</P> + +<H3>Log message "you appear to have a trapdoor uid system" </H3> + +<P> +<A NAME="trapdoor_uid"></A> + +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535.</P> +<P>It might also mean that your OS has a trapdoor uid/gid system :-)</P> +<P>This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems.</P> +<P>The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user.</P> +<P>Complain to your OS vendor and ask them to fix their system.</P> +<P>Note: the reason why 65535 is a VERY bad choice of uid and gid is that +it casts to -1 as a uid, and the setreuid() system call ignores (with +no error) uid changes to -1. This means any daemon attempting to run +as uid 65535 will actually run as root. This is not good!</P> + + +<H2><A NAME="ss2.18">2.18 Issues specific to IBM OS/2 systems</A></H2> + +<P> +<A NAME="OS2Issues"></A> +</P> +<P> +<A HREF="http://carol.wins.uva.nl/~leeuw/samba/samba2.html">Samba for OS/2</A></P> + + +<H2><A NAME="ss2.19">2.19 Issues specific to IBM MVS systems</A></H2> + +<P> +<A NAME="MVSIssues"></A> +</P> +<P> +<A HREF="ftp://ftp.mks.com/pub/samba/">Samba for OS/390 MVS</A></P> + + +<H2><A NAME="ss2.20">2.20 Issues specific to Digital VMS systems</A></H2> + +<P> +<A NAME="VMSIssues"></A> +</P> + + +<H2><A NAME="ss2.21">2.21 Issues specific to Amiga systems</A></H2> + +<P> +<A NAME="AmigaIssues"></A> +</P> +<P> +<A HREF="http://www.gbar.dtu.dk/~c948374/Amiga/Samba/">Samba for Amiga</A></P> +<P>There is a mailing list for Samba on the Amiga.</P> +<P>Subscribing.</P> +<P>Send an email to rask-samba-request@kampsax.dtu.dk with the word subscribe +in the message. The list server will use the address in the Reply-To: or +From: header field, in that order.</P> +<P>Unsubscribing.</P> +<P>Send an email to rask-samba-request@kampsax.dtu.dk with the word +unsubscribe in the message. The list server will use the address in the +Reply-To: or From: header field, in that order. If you are unsure which +address you are subscribed with, look at the headers. You should see a +"From " (no colon) or Return-Path: header looking something like</P> +<P>rask-samba-owner-myname=my.domain@kampsax.dtu.dk</P> +<P>where myname=my.domain gives you the address myname@my.domain. This also +means that I will always be able to find out which address is causing +bounces, for example. +List archive.</P> +<P>Messages sent to the list are archived in HTML. See the mailing list home +page at +<A HREF="http://www.gbar.dtu.dk/~c948374/Amiga/Samba/mailinglist/">http://www.gbar.dtu.dk/~c948374/Amiga/Samba/mailinglist/</A></P> + + +<H2><A NAME="ss2.22">2.22 Issues specific to Novell IntraNetware systems</A></H2> + +<P> +<A NAME="NetwareIssues"></A> +</P> + + +<H2><A NAME="ss2.23">2.23 Issues specific to Stratos VOS systems</A></H2> + +<P> +<A NAME="NetwareIssues"></A> +</P> +<P> +<A HREF="ftp://ftp.stratus.com/pub/vos/tools/">Samba for Stratus VOS</A></P> + + +<HR> +<A HREF="Samba-Server-FAQ-1.html">Previous</A> +Next +<A HREF="Samba-Server-FAQ.html#toc2">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-Server-FAQ.html b/docs/faq/Samba-Server-FAQ.html new file mode 100644 index 00000000000..eadc3e26ede --- /dev/null +++ b/docs/faq/Samba-Server-FAQ.html @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<HTML> +<HEAD> +<TITLE> Samba Server FAQ</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="Samba-Server-FAQ-1.html">Next</A> +Table of Contents +<HR> +<H1> Samba Server FAQ</H1> + +<H2>Dan Shearer & Paul Blackman, <CODE>ictinus@samba.anu.edu.au</CODE></H2>v 0.3, 7 Oct '97 +<P><HR><EM> This is the <EM>Server</EM> Frequently Asked Questions (FAQ) +document for Samba, the free and very popular SMB and CIFS server +product. A general +<A HREF="Samba-meta-FAQ.html">meta FAQ</A> +exists and also a companion +<A HREF="Samba-Client-FAQ.html">Client FAQ</A>, together with more detailed HOWTO documents on +topics to do with Samba software. This is current to Samba version +1.9.17. Please send any corrections to the author. </EM><HR></P> +<P> +<H2><A NAME="toc1">1.</A> <A HREF="Samba-Server-FAQ-1.html">What is Samba?</A></H2> + +<P> +<H2><A NAME="toc2">2.</A> <A HREF="Samba-Server-FAQ-2.html">How do I get the CIFS, SMB and NetBIOS protocols?</A></H2> +<UL> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.1">2.1 What server operating systems are supported?</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.2">2.2 Exporting server resources with Samba</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.3">2.3 Name Resolution and Browsing</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.4">2.4 Handling SMB Encryption</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.5">2.5 Files and record locking</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.6">2.6 Managing Samba Log files</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.7">2.7 I can't see the Samba server in any browse lists!</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.8">2.8 Some files that I KNOW are on the server doesn't show up when I view the files from my client! </A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.9">2.9 Some files on the server show up with really wierd filenames when I view the files from my client! </A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.10">2.10 My client reports "cannot locate specified computer" or similar</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.11">2.11 My client reports "cannot locate specified share name" or similar</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.12">2.12 My client reports "cannot find domain controller", "cannot log on to the network" or similar </A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.13">2.13 Printing doesn't work :-(</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.14">2.14 My programs install on the server OK, but refuse to work properly</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.15">2.15 My "server string" doesn't seem to be recognised</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.16">2.16 My client reports "This server is not configured to list shared resources" </A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.17">2.17 Issues specific to Unix and Unix-like systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.18">2.18 Issues specific to IBM OS/2 systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.19">2.19 Issues specific to IBM MVS systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.20">2.20 Issues specific to Digital VMS systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.21">2.21 Issues specific to Amiga systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.22">2.22 Issues specific to Novell IntraNetware systems</A> +<LI><A HREF="Samba-Server-FAQ-2.html#ss2.23">2.23 Issues specific to Stratos VOS systems</A> +</UL> + + +<HR> +Previous +<A HREF="Samba-Server-FAQ-1.html">Next</A> +Table of Contents +</BODY> +</HTML> diff --git a/docs/faq/Samba-Server-FAQ.sgml b/docs/faq/Samba-Server-FAQ.sgml new file mode 100644 index 00000000000..020d5322811 --- /dev/null +++ b/docs/faq/Samba-Server-FAQ.sgml @@ -0,0 +1,492 @@ +<!doctype linuxdoc system> <!-- -*- SGML -*- --> +<!-- + v 0.1 23 Aug 1997 Dan Shearer + Original Samba-Client-FAQ.sgml from Paul's sambafaq.sgml + v 0.2 25 Aug 1997 Dan + v 0.3 7 Oct 1997 Paul, changed email address from ictinus@lake... to ictinus@samba.anu +--> + + +<article> + +<title> Samba Server FAQ + +<author>Dan Shearer & Paul Blackman, <tt>ictinus@samba.anu.edu.au</tt> + +<date>v 0.3, 7 Oct '97 + +<abstract> This is the <em>Server</em> Frequently Asked Questions (FAQ) +document for Samba, the free and very popular SMB and CIFS server +product. A general <url url="Samba-meta-FAQ.html" name="meta FAQ"> +exists and also a companion <url url="Samba-Client-FAQ.html" +name="Client FAQ">, together with more detailed HOWTO documents on +topics to do with Samba software. This is current to Samba version +1.9.17. Please send any corrections to the author. + +</abstract> + +<toc> + +<sect>What is Samba?<p><label id="WhatIsSamba"> + +See the <url url="Samba-meta-FAQ.html#introduction" name="meta FAQ +introduction"> if you don't have any idea what Samba does. + +Samba has many features that are not supported in other CIFS and SMB +implementations, all of which are commercial. It approaches some +problems from a different angle. + +Some of its features include: +<itemize> +<item>extremely dynamic runtime configuration +<item>host as well as username/password security +<item>scriptable SMB client +<item>automatic home directory exporting +<item>automatic printer exporting +<item>intelligent dead connection timeouts +<item>guest connections +</itemize> + +Look at the <url url="samba-man-index.html" name="manual pages"> included with the package for a full list of +features. The components of the suite are (in summary): + +<descrip> + +<tag/smbd/ the SMB server. This handles actual connections from clients, +doing all the interfacing with the <url +url="Samba-meta-FAQ.html#DomainModeSecurity" name="authentication +database"> for file, permission and username work. + +<tag/nmbd/ the NetBIOS name server, which helps clients locate servers, +maintaining the <url url="Samba-meta-FAQ.html#BrowseAndDomainDefs" +name="authentication database"> doing the browsing work and managing +domains as this capability is being built into Samba. + +<tag/smbclient/ the scriptable commandline SMB client program. +Useful for automated work, printer filters and testing purposes. It is +more CIFS-compliant than most commercial implementations. Note that this +is not a filesystem. The Samba team does not supply a network filesystem +driver, although the smbfs filesystem for Linux is derived from +smbclient code. + +<tag/smbrun/ a little 'glue' program to help the server run +external programs. + +<tag/testprns/ a program to test server access to printers + +<tag/testparms/ a program to test the Samba configuration file +for correctness + +<tag/smb.conf/ the Samba configuration file + +<tag/examples/ many examples have been put together for the different +operating systems that Samba supports. + +<tag/Documentation!/ DON'T neglect to read it - you will save a great +deal of time! + +</descrip> + +<sect>How do I get the CIFS, SMB and NetBIOS protocols?<p><label id="ServerProtocols"> + +See the <url url="Samba-meta-FAQ.html#CifsSmb" name="meta FAQ +on CIFS and SMB"> if you don't have any idea what these protocols are. + +CIFS and SMB are implemented by the main Samba fileserving daemon, smbd. +[.....] + +nmbd speaks a limited amount of CIFS (...) but is mostly concerned with +NetBIOS. NetBIOS is [....] + +RFC1001, RFC1002 [...] + +So, provided you have got Samba correctly installed and running you have +all three of these protocols. Some operating systems already come with +stacks for all or some of these, such as SCO Unix, OS/2 and [...] In this +case you must [...] + +<sect1>What server operating systems are supported?<p><label id="PortInfo"> + +At the last count, Samba runs on about 40 operating systems! This +section looks at general questions about running Samba on the different +platforms. Issues specific to particular operating systems are dealt +with in elsewhere in this document. + +Many of the ports have been done by people outside the Samba team keen +to get the advantages of Samba. The Samba team is currently trying to +bring as many of these ports as possible into the main source tree and +integrate the documentation. Samba is an integration tool, and so it has +been made as easy as possible to port. The platforms most widely used +and thus best tested are Linux and SunOS. + +This migration has not been completed yet. This means that some +documentation is on web sites [...] + +There are two main families of Samba ports, Unix and other. The Unix +ports cover anything that remotely resembles Unix and includes some +extremely old products as well as best-sellers, tiny PCs to massive +multiprocessor machines supporting hundreds of thousands of users. Samba +has been run on more than 30 Unix and Unix-like operating systems. + +<sect2>Running Samba on a Unix or Unix-like system<p><label id="OnUnix"> + +<url url="../UNIX-SMB.txt"> describes some of the issues that confront a +SMB implementation on unix, and how Samba copes with them. They may help +people who are looking at unix<->PC interoperability. + +There is great variation between Unix implementations, especially those +not adhering to the Common Unix Specification agreed to in 1996. Things +that can be quite tricky are [.....] + +There are also some considerable advantages conferred on Samba running +under Unix compared to, say, Windows NT or LAN Server. Unix has [...] + +At time of writing, the Makefile claimed support for: +<itemize> +<item> A/UX 3.0 +<item> AIX +<item> Altos Series 386/1000 +<item> Amiga +<item> Apollo Domain/OS sr10.3 +<item> BSDI +<item> B.O.S. (Bull Operating System) +<item> Cray, Unicos 8.0 +<item> Convex +<item> DGUX. +<item> DNIX. +<item> FreeBSD +<item> HP-UX +<item> Intergraph. +<item> Linux with/without shadow passwords and quota +<item> LYNX 2.3.0 +<item> MachTen (a unix like system for Macintoshes) +<item> Motorola 88xxx/9xx range of machines +<item> NetBSD +<item> NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach). +<item> OS/2 using EMX 0.9b +<item> OSF1 +<item> QNX 4.22 +<item> RiscIX. +<item> RISCOs 5.0B +<item> SEQUENT. +<item> SCO (including: 3.2v2, European dist., OpenServer 5) +<item> SGI. +<item> SMP_DC.OSx v1.1-94c079 on Pyramid S series +<item> SONY NEWS, NEWS-OS (4.2.x and 6.1.x) +<item> SUNOS 4 +<item> SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later') +<item> Sunsoft ISC SVR3V4 +<item> SVR4 +<item> System V with some berkely extensions (Motorola 88k R32V3.2). +<item> ULTRIX. +<item> UNIXWARE +<item> UXP/DS +</itemize> + + +<sect2>Running Samba on systems unlike Unix<p><label id="OnUnlikeUnix"> + +More recently Samba has been ported to a number of operating systems +which can provide a BSD Unix-like implementation of TCP/IP sockets. +These include OS/2, Netware, VMS, StratOS, Amiga and MVS. BeOS, +Windows NT and several others are being worked on but not yet available +for use. + +Home pages for these ports are: + +[... ] + +<sect1>Exporting server resources with Samba<p><label id="Exporting"> + +Files, printers, CD ROMs and other local devices. Network devices, +including networked filesystems and remote printer queues. Other devices +such as [....] + + 1.4) Configuring SHARES + 1.4.1) Homes service + 1.4.2) Public services + 1.4.3) Application serving + 1.4.4) Team sharing a Samba resource + + 1.5) Printer configuration + 1.5.1) Berkeley LPR/LPD systems + 1.5.2) ATT SysV lp systems + 1.5.3) Using a private printcap file + 1.5.4) Use of the smbprint utility + 1.5.5) Printing from Windows to Unix + 1.5.6) Printing from Unix to Windows + +<sect1>Name Resolution and Browsing<p><label id="NameBrowsing"> + +See also <url url="../BROWSING.txt"> + + 1.6) Name resolution issues + 1.6.1) LMHOSTS file and when to use it + 1.6.2) configuring WINS (support, server, proxy) + 1.6.3) configuring DNS proxy + + 1.7) Problem Diagnosis + 1.8) What NOT to do!!!! + + 3.2) Browse list managment + 3.3) Name resolution mangement + + +<sect1>Handling SMB Encryption<p><label id="SMBEncryptionSteps"> + +SMB encryption is ... + +...in <url url="../ENCRYPTION.txt"> there is... + +Samba compiled with libdes - enabling encrypted passwords + + +<sect2>Laws in different countries affecting Samba<p><label id="CryptoLaws"> + +<sect2>Relationship between encryption and Domain Authentication<p> + +<sect1> Files and record locking + + 3.1.1) Old DOS clients + 3.1.2) Opportunistic locking and the consequences + 3.1.3) Files caching under Windows for Workgroups, Win95 and NT + + Some of the foregoing links into Client-FAQ + +<sect1>Managing Samba Log files<p><label id="LogFiles"> + +<sect1>I can't see the Samba server in any browse lists!<p><label id="no_browse"> + See <url url="ftp://samba.anu.edu.au/pub/samba/BROWSING.txt" name="BROWSING.txt"> + for more information on browsing. Browsing.txt can also be found + in the docs directory of the Samba source. + +If your GUI client does not permit you to select non-browsable +servers, you may need to do so on the command line. For example, under +Lan Manager you might connect to the above service as disk drive M: +thusly: +<tscreen><verb> + net use M: \\mary\fred +</verb></tscreen> +The details of how to do this and the specific syntax varies from +client to client - check your client's documentation. + +<sect1>Some files that I KNOW are on the server doesn't show up when I view the files from my client! <p> <label id="missing_files"> +See the next question. + +<sect1>Some files on the server show up with really wierd filenames when I view the files from my client! <p> <label id="strange_filenames"> +If you check what files are not showing up, you will note that they +are files which contain upper case letters or which are otherwise not +DOS-compatible (ie, they are not legal DOS filenames for some reason). + +The Samba server can be configured either to ignore such files +completely, or to present them to the client in "mangled" form. If you +are not seeing the files at all, the Samba server has most likely been +configured to ignore them. Consult the man page smb.conf(5) for +details of how to change this - the parameter you need to set is +"mangled names = yes". + +<sect1>My client reports "cannot locate specified computer" or similar<p><label id="cant_see_server"> +This indicates one of three things: You supplied an incorrect server +name, the underlying TCP/IP layer is not working correctly, or the +name you specified cannot be resolved. + +After carefully checking that the name you typed is the name you +should have typed, try doing things like pinging a host or telnetting +to somewhere on your network to see if TCP/IP is functioning OK. If it +is, the problem is most likely name resolution. + +If your client has a facility to do so, hardcode a mapping between the +hosts IP and the name you want to use. For example, with Man Manager +or Windows for Workgroups you would put a suitable entry in the file +LMHOSTS. If this works, the problem is in the communication between +your client and the netbios name server. If it does not work, then +there is something fundamental wrong with your naming and the solution +is beyond the scope of this document. + +If you do not have any server on your subnet supplying netbios name +resolution, hardcoded mappings are your only option. If you DO have a +netbios name server running (such as the Samba suite's nmbd program), +the problem probably lies in the way it is set up. Refer to Section +Two of this FAQ for more ideas. + +By the way, remember to REMOVE the hardcoded mapping before further +tests :-) + +<sect1>My client reports "cannot locate specified share name" or similar<p> <label id="cant_see_share"> +This message indicates that your client CAN locate the specified +server, which is a good start, but that it cannot find a service of +the name you gave. + +The first step is to check the exact name of the service you are +trying to connect to (consult your system administrator). Assuming it +exists and you specified it correctly (read your client's doco on how +to specify a service name correctly), read on: + +<itemize> +<item> Many clients cannot accept or use service names longer than eight characters. +<item> Many clients cannot accept or use service names containing spaces. +<item> Some servers (not Samba though) are case sensitive with service names. +<item> Some clients force service names into upper case. +</itemize> + +<sect1>My client reports "cannot find domain controller", "cannot log on to the network" or similar <p> <label id="cant_see_net"> +Nothing is wrong - Samba does not implement the primary domain name +controller stuff for several reasons, including the fact that the +whole concept of a primary domain controller and "logging in to a +network" doesn't fit well with clients possibly running on multiuser +machines (such as users of smbclient under Unix). Having said that, +several developers are working hard on building it in to the next +major version of Samba. If you can contribute, send a message to +<htmlurl url="mailto:samba-bugs@anu.edu.au" name="samba-bugs@anu.edu.au"> ! + +Seeing this message should not affect your ability to mount redirected +disks and printers, which is really what all this is about. + +For many clients (including Windows for Workgroups and Lan Manager), +setting the domain to STANDALONE at least gets rid of the message. + +<sect1>Printing doesn't work :-(<p> <label id="no_printing"> + +Make sure that the specified print command for the service you are +connecting to is correct and that it has a fully-qualified path (eg., +use "/usr/bin/lpr" rather than just "lpr", if you happen to be using +Unix). + +Make sure that the spool directory specified for the service is +writable by the user connected to the service. + +Make sure that the user specified in the service is permitted to use +the printer. + +Check the debug log produced by smbd. Search for the printer name and +see if the log turns up any clues. Note that error messages to do with +a service ipc$ are meaningless - they relate to the way the client +attempts to retrieve status information when using the LANMAN1 +protocol. + +If using WfWg then you need to set the default protocol to TCP/IP, not +Netbeui. This is a WfWg bug. + +If using the Lanman1 protocol (the default) then try switching to +coreplus. Also not that print status error messages don't mean +printing won't work. The print status is received by a different +mechanism. + +<sect1>My programs install on the server OK, but refuse to work properly<p><label id="programs_wont_run"> +There are numerous possible reasons for this, but one MAJOR +possibility is that your software uses locking. Make sure you are +using Samba 1.6.11 or later. It may also be possible to work around +the problem by setting "locking=no" in the Samba configuration file +for the service the software is installed on. This should be regarded +as a strictly temporary solution. + +In earlier Samba versions there were some difficulties with the very +latest Microsoft products, particularly Excel 5 and Word for Windows +6. These should have all been solved. If not then please let Andrew +Tridgell know via email at <htmlurl url="mailto:samba-bugs@anu.edu.au" name="samba-bugs@anu.edu.au">. + +<sect1>My "server string" doesn't seem to be recognised<p><label id="bad_server_string"> +OR My client reports the default setting, eg. "Samba 1.9.15p4", instead +of what I have changed it to in the smb.conf file. + +You need to use the -C option in nmbd. The "server string" affects +what smbd puts out and -C affects what nmbd puts out. + +Current versions of Samba (1.9.16 +) have combined these options into +the "server string" field of smb.conf, -C for nmbd is now obsolete. + +<sect1>My client reports "This server is not configured to list shared resources" <p> <label id="cant_list_shares"> +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in smbd. Check that your guest account is +valid. + +See also 'guest account' in smb.conf man page. + +<sect1>Issues specific to Unix and Unix-like systems<p><label id="UnixIssues"> + +<sect2>Printing doesn't work with my Unix Samba server<p> <label id="no_printing"> + +The user "nobody" often has problems with printing, even if it worked +with an earlier version of Samba. Try creating another guest user other +than "nobody". + +<sect2>Log message "you appear to have a trapdoor uid system" <p><label id="trapdoor_uid"> +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535. + +It might also mean that your OS has a trapdoor uid/gid system :-) + +This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems. + +The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user. + +Complain to your OS vendor and ask them to fix their system. + +Note: the reason why 65535 is a VERY bad choice of uid and gid is that +it casts to -1 as a uid, and the setreuid() system call ignores (with +no error) uid changes to -1. This means any daemon attempting to run +as uid 65535 will actually run as root. This is not good! + +<sect1>Issues specific to IBM OS/2 systems<p><label id="OS2Issues"> + +<url url="http://carol.wins.uva.nl/~leeuw/samba/samba2.html" name="Samba for OS/2"> + +<sect1>Issues specific to IBM MVS systems<p><label id="MVSIssues"> + +<url url="ftp://ftp.mks.com/pub/samba/" name="Samba for OS/390 MVS"> + +<sect1>Issues specific to Digital VMS systems<p><label id="VMSIssues"> + +<sect1>Issues specific to Amiga systems<p><label id="AmigaIssues"> + +<url url="http://www.gbar.dtu.dk/~c948374/Amiga/Samba/" name="Samba for Amiga"> + +There is a mailing list for Samba on the Amiga. + + Subscribing. + + Send an email to rask-samba-request@kampsax.dtu.dk with the word subscribe +in the message. The list server will use the address in the Reply-To: or +From: header field, in that order. + + Unsubscribing. + + Send an email to rask-samba-request@kampsax.dtu.dk with the word +unsubscribe in the message. The list server will use the address in the +Reply-To: or From: header field, in that order. If you are unsure which +address you are subscribed with, look at the headers. You should see a +"From " (no colon) or Return-Path: header looking something like + + rask-samba-owner-myname=my.domain@kampsax.dtu.dk + +where myname=my.domain gives you the address myname@my.domain. This also +means that I will always be able to find out which address is causing +bounces, for example. + List archive. + + Messages sent to the list are archived in HTML. See the mailing list home +page at <URL url="http://www.gbar.dtu.dk/~c948374/Amiga/Samba/mailinglist/"> + +<sect1>Issues specific to Novell IntraNetware systems<p><label id="NetwareIssues"> + +<sect1>Issues specific to Stratos VOS systems<p><label id="NetwareIssues"> + +<url url="ftp://ftp.stratus.com/pub/vos/tools/" name="Samba for Stratus VOS"> + +</article> diff --git a/docs/faq/Samba-meta-FAQ-1.html b/docs/faq/Samba-meta-FAQ-1.html new file mode 100644 index 00000000000..80610fb59ed --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-1.html @@ -0,0 +1,160 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: Quick Reference Guides to Samba Documentation</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="Samba-meta-FAQ-2.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc1">Table of Contents</A> +<HR> +<H2><A NAME="s1">1. Quick Reference Guides to Samba Documentation</A></H2> + +<P> +<A NAME="quickref"></A> +</P> +<P>We are endeavouring to provide links here to every major class of +information about Samba or things related to Samba. We cannot list every +document, but we are aiming for all documents to be at most two +referrals from those listed here. This needs constant maintaining, so +please send the author your feedback.</P> + +<H2><A NAME="ss1.1">1.1 Samba for the Impatient</A></H2> + +<P> +<A NAME="impatient"></A> +</P> +<P>You know you should read the documentation but can't wait to start? What +you need to do then is follow the instructions in the following +documents in the order given. This should be enough to get a fairly +simple site going quickly. If you have any problems, refer back to this +meta-FAQ and follow the links to find more reading material.</P> +<P> +<DL> +<P> +<A NAME="ImpGet"></A> +</P> +<DT><B>Getting Samba:</B><DD><P>The fastest way to get Samba +going is and install it is to have an operating system for which the +Samba team has put together an installation package. To see if your OS +is included have a look at the directory +/pub/samba/Binary_Packages/"OS_Vendor" on your nearest +<A HREF="../MIRRORS">mirror site</A>. If it is included follow the +installation instructions in the README file there and then do some +<A HREF="#ImpTest">basic testing</A>. If you are not so fortunate, follow the normal +<A HREF="Samba-meta-FAQ-2.html#WhereFrom">download instructions</A> and then continue with +<A HREF="#ImpInst">building and installing Samba</A>.</P> +<P> +<A NAME="ImpInst"></A> +</P> +<DT><B>Building and Installing Samba:</B><DD><P>At the moment +there are two kinds of Samba server installs besides the prepackaged +binaries mentioned in the previous step. You need to decide if you have a +<A HREF="../UNIX_INSTALL.txt">Unix or close relative</A> or +<A HREF="Samba-Server-FAQ.html#PortInfo">other supported operating system</A>.</P> +<P> +<A NAME="ImpTest"></A> +</P> +<DT><B>Basic Testing:</B><DD><P>Try to connect using the +supplied smbclient command-line program. You need to know the IP +hostname of your server. A service name must be defined in smb.conf, as +given in the examples (under many operating systems if there is a +<F>homes</F> service you can just use a valid username.) Then type +<CODE>smbclient \\hostname\servicename</CODE> +Under most Unixes you will need to put the parameters within quotation +marks. If this works, try connecting from one of the SMB clients you +were planning to use with Samba.</P> +<P> +<A NAME="ImpDebug"></A> +</P> +<DT><B>Debug sequence:</B><DD><P>If you think you have completed the +previous step and things aren't working properly work through +<A HREF="../DIAGNOSIS.txt">the diagnosis recipe.</A></P> +<P> +<A NAME="ImpExp"></A> +</P> +<DT><B>Exporting files to SMB clients:</B><DD><P>You should read the manual pages +for smb.conf, but here is a +<A HREF="Samba-Server-FAQ.html#Exporting">quick answer guide.</A></P> +<P> +<A NAME="ImpControl"></A> +</P> +<DT><B>Controlling user access:</B><DD><P>the quickest and dirtiest way of sharing +resources is to use +<A HREF="Samba-meta-FAQ-4.html#ShareModeSecurity">share level security.</A> If you want to spend more time and have a proper username +and password database you must read the paragraph on +<A HREF="Samba-meta-FAQ-4.html#DomainModeSecurity">domain mode security.</A> If you want +encryption (eg you are using Windows NT clients) follow the +<A HREF="Samba-Server-FAQ.html#SMBEncryptionSteps">SMB encryption instructions.</A></P> +<P> +<A NAME="ImpBrowse"></A> +</P> +<DT><B>Browsing:</B><DD><P>if you are happy to type in "\\samba-server\sharename" +at the client end then do not read any further. Otherwise you need to +understand the +browsing terminology</A> +and read +<A HREF="Samba-Server-FAQ.html#NameBrowsing">Samba-Server-FAQ.html#NameBrowsing</A>. </P> +<P> +<A NAME="ImpPrint"></A> +</P> +<DT><B>Printing:</B><DD><P>See the +<A HREF="Samba-Server-FAQ.html#Printing">printing quick answer guide.</A></P> + +</DL> +</P> +<P>If you have got everything working to this point, you can expect Samba +to be stable and secure: these are its greatest strengths. However Samba +has a great deal to offer and to go further you must do some more +reading. Speed and security optimisations, printer accounting, network +logons, roving profiles, browsing across multiple subnets and so on are +all covered either in this document or in those it refers to.</P> + + +<H2><A NAME="ss1.2">1.2 All Samba Documentation</A></H2> + +<P> +<A NAME="AllDocs"></A> +</P> +<P> +<UL> +<LI> Meta-FAQ. This is the mother of all documents, and is the one you +are reading now. The latest version is always at +<A HREF="http://samba.anu.edu.au/[.....]">http://samba.anu.edu.au/[.....]</A> but there is probably a much +nearer +<A HREF="../MIRRORS">mirror site</A> which you should use +instead. +</LI> +<LI> +<A HREF="Samba-Server-FAQ.html">Samba-Server-FAQ.html</A> is the best starting point for +information about server-side issues. Includes configuration tips and +pointers for Samba on particular operating systems (with 40 to choose +from...) +</LI> +<LI> +<A HREF="Samba-Client-FAQ.html">Samba-Client-FAQ.html</A> is the best starting point for +information about client-side issues, includes a list of all clients +that are known to work with Samba. +</LI> +<LI> +<A HREF="samba-man-index.html">manual pages</A> contains +descriptions of and links to all the Samba manual pages, in Unix man and +postscript format. +</LI> +<LI> +<A HREF="samba-txt-index.html">samba-txt-index.html</A> has descriptions of and links to +a large number of text files have been contributed to samba covering +many topics. These are gradually being absorbed into the FAQs and HOWTOs +but in the meantime you might find helpful answers here. +</LI> +<LI> +</LI> +</UL> +</P> + + +<HR> +Previous +<A HREF="Samba-meta-FAQ-2.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc1">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ-2.html b/docs/faq/Samba-meta-FAQ-2.html new file mode 100644 index 00000000000..ac760380067 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-2.html @@ -0,0 +1,384 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: General Information</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-meta-FAQ-1.html">Previous</A> +<A HREF="Samba-meta-FAQ-3.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc2">Table of Contents</A> +<HR> +<H2><A NAME="s2">2. General Information</A></H2> + +<P> +<A NAME="general_info"></A> +</P> +<P>All about Samba - what it is, how to get it, related sources of +information, how to understand the numbering scheme, pizza +details.</P> + +<H2><A NAME="ss2.1">2.1 What is Samba?</A></H2> + +<P> +<A NAME="introduction"></A> +</P> +<P>Samba is a suite of programs which work together to allow clients to +access to a server's filespace and printers via the SMB (Server Message +Block) and CIFS (Common Internet Filesystem) protocols. Initially +written for Unix, Samba now also runs on Netware, OS/2, VMS, StratOS and +Amigas. Ports to BeOS and other operating systems are underway. Samba +gives the capability for these operating systems to behave much like a +LAN Server, Windows NT Server or Pathworks machine, only with added +functionality and flexibility designed to make life easier for +administrators. </P> +<P>This means that using Samba you can share a server's disks and printers +to many sorts of network clients, including Lan Manager, Windows for +Workgroups, Windows NT, Linux, OS/2, and AIX. There is also a generic +client program supplied as part of the Samba suite which gives a user on +the server an ftp-like interface to access filespace and printers on any +other SMB/CIFS servers.</P> +<P>SMB has been implemented over many protocols, including XNS, NBT, IPX, +NetBEUI and TCP/IP. Samba only uses TCP/IP. This is not likely to change +although there have been some requests for NetBEUI support.</P> +<P>Many users report that compared to other SMB implementations Samba is +more stable, faster, and compatible with more clients. Administrators of +some large installations say that Samba is the only SMB server available +which will scale to many tens of thousands of users without crashing. +The easy way to test these claims is to download it and try it for +yourself!</P> +<P>The suite is supplied with full source code under the +<A HREF="../COPYING">GNU Public License</A>. The GPL means that you can +use Samba for whatever purpose you wish (including changing the source +or selling it for money) but under all circumstances the source code +must be made freely available. A copy of the GPL must always be included +in any copy of the package.</P> +<P>The primary creator of the Samba suite is Andrew Tridgell. Later +versions incorporate much effort by many net.helpers. The man pages +and this FAQ were originally written by Karl Auer.</P> + + +<H2><A NAME="ss2.2">2.2 What is the current version of Samba?</A></H2> + +<P> +<A NAME="current_version"></A> +</P> +<P>At time of writing, the current version was 1.9.17. If you want to be +sure check the bottom of the change-log file. +<A HREF="ftp://samba.anu.edu.au/pub/samba/alpha/change-log">ftp://samba.anu.edu.au/pub/samba/alpha/change-log</A></P> +<P>For more information see +<A HREF="#version_nums">What do the version numbers mean?</A></P> + + +<H2><A NAME="ss2.3">2.3 Where can I get it? </A></H2> + +<P> +<A NAME="WhereFrom"></A> +</P> +<P>The Samba suite is available via anonymous ftp from samba.anu.edu.au and +many +<A HREF="../MIRRORS">mirror</A> sites. You will get much +faster performance if you use a mirror site. The latest and greatest +versions of the suite are in the directory:</P> +<P>/pub/samba/</P> +<P>Development (read "alpha") versions, which are NOT necessarily stable +and which do NOT necessarily have accurate documentation, are available +in the directory:</P> +<P>/pub/samba/alpha</P> +<P>Note that binaries are NOT included in any of the above. Samba is +distributed ONLY in source form, though binaries may be available from +other sites. Most Linux distributions, for example, do contain Samba +binaries for that platform. The VMS, OS/2, Netware and Amiga and other +ports typically have binaries made available.</P> +<P>A special case is vendor-provided binary packages. Samba binaries and +default configuration files are put into packages for a specific +operating system. RedHat Linux and Sun Solaris (Sparc and x86) is +already included, and others such as OS/2 may follow. All packages are +in the directory:</P> +<P>/pub/samba/Binary_Packages/"OS_Vendor"</P> + + +<H2><A NAME="ss2.4">2.4 What do the version numbers mean?</A></H2> + +<P> +<A NAME="version_nums"></A> +</P> +<P>It is not recommended that you run a version of Samba with the word +"alpha" in its name unless you know what you are doing and are willing +to do some debugging. Many, many people just get the latest +recommended stable release version and are happy. If you are brave, by +all means take the plunge and help with the testing and development - +but don't install it on your departmental server. Samba is typically +very stable and safe, and this is mostly due to the policy of many +public releases.</P> +<P>How the scheme works:</P> +<P> +<OL> +<LI>When major changes are made the version number is increased. For +example, the transition from 1.9.16 to 1.9.17. However, this version +number will not appear immediately and people should continue to use +1.9.15 for production systems (see next point.) +</LI> +<LI>Just after major changes are made the software is considered +unstable, and a series of alpha releases are distributed, for example +1.9.16alpha1. These are for testing by those who know what they are +doing. The "alpha" in the filename will hopefully scare off those who +are just looking for the latest version to install. +</LI> +<LI>When Andrew thinks that the alphas have stabilised to the point +where he would recommend new users install it, he renames it to the +same version number without the alpha, for example 1.9.17. +</LI> +<LI>Inevitably bugs are found in the "stable" releases and minor patch +levels are released which give us the pXX series, for example 1.9.17p2. +</LI> +</OL> +</P> +<P>So the progression goes:</P> +<P> +<PRE> + 1.9.16p10 (production) + 1.9.16p11 (production) + 1.9.17alpha1 (test sites only) + : + 1.9.17alpha20 (test sites only) + 1.9.17 (production) + 1.9.17p1 (production) +</PRE> +</P> +<P>The above system means that whenever someone looks at the samba ftp +site they will be able to grab the highest numbered release without an +alpha in the name and be sure of getting the current recommended +version.</P> + + +<H2><A NAME="ss2.5">2.5 Where can I go for further information?</A></H2> + +<P> +<A NAME="more"></A> +</P> +<P>There are a number of places to look for more information on Samba, +including:</P> +<P> +<UL> +<LI>Two mailing lists devoted to discussion of Samba-related matters. +See below for subscription information. +</LI> +<LI>The newsgroup comp.protocols.smb, which has a great deal of +discussion about Samba. +</LI> +<LI>The WWW site 'SAMBA Web Pages' at +<A HREF="http://samba.anu.edu.au/samba/">http://samba.anu.edu.au/samba/</A> includes: + +<UL> +<LI>Links to man pages and documentation, including this FAQ</LI> +<LI>A comprehensive survey of Samba users</LI> +<LI>A searchable hypertext archive of the Samba mailing list</LI> +<LI>Links to Samba source code, binaries, and mirrors of both</LI> +<LI>This FAQ and the rest in its family</LI> +</UL> + +</LI> +</UL> +</P> + + +<H2><A NAME="ss2.6">2.6 How do I subscribe to the Samba Mailing Lists?</A></H2> + +<P> +<A NAME="mailinglist"></A> +</P> +<P>Send email to +<A HREF="mailto:listproc@samba.anu.edu.au">listproc@samba.anu.edu.au</A>. Make sure the subject line is blank, +and include the following two lines in the body of the message:</P> +<P> +<BLOCKQUOTE><CODE> +<PRE> +subscribe samba Firstname Lastname +subscribe samba-announce Firstname Lastname +</PRE> +</CODE></BLOCKQUOTE> +</P> +<P>Obviously you should substitute YOUR first name for "Firstname" and +YOUR last name for "Lastname"! Try not to send any signature, it +sometimes confuses the list processor.</P> +<P>The samba list is a digest list - every eight hours or so it sends a +single message containing all the messages that have been received by +the list since the last time and sends a copy of this message to all +subscribers. There are thousands of people on this list.</P> +<P>If you stop being interested in Samba, please send another email to +<A HREF="mailto:listproc@samba.anu.edu.au">listproc@samba.anu.edu.au</A>. Make sure the subject line is blank, and +include the following two lines in the body of the message:</P> +<P> +<BLOCKQUOTE><CODE> +<PRE> +unsubscribe samba +unsubscribe samba-announce +</PRE> +</CODE></BLOCKQUOTE> +</P> +<P>The <B>From:</B> line in your message <EM>MUST</EM> be the same +address you used when you subscribed.</P> + + +<H2><A NAME="ss2.7">2.7 Something's gone wrong - what should I do?</A></H2> + +<P> +<A NAME="wrong"></A> +</P> +<P><B><F>#</F> *** IMPORTANT! *** <F>#</F></B></P> + +<P>DO NOT post messages on mailing lists or in newsgroups until you have +carried out the first three steps given here!</P> +<P> +<OL> +<LI> See if there are any likely looking entries in this FAQ! +If you have just installed Samba, have you run through the checklist in +<A HREF="ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt">DIAGNOSIS.txt</A>? It can save you a lot of time and effort. +DIAGNOSIS.txt can also be found in the docs directory of the Samba +distribution. +</LI> +<LI> Read the man pages for smbd, nmbd and smb.conf, looking for +topics that relate to what you are trying to do. +</LI> +<LI> If there is no obvious solution to hand, try to get a look at +the log files for smbd and/or nmbd for the period during which you +were having problems. You may need to reconfigure the servers to +provide more extensive debugging information - usually level 2 or +level 3 provide ample debugging info. Inspect these logs closely, +looking particularly for the string "Error:". +</LI> +<LI> If you need urgent help and are willing to pay for it see +<A HREF="#PaidSupport">Paid Support</A>. +</LI> +</OL> +</P> +<P>If you still haven't got anywhere, ask the mailing list or newsgroup. In +general nobody minds answering questions provided you have followed the +preceding steps. It might be a good idea to scan the archives of the +mailing list, which are available through the Samba web site described +in the previous section. When you post be sure to include a good +description of your environment and your problem.</P> +<P>If you successfully solve a problem, please mail the FAQ maintainer a +succinct description of the symptom, the problem and the solution, so +that an explanation can be incorporated into the next version.</P> + + +<H2><A NAME="ss2.8">2.8 How do I submit patches or bug reports?</A></H2> + + +<P>If you make changes to the source code, <EM>please</EM> submit these patches +so that everyone else gets the benefit of your work. This is one of +the most important aspects to the maintainence of Samba. Send all +patches to +<A HREF="mailto:samba-bugs@samba.anu.edu.au">samba-bugs@samba.anu.edu.au</A>. Do not send patches to Andrew Tridgell or any +other individual, they may be lost if you do.</P> +<P>Patch format +------------</P> +<P>If you are sending a patch to fix a problem then please don't just use +standard diff format. As an example, samba-bugs received this patch from +someone:</P> +<P>382a +#endif +.. +381a +#if !defined(NEWS61)</P> +<P>How are we supposed to work out what this does and where it goes? These +sort of patches only work if we both have identical files in the first +place. The Samba sources are constantly changing at the hands of multiple +developers, so it doesn't work.</P> +<P>Please use either context diffs or (even better) unified diffs. You +get these using "diff -c4" or "diff -u". If you don't have a diff that +can generate these then please send manualy commented patches to I +know what is being changed and where. Most patches are applied by hand so +the info must be clear.</P> +<P>This is a basic guideline that will assist us with assessing your problem +more efficiently :</P> +<P>Machine Arch: +Machine OS: +OS Version: +Kernel:</P> +<P>Compiler: +Libc Version:</P> +<P>Samba Version:</P> +<P>Network Layout (description):</P> +<P>What else is on machine (services, etc):</P> +<P>Some extras :</P> +<P> +<UL> +<LI> what you did and what happened +</LI> +<LI> relevant parts of a debugging output file with debuglevel higher. +If you can't find the relevant parts, please ask before mailing +huge files. +</LI> +<LI> anything else you think is useful to trace down the bug +</LI> +</UL> +</P> + + +<H2><A NAME="ss2.9">2.9 What if I have an URGENT message for the developers?</A></H2> + + +<P>If you have spotted something very serious and believe that it is +important to contact the developers quickly send a message to +samba-urgent@samba.anu.edu.au. This will be processed more quickly than +mail to samba-bugs. Please think carefully before using this address. An +example of its use might be to report a security hole.</P> +<P>Examples of things <EM>not</EM> to send to samba-urgent include problems +getting Samba to work at all and bugs that cannot potentially cause damage.</P> + + +<H2><A NAME="ss2.10">2.10 What if I need paid-for support?</A></H2> + +<P> +<A NAME="PaidSupport"></A> +</P> +<P>Samba has a large network of consultants who provide Samba support on a +commercial basis. The list is included in the package in +<A HREF="../Support.txt">../Support.txt</A>, and the latest version will always be on the main +samba ftp site. Any company in the world can request that the samba team +include their details in Support.txt so we can give no guarantee of +their services.</P> + + +<H2><A NAME="ss2.11">2.11 Pizza supply details</A></H2> + +<P> +<A NAME="pizza"></A> + +Those who have registered in the Samba survey as "Pizza Factory" will +already know this, but the rest may need some help. Andrew doesn't ask +for payment, but he does appreciate it when people give him +pizza. This calls for a little organisation when the pizza donor is +twenty thousand kilometres away, but it has been done.</P> +<P> +<OL> +<LI> Ring up your local branch of an international pizza chain +and see if they honour their vouchers internationally. Pizza Hut do, +which is how the entire Canberra Linux Users Group got to eat pizza +one night, courtesy of someone in the US. +</LI> +<LI>Ring up a local pizza shop in Canberra and quote a credit +card number for a certain amount, and tell them that Andrew will be +collecting it (don't forget to tell him.) One kind soul from Germany +did this. +</LI> +<LI>Purchase a pizza voucher from your local pizza shop that has +no international affiliations and send it to Andrew. It is completely +useless but he can hang it on the wall next to the one he already has +from Germany :-) +</LI> +<LI>Air freight him a pizza with your favourite regional +flavours. It will probably get stuck in customs or torn apart by +hungry sniffer dogs but it will have been a noble gesture. +</LI> +</OL> +</P> + + +<HR> +<A HREF="Samba-meta-FAQ-1.html">Previous</A> +<A HREF="Samba-meta-FAQ-3.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc2">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ-3.html b/docs/faq/Samba-meta-FAQ-3.html new file mode 100644 index 00000000000..63adff35f92 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-3.html @@ -0,0 +1,101 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: About the CIFS and SMB Protocols</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-meta-FAQ-2.html">Previous</A> +<A HREF="Samba-meta-FAQ-4.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc3">Table of Contents</A> +<HR> +<H2><A NAME="s3">3. About the CIFS and SMB Protocols</A></H2> + +<P> +<A NAME="CifsSmb"></A> +</P> + +<H2><A NAME="ss3.1">3.1 What is the Server Message Block (SMB) Protocol?</A></H2> + +<P>SMB is a filesharing protocol that has had several maintainers and +contributors over the years including Xerox, 3Com and most recently +Microsoft. Names for this protocol include LAN Manager and Microsoft +Networking. Parts of the specification has been made public at several +versions including in an X/Open document, as listed at +<A HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/">ftp://ftp.microsoft.com/developr/drg/CIFS/</A>. No specification +releases were made between 1992 and 1996, and during that period +Microsoft became the SMB implementor with the largest market share. +Microsoft developed the specification further for its products but for +various reasons connected with developer's workload rather than market +strategy did not make the changes public. This culminated with the +"Windows NT 0.12" version released with NT 3.5 in 1995 which had significant +improvements and bugs. Because Microsoft client systems are so popular, +it is fair to say that what Microsoft with Windows affects all suppliers +of SMB server products.</P> +<P>From 1994 Andrew Tridgell began doing some serious work on his +Smbserver (now Samba) product and with some helpers started to +implement more and more of these protocols. Samba began to take +a significant share of the SMB server market.</P> + + +<H2><A NAME="ss3.2">3.2 What is the Common Internet Filesystem (CIFS)?</A></H2> + +<P>The initial pressure for Microsoft to document their current SMB +implementation came from the Samba team, who kept coming across things +on the wire that Microsoft either didn't know about or hadn't documented +anywhere (even in the sourcecode to Windows NT.) Then Sun Microsystems +came out with their WebNFS initiative, designed to replace FTP for file +transfers on the Internet. There are many drawbacks to WebNFS (including +its scope - it aims to replace HTTP as well!) but the concept was +attractive. FTP is not very clever, and why should it be harder to get +files from across the world than across the room? </P> +<P>Some hasty revisions were made and an Internet Draft for the Common +Internet Filesystem (CIFS) was released. Note that CIFS is not an +Internet standard and is a very long way from becoming one, BUT the +protocol specification is in the public domain and ongoing discussions +concerning the spec take place on a public mailing list according to the +rules of the Internet Engineering Task Force. For more information and +pointers see +<A HREF="http://samba.anu.edu.au/cifs/">http://samba.anu.edu.au/cifs/</A></P> +<P>The following is taken from +<A HREF="http://www.microsoft.com/intdev/cifs/">http://www.microsoft.com/intdev/cifs/</A></P> +<P> +<PRE> + CIFS defines a standard remote file system access protocol for use + over the Internet, enabling groups of users to work together and + share documents across the Internet or within their corporate + intranets. CIFS is an open, cross-platform technology based on the + native file-sharing protocols built into Microsoft® Windows® and + other popular PC operating systems, and supported on dozens of + other platforms, including UNIX®. With CIFS, millions of computer + users can open and share remote files on the Internet without having + to install new software or change the way they work." +</PRE> +</P> +<P>If you consider CIFS as a backwardsly-compatible refinement of SMB that +will work reasonably efficiently over the Internet you won't be too far +wrong.</P> +<P>The net effect is that Microsoft is now documenting large parts of their +Windows NT fileserver protocols. The security concepts embodied in +Windows NT are part of the specification, which is why Samba +documentation often talks in terms of Windows NT. However there is no +reason why a site shouldn't conduct all its file and printer sharing +with CIFS and yet have no Microsoft products at all.</P> + + +<H2><A NAME="ss3.3">3.3 What is Browsing? </A></H2> + +<P>The term "Browsing" causes a lot of confusion. It is the part of the +SMB/CIFS protocol which allows for resource discovery. For example, in +the Windows NT Explorer it is possible to see a "Network Neighbourhood" +of computers in the same SMB workgroup. Clicking on the name of one of +these machines brings up a list of file and printer resources for +connecting to. In this way you can cruise the network, seeing what +things are available. How this scales to the Internet is a subject for +debate. Look at the CIFS list archives to see what the experts think.</P> + + +<HR> +<A HREF="Samba-meta-FAQ-2.html">Previous</A> +<A HREF="Samba-meta-FAQ-4.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc3">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ-4.html b/docs/faq/Samba-meta-FAQ-4.html new file mode 100644 index 00000000000..73a9eea8471 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-4.html @@ -0,0 +1,215 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: Designing A SMB and CIFS Network</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-meta-FAQ-3.html">Previous</A> +<A HREF="Samba-meta-FAQ-5.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc4">Table of Contents</A> +<HR> +<H2><A NAME="s4">4. Designing A SMB and CIFS Network</A></H2> + + +<P>The big issues for installing any network of LAN or WAN file and print +servers are </P> +<P> +<UL> +<LI>How and where usernames, passwords and other security information +is stored +</LI> +<LI>What method can be used for locating the resources that users have +permission to use +</LI> +<LI>What protocols the clients can converse with +</LI> +</UL> + </P> +<P>If you buy Netware, Windows NT or just about any other LAN fileserver +product you are expected to lock yourself into the product's preferred +answers to these questions. This tendancy is restrictive and often very +expensive for a site where there is only one kind of client or server, +and for sites with a mixture of operating systems it often makes it +impossible to share resources between some sets of users.</P> +<P>The Samba philosophy is to make things as easy as possible for +administators, which means allowing as many combinations of clients, +servers, operating systems and protocols as possible.</P> + +<H2><A NAME="ss4.1">4.1 Workgroups, Domains, Authentication and Browsing</A></H2> + + +<P>From the point of view of networking implementation, Domains and +Workgroups are <EM>exactly</EM> the same, except for the client logon +sequence. Some kind of distributed authentication database is associated +with a domain (there are quite a few choices) and this adds so much +flexibility that many people think of a domain as a completely different +entity to a workgroup. From Samba's point of view a client connecting to +a service presents an authentication token, and it if it is valid they +have access. Samba does not care what mechanism was used to generate +that token in the first place.</P> +<P>The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +However the network browsing functionality of domains and workgroups is +identical and is explained in +<A HREF="../BROWSING.txt">../BROWSING.txt</A>.</P> +<P>There are some implementation differences: Windows 95 can be a member of +both a workgroup and a domain, but Windows NT cannot. Windows 95 also +has the concept of an "alternative workgroup". Samba can only be a +member of a single workgroup or domain, although this is due to change +with a future version when nmbd will be split into two daemons, one for +WINS and the other for browsing ( +<A HREF="../NetBIOS.txt">../NetBIOS.txt</A> explains +what WINS is.)</P> + +<H3>Defining the Terms</H3> + +<P> +<A NAME="BrowseAndDomainDefs"></A> +</P> +<P> +<DL> + +<DT><B>Workgroup</B><DD><P>means a collection of machines that maintain a common +browsing database containing information about their shared resources. +They do not necessarily have any security information in common (if they +do, it gets called a Domain.) The browsing database is dynamic, modified +as servers come and go on the network and as resources are added or +deleted. The term "browsing" refers to a user accessing the database via +whatever interface the client provides, eg the OS/2 Workplace Shell or +Windows 95 Explorer. SMB servers agree between themselves as to which +ones will maintain the browsing database. Workgroups can be anywhere on +a connected TCP/IP network, including on different subnets or even on +the Interet. This is a very tricky part of SMB to implement.</P> + +<DT><B>Master Browsers</B><DD><P>are machines which holds the master browsing +database for a workgroup or domain. There are two kinds of Master Browser:</P> +<P> +<UL> +<LI> Domain Master Browser, which holds the master browsing +information for an entire domain, which may well cross multiple TCP/IP +subnets. +</LI> +<LI> Local Master Browser, which holds the master browsing database +for a particular subnet and communicates with the Domain Master Browser +to get information on other subnets. +</LI> +</UL> +</P> +<P>Subnets are differentiated because browsing is based on broadcasts, and +broadcasts do not pass through routers. Subnets are not routed: while it +is possible to have more than one subnet on a single network segment +this is regarded as very bad practice.</P> +<P>Master Browsers (both Domain and Local) are elected dynamically +according to an algorithm which is supposed to take into account the +machine's ability to sustain the browsing load. Samba can be configured +to always act as a master browser, ie it always wins elections under all +circumstances, even against systems such as a Windows NT Primary Domain +Controller which themselves expect to win. </P> +<P>There are also Backup Browsers which are promoted to Master Browsers in +the event of a Master Browser disappearing from the network.</P> +<P>Alternative terms include confusing variations such as "Browse Master", +and "Master Browser" which we are trying to eliminate from the Samba +documentation. </P> + +<DT><B>Domain Controller</B><DD><P>is a term which comes from the Microsoft and IBM +etc implementation of the LAN Manager protocols. It is tied to +authentication. There are other ways of doing domain authentication, but +the Windows NT method has a large market share. The general issues are +discussed in +<A HREF="../DOMAIN.txt">../DOMAIN.txt</A> and a Windows NT-specific +discussion is in +<A HREF="../DOMAIN_CONTROL.txt">../DOMAIN_CONTROL.txt</A>.</P> + +</DL> +</P> + +<H3>Sharelevel (Workgroup) Security Services</H3> + +<P> +<A NAME="ShareModeSecurity"></A> +</P> +<P>With the Samba setting "security = SHARE", all shared resources +information about what password is associated with them but only hints +as to what usernames might be valid (the hint can be 'all users', in +which case any username will work. This is usually a bad idea, but +reflects both the initial implementations of SMB in the mid-80s and +its reincarnation with Windows for Workgroups in 1992. The idea behind +workgroup security was that small independant groups of people could +share information on an ad-hoc basis without there being an +authentication infrastructure present or requiring them to do more than +fill in a dialogue box.</P> + +<H3>Authentication Domain Mode Services</H3> + +<P> +<A NAME="DomainModeSecurity"></A> +</P> +<P>With the Samba settings "security = USER" or "security = SERVER" +accesses to all resources are checked for username/password pair matches +in a more rigorous manner. To the client, this has the effect of +emulating a Microsoft Domain. The client is not concerned whether or not +Samba looks up a Windows NT SAM or does it in some other way.</P> + + +<H2><A NAME="ss4.2">4.2 Authentication Schemes</A></H2> + + +<P>In the simple case authentication information is stored on a single +server and the user types a password on connecting for the first time. +However client operating systems often require a password before they +can be used at all, and in addition users usually want access to more +than one server. Asking users to remember many different passwords in +different contexts just does not work. Some kind of distributed +authentication database is needed. It must cope with password changes +and provide for assigning groups of users the same level of access +permissions. This is why Samba installations often choose to implement a +Domain model straight away.</P> +<P>Authentication decisions are some of the biggest in designing a network. +Are you going to use a scheme native to the client operating system, +native to the server operating system, or newly installed on both? A +list of options relevant to Samba (ie that make sense in the context of +the SMB protocol) follows. Any experiences with other setups would be +appreciated. <F>refer to server FAQ for "passwd chat" passwd program +password server etc etc...</F></P> + +<H3>NIS</H3> + + +<P>For Windows 95, Windows for Workgroups and most other clients Samba can +be a domain controller and share the password database via NIS +transparently. Windows NT is different. +<A HREF="http://www.dcs.qmw.ac.uk/~williams">Free NIS NT client</A></P> + +<H3>Kerberos</H3> + + +<P>Kerberos for US users only: +<A HREF="http://www.cygnus.com/product/unifying-security.html">Kerberos overview</A> +<A HREF="http://www.cygnus.com/product/kerbnet-download.html">Download Kerberos</A></P> + +<H3>FTP</H3> + + +<P>Other NT w/s logon hack via NT</P> + +<H3>Default Server Method</H3> + + + +<H3>Client-side Database Only</H3> + + + + +<H2><A NAME="ss4.3">4.3 Post-Authentication: Netlogon, Logon Scripts, Profiles</A></H2> + + +<P>See +<A HREF="../DOMAIN.txt">../DOMAIN.txt</A></P> + + +<HR> +<A HREF="Samba-meta-FAQ-3.html">Previous</A> +<A HREF="Samba-meta-FAQ-5.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc4">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ-5.html b/docs/faq/Samba-meta-FAQ-5.html new file mode 100644 index 00000000000..ad528b0a975 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-5.html @@ -0,0 +1,30 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: Cross-Protocol File Sharing</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-meta-FAQ-4.html">Previous</A> +<A HREF="Samba-meta-FAQ-6.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc5">Table of Contents</A> +<HR> +<H2><A NAME="s5">5. Cross-Protocol File Sharing</A></H2> + + +<P>Samba is an important tool for...</P> +<P>It is possible to...</P> +<P>File protocol gateways...</P> +<P>"Setting up a Linux File Server" http://vetrec.mit.edu/people/narf/linux.html</P> +<P>Two free implementations of Appletalk for Unix are Netatalk, +<A HREF="http://www.umich.edu/~rsug/netatalk/">http://www.umich.edu/~rsug/netatalk/</A>, and CAP, +<A HREF="http://www.cs.mu.oz.au/appletalk/atalk.html">http://www.cs.mu.oz.au/appletalk/atalk.html</A>. What Samba offers MS +Windows users, these packages offer to Macs. For more info on these +packages, Samba, and Linux (and other UNIX-based systems) see +<A HREF="http://www.eats.com/linux_mac_win.html">http://www.eats.com/linux_mac_win.html</A> 3.5) Sniffing your nework</P> + + +<HR> +<A HREF="Samba-meta-FAQ-4.html">Previous</A> +<A HREF="Samba-meta-FAQ-6.html">Next</A> +<A HREF="Samba-meta-FAQ.html#toc5">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ-6.html b/docs/faq/Samba-meta-FAQ-6.html new file mode 100644 index 00000000000..f8cd7817d69 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ-6.html @@ -0,0 +1,30 @@ +<HTML> +<HEAD> +<TITLE> Samba meta FAQ: Miscellaneous</TITLE> +</HEAD> +<BODY> +<A HREF="Samba-meta-FAQ-5.html">Previous</A> +Next +<A HREF="Samba-meta-FAQ.html#toc6">Table of Contents</A> +<HR> +<H2><A NAME="s6">6. Miscellaneous</A></H2> + +<P> +<A NAME="miscellaneous"></A> +</P> +<H2><A NAME="ss6.1">6.1 Is Samba Year 2000 compliant?</A></H2> + +<P> +<A NAME="Year2000Compliant"></A> + +The CIFS protocol that Samba implements +negotiates times in various formats, all of which +are able to cope with dates beyond 2000.</P> + + +<HR> +<A HREF="Samba-meta-FAQ-5.html">Previous</A> +Next +<A HREF="Samba-meta-FAQ.html#toc6">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ.html b/docs/faq/Samba-meta-FAQ.html new file mode 100644 index 00000000000..5a70808867b --- /dev/null +++ b/docs/faq/Samba-meta-FAQ.html @@ -0,0 +1,102 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<HTML> +<HEAD> +<TITLE> Samba meta FAQ</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="Samba-meta-FAQ-1.html">Next</A> +Table of Contents +<HR> +<H1> Samba meta FAQ</H1> + +<H2>Dan Shearer & Paul Blackman, <CODE>ictinus@samba.anu.edu.au</CODE></H2>v 0.3, 7 Oct '97 +<P><HR><EM> This is the meta-Frequently Asked Questions (FAQ) document +for Samba, the free and very popular SMB and CIFS server product. It +contains overview information for the Samba suite of programs, a +quick-start guide, and pointers to all other Samba documentation. Other +FAQs exist for specific client and server issues, and HOWTO documents +for more extended topics to do with Samba software. Current to version +Samba 1.9.17. Please send any corrections to the author. </EM><HR></P> +<P> +<H2><A NAME="toc1">1.</A> <A HREF="Samba-meta-FAQ-1.html">Quick Reference Guides to Samba Documentation</A></H2> +<UL> +<LI><A HREF="Samba-meta-FAQ-1.html#ss1.1">1.1 Samba for the Impatient</A> +<LI><A HREF="Samba-meta-FAQ-1.html#ss1.2">1.2 All Samba Documentation</A> +</UL> + +<P> +<H2><A NAME="toc2">2.</A> <A HREF="Samba-meta-FAQ-2.html">General Information</A></H2> +<UL> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.1">2.1 What is Samba?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.2">2.2 What is the current version of Samba?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.3">2.3 Where can I get it? </A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.4">2.4 What do the version numbers mean?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.5">2.5 Where can I go for further information?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.6">2.6 How do I subscribe to the Samba Mailing Lists?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.7">2.7 Something's gone wrong - what should I do?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.8">2.8 How do I submit patches or bug reports?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.9">2.9 What if I have an URGENT message for the developers?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.10">2.10 What if I need paid-for support?</A> +<LI><A HREF="Samba-meta-FAQ-2.html#ss2.11">2.11 Pizza supply details</A> +</UL> + +<P> +<H2><A NAME="toc3">3.</A> <A HREF="Samba-meta-FAQ-3.html">About the CIFS and SMB Protocols</A></H2> +<UL> +<LI><A HREF="Samba-meta-FAQ-3.html#ss3.1">3.1 What is the Server Message Block (SMB) Protocol?</A> +<LI><A HREF="Samba-meta-FAQ-3.html#ss3.2">3.2 What is the Common Internet Filesystem (CIFS)?</A> +<LI><A HREF="Samba-meta-FAQ-3.html#ss3.3">3.3 What is Browsing? </A> +</UL> + +<P> +<H2><A NAME="toc4">4.</A> <A HREF="Samba-meta-FAQ-4.html">Designing A SMB and CIFS Network</A></H2> +<UL> +<LI><A HREF="Samba-meta-FAQ-4.html#ss4.1">4.1 Workgroups, Domains, Authentication and Browsing</A> +<LI><A HREF="Samba-meta-FAQ-4.html#ss4.2">4.2 Authentication Schemes</A> +<LI><A HREF="Samba-meta-FAQ-4.html#ss4.3">4.3 Post-Authentication: Netlogon, Logon Scripts, Profiles</A> +</UL> + +<P> +<H2><A NAME="toc5">5.</A> <A HREF="Samba-meta-FAQ-5.html">Cross-Protocol File Sharing</A></H2> + +<P> +<H2><A NAME="toc6">6.</A> <A HREF="Samba-meta-FAQ-6.html">Miscellaneous</A></H2> +<UL> +<LI><A HREF="Samba-meta-FAQ-6.html#ss6.1">6.1 Is Samba Year 2000 compliant?</A> +</UL> + + +<HR> +Previous +<A HREF="Samba-meta-FAQ-1.html">Next</A> +Table of Contents +</BODY> +</HTML> diff --git a/docs/faq/Samba-meta-FAQ.sgml b/docs/faq/Samba-meta-FAQ.sgml new file mode 100644 index 00000000000..75038f19f53 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ.sgml @@ -0,0 +1,771 @@ +<!doctype linuxdoc system> <!-- -*- SGML -*- --> +<!-- + v 0.1 23 Aug 1997 Dan Shearer + Original Samba-meta-FAQ.sgml from Paul's sambafaq.sgml + v 0.2 25 Aug 1997 Dan + v 0.3 7 Oct 1997 Paul + Changed samba.canberra refs to samba.anu.../samba/ +--> + +<article> + +<title> Samba meta FAQ + +<author>Dan Shearer & Paul Blackman, <tt>ictinus@samba.anu.edu.au</tt> + +<date>v 0.3, 7 Oct '97 + +<abstract> This is the meta-Frequently Asked Questions (FAQ) document +for Samba, the free and very popular SMB and CIFS server product. It +contains overview information for the Samba suite of programs, a +quick-start guide, and pointers to all other Samba documentation. Other +FAQs exist for specific client and server issues, and HOWTO documents +for more extended topics to do with Samba software. Current to version +Samba 1.9.17. Please send any corrections to the author. +</abstract> + +<toc> + +<sect> Quick Reference Guides to Samba Documentation<p><label id=quickref> + +We are endeavouring to provide links here to every major class of +information about Samba or things related to Samba. We cannot list every +document, but we are aiming for all documents to be at most two +referrals from those listed here. This needs constant maintaining, so +please send the author your feedback. + +<sect1> Samba for the Impatient<p><label id="impatient"> + +You know you should read the documentation but can't wait to start? What +you need to do then is follow the instructions in the following +documents in the order given. This should be enough to get a fairly +simple site going quickly. If you have any problems, refer back to this +meta-FAQ and follow the links to find more reading material. + +<descrip> + +<label id="ImpGet"><tag/Getting Samba:/ The fastest way to get Samba +going is and install it is to have an operating system for which the +Samba team has put together an installation package. To see if your OS +is included have a look at the directory +/pub/samba/Binary_Packages/"OS_Vendor" on your nearest <url +url="../MIRRORS" name="mirror site">. If it is included follow the +installation instructions in the README file there and then do some <ref id="ImpTest" +name="basic testing">. If you are not so fortunate, follow the normal <ref +id="WhereFrom" name="download instructions"> and then continue with <ref +id="ImpInst" name="building and installing Samba">. + +<label id="ImpInst"><tag/Building and Installing Samba:/ At the moment +there are two kinds of Samba server installs besides the prepackaged +binaries mentioned in the previous step. You need to decide if you have a <url url="../UNIX_INSTALL.txt" +name="Unix or close relative"> or <url +url="Samba-Server-FAQ.html#PortInfo" name="other supported operating system">. + +<label id="ImpTest"><tag/Basic Testing:/ Try to connect using the +supplied smbclient command-line program. You need to know the IP +hostname of your server. A service name must be defined in smb.conf, as +given in the examples (under many operating systems if there is a +[homes] service you can just use a valid username.) Then type +<tt> + smbclient \\hostname\servicename +</tt> +Under most Unixes you will need to put the parameters within quotation +marks. If this works, try connecting from one of the SMB clients you +were planning to use with Samba. + +<label id="ImpDebug"><tag/Debug sequence:/ If you think you have completed the +previous step and things aren't working properly work through +<url url="../DIAGNOSIS.txt" name="the diagnosis recipe."> + +<label id="ImpExp"><tag/Exporting files to SMB clients:/ You should read the manual pages +for smb.conf, but here is a <url url="Samba-Server-FAQ.html#Exporting" +name="quick answer guide."> + +<label id="ImpControl"><tag/Controlling user access:/ the quickest and dirtiest way of sharing +resources is to use <ref id="ShareModeSecurity" name="share level +security."> If you want to spend more time and have a proper username +and password database you must read the paragraph on <ref +id="DomainModeSecurity" name="domain mode security."> If you want +encryption (eg you are using Windows NT clients) follow the <url +url="Samba-Server-FAQ.html#SMBEncryptionSteps" name="SMB encryption +instructions."> + +<label id="ImpBrowse"><tag/Browsing:/ if you are happy to type in "\\samba-server\sharename" +at the client end then do not read any further. Otherwise you need to +understand the <ref id="BrowsingDefinitions" name="browsing terminology"> +and read <url url="Samba-Server-FAQ.html#NameBrowsing">. + +<label id="ImpPrint"><tag/Printing:/ See the <url url="Samba-Server-FAQ.html#Printing" +name="printing quick answer guide."> + +</descrip> + +If you have got everything working to this point, you can expect Samba +to be stable and secure: these are its greatest strengths. However Samba +has a great deal to offer and to go further you must do some more +reading. Speed and security optimisations, printer accounting, network +logons, roving profiles, browsing across multiple subnets and so on are +all covered either in this document or in those it refers to. + +<sect1> All Samba Documentation<p><label id=AllDocs> + +<itemize> + +<item> Meta-FAQ. This is the mother of all documents, and is the one you +are reading now. The latest version is always at <url +url="http://samba.anu.edu.au/[.....]"> but there is probably a much +nearer <url url="../MIRRORS" name="mirror site"> which you should use +instead. + +<item> <url url="Samba-Server-FAQ.html"> is the best starting point for +information about server-side issues. Includes configuration tips and +pointers for Samba on particular operating systems (with 40 to choose +from...) + +<item> <url url="Samba-Client-FAQ.html"> is the best starting point for +information about client-side issues, includes a list of all clients +that are known to work with Samba. + +<item> <url url="samba-man-index.html" name="manual pages"> contains +descriptions of and links to all the Samba manual pages, in Unix man and +postscript format. + +<item> <url url="samba-txt-index.html"> has descriptions of and links to +a large number of text files have been contributed to samba covering +many topics. These are gradually being absorbed into the FAQs and HOWTOs +but in the meantime you might find helpful answers here. + +<item> + +</itemize> + +<sect> General Information<p><label id="general_info"> + +All about Samba - what it is, how to get it, related sources of +information, how to understand the numbering scheme, pizza +details. + +<sect1> What is Samba?<p><label id="introduction"> + +Samba is a suite of programs which work together to allow clients to +access to a server's filespace and printers via the SMB (Server Message +Block) and CIFS (Common Internet Filesystem) protocols. Initially +written for Unix, Samba now also runs on Netware, OS/2, VMS, StratOS and +Amigas. Ports to BeOS and other operating systems are underway. Samba +gives the capability for these operating systems to behave much like a +LAN Server, Windows NT Server or Pathworks machine, only with added +functionality and flexibility designed to make life easier for +administrators. + +This means that using Samba you can share a server's disks and printers +to many sorts of network clients, including Lan Manager, Windows for +Workgroups, Windows NT, Linux, OS/2, and AIX. There is also a generic +client program supplied as part of the Samba suite which gives a user on +the server an ftp-like interface to access filespace and printers on any +other SMB/CIFS servers. + +SMB has been implemented over many protocols, including XNS, NBT, IPX, +NetBEUI and TCP/IP. Samba only uses TCP/IP. This is not likely to change +although there have been some requests for NetBEUI support. + +Many users report that compared to other SMB implementations Samba is +more stable, faster, and compatible with more clients. Administrators of +some large installations say that Samba is the only SMB server available +which will scale to many tens of thousands of users without crashing. +The easy way to test these claims is to download it and try it for +yourself! + +The suite is supplied with full source code under the <url +url="../COPYING" name="GNU Public License">. The GPL means that you can +use Samba for whatever purpose you wish (including changing the source +or selling it for money) but under all circumstances the source code +must be made freely available. A copy of the GPL must always be included +in any copy of the package. + +The primary creator of the Samba suite is Andrew Tridgell. Later +versions incorporate much effort by many net.helpers. The man pages +and this FAQ were originally written by Karl Auer. + +<sect1> What is the current version of Samba?<p><label id="current_version"> + +At time of writing, the current version was 1.9.17. If you want to be +sure check the bottom of the change-log file. <url url="ftp://samba.anu.edu.au/pub/samba/alpha/change-log"> + +For more information see <ref id="version_nums" name="What do the version numbers mean?"> + +<sect1> Where can I get it? <p><label id="WhereFrom"> + +The Samba suite is available via anonymous ftp from samba.anu.edu.au and +many <url url="../MIRRORS" name="mirror"> sites. You will get much +faster performance if you use a mirror site. The latest and greatest +versions of the suite are in the directory: + +/pub/samba/ + +Development (read "alpha") versions, which are NOT necessarily stable +and which do NOT necessarily have accurate documentation, are available +in the directory: + +/pub/samba/alpha + +Note that binaries are NOT included in any of the above. Samba is +distributed ONLY in source form, though binaries may be available from +other sites. Most Linux distributions, for example, do contain Samba +binaries for that platform. The VMS, OS/2, Netware and Amiga and other +ports typically have binaries made available. + +A special case is vendor-provided binary packages. Samba binaries and +default configuration files are put into packages for a specific +operating system. RedHat Linux and Sun Solaris (Sparc and x86) is +already included, and others such as OS/2 may follow. All packages are +in the directory: + +/pub/samba/Binary_Packages/"OS_Vendor" + +<sect1>What do the version numbers mean?<p><label id="version_nums"> + +It is not recommended that you run a version of Samba with the word +"alpha" in its name unless you know what you are doing and are willing +to do some debugging. Many, many people just get the latest +recommended stable release version and are happy. If you are brave, by +all means take the plunge and help with the testing and development - +but don't install it on your departmental server. Samba is typically +very stable and safe, and this is mostly due to the policy of many +public releases. + +How the scheme works: + +<enum> + +<item>When major changes are made the version number is increased. For +example, the transition from 1.9.16 to 1.9.17. However, this version +number will not appear immediately and people should continue to use +1.9.15 for production systems (see next point.) + +<item>Just after major changes are made the software is considered +unstable, and a series of alpha releases are distributed, for example +1.9.16alpha1. These are for testing by those who know what they are +doing. The "alpha" in the filename will hopefully scare off those who +are just looking for the latest version to install. + +<item>When Andrew thinks that the alphas have stabilised to the point +where he would recommend new users install it, he renames it to the +same version number without the alpha, for example 1.9.17. + +<item>Inevitably bugs are found in the "stable" releases and minor patch +levels are released which give us the pXX series, for example 1.9.17p2. + +</enum> + +So the progression goes: + +<verb> + 1.9.16p10 (production) + 1.9.16p11 (production) + 1.9.17alpha1 (test sites only) + : + 1.9.17alpha20 (test sites only) + 1.9.17 (production) + 1.9.17p1 (production) +</verb> + +The above system means that whenever someone looks at the samba ftp +site they will be able to grab the highest numbered release without an +alpha in the name and be sure of getting the current recommended +version. + +<sect1> Where can I go for further information?<p><label id="more"> + +There are a number of places to look for more information on Samba, +including: + +<itemize> + +<item>Two mailing lists devoted to discussion of Samba-related matters. +See below for subscription information. + +<item>The newsgroup comp.protocols.smb, which has a great deal of +discussion about Samba. + +<item>The WWW site 'SAMBA Web Pages' at <url +url="http://samba.anu.edu.au/samba/"> includes: + + <itemize> + <item>Links to man pages and documentation, including this FAQ + <item>A comprehensive survey of Samba users + <item>A searchable hypertext archive of the Samba mailing list + <item>Links to Samba source code, binaries, and mirrors of both + <item>This FAQ and the rest in its family + </itemize> + +</itemize> + +<sect1>How do I subscribe to the Samba Mailing Lists?<p><label id="mailinglist"> + +Send email to <htmlurl url="mailto:listproc@samba.anu.edu.au" +name="listproc@samba.anu.edu.au">. Make sure the subject line is blank, +and include the following two lines in the body of the message: + +<tscreen><verb> +subscribe samba Firstname Lastname +subscribe samba-announce Firstname Lastname +</verb></tscreen> + +Obviously you should substitute YOUR first name for "Firstname" and +YOUR last name for "Lastname"! Try not to send any signature, it +sometimes confuses the list processor. + +The samba list is a digest list - every eight hours or so it sends a +single message containing all the messages that have been received by +the list since the last time and sends a copy of this message to all +subscribers. There are thousands of people on this list. + +If you stop being interested in Samba, please send another email to +<htmlurl url="mailto:listproc@samba.anu.edu.au" name="listproc@samba.anu.edu.au">. Make sure the subject line is blank, and +include the following two lines in the body of the message: + +<tscreen><verb> +unsubscribe samba +unsubscribe samba-announce +</verb></tscreen> + +The <bf>From:</bf> line in your message <em>MUST</em> be the same +address you used when you subscribed. + +<sect1> Something's gone wrong - what should I do?<p><label id="wrong"> + +<bf>[#] *** IMPORTANT! *** [#]</bf> +<p> + +DO NOT post messages on mailing lists or in newsgroups until you have +carried out the first three steps given here! + +<enum> <item> See if there are any likely looking entries in this FAQ! +If you have just installed Samba, have you run through the checklist in +<url url="ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt" +name="DIAGNOSIS.txt">? It can save you a lot of time and effort. +DIAGNOSIS.txt can also be found in the docs directory of the Samba +distribution. + +<item> Read the man pages for smbd, nmbd and smb.conf, looking for +topics that relate to what you are trying to do. + +<item> If there is no obvious solution to hand, try to get a look at +the log files for smbd and/or nmbd for the period during which you +were having problems. You may need to reconfigure the servers to +provide more extensive debugging information - usually level 2 or +level 3 provide ample debugging info. Inspect these logs closely, +looking particularly for the string "Error:". + +<item> If you need urgent help and are willing to pay for it see +<ref id="PaidSupport" name="Paid Support">. + +</enum> + +If you still haven't got anywhere, ask the mailing list or newsgroup. In +general nobody minds answering questions provided you have followed the +preceding steps. It might be a good idea to scan the archives of the +mailing list, which are available through the Samba web site described +in the previous section. When you post be sure to include a good +description of your environment and your problem. + +If you successfully solve a problem, please mail the FAQ maintainer a +succinct description of the symptom, the problem and the solution, so +that an explanation can be incorporated into the next version. + +<sect1> How do I submit patches or bug reports?<p> + +If you make changes to the source code, <em>please</em> submit these patches +so that everyone else gets the benefit of your work. This is one of +the most important aspects to the maintainence of Samba. Send all +patches to <htmlurl url="mailto:samba-bugs@samba.anu.edu.au" name="samba-bugs@samba.anu.edu.au">. Do not send patches to Andrew Tridgell or any +other individual, they may be lost if you do. + +Patch format +------------ + +If you are sending a patch to fix a problem then please don't just use +standard diff format. As an example, samba-bugs received this patch from +someone: + +382a +#endif +.. +381a +#if !defined(NEWS61) + +How are we supposed to work out what this does and where it goes? These +sort of patches only work if we both have identical files in the first +place. The Samba sources are constantly changing at the hands of multiple +developers, so it doesn't work. + +Please use either context diffs or (even better) unified diffs. You +get these using "diff -c4" or "diff -u". If you don't have a diff that +can generate these then please send manualy commented patches to I +know what is being changed and where. Most patches are applied by hand so +the info must be clear. + +This is a basic guideline that will assist us with assessing your problem +more efficiently : + +Machine Arch: +Machine OS: +OS Version: +Kernel: + +Compiler: +Libc Version: + +Samba Version: + +Network Layout (description): + +What else is on machine (services, etc): + +Some extras : + +<itemize> + +<item> what you did and what happened + +<item> relevant parts of a debugging output file with debuglevel higher. + If you can't find the relevant parts, please ask before mailing + huge files. + +<item> anything else you think is useful to trace down the bug + +</itemize> + +<sect1> What if I have an URGENT message for the developers?<p> + +If you have spotted something very serious and believe that it is +important to contact the developers quickly send a message to +samba-urgent@samba.anu.edu.au. This will be processed more quickly than +mail to samba-bugs. Please think carefully before using this address. An +example of its use might be to report a security hole. + +Examples of things <em>not</em> to send to samba-urgent include problems +getting Samba to work at all and bugs that cannot potentially cause damage. + +<sect1> What if I need paid-for support?<p><label id=PaidSupport> + +Samba has a large network of consultants who provide Samba support on a +commercial basis. The list is included in the package in <url +url="../Support.txt">, and the latest version will always be on the main +samba ftp site. Any company in the world can request that the samba team +include their details in Support.txt so we can give no guarantee of +their services. + +<sect1> Pizza supply details<p><label id="pizza"> +Those who have registered in the Samba survey as "Pizza Factory" will +already know this, but the rest may need some help. Andrew doesn't ask +for payment, but he does appreciate it when people give him +pizza. This calls for a little organisation when the pizza donor is +twenty thousand kilometres away, but it has been done. + +<enum> +<item> Ring up your local branch of an international pizza chain +and see if they honour their vouchers internationally. Pizza Hut do, +which is how the entire Canberra Linux Users Group got to eat pizza +one night, courtesy of someone in the US. + +<item>Ring up a local pizza shop in Canberra and quote a credit +card number for a certain amount, and tell them that Andrew will be +collecting it (don't forget to tell him.) One kind soul from Germany +did this. + +<item>Purchase a pizza voucher from your local pizza shop that has +no international affiliations and send it to Andrew. It is completely +useless but he can hang it on the wall next to the one he already has +from Germany :-) + +<item>Air freight him a pizza with your favourite regional +flavours. It will probably get stuck in customs or torn apart by +hungry sniffer dogs but it will have been a noble gesture. + +</enum> + +<sect>About the CIFS and SMB Protocols<p><label id="CifsSmb"> + +<sect1> What is the Server Message Block (SMB) Protocol?<p> +SMB is a filesharing protocol that has had several maintainers and +contributors over the years including Xerox, 3Com and most recently +Microsoft. Names for this protocol include LAN Manager and Microsoft +Networking. Parts of the specification has been made public at several +versions including in an X/Open document, as listed at +<url url="ftp://ftp.microsoft.com/developr/drg/CIFS/">. No specification +releases were made between 1992 and 1996, and during that period +Microsoft became the SMB implementor with the largest market share. +Microsoft developed the specification further for its products but for +various reasons connected with developer's workload rather than market +strategy did not make the changes public. This culminated with the +"Windows NT 0.12" version released with NT 3.5 in 1995 which had significant +improvements and bugs. Because Microsoft client systems are so popular, +it is fair to say that what Microsoft with Windows affects all suppliers +of SMB server products. + +From 1994 Andrew Tridgell began doing some serious work on his +Smbserver (now Samba) product and with some helpers started to +implement more and more of these protocols. Samba began to take +a significant share of the SMB server market. + +<sect1> What is the Common Internet Filesystem (CIFS)?<p> +The initial pressure for Microsoft to document their current SMB +implementation came from the Samba team, who kept coming across things +on the wire that Microsoft either didn't know about or hadn't documented +anywhere (even in the sourcecode to Windows NT.) Then Sun Microsystems +came out with their WebNFS initiative, designed to replace FTP for file +transfers on the Internet. There are many drawbacks to WebNFS (including +its scope - it aims to replace HTTP as well!) but the concept was +attractive. FTP is not very clever, and why should it be harder to get +files from across the world than across the room? + +Some hasty revisions were made and an Internet Draft for the Common +Internet Filesystem (CIFS) was released. Note that CIFS is not an +Internet standard and is a very long way from becoming one, BUT the +protocol specification is in the public domain and ongoing discussions +concerning the spec take place on a public mailing list according to the +rules of the Internet Engineering Task Force. For more information and +pointers see <url url="http://samba.anu.edu.au/cifs/"> + +The following is taken from <url url="http://www.microsoft.com/intdev/cifs/"> + +<verb> + CIFS defines a standard remote file system access protocol for use + over the Internet, enabling groups of users to work together and + share documents across the Internet or within their corporate + intranets. CIFS is an open, cross-platform technology based on the + native file-sharing protocols built into Microsoft® Windows® and + other popular PC operating systems, and supported on dozens of + other platforms, including UNIX®. With CIFS, millions of computer + users can open and share remote files on the Internet without having + to install new software or change the way they work." +</verb> + +If you consider CIFS as a backwardsly-compatible refinement of SMB that +will work reasonably efficiently over the Internet you won't be too far +wrong. + +The net effect is that Microsoft is now documenting large parts of their +Windows NT fileserver protocols. The security concepts embodied in +Windows NT are part of the specification, which is why Samba +documentation often talks in terms of Windows NT. However there is no +reason why a site shouldn't conduct all its file and printer sharing +with CIFS and yet have no Microsoft products at all. + +<sect1> What is Browsing? <p> +The term "Browsing" causes a lot of confusion. It is the part of the +SMB/CIFS protocol which allows for resource discovery. For example, in +the Windows NT Explorer it is possible to see a "Network Neighbourhood" +of computers in the same SMB workgroup. Clicking on the name of one of +these machines brings up a list of file and printer resources for +connecting to. In this way you can cruise the network, seeing what +things are available. How this scales to the Internet is a subject for +debate. Look at the CIFS list archives to see what the experts think. + +<sect>Designing A SMB and CIFS Network<p> + +The big issues for installing any network of LAN or WAN file and print +servers are + +<itemize> + +<item>How and where usernames, passwords and other security information +is stored + +<item>What method can be used for locating the resources that users have +permission to use + +<item>What protocols the clients can converse with + +</itemize> + +If you buy Netware, Windows NT or just about any other LAN fileserver +product you are expected to lock yourself into the product's preferred +answers to these questions. This tendancy is restrictive and often very +expensive for a site where there is only one kind of client or server, +and for sites with a mixture of operating systems it often makes it +impossible to share resources between some sets of users. + +The Samba philosophy is to make things as easy as possible for +administators, which means allowing as many combinations of clients, +servers, operating systems and protocols as possible. + +<sect1>Workgroups, Domains, Authentication and Browsing<p> + +From the point of view of networking implementation, Domains and +Workgroups are <em>exactly</em> the same, except for the client logon +sequence. Some kind of distributed authentication database is associated +with a domain (there are quite a few choices) and this adds so much +flexibility that many people think of a domain as a completely different +entity to a workgroup. From Samba's point of view a client connecting to +a service presents an authentication token, and it if it is valid they +have access. Samba does not care what mechanism was used to generate +that token in the first place. + +The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +However the network browsing functionality of domains and workgroups is +identical and is explained in <url url="../BROWSING.txt">. + +There are some implementation differences: Windows 95 can be a member of +both a workgroup and a domain, but Windows NT cannot. Windows 95 also +has the concept of an "alternative workgroup". Samba can only be a +member of a single workgroup or domain, although this is due to change +with a future version when nmbd will be split into two daemons, one for +WINS and the other for browsing (<url url="../NetBIOS.txt"> explains +what WINS is.) + +<sect2> Defining the Terms<p><label id="BrowseAndDomainDefs"> + +<descrip> + +<tag/Workgroup/ means a collection of machines that maintain a common +browsing database containing information about their shared resources. +They do not necessarily have any security information in common (if they +do, it gets called a Domain.) The browsing database is dynamic, modified +as servers come and go on the network and as resources are added or +deleted. The term "browsing" refers to a user accessing the database via +whatever interface the client provides, eg the OS/2 Workplace Shell or +Windows 95 Explorer. SMB servers agree between themselves as to which +ones will maintain the browsing database. Workgroups can be anywhere on +a connected TCP/IP network, including on different subnets or even on +the Interet. This is a very tricky part of SMB to implement. + +<tag/Master Browsers/ are machines which holds the master browsing +database for a workgroup or domain. There are two kinds of Master Browser: + +<itemize> + +<item> Domain Master Browser, which holds the master browsing +information for an entire domain, which may well cross multiple TCP/IP +subnets. + +<item> Local Master Browser, which holds the master browsing database +for a particular subnet and communicates with the Domain Master Browser +to get information on other subnets. + +</itemize> + +Subnets are differentiated because browsing is based on broadcasts, and +broadcasts do not pass through routers. Subnets are not routed: while it +is possible to have more than one subnet on a single network segment +this is regarded as very bad practice. + +Master Browsers (both Domain and Local) are elected dynamically +according to an algorithm which is supposed to take into account the +machine's ability to sustain the browsing load. Samba can be configured +to always act as a master browser, ie it always wins elections under all +circumstances, even against systems such as a Windows NT Primary Domain +Controller which themselves expect to win. + +There are also Backup Browsers which are promoted to Master Browsers in +the event of a Master Browser disappearing from the network. + +Alternative terms include confusing variations such as "Browse Master", +and "Master Browser" which we are trying to eliminate from the Samba +documentation. + +<tag/Domain Controller/ is a term which comes from the Microsoft and IBM +etc implementation of the LAN Manager protocols. It is tied to +authentication. There are other ways of doing domain authentication, but +the Windows NT method has a large market share. The general issues are +discussed in <url url="../DOMAIN.txt"> and a Windows NT-specific +discussion is in <url url="../DOMAIN_CONTROL.txt">. + +</descrip> + +<sect2>Sharelevel (Workgroup) Security Services<p><label id="ShareModeSecurity"> + +With the Samba setting "security = SHARE", all shared resources +information about what password is associated with them but only hints +as to what usernames might be valid (the hint can be 'all users', in +which case any username will work. This is usually a bad idea, but +reflects both the initial implementations of SMB in the mid-80s and +its reincarnation with Windows for Workgroups in 1992. The idea behind +workgroup security was that small independant groups of people could +share information on an ad-hoc basis without there being an +authentication infrastructure present or requiring them to do more than +fill in a dialogue box. + +<sect2>Authentication Domain Mode Services<p><label id="DomainModeSecurity"> + +With the Samba settings "security = USER" or "security = SERVER" +accesses to all resources are checked for username/password pair matches +in a more rigorous manner. To the client, this has the effect of +emulating a Microsoft Domain. The client is not concerned whether or not +Samba looks up a Windows NT SAM or does it in some other way. + +<sect1>Authentication Schemes<p> + +In the simple case authentication information is stored on a single +server and the user types a password on connecting for the first time. +However client operating systems often require a password before they +can be used at all, and in addition users usually want access to more +than one server. Asking users to remember many different passwords in +different contexts just does not work. Some kind of distributed +authentication database is needed. It must cope with password changes +and provide for assigning groups of users the same level of access +permissions. This is why Samba installations often choose to implement a +Domain model straight away. + +Authentication decisions are some of the biggest in designing a network. +Are you going to use a scheme native to the client operating system, +native to the server operating system, or newly installed on both? A +list of options relevant to Samba (ie that make sense in the context of +the SMB protocol) follows. Any experiences with other setups would be +appreciated. [refer to server FAQ for "passwd chat" passwd program +password server etc etc...] + +<sect2>NIS<p> + +For Windows 95, Windows for Workgroups and most other clients Samba can +be a domain controller and share the password database via NIS +transparently. Windows NT is different. +<url url="http://www.dcs.qmw.ac.uk/~williams" name="Free NIS NT client"> + +<sect2>Kerberos<p> + +Kerberos for US users only: +<url url="http://www.cygnus.com/product/unifying-security.html" +name="Kerberos overview"> +<url url="http://www.cygnus.com/product/kerbnet-download.html" +name="Download Kerberos"> + +<sect2>FTP<p> + +Other NT w/s logon hack via NT + +<sect2>Default Server Method<p> + +<sect2>Client-side Database Only<p> + +<sect1>Post-Authentication: Netlogon, Logon Scripts, Profiles<p> + +See <url url="../DOMAIN.txt"> + +<sect>Cross-Protocol File Sharing<p> + +Samba is an important tool for... + +It is possible to... + +File protocol gateways... + +"Setting up a Linux File Server" http://vetrec.mit.edu/people/narf/linux.html + +Two free implementations of Appletalk for Unix are Netatalk, <url +url="http://www.umich.edu/~rsug/netatalk/">, and CAP, <url +url="http://www.cs.mu.oz.au/appletalk/atalk.html">. What Samba offers MS +Windows users, these packages offer to Macs. For more info on these +packages, Samba, and Linux (and other UNIX-based systems) see <url +url="http://www.eats.com/linux_mac_win.html"> 3.5) Sniffing your nework + + +<sect>Miscellaneous<p><label id="miscellaneous"> +<sect1>Is Samba Year 2000 compliant?<p><label id="Year2000Compliant"> +The CIFS protocol that Samba implements +negotiates times in various formats, all of which +are able to cope with dates beyond 2000. + +</article> diff --git a/docs/faq/Samba-meta-FAQ.txt b/docs/faq/Samba-meta-FAQ.txt new file mode 100644 index 00000000000..65d9a57ff62 --- /dev/null +++ b/docs/faq/Samba-meta-FAQ.txt @@ -0,0 +1,924 @@ + Samba meta FAQ + Dan Shearer & Paul Blackman, ictinus@samba.anu.edu.au + v 0.3, 7 Oct '97 + + This is the meta-Frequently Asked Questions (FAQ) document for Samba, + the free and very popular SMB and CIFS server product. It contains + overview information for the Samba suite of programs, a quick-start + guide, and pointers to all other Samba documentation. Other FAQs exist + for specific client and server issues, and HOWTO documents for more + extended topics to do with Samba software. Current to version Samba + 1.9.17. Please send any corrections to the author. + ______________________________________________________________________ + + Table of Contents: + + 1. Quick Reference Guides to Samba Documentation + + 1.1. Samba for the Impatient + + 1.2. All Samba Documentation + + 2. General Information + + 2.1. What is Samba? + + 2.2. What is the current version of Samba? + + 2.3. Where can I get it? + + 2.4. What do the version numbers mean? + + 2.5. Where can I go for further information? + + 2.6. How do I subscribe to the Samba Mailing Lists? + + 2.7. Something's gone wrong - what should I do? + + 2.8. How do I submit patches or bug reports? + + 2.9. What if I have an URGENT message for the developers? + + 2.10. What if I need paid-for support? + + 2.11. Pizza supply details + + 3. About the CIFS and SMB Protocols + + 3.1. What is the Server Message Block (SMB) Protocol? + + 3.2. What is the Common Internet Filesystem (CIFS)? + + 3.3. What is Browsing? + + 4. Designing A SMB and CIFS Network + + 4.1. Workgroups, Domains, Authentication and Browsing + + 4.1.1. Defining the Terms + + 4.1.2. Sharelevel (Workgroup) Security Services + + 4.1.3. Authentication Domain Mode Services + + 4.2. Authentication Schemes + + + 4.2.1. NIS + + 4.2.2. Kerberos + + 4.2.3. FTP + + 4.2.4. Default Server Method + + 4.2.5. Client-side Database Only + + 4.3. Post-Authentication: Netlogon, Logon Scripts, Profiles + + 5. Cross-Protocol File Sharing + + 6. Miscellaneous + + 6.1. Is Samba Year 2000 compliant? + ______________________________________________________________________ + + 11.. QQuuiicckk RReeffeerreennccee GGuuiiddeess ttoo SSaammbbaa DDooccuummeennttaattiioonn + + + We are endeavouring to provide links here to every major class of + information about Samba or things related to Samba. We cannot list + every document, but we are aiming for all documents to be at most two + referrals from those listed here. This needs constant maintaining, so + please send the author your feedback. + + + 11..11.. SSaammbbaa ffoorr tthhee IImmppaattiieenntt + + + You know you should read the documentation but can't wait to start? + What you need to do then is follow the instructions in the following + documents in the order given. This should be enough to get a fairly + simple site going quickly. If you have any problems, refer back to + this meta-FAQ and follow the links to find more reading material. + + + + GGeettttiinngg SSaammbbaa:: + The fastest way to get Samba going is and install it is to have + an operating system for which the Samba team has put together an + installation package. To see if your OS is included have a look + at the directory /pub/samba/Binary_Packages/"OS_Vendor" on your + nearest mirror site <../MIRRORS>. If it is included follow the + installation instructions in the README file there and then do + some ``basic testing''. If you are not so fortunate, follow the + normal ``download instructions'' and then continue with + ``building and installing Samba''. + + + BBuuiillddiinngg aanndd IInnssttaalllliinngg SSaammbbaa:: + At the moment there are two kinds of Samba server installs + besides the prepackaged binaries mentioned in the previous step. + You need to decide if you have a Unix or close relative + <../UNIX_INSTALL.txt> or other supported operating system + <Samba-Server-FAQ.html#PortInfo>. + + + BBaassiicc TTeessttiinngg:: + Try to connect using the supplied smbclient command-line + program. You need to know the IP hostname of your server. A + service name must be defined in smb.conf, as given in the + examples (under many operating systems if there is a homes + service you can just use a valid username.) Then type smbclient + \hostnamevicename Under most Unixes you will need to put the + parameters within quotation marks. If this works, try connecting + from one of the SMB clients you were planning to use with Samba. + + + DDeebbuugg sseeqquueennccee:: + If you think you have completed the previous step and things + aren't working properly work through the diagnosis recipe. + <../DIAGNOSIS.txt> + + + EExxppoorrttiinngg ffiilleess ttoo SSMMBB cclliieennttss:: + You should read the manual pages for smb.conf, but here is a + quick answer guide. <Samba-Server-FAQ.html#Exporting> + + + CCoonnttrroolllliinngg uusseerr aacccceessss:: + the quickest and dirtiest way of sharing resources is to use + ``share level security.'' If you want to spend more time and + have a proper username and password database you must read the + paragraph on ``domain mode security.'' If you want encryption + (eg you are using Windows NT clients) follow the SMB encryption + instructions. <Samba-Server-FAQ.html#SMBEncryptionSteps> + + + BBrroowwssiinngg:: + if you are happy to type in "\samba-serverrename" at the client + end then do not read any further. Otherwise you need to + understand the ``browsing terminology'' and read <Samba-Server- + FAQ.html#NameBrowsing>. + + + PPrriinnttiinngg:: + See the printing quick answer guide. <Samba-Server- + FAQ.html#Printing> + + + If you have got everything working to this point, you can expect Samba + to be stable and secure: these are its greatest strengths. However + Samba has a great deal to offer and to go further you must do some + more reading. Speed and security optimisations, printer accounting, + network logons, roving profiles, browsing across multiple subnets and + so on are all covered either in this document or in those it refers + to. + + + 11..22.. AAllll SSaammbbaa DDooccuummeennttaattiioonn + + + + +o Meta-FAQ. This is the mother of all documents, and is the one you + are reading now. The latest version is always at + <http://samba.anu.edu.au/[.....]> but there is probably a much + nearer mirror site <../MIRRORS> which you should use instead. + + +o <Samba-Server-FAQ.html> is the best starting point for information + about server-side issues. Includes configuration tips and pointers + for Samba on particular operating systems (with 40 to choose + from...) + + +o <Samba-Client-FAQ.html> is the best starting point for information + about client-side issues, includes a list of all clients that are + known to work with Samba. + + +o manual pages <samba-man-index.html> contains descriptions of and + links to all the Samba manual pages, in Unix man and postscript + format. + + +o <samba-txt-index.html> has descriptions of and links to a large + number of text files have been contributed to samba covering many + topics. These are gradually being absorbed into the FAQs and HOWTOs + but in the meantime you might find helpful answers here. + + +o + + + 22.. GGeenneerraall IInnffoorrmmaattiioonn + + + All about Samba - what it is, how to get it, related sources of + information, how to understand the numbering scheme, pizza details. + + + 22..11.. WWhhaatt iiss SSaammbbaa?? + + + Samba is a suite of programs which work together to allow clients to + access to a server's filespace and printers via the SMB (Server + Message Block) and CIFS (Common Internet Filesystem) protocols. + Initially written for Unix, Samba now also runs on Netware, OS/2, VMS, + StratOS and Amigas. Ports to BeOS and other operating systems are + underway. Samba gives the capability for these operating systems to + behave much like a LAN Server, Windows NT Server or Pathworks machine, + only with added functionality and flexibility designed to make life + easier for administrators. + + This means that using Samba you can share a server's disks and + printers to many sorts of network clients, including Lan Manager, + Windows for Workgroups, Windows NT, Linux, OS/2, and AIX. There is + also a generic client program supplied as part of the Samba suite + which gives a user on the server an ftp-like interface to access + filespace and printers on any other SMB/CIFS servers. + + SMB has been implemented over many protocols, including XNS, NBT, IPX, + NetBEUI and TCP/IP. Samba only uses TCP/IP. This is not likely to + change although there have been some requests for NetBEUI support. + + Many users report that compared to other SMB implementations Samba is + more stable, faster, and compatible with more clients. Administrators + of some large installations say that Samba is the only SMB server + available which will scale to many tens of thousands of users without + crashing. The easy way to test these claims is to download it and try + it for yourself! + + The suite is supplied with full source code under the GNU Public + License <../COPYING>. The GPL means that you can use Samba for + whatever purpose you wish (including changing the source or selling it + for money) but under all circumstances the source code must be made + freely available. A copy of the GPL must always be included in any + copy of the package. + + The primary creator of the Samba suite is Andrew Tridgell. Later + versions incorporate much effort by many net.helpers. The man pages + and this FAQ were originally written by Karl Auer. + + + 22..22.. WWhhaatt iiss tthhee ccuurrrreenntt vveerrssiioonn ooff SSaammbbaa?? + + + At time of writing, the current version was 1.9.17. If you want to be + sure check the bottom of the change-log file. + <ftp://samba.anu.edu.au/pub/samba/alpha/change-log> + For more information see ``What do the version numbers mean?'' + + + 22..33.. WWhheerree ccaann II ggeett iitt?? + + + The Samba suite is available via anonymous ftp from samba.anu.edu.au + and many mirror <../MIRRORS> sites. You will get much faster + performance if you use a mirror site. The latest and greatest versions + of the suite are in the directory: + + /pub/samba/ + + Development (read "alpha") versions, which are NOT necessarily stable + and which do NOT necessarily have accurate documentation, are + available in the directory: + + /pub/samba/alpha + + Note that binaries are NOT included in any of the above. Samba is + distributed ONLY in source form, though binaries may be available from + other sites. Most Linux distributions, for example, do contain Samba + binaries for that platform. The VMS, OS/2, Netware and Amiga and other + ports typically have binaries made available. + + A special case is vendor-provided binary packages. Samba binaries and + default configuration files are put into packages for a specific + operating system. RedHat Linux and Sun Solaris (Sparc and x86) is + already included, and others such as OS/2 may follow. All packages are + in the directory: + + /pub/samba/Binary_Packages/"OS_Vendor" + + + 22..44.. WWhhaatt ddoo tthhee vveerrssiioonn nnuummbbeerrss mmeeaann?? + + + It is not recommended that you run a version of Samba with the word + "alpha" in its name unless you know what you are doing and are willing + to do some debugging. Many, many people just get the latest + recommended stable release version and are happy. If you are brave, by + all means take the plunge and help with the testing and development - + but don't install it on your departmental server. Samba is typically + very stable and safe, and this is mostly due to the policy of many + public releases. + + How the scheme works: + + + 1. When major changes are made the version number is increased. For + example, the transition from 1.9.16 to 1.9.17. However, this + version number will not appear immediately and people should + continue to use 1.9.15 for production systems (see next point.) + + 2. Just after major changes are made the software is considered + unstable, and a series of alpha releases are distributed, for + example 1.9.16alpha1. These are for testing by those who know what + they are doing. The "alpha" in the filename will hopefully scare + off those who are just looking for the latest version to install. + + 3. When Andrew thinks that the alphas have stabilised to the point + where he would recommend new users install it, he renames it to the + same version number without the alpha, for example 1.9.17. + + 4. Inevitably bugs are found in the "stable" releases and minor patch + levels are released which give us the pXX series, for example + 1.9.17p2. + + So the progression goes: + + + 1.9.16p10 (production) + 1.9.16p11 (production) + 1.9.17alpha1 (test sites only) + : + 1.9.17alpha20 (test sites only) + 1.9.17 (production) + 1.9.17p1 (production) + + + + The above system means that whenever someone looks at the samba ftp + site they will be able to grab the highest numbered release without an + alpha in the name and be sure of getting the current recommended + version. + + + 22..55.. WWhheerree ccaann II ggoo ffoorr ffuurrtthheerr iinnffoorrmmaattiioonn?? + + + There are a number of places to look for more information on Samba, + including: + + + +o Two mailing lists devoted to discussion of Samba-related matters. + See below for subscription information. + + +o The newsgroup comp.protocols.smb, which has a great deal of + discussion about Samba. + + +o The WWW site 'SAMBA Web Pages' at <http://samba.anu.edu.au/samba/> + includes: + + + +o Links to man pages and documentation, including this FAQ + + +o A comprehensive survey of Samba users + + +o A searchable hypertext archive of the Samba mailing list + + +o Links to Samba source code, binaries, and mirrors of both + + +o This FAQ and the rest in its family + + + + 22..66.. HHooww ddoo II ssuubbssccrriibbee ttoo tthhee SSaammbbaa MMaaiilliinngg LLiissttss?? + + + Send email to listproc@samba.anu.edu.au. Make sure the subject line is + blank, and include the following two lines in the body of the message: + + + + subscribe samba Firstname Lastname + subscribe samba-announce Firstname Lastname + + + + + Obviously you should substitute YOUR first name for "Firstname" and + YOUR last name for "Lastname"! Try not to send any signature, it + sometimes confuses the list processor. + + The samba list is a digest list - every eight hours or so it sends a + single message containing all the messages that have been received by + the list since the last time and sends a copy of this message to all + subscribers. There are thousands of people on this list. + + If you stop being interested in Samba, please send another email to + listproc@samba.anu.edu.au. Make sure the subject line is blank, and + include the following two lines in the body of the message: + + + + unsubscribe samba + unsubscribe samba-announce + + + + + The FFrroomm:: line in your message _M_U_S_T be the same address you used when + you subscribed. + + + 22..77.. SSoommeetthhiinngg''ss ggoonnee wwrroonngg -- wwhhaatt sshhoouulldd II ddoo?? + + + ## ****** IIMMPPOORRTTAANNTT!! ****** ## + + + DO NOT post messages on mailing lists or in newsgroups until you have + carried out the first three steps given here! + + + 1. See if there are any likely looking entries in this FAQ! If you + have just installed Samba, have you run through the checklist in + DIAGNOSIS.txt <ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt>? It + can save you a lot of time and effort. DIAGNOSIS.txt can also be + found in the docs directory of the Samba distribution. + + 2. Read the man pages for smbd, nmbd and smb.conf, looking for topics + that relate to what you are trying to do. + + 3. If there is no obvious solution to hand, try to get a look at the + log files for smbd and/or nmbd for the period during which you were + having problems. You may need to reconfigure the servers to provide + more extensive debugging information - usually level 2 or level 3 + provide ample debugging info. Inspect these logs closely, looking + particularly for the string "Error:". + + 4. If you need urgent help and are willing to pay for it see ``Paid + Support''. + + If you still haven't got anywhere, ask the mailing list or newsgroup. + In general nobody minds answering questions provided you have followed + the preceding steps. It might be a good idea to scan the archives of + the mailing list, which are available through the Samba web site + described in the previous section. When you post be sure to include a + good description of your environment and your problem. + + If you successfully solve a problem, please mail the FAQ maintainer a + succinct description of the symptom, the problem and the solution, so + that an explanation can be incorporated into the next version. + + + + + 22..88.. HHooww ddoo II ssuubbmmiitt ppaattcchheess oorr bbuugg rreeppoorrttss?? + + + If you make changes to the source code, _p_l_e_a_s_e submit these patches so + that everyone else gets the benefit of your work. This is one of the + most important aspects to the maintainence of Samba. Send all patches + to samba-bugs@samba.anu.edu.au. Do not send patches to Andrew Tridgell + or any other individual, they may be lost if you do. + + Patch format ------------ + + If you are sending a patch to fix a problem then please don't just use + standard diff format. As an example, samba-bugs received this patch + from someone: + + 382a #endif 381a #if !defined(NEWS61) + + How are we supposed to work out what this does and where it goes? + These sort of patches only work if we both have identical files in the + first place. The Samba sources are constantly changing at the hands of + multiple developers, so it doesn't work. + + Please use either context diffs or (even better) unified diffs. You + get these using "diff -c4" or "diff -u". If you don't have a diff that + can generate these then please send manualy commented patches to I + know what is being changed and where. Most patches are applied by hand + so the info must be clear. + + This is a basic guideline that will assist us with assessing your + problem more efficiently : + + Machine Arch: Machine OS: OS Version: Kernel: + + Compiler: Libc Version: + + Samba Version: + + Network Layout (description): + + What else is on machine (services, etc): + + Some extras : + + + +o what you did and what happened + + +o relevant parts of a debugging output file with debuglevel higher. + If you can't find the relevant parts, please ask before mailing + huge files. + + +o anything else you think is useful to trace down the bug + + + 22..99.. WWhhaatt iiff II hhaavvee aann UURRGGEENNTT mmeessssaaggee ffoorr tthhee ddeevveellooppeerrss?? + + + If you have spotted something very serious and believe that it is + important to contact the developers quickly send a message to samba- + urgent@samba.anu.edu.au. This will be processed more quickly than mail + to samba-bugs. Please think carefully before using this address. An + example of its use might be to report a security hole. + + Examples of things _n_o_t to send to samba-urgent include problems + getting Samba to work at all and bugs that cannot potentially cause + damage. + + 22..1100.. WWhhaatt iiff II nneeeedd ppaaiidd--ffoorr ssuuppppoorrtt?? + + + Samba has a large network of consultants who provide Samba support on + a commercial basis. The list is included in the package in + <../Support.txt>, and the latest version will always be on the main + samba ftp site. Any company in the world can request that the samba + team include their details in Support.txt so we can give no guarantee + of their services. + + + 22..1111.. PPiizzzzaa ssuuppppllyy ddeettaaiillss + + + Those who have registered in the Samba survey as "Pizza Factory" will + already know this, but the rest may need some help. Andrew doesn't ask + for payment, but he does appreciate it when people give him pizza. + This calls for a little organisation when the pizza donor is twenty + thousand kilometres away, but it has been done. + + + 1. Ring up your local branch of an international pizza chain and see + if they honour their vouchers internationally. Pizza Hut do, which + is how the entire Canberra Linux Users Group got to eat pizza one + night, courtesy of someone in the US. + + 2. Ring up a local pizza shop in Canberra and quote a credit card + number for a certain amount, and tell them that Andrew will be + collecting it (don't forget to tell him.) One kind soul from + Germany did this. + + 3. Purchase a pizza voucher from your local pizza shop that has no + international affiliations and send it to Andrew. It is completely + useless but he can hang it on the wall next to the one he already + has from Germany :-) + + 4. Air freight him a pizza with your favourite regional flavours. It + will probably get stuck in customs or torn apart by hungry sniffer + dogs but it will have been a noble gesture. + + + 33.. AAbboouutt tthhee CCIIFFSS aanndd SSMMBB PPrroottooccoollss + + + + 33..11.. WWhhaatt iiss tthhee SSeerrvveerr MMeessssaaggee BBlloocckk ((SSMMBB)) PPrroottooccooll?? + + SMB is a filesharing protocol that has had several maintainers and + contributors over the years including Xerox, 3Com and most recently + Microsoft. Names for this protocol include LAN Manager and Microsoft + Networking. Parts of the specification has been made public at several + versions including in an X/Open document, as listed at + <ftp://ftp.microsoft.com/developr/drg/CIFS/>. No specification + releases were made between 1992 and 1996, and during that period + Microsoft became the SMB implementor with the largest market share. + Microsoft developed the specification further for its products but for + various reasons connected with developer's workload rather than market + strategy did not make the changes public. This culminated with the + "Windows NT 0.12" version released with NT 3.5 in 1995 which had + significant improvements and bugs. Because Microsoft client systems + are so popular, it is fair to say that what Microsoft with Windows + affects all suppliers of SMB server products. + + From 1994 Andrew Tridgell began doing some serious work on his + Smbserver (now Samba) product and with some helpers started to + implement more and more of these protocols. Samba began to take a + significant share of the SMB server market. + + + 33..22.. WWhhaatt iiss tthhee CCoommmmoonn IInntteerrnneett FFiilleessyysstteemm ((CCIIFFSS))?? + + The initial pressure for Microsoft to document their current SMB + implementation came from the Samba team, who kept coming across things + on the wire that Microsoft either didn't know about or hadn't + documented anywhere (even in the sourcecode to Windows NT.) Then Sun + Microsystems came out with their WebNFS initiative, designed to + replace FTP for file transfers on the Internet. There are many + drawbacks to WebNFS (including its scope - it aims to replace HTTP as + well!) but the concept was attractive. FTP is not very clever, and why + should it be harder to get files from across the world than across the + room? + + Some hasty revisions were made and an Internet Draft for the Common + Internet Filesystem (CIFS) was released. Note that CIFS is not an + Internet standard and is a very long way from becoming one, BUT the + protocol specification is in the public domain and ongoing discussions + concerning the spec take place on a public mailing list according to + the rules of the Internet Engineering Task Force. For more information + and pointers see <http://samba.anu.edu.au/cifs/> + + The following is taken from <http://www.microsoft.com/intdev/cifs/> + + + CIFS defines a standard remote file system access protocol for use + over the Internet, enabling groups of users to work together and + share documents across the Internet or within their corporate + intranets. CIFS is an open, cross-platform technology based on the + native file-sharing protocols built into Microsoft Windows and + other popular PC operating systems, and supported on dozens of + other platforms, including UNIX. With CIFS, millions of computer + users can open and share remote files on the Internet without having + to install new software or change the way they work." + + + + If you consider CIFS as a backwardsly-compatible refinement of SMB + that will work reasonably efficiently over the Internet you won't be + too far wrong. + + The net effect is that Microsoft is now documenting large parts of + their Windows NT fileserver protocols. The security concepts embodied + in Windows NT are part of the specification, which is why Samba + documentation often talks in terms of Windows NT. However there is no + reason why a site shouldn't conduct all its file and printer sharing + with CIFS and yet have no Microsoft products at all. + + + 33..33.. WWhhaatt iiss BBrroowwssiinngg?? + + The term "Browsing" causes a lot of confusion. It is the part of the + SMB/CIFS protocol which allows for resource discovery. For example, in + the Windows NT Explorer it is possible to see a "Network + Neighbourhood" of computers in the same SMB workgroup. Clicking on the + name of one of these machines brings up a list of file and printer + resources for connecting to. In this way you can cruise the network, + seeing what things are available. How this scales to the Internet is a + subject for debate. Look at the CIFS list archives to see what the + experts think. + + + + + 44.. DDeessiiggnniinngg AA SSMMBB aanndd CCIIFFSS NNeettwwoorrkk + + + The big issues for installing any network of LAN or WAN file and print + servers are + + + +o How and where usernames, passwords and other security information + is stored + + +o What method can be used for locating the resources that users have + permission to use + + +o What protocols the clients can converse with + + + If you buy Netware, Windows NT or just about any other LAN fileserver + product you are expected to lock yourself into the product's preferred + answers to these questions. This tendancy is restrictive and often + very expensive for a site where there is only one kind of client or + server, and for sites with a mixture of operating systems it often + makes it impossible to share resources between some sets of users. + + The Samba philosophy is to make things as easy as possible for + administators, which means allowing as many combinations of clients, + servers, operating systems and protocols as possible. + + + 44..11.. WWoorrkkggrroouuppss,, DDoommaaiinnss,, AAuutthheennttiiccaattiioonn aanndd BBrroowwssiinngg + + + From the point of view of networking implementation, Domains and + Workgroups are _e_x_a_c_t_l_y the same, except for the client logon sequence. + Some kind of distributed authentication database is associated with a + domain (there are quite a few choices) and this adds so much + flexibility that many people think of a domain as a completely + different entity to a workgroup. From Samba's point of view a client + connecting to a service presents an authentication token, and it if it + is valid they have access. Samba does not care what mechanism was used + to generate that token in the first place. + + The SMB client logging on to a domain has an expectation that every + other server in the domain should accept the same authentication + information. However the network browsing functionality of domains + and workgroups is identical and is explained in <../BROWSING.txt>. + + There are some implementation differences: Windows 95 can be a member + of both a workgroup and a domain, but Windows NT cannot. Windows 95 + also has the concept of an "alternative workgroup". Samba can only be + a member of a single workgroup or domain, although this is due to + change with a future version when nmbd will be split into two daemons, + one for WINS and the other for browsing ( <../NetBIOS.txt> explains + what WINS is.) + + + 44..11..11.. DDeeffiinniinngg tthhee TTeerrmmss + + + + + WWoorrkkggrroouupp + means a collection of machines that maintain a common browsing + database containing information about their shared resources. + They do not necessarily have any security information in common + (if they do, it gets called a Domain.) The browsing database is + dynamic, modified as servers come and go on the network and as + resources are added or deleted. The term "browsing" refers to a + user accessing the database via whatever interface the client + provides, eg the OS/2 Workplace Shell or Windows 95 Explorer. + SMB servers agree between themselves as to which ones will + maintain the browsing database. Workgroups can be anywhere on a + connected TCP/IP network, including on different subnets or even + on the Interet. This is a very tricky part of SMB to implement. + + + MMaasstteerr BBrroowwsseerrss + are machines which holds the master browsing database for a + workgroup or domain. There are two kinds of Master Browser: + + + +o Domain Master Browser, which holds the master browsing + information for an entire domain, which may well cross multiple + TCP/IP subnets. + + +o Local Master Browser, which holds the master browsing database + for a particular subnet and communicates with the Domain Master + Browser to get information on other subnets. + + Subnets are differentiated because browsing is based on + broadcasts, and broadcasts do not pass through routers. Subnets + are not routed: while it is possible to have more than one + subnet on a single network segment this is regarded as very bad + practice. + + Master Browsers (both Domain and Local) are elected dynamically + according to an algorithm which is supposed to take into account + the machine's ability to sustain the browsing load. Samba can be + configured to always act as a master browser, ie it always wins + elections under all circumstances, even against systems such as + a Windows NT Primary Domain Controller which themselves expect + to win. + + There are also Backup Browsers which are promoted to Master + Browsers in the event of a Master Browser disappearing from the + network. + + Alternative terms include confusing variations such as "Browse + Master", and "Master Browser" which we are trying to eliminate + from the Samba documentation. + + + DDoommaaiinn CCoonnttrroolllleerr + is a term which comes from the Microsoft and IBM etc + implementation of the LAN Manager protocols. It is tied to + authentication. There are other ways of doing domain + authentication, but the Windows NT method has a large market + share. The general issues are discussed in <../DOMAIN.txt> and + a Windows NT-specific discussion is in <../DOMAIN_CONTROL.txt>. + + + + 44..11..22.. SShhaarreelleevveell ((WWoorrkkggrroouupp)) SSeeccuurriittyy SSeerrvviicceess + + + With the Samba setting "security = SHARE", all shared resources + information about what password is associated with them but only hints + as to what usernames might be valid (the hint can be 'all users', in + which case any username will work. This is usually a bad idea, but + reflects both the initial implementations of SMB in the mid-80s and + its reincarnation with Windows for Workgroups in 1992. The idea behind + workgroup security was that small independant groups of people could + share information on an ad-hoc basis without there being an + authentication infrastructure present or requiring them to do more + than fill in a dialogue box. + + + 44..11..33.. AAuutthheennttiiccaattiioonn DDoommaaiinn MMooddee SSeerrvviicceess + + + With the Samba settings "security = USER" or "security = SERVER" + accesses to all resources are checked for username/password pair + matches in a more rigorous manner. To the client, this has the effect + of emulating a Microsoft Domain. The client is not concerned whether + or not Samba looks up a Windows NT SAM or does it in some other way. + + + 44..22.. AAuutthheennttiiccaattiioonn SScchheemmeess + + + In the simple case authentication information is stored on a single + server and the user types a password on connecting for the first time. + However client operating systems often require a password before they + can be used at all, and in addition users usually want access to more + than one server. Asking users to remember many different passwords in + different contexts just does not work. Some kind of distributed + authentication database is needed. It must cope with password changes + and provide for assigning groups of users the same level of access + permissions. This is why Samba installations often choose to implement + a Domain model straight away. + + Authentication decisions are some of the biggest in designing a + network. Are you going to use a scheme native to the client operating + system, native to the server operating system, or newly installed on + both? A list of options relevant to Samba (ie that make sense in the + context of the SMB protocol) follows. Any experiences with other + setups would be appreciated. refer to server FAQ for "passwd chat" + passwd program password server etc etc... + + + 44..22..11.. NNIISS + + + For Windows 95, Windows for Workgroups and most other clients Samba + can be a domain controller and share the password database via NIS + transparently. Windows NT is different. Free NIS NT client + <http://www.dcs.qmw.ac.uk/~williams> + + + 44..22..22.. KKeerrbbeerrooss + + + Kerberos for US users only: Kerberos overview + <http://www.cygnus.com/product/unifying-security.html> Download + Kerberos <http://www.cygnus.com/product/kerbnet-download.html> + + + 44..22..33.. FFTTPP + + + Other NT w/s logon hack via NT + + + 44..22..44.. DDeeffaauulltt SSeerrvveerr MMeetthhoodd + + + + + + 44..22..55.. CClliieenntt--ssiiddee DDaattaabbaassee OOnnllyy + + + + 44..33.. PPoosstt--AAuutthheennttiiccaattiioonn:: NNeettllooggoonn,, LLooggoonn SSccrriippttss,, PPrrooffiilleess + + + See <../DOMAIN.txt> + + + 55.. CCrroossss--PPrroottooccooll FFiillee SShhaarriinngg + + + Samba is an important tool for... + + It is possible to... + + File protocol gateways... + + "Setting up a Linux File Server" + http://vetrec.mit.edu/people/narf/linux.html + + Two free implementations of Appletalk for Unix are Netatalk, + <http://www.umich.edu/~rsug/netatalk/>, and CAP, + <http://www.cs.mu.oz.au/appletalk/atalk.html>. What Samba offers MS + Windows users, these packages offer to Macs. For more info on these + packages, Samba, and Linux (and other UNIX-based systems) see + <http://www.eats.com/linux_mac_win.html> 3.5) Sniffing your nework + + + + 66.. MMiisscceellllaanneeoouuss + + + 66..11.. IIss SSaammbbaa YYeeaarr 22000000 ccoommpplliiaanntt?? + + + The CIFS protocol that Samba implements negotiates times in various + formats, all of which are able to cope with dates beyond 2000. + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/faq/sambafaq-1.html b/docs/faq/sambafaq-1.html new file mode 100644 index 00000000000..c010e50e011 --- /dev/null +++ b/docs/faq/sambafaq-1.html @@ -0,0 +1,392 @@ +<HTML> +<HEAD> +<TITLE> Samba FAQ: General Information</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="sambafaq-2.html">Next</A> +<A HREF="sambafaq.html#toc1">Table of Contents</A> +<HR> +<H2><A NAME="s1">1. General Information</A></H2> + +<P> +<A NAME="general_info"></A> +</P> +<P>All about Samba - what it is, how to get it, related sources of +information, how to understand the version numbering scheme, pizza +details</P> + +<H2><A NAME="ss1.1">1.1 What is Samba? </A></H2> + +<P> +<A NAME="introduction"></A> + +Samba is a suite of programs which work together to allow clients to +access to a server's filespace and printers via the SMB (Server +Message Block) protocol. Initially written for Unix, Samba now also +runs on Netware, OS/2 and VMS.</P> +<P>In practice, this means that you can redirect disks and printers to +Unix disks and printers from Lan Manager clients, Windows for +Workgroups 3.11 clients, Windows NT clients, Linux clients and OS/2 +clients. There is also a generic Unix client program supplied as part +of the suite which allows Unix users to use an ftp-like interface to +access filespace and printers on any other SMB servers. This gives the +capability for these operating systems to behave much like a LAN +Server or Windows NT Server machine, only with added functionality and +flexibility designed to make life easier for administrators.</P> +<P>The components of the suite are (in summary):</P> +<P> +<UL> +<LI><B>smbd</B>, the SMB server. This handles actual connections from clients, doing all the file, permission and username work</LI> +<LI><B>nmbd</B>, the Netbios name server, which helps clients locate servers, doing the browsing work and managing domains as this capability is being built into Samba</LI> +<LI><B>smbclient</B>, the Unix-hosted client program</LI> +<LI><B>smbrun</B>, a little 'glue' program to help the server run external programs</LI> +<LI><B>testprns</B>, a program to test server access to printers</LI> +<LI><B>testparms</B>, a program to test the Samba configuration file for correctness</LI> +<LI><B>smb.conf</B>, the Samba configuration file</LI> +<LI><B>smbprint</B>, a sample script to allow a Unix host to use smbclient to print to an SMB server</LI> +<LI><B>Documentation!</B> DON'T neglect to read it - you will save a great deal of time!</LI> +</UL> +</P> +<P>The suite is supplied with full source (of course!) and is GPLed.</P> +<P>The primary creator of the Samba suite is Andrew Tridgell. Later +versions incorporate much effort by many net.helpers. The man pages +and this FAQ were originally written by Karl Auer.</P> + + +<H2><A NAME="ss1.2">1.2 What is the current version of Samba? </A></H2> + +<P> +<A NAME="current_version"></A> + +At time of writing, the current version was 1.9.17. If you want to be +sure check the bottom of the change-log file. +<A HREF="ftp://samba.anu.edu.au/pub/samba/alpha/change-log">ftp://samba.anu.edu.au/pub/samba/alpha/change-log</A></P> +<P>For more information see +<A HREF="#version_nums">What do the version numbers mean?</A></P> + + +<H2><A NAME="ss1.3">1.3 Where can I get it? </A></H2> + +<P> +<A NAME="where"></A> + +The Samba suite is available via anonymous ftp from +samba.anu.edu.au. The latest and greatest versions of the suite are in +the directory:</P> +<P>/pub/samba/</P> +<P>Development (read "alpha") versions, which are NOT necessarily stable +and which do NOT necessarily have accurate documentation, are +available in the directory:</P> +<P>/pub/samba/alpha</P> +<P>Note that binaries are NOT included in any of the above. Samba is +distributed ONLY in source form, though binaries may be available from +other sites. Recent versions of some Linux distributions, for example, +do contain Samba binaries for that platform.</P> + + +<H2><A NAME="ss1.4">1.4 What do the version numbers mean? </A></H2> + +<P> +<A NAME="version_nums"></A> + +It is not recommended that you run a version of Samba with the word +"alpha" in its name unless you know what you are doing and are willing +to do some debugging. Many, many people just get the latest +recommended stable release version and are happy. If you are brave, by +all means take the plunge and help with the testing and development - +but don't install it on your departmental server. Samba is typically +very stable and safe, and this is mostly due to the policy of many +public releases.</P> +<P>How the scheme works: +<OL> +<LI>When major changes are made the version number is increased. For +example, the transition from 1.9.15 to 1.9.16. However, this version +number will not appear immediately and people should continue to use +1.9.15 for production systems (see next point.) +</LI> +<LI>Just after major changes are made the software is considered +unstable, and a series of alpha releases are distributed, for example +1.9.16alpha1. These are for testing by those who know what they are +doing. The "alpha" in the filename will hopefully scare off those who +are just looking for the latest version to install. +</LI> +<LI>When Andrew thinks that the alphas have stabilised to the point +where he would recommend new users install it, he renames it to the +same version number without the alpha, for example 1.9.16. +</LI> +<LI>Inevitably bugs are found in the "stable" releases and minor patch +levels are released which give us the pXX series, for example 1.9.16p2.</LI> +</OL> + +So the progression goes: +<PRE> + 1.9.15p7 (production) + 1.9.15p8 (production) + 1.9.16alpha1 (test sites only) + : + 1.9.16alpha20 (test sites only) + 1.9.16 (production) + 1.9.16p1 (production) +</PRE> + +The above system means that whenever someone looks at the samba ftp +site they will be able to grab the highest numbered release without an +alpha in the name and be sure of getting the current recommended +version.</P> + + +<H2><A NAME="ss1.5">1.5 What platforms are supported? </A></H2> + +<P> +<A NAME="platforms"></A> + +Many different platforms have run Samba successfully. The platforms +most widely used and thus best tested are Linux and SunOS.</P> +<P>At time of writing, the Makefile claimed support for: +<UL> +<LI> A/UX 3.0</LI> +<LI> AIX</LI> +<LI> Altos Series 386/1000</LI> +<LI> Amiga</LI> +<LI> Apollo Domain/OS sr10.3</LI> +<LI> BSDI </LI> +<LI> B.O.S. (Bull Operating System)</LI> +<LI> Cray, Unicos 8.0</LI> +<LI> Convex</LI> +<LI> DGUX. </LI> +<LI> DNIX.</LI> +<LI> FreeBSD</LI> +<LI> HP-UX</LI> +<LI> Intergraph. </LI> +<LI> Linux with/without shadow passwords and quota</LI> +<LI> LYNX 2.3.0</LI> +<LI> MachTen (a unix like system for Macintoshes)</LI> +<LI> Motorola 88xxx/9xx range of machines</LI> +<LI> NetBSD</LI> +<LI> NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach).</LI> +<LI> OS/2 using EMX 0.9b</LI> +<LI> OSF1</LI> +<LI> QNX 4.22</LI> +<LI> RiscIX. </LI> +<LI> RISCOs 5.0B</LI> +<LI> SEQUENT. </LI> +<LI> SCO (including: 3.2v2, European dist., OpenServer 5)</LI> +<LI> SGI.</LI> +<LI> SMP_DC.OSx v1.1-94c079 on Pyramid S series</LI> +<LI> SONY NEWS, NEWS-OS (4.2.x and 6.1.x)</LI> +<LI> SUNOS 4</LI> +<LI> SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later')</LI> +<LI> Sunsoft ISC SVR3V4</LI> +<LI> SVR4</LI> +<LI> System V with some berkely extensions (Motorola 88k R32V3.2).</LI> +<LI> ULTRIX.</LI> +<LI> UNIXWARE</LI> +<LI> UXP/DS</LI> +</UL> +</P> + + +<H2><A NAME="ss1.6">1.6 How can I find out more about Samba? </A></H2> + +<P> +<A NAME="more"></A> + +There are a number of places to look for more information on Samba, including: +<UL> +<LI>Two mailing lists devoted to discussion of Samba-related matters. </LI> +<LI>The newsgroup, comp.protocols.smb, which has a great deal of discussion on Samba. </LI> +<LI>The WWW site 'SAMBA Web Pages' at +<A HREF="http://samba.edu.au/samba/">http://samba.edu.au/samba/</A> includes: +<UL> +<LI>Links to man pages and documentation, including this FAQ</LI> +<LI>A comprehensive survey of Samba users.</LI> +<LI>A searchable hypertext archive of the Samba mailing list.</LI> +<LI>Links to Samba source code, binaries, and mirrors of both.</LI> +</UL> +</LI> +<LI>The long list of topic documentation. These files can be found in the 'docs' directory of the Samba source, or at +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/">ftp://samba.anu.edu.au/pub/samba/docs/</A> +<UL> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Application_Serving.txt">Application_Serving.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt">BROWSING.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/BUGS.txt">BUGS.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/DIAGNOSIS.txt">DIAGNOSIS.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/DNIX.txt">DNIX.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN.txt">DOMAIN.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN_CONTROL.txt">CONTROL.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt">ENCRYPTION.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Faxing.txt">Faxing.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/GOTCHAS.txt">GOTCHAS.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/HINTS.txt">HINTS.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.sambatar">INSTALL.sambatar</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.txt">INSTALL.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/MIRRORS">MIRRORS</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/NetBIOS.txt">NetBIOS.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/OS2.txt">OS2.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/PROJECTS">PROJECTS</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Passwords.txt">Passwords.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Printing.txt">Printing.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/README.DCEDFS">README.DCEDFS</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/README.OS2">README.OS2</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/README.jis">README.jis</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/README.sambatar">README.sambatar</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/SCO.txt">SCO.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/SMBTAR.notes">SMBTAR.notes</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Speed.txt">Speed.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Support.txt">Support.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/THANKS">THANKS</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Tracing.txt">Tracing.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/UNIX-SMB.txt">SMB.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/Warp.txt">Warp.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/WinNT.txt">WinNT.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/history">history</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt">level.txt</A></LI> +<LI> +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/wfw_slip.htm">slip.htm</A></LI> +</UL> +</LI> +</UL> +</P> + + +<H2><A NAME="ss1.7">1.7 How do I subscribe to the Samba Mailing Lists?</A></H2> + +<P> +<A NAME="mailinglist"></A> + +Send email to +<A HREF="mailto:listproc@samba.anu.edu.au">listproc@samba.anu.edu.au</A>. Make sure the subject line is +blank, and include the following two lines in the body of the message: +<BLOCKQUOTE><CODE> +<PRE> +subscribe samba Firstname Lastname +subscribe samba-announce Firstname Lastname +</PRE> +</CODE></BLOCKQUOTE> + +Obviously you should substitute YOUR first name for "Firstname" and +YOUR last name for "Lastname"! Try not to send any signature stuff, it +sometimes confuses the list processor.</P> +<P>The samba list is a digest list - every eight hours or so it +regurgitates a single message containing all the messages that have +been received by the list since the last time and sends a copy of this +message to all subscribers.</P> +<P>If you stop being interested in Samba, please send another email to +<A HREF="mailto:listproc@samba.anu.edu.au">listproc@samba.anu.edu.au</A>. Make sure the subject line is blank, and +include the following two lines in the body of the message: +<BLOCKQUOTE><CODE> +<PRE> +unsubscribe samba +unsubscribe samba-announce +</PRE> +</CODE></BLOCKQUOTE> + +The <B>From:</B> line in your message <EM>MUST</EM> be the same address you used when +you subscribed.</P> + + +<H2><A NAME="ss1.8">1.8 Something's gone wrong - what should I do? </A></H2> + +<P> +<A NAME="wrong"></A> + +<B><F>#</F> *** IMPORTANT! *** <F>#</F></B></P> +<P>DO NOT post messages on mailing lists or in newsgroups until you have +carried out the first three steps given here!</P> +<P>Firstly, see if there are any likely looking entries in this FAQ! If +you have just installed Samba, have you run through the checklist in +<A HREF="ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt">DIAGNOSIS.txt</A>? It can save you a lot of time and effort. +DIAGNOSIS.txt can also be found in the docs directory of the Samba distribution.</P> +<P>Secondly, read the man pages for smbd, nmbd and smb.conf, looking for +topics that relate to what you are trying to do.</P> +<P>Thirdly, if there is no obvious solution to hand, try to get a look at +the log files for smbd and/or nmbd for the period during which you +were having problems. You may need to reconfigure the servers to +provide more extensive debugging information - usually level 2 or +level 3 provide ample debugging info. Inspect these logs closely, +looking particularly for the string "Error:".</P> +<P>Fourthly, if you still haven't got anywhere, ask the mailing list or +newsgroup. In general nobody minds answering questions provided you +have followed the preceding steps. It might be a good idea to scan the +archives of the mailing list, which are available through the Samba +web site described in the previous +section.</P> +<P>If you successfully solve a problem, please mail the FAQ maintainer a +succinct description of the symptom, the problem and the solution, so +I can incorporate it in the next version.</P> +<P>If you make changes to the source code, _please_ submit these patches +so that everyone else gets the benefit of your work. This is one of +the most important aspects to the maintainence of Samba. Send all +patches to +<A HREF="mailto:samba-bugs@samba.anu.edu.au">samba-bugs@samba.anu.edu.au</A>. Do not send patches to Andrew Tridgell or any +other individual, they may be lost if you do.</P> + + +<H2><A NAME="ss1.9">1.9 Pizza supply details </A></H2> + +<P> +<A NAME="pizza"></A> + +Those who have registered in the Samba survey as "Pizza Factory" will +already know this, but the rest may need some help. Andrew doesn't ask +for payment, but he does appreciate it when people give him +pizza. This calls for a little organisation when the pizza donor is +twenty thousand kilometres away, but it has been done.</P> +<P>Method 1: Ring up your local branch of an international pizza chain +and see if they honour their vouchers internationally. Pizza Hut do, +which is how the entire Canberra Linux Users Group got to eat pizza +one night, courtesy of someone in the US</P> +<P>Method 2: Ring up a local pizza shop in Canberra and quote a credit +card number for a certain amount, and tell them that Andrew will be +collecting it (don't forget to tell him.) One kind soul from Germany +did this.</P> +<P>Method 3: Purchase a pizza voucher from your local pizza shop that has +no international affiliations and send it to Andrew. It is completely +useless but he can hang it on the wall next to the one he already has +from Germany :-)</P> +<P>Method 4: Air freight him a pizza with your favourite regional +flavours. It will probably get stuck in customs or torn apart by +hungry sniffer dogs but it will have been a noble gesture.</P> + + +<HR> +Previous +<A HREF="sambafaq-2.html">Next</A> +<A HREF="sambafaq.html#toc1">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/sambafaq-2.html b/docs/faq/sambafaq-2.html new file mode 100644 index 00000000000..b92a1e2fcd1 --- /dev/null +++ b/docs/faq/sambafaq-2.html @@ -0,0 +1,239 @@ +<HTML> +<HEAD> +<TITLE> Samba FAQ: Compiling and installing Samba on a Unix host</TITLE> +</HEAD> +<BODY> +<A HREF="sambafaq-1.html">Previous</A> +<A HREF="sambafaq-3.html">Next</A> +<A HREF="sambafaq.html#toc2">Table of Contents</A> +<HR> +<H2><A NAME="s2">2. Compiling and installing Samba on a Unix host</A></H2> + +<P> +<A NAME="unix_install"></A> +</P> + +<H2><A NAME="ss2.1">2.1 I can't see the Samba server in any browse lists!</A></H2> + +<P> +<A NAME="no_browse"></A> + +See +<A HREF="ftp://samba.anu.edu.au/pub/samba/BROWSING.txt">BROWSING.txt</A> +for more information on browsing. Browsing.txt can also be found +in the docs directory of the Samba source.</P> +<P>If your GUI client does not permit you to select non-browsable +servers, you may need to do so on the command line. For example, under +Lan Manager you might connect to the above service as disk drive M: +thusly: +<BLOCKQUOTE><CODE> +<PRE> + net use M: \\mary\fred +</PRE> +</CODE></BLOCKQUOTE> + +The details of how to do this and the specific syntax varies from +client to client - check your client's documentation.</P> + + +<H2><A NAME="ss2.2">2.2 Some files that I KNOW are on the server doesn't show up when I view the files from my client! </A></H2> + +<P> +<A NAME="missing_files"></A> + +See the next question.</P> + +<H2><A NAME="ss2.3">2.3 Some files on the server show up with really wierd filenames when I view the files from my client! </A></H2> + +<P> +<A NAME="strange_filenames"></A> + +If you check what files are not showing up, you will note that they +are files which contain upper case letters or which are otherwise not +DOS-compatible (ie, they are not legal DOS filenames for some reason).</P> +<P>The Samba server can be configured either to ignore such files +completely, or to present them to the client in "mangled" form. If you +are not seeing the files at all, the Samba server has most likely been +configured to ignore them. Consult the man page smb.conf(5) for +details of how to change this - the parameter you need to set is +"mangled names = yes".</P> + + +<H2><A NAME="ss2.4">2.4 My client reports "cannot locate specified computer" or similar</A></H2> + +<P> +<A NAME="cant_see_server"></A> + +This indicates one of three things: You supplied an incorrect server +name, the underlying TCP/IP layer is not working correctly, or the +name you specified cannot be resolved.</P> +<P>After carefully checking that the name you typed is the name you +should have typed, try doing things like pinging a host or telnetting +to somewhere on your network to see if TCP/IP is functioning OK. If it +is, the problem is most likely name resolution.</P> +<P>If your client has a facility to do so, hardcode a mapping between the +hosts IP and the name you want to use. For example, with Man Manager +or Windows for Workgroups you would put a suitable entry in the file +LMHOSTS. If this works, the problem is in the communication between +your client and the netbios name server. If it does not work, then +there is something fundamental wrong with your naming and the solution +is beyond the scope of this document.</P> +<P>If you do not have any server on your subnet supplying netbios name +resolution, hardcoded mappings are your only option. If you DO have a +netbios name server running (such as the Samba suite's nmbd program), +the problem probably lies in the way it is set up. Refer to Section +Two of this FAQ for more ideas.</P> +<P>By the way, remember to REMOVE the hardcoded mapping before further +tests :-) </P> + + +<H2><A NAME="ss2.5">2.5 My client reports "cannot locate specified share name" or similar</A></H2> + +<P> +<A NAME="cant_see_share"></A> + +This message indicates that your client CAN locate the specified +server, which is a good start, but that it cannot find a service of +the name you gave.</P> +<P>The first step is to check the exact name of the service you are +trying to connect to (consult your system administrator). Assuming it +exists and you specified it correctly (read your client's doco on how +to specify a service name correctly), read on:</P> +<P> +<UL> +<LI> Many clients cannot accept or use service names longer than eight characters.</LI> +<LI> Many clients cannot accept or use service names containing spaces.</LI> +<LI> Some servers (not Samba though) are case sensitive with service names.</LI> +<LI> Some clients force service names into upper case.</LI> +</UL> +</P> + + +<H2><A NAME="ss2.6">2.6 My client reports "cannot find domain controller", "cannot log on to the network" or similar </A></H2> + +<P> +<A NAME="cant_see_net"></A> + +Nothing is wrong - Samba does not implement the primary domain name +controller stuff for several reasons, including the fact that the +whole concept of a primary domain controller and "logging in to a +network" doesn't fit well with clients possibly running on multiuser +machines (such as users of smbclient under Unix). Having said that, +several developers are working hard on building it in to the next +major version of Samba. If you can contribute, send a message to +<A HREF="mailto:samba-bugs@samba.anu.edu.au">samba-bugs@samba.anu.edu.au</A> !</P> +<P>Seeing this message should not affect your ability to mount redirected +disks and printers, which is really what all this is about.</P> +<P>For many clients (including Windows for Workgroups and Lan Manager), +setting the domain to STANDALONE at least gets rid of the message.</P> + + +<H2><A NAME="ss2.7">2.7 Printing doesn't work :-(</A></H2> + +<P> +<A NAME="no_printing"></A> + +Make sure that the specified print command for the service you are +connecting to is correct and that it has a fully-qualified path (eg., +use "/usr/bin/lpr" rather than just "lpr").</P> +<P>Make sure that the spool directory specified for the service is +writable by the user connected to the service. In particular the user +"nobody" often has problems with printing, even if it worked with an +earlier version of Samba. Try creating another guest user other than +"nobody".</P> +<P>Make sure that the user specified in the service is permitted to use +the printer.</P> +<P>Check the debug log produced by smbd. Search for the printer name and +see if the log turns up any clues. Note that error messages to do with +a service ipc$ are meaningless - they relate to the way the client +attempts to retrieve status information when using the LANMAN1 +protocol.</P> +<P>If using WfWg then you need to set the default protocol to TCP/IP, not +Netbeui. This is a WfWg bug.</P> +<P>If using the Lanman1 protocol (the default) then try switching to +coreplus. Also not that print status error messages don't mean +printing won't work. The print status is received by a different +mechanism.</P> + + +<H2><A NAME="ss2.8">2.8 My programs install on the server OK, but refuse to work properly</A></H2> + +<P> +<A NAME="programs_wont_run"></A> + +There are numerous possible reasons for this, but one MAJOR +possibility is that your software uses locking. Make sure you are +using Samba 1.6.11 or later. It may also be possible to work around +the problem by setting "locking=no" in the Samba configuration file +for the service the software is installed on. This should be regarded +as a strictly temporary solution.</P> +<P>In earlier Samba versions there were some difficulties with the very +latest Microsoft products, particularly Excel 5 and Word for Windows +6. These should have all been solved. If not then please let Andrew +Tridgell know via email at +<A HREF="mailto:samba-bugs@samba.anu.edu.au">samba-bugs@samba.anu.edu.au</A>.</P> + + +<H2><A NAME="ss2.9">2.9 My "server string" doesn't seem to be recognised</A></H2> + +<P> +<A NAME="bad_server_string"></A> + +OR My client reports the default setting, eg. "Samba 1.9.15p4", instead +of what I have changed it to in the smb.conf file.</P> +<P>You need to use the -C option in nmbd. The "server string" affects +what smbd puts out and -C affects what nmbd puts out.</P> +<P>Current versions of Samba (1.9.16 +) have combined these options into +the "server string" field of smb.conf, -C for nmbd is now obsolete.</P> + + +<H2><A NAME="ss2.10">2.10 My client reports "This server is not configured to list shared resources" </A></H2> + +<P> +<A NAME="cant_list_shares"></A> + +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in smbd. Check that your guest account is +valid.</P> +<P>See also 'guest account' in smb.conf man page.</P> + + +<H2><A NAME="ss2.11">2.11 Log message "you appear to have a trapdoor uid system" </A></H2> + +<P> +<A NAME="trapdoor_uid"></A> + +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535.</P> +<P>It might also mean that your OS has a trapdoor uid/gid system :-)</P> +<P>This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems.</P> +<P>The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user.</P> +<P>Complain to your OS vendor and ask them to fix their system.</P> +<P>Note: the reason why 65535 is a VERY bad choice of uid and gid is that +it casts to -1 as a uid, and the setreuid() system call ignores (with +no error) uid changes to -1. This means any daemon attempting to run +as uid 65535 will actually run as root. This is not good!</P> + + +<HR> +<A HREF="sambafaq-1.html">Previous</A> +<A HREF="sambafaq-3.html">Next</A> +<A HREF="sambafaq.html#toc2">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/sambafaq-3.html b/docs/faq/sambafaq-3.html new file mode 100644 index 00000000000..1b5dcf4d9aa --- /dev/null +++ b/docs/faq/sambafaq-3.html @@ -0,0 +1,322 @@ +<HTML> +<HEAD> +<TITLE> Samba FAQ: Common client questions</TITLE> +</HEAD> +<BODY> +<A HREF="sambafaq-2.html">Previous</A> +<A HREF="sambafaq-4.html">Next</A> +<A HREF="sambafaq.html#toc3">Table of Contents</A> +<HR> +<H2><A NAME="s3">3. Common client questions</A></H2> + +<P> +<A NAME="client_questions"></A> +</P> + +<H2><A NAME="ss3.1">3.1 Are there any Macintosh clients for Samba?</A></H2> + +<P> +<A NAME="mac_clients"></A> + +Yes! Thursby now have a CIFS Client / Server called DAVE - see +<A HREF="http://www.thursby.com/">http://www.thursby.com/</A>. +They test it against Windows 95, Windows NT and samba for compatibility issues. +At the time of writing, DAVE was at version 1.0.1. The 1.0.0 to 1.0.1 update is available +as a free download from the Thursby web site (the speed of finder copies has +been greatly enhanced, and there are bug-fixes included).</P> +<P>Alternatives - There are two free implementations of AppleTalk for +several kinds of UNIX machnes, and several more commercial ones. +These products allow you to run file services and print services +natively to Macintosh users, with no additional support required on +the Macintosh. The two free omplementations are Netatalk, +<A HREF="http://www.umich.edu/~rsug/netatalk/">http://www.umich.edu/~rsug/netatalk/</A>, and CAP, +<A HREF="http://www.cs.mu.oz.au/appletalk/atalk.html">http://www.cs.mu.oz.au/appletalk/atalk.html</A>. What Samba offers +MS Windows users, these packages offer to Macs. For more info on +these packages, Samba, and Linux (and other UNIX-based systems) +see +<A HREF="http://www.eats.com/linux_mac_win.html">http://www.eats.com/linux_mac_win.html</A></P> + + +<H2><A NAME="ss3.2">3.2 "Session request failed (131,130)" error</A></H2> + +<P> +<A NAME="sess_req_fail"></A> + +The following answer is provided by John E. Miller:</P> +<P>I'll assume that you're able to ping back and forth between the +machines by IP address and name, and that you're using some security +model where you're confident that you've got user IDs and passwords +right. The logging options (-d3 or greater) can help a lot with that. +DNS and WINS configuration can also impact connectivity as well.</P> +<P>Now, on to 'scope id's. Somewhere in your Win95 TCP/IP network +configuration (I'm too much of an NT bigot to know where it's located +in the Win95 setup, but I'll have to learn someday since I teach for a +Microsoft Solution Provider Authorized Tech Education Center - what an +acronym...) <F>Note: It's under Control Panel | Network | TCP/IP | WINS +Configuration</F> there's a little text entry field called something like +'Scope ID'.</P> +<P>This field essentially creates 'invisible' sub-workgroups on the same +wire. Boxes can only see other boxes whose Scope IDs are set to the +exact same value - it's sometimes used by OEMs to configure their +boxes to browse only other boxes from the same vendor and, in most +environments, this field should be left blank. If you, in fact, have +something in this box that EXACT value (case-sensitive!) needs to be +provided to smbclient and nmbd as the -i (lowercase) parameter. So, if +your Scope ID is configured as the string 'SomeStr' in Win95 then +you'd have to use smbclient -iSomeStr <F>otherparms</F> in connecting to +it.</P> + + +<H2><A NAME="ss3.3">3.3 How do I synchronise my PC's clock with my Samba server? </A></H2> + +<P> +<A NAME="synchronise_clock"></A> + +To syncronize your PC's clock with your Samba server: +<UL> +<LI> Copy timesync.pif to your windows directory</LI> +<LI> timesync.pif can be found at: +<A HREF="http://samba.anu.edu.au/samba/binaries/miscellaneous/timesync.pif">http://samba.anu.edu.au/samba/binaries/miscellaneous/timesync.pif</A></LI> +<LI> Add timesync.pif to your 'Start Up' group/folder</LI> +<LI> Open the properties dialog box for the program/icon</LI> +<LI> Make sure the 'Run Minimized' option is set in program 'Properties'</LI> +<LI> Change the command line section that reads <F>\\sambahost</F> to reflect the name of your server.</LI> +<LI> Close the properties dialog box by choosing 'OK'</LI> +</UL> + +Each time you start your computer (or login for Win95) your PC will +synchronize its clock with your Samba server.</P> +<P>Alternativley, if you clients support Domain Logons, you can setup Domain Logons with Samba +- see: +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt">BROWSING.txt</A> *** for more information.</P> +<P>Then add +<BLOCKQUOTE><CODE> +<PRE> +NET TIME \\%L /SET /YES +</PRE> +</CODE></BLOCKQUOTE> + +as one of the lines in the logon script.</P> + +<H2><A NAME="ss3.4">3.4 Problems with WinDD, NTrigue, WinCenterPro etc</A></H2> + +<P> +<A NAME="multiple_session_clients"></A> +</P> +<P>All of the above programs are applications that sit on an NT box and +allow multiple users to access the NT GUI applications from remote +workstations (often over X).</P> +<P>What has this got to do with Samba? The problem comes when these users +use filemanager to mount shares from a Samba server. The most common +symptom is that the first user to connect get correct file permissions +and has a nice day, but subsequent connections get logged in as the +same user as the first person to login. They find that they cannot +access files in their own home directory, but that they can access +files in the first users home directory (maybe not such a nice day +after all?)</P> +<P>Why does this happen? The above products all share a common heritage +(and code base I believe). They all open just a single TCP based SMB +connection to the Samba server, and requests from all users are piped +over this connection. This is unfortunate, but not fatal.</P> +<P>It means that if you run your Samba server in share level security +(the default) then things will definately break as described +above. The share level SMB security model has no provision for +multiple user IDs on the one SMB connection. See +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt">security_level.txt</A> in +the docs for more info on share/user/server level security.</P> +<P>If you run in user or server level security then you have a chance, +but only if you have a recent version of Samba (at least 1.9.15p6). In +older versions bugs in Samba meant you still would have had problems.</P> +<P>If you have a trapdoor uid system in your OS then it will never work +properly. Samba needs to be able to switch uids on the connection and +it can't if your OS has a trapdoor uid system. You'll know this +because Samba will note it in your logs.</P> +<P>Also note that you should not use the magic "homes" share name with +products like these, as otherwise all users will end up with the same +home directory. Use <F>\\server\username</F> instead.</P> + + +<H2><A NAME="ss3.5">3.5 Problem with printers under NT</A></H2> + +<P> +<A NAME="nt_printers"></A> + +This info from Stefan Hergeth +hergeth@f7axp1.informatik.fh-muenchen.de may be useful:</P> +<P>A network-printer (with ethernetcard) is connected to the NT-Clients +via our UNIX-Fileserver (SAMBA-Server), like the configuration told by +Matthew Harrell harrell@leech.nrl.navy.mil (see WinNT.txt) +<OL> +<LI>If a user has choosen this printer as the default printer in his +NT-Session and this printer is not connected to the network +(e.g. switched off) than this user has a problem with the SAMBA- +connection of his filesystems. It's very slow. +</LI> +<LI>If the printer is connected to the network everything works fine. +</LI> +<LI>When the smbd ist started with debug level 3, you can see that the +NT spooling system try to connect to the printer many times. If the +printer ist not connected to the network this request fails and the +NT spooler is wasting a lot of time to connect to the printer service. +This seems to be the reason for the slow network connection. +</LI> +<LI>Maybe it's possible to change this behaviour by setting different +printer properties in the Print-Manager-Menu of NT, but i didn't try it yet.</LI> +</OL> +</P> + + +<H2><A NAME="ss3.6">3.6 Why are my file's timestamps off by an hour, or by a few hours?</A></H2> + +<P> +<A NAME="dst_bugs"></A> + +This is from Paul Eggert eggert@twinsun.com.</P> +<P>Most likely it's a problem with your time zone settings.</P> +<P>Internally, Samba maintains time in traditional Unix format, +namely, the number of seconds since 1970-01-01 00:00:00 Universal Time +(or ``GMT''), not counting leap seconds.</P> +<P>On the server side, Samba uses the Unix TZ variable to convert +internal timestamps to and from local time. So on the server side, there are +two things to get right. +<OL> +<LI>The Unix system clock must have the correct Universal time. +Use the shell command "sh -c 'TZ=UTC0 date'" to check this. +</LI> +<LI>The TZ environment variable must be set on the server +before Samba is invoked. The details of this depend on the +server OS, but typically you must edit a file whose name is +/etc/TIMEZONE or /etc/default/init, or run the command `zic -l'. +</LI> +<LI>TZ must have the correct value. +<OL> +<LI>If possible, use geographical time zone settings +(e.g. TZ='America/Los_Angeles' or perhaps +TZ=':US/Pacific'). These are supported by most +popular Unix OSes, are easier to get right, and are +more accurate for historical timestamps. If your +operating system has out-of-date tables, you should be +able to update them from the public domain time zone +tables at +<A HREF="ftp://elsie.nci.nih.gov/pub/">ftp://elsie.nci.nih.gov/pub/</A>. +</LI> +<LI>If your system does not support geographical timezone +settings, you must use a Posix-style TZ strings, e.g. +TZ='PST8PDT,M4.1.0/2,M10.5.0/2' for US Pacific time. +Posix TZ strings can take the following form (with optional +items in brackets): +<PRE> + StdOffset[Dst[Offset],Date/Time,Date/Time] +</PRE> + +where: +<UL> +<LI> `Std' is the standard time designation (e.g. `PST'). +</LI> +<LI> `Offset' is the number of hours behind UTC (e.g. `8'). +Prepend a `-' if you are ahead of UTC, and +append `:30' if you are at a half-hour offset. +Omit all the remaining items if you do not use +daylight-saving time. +</LI> +<LI> `Dst' is the daylight-saving time designation +(e.g. `PDT'). + +The optional second `Offset' is the number of +hours that daylight-saving time is behind UTC. +The default is 1 hour ahead of standard time. +</LI> +<LI> `Date/Time,Date/Time' specify when daylight-saving +time starts and ends. The format for a date is +`Mm.n.d', which specifies the dth day (0 is Sunday) +of the nth week of the mth month, where week 5 means +the last such day in the month. The format for a +time is <F>h</F>h<F>:mm[:ss</F>], using a 24-hour clock.</LI> +</UL> + +Other Posix string formats are allowed but you don't want +to know about them.</LI> +</OL> +</LI> +</OL> + +On the client side, you must make sure that your client's clock and +time zone is also set appropriately. <F>[I don't know how to do this.</F>] +Samba traditionally has had many problems dealing with time zones, due +to the bizarre ways that Microsoft network protocols handle time +zones. A common symptom is for file timestamps to be off by an hour. +To work around the problem, try disconnecting from your Samba server +and then reconnecting to it; or upgrade your Samba server to +1.9.16alpha10 or later.</P> + + +<H2><A NAME="ss3.7">3.7 How do I set the printer driver name correctly? </A></H2> + +<P> +<A NAME="printer_driver_name"></A> + +Question: +On NT, I opened "Printer Manager" and "Connect to Printer". +Enter <F>"\\ptdi270\ps1"</F> in the box of printer. I got the +following error message: +<BLOCKQUOTE><CODE> +<PRE> + You do not have sufficient access to your machine + to connect to the selected printer, since a driver + needs to be installed locally. +</PRE> +</CODE></BLOCKQUOTE> + +Answer:</P> +<P>In the more recent versions of Samba you can now set the "printer +driver" in smb.conf. This tells the client what driver to use. For +example: +<BLOCKQUOTE><CODE> +<PRE> + printer driver = HP LaserJet 4L +</PRE> +</CODE></BLOCKQUOTE> + +with this, NT knows to use the right driver. You have to get this string +exactly right.</P> +<P>To find the exact string to use, you need to get to the dialog box in +your client where you select which printer driver to install. The +correct strings for all the different printers are shown in a listbox +in that dialog box.</P> +<P>You could also try setting the driver to NULL like this: +<BLOCKQUOTE><CODE> +<PRE> + printer driver = NULL +</PRE> +</CODE></BLOCKQUOTE> + +this is effectively what older versions of Samba did, so if that +worked for you then give it a go. If this does work then let us know via +<A HREF="mailto:samba-bugs@samba.anu.edu.au">samba-bugs@samba.anu.edu.au</A>, +and we'll make it the default. Currently the default is a 0 length +string.</P> + + +<H2><A NAME="ss3.8">3.8 I've applied NT 4.0 SP3, and now I can't access Samba shares, Why?</A></H2> + +<P> +<A NAME="NT_SP3_FIX"></A> + +As of SP3, Microsoft has decided that they will no longer default to +passing clear text passwords over the network. To enable access to +Samba shares from NT 4.0 SP3, you must do <B>ONE</B> of two things: +<OL> +<LI> Set the Samba configuration option 'security = user' and implement all of the stuff detailed in +<A HREF="ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt">ENCRYPTION.txt</A>.</LI> +<LI> Follow Microsoft's directions for setting your NT box to allow plain text passwords. see +<A HREF="http://www.microsoft.com/kb/articles/q166/7/30.htm">Knowledge Base Article Q166730</A></LI> +</OL> +</P> + + +<HR> +<A HREF="sambafaq-2.html">Previous</A> +<A HREF="sambafaq-4.html">Next</A> +<A HREF="sambafaq.html#toc3">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/sambafaq-4.html b/docs/faq/sambafaq-4.html new file mode 100644 index 00000000000..94d5c419906 --- /dev/null +++ b/docs/faq/sambafaq-4.html @@ -0,0 +1,37 @@ +<HTML> +<HEAD> +<TITLE> Samba FAQ: Specific client application problems</TITLE> +</HEAD> +<BODY> +<A HREF="sambafaq-3.html">Previous</A> +<A HREF="sambafaq-5.html">Next</A> +<A HREF="sambafaq.html#toc4">Table of Contents</A> +<HR> +<H2><A NAME="s4">4. Specific client application problems</A></H2> + +<P> +<A NAME="client_problems"></A> +</P> + +<H2><A NAME="ss4.1">4.1 MS Office Setup reports "Cannot change properties of '\MSOFFICE\SETUP.INI'"</A></H2> + +<P> +<A NAME="cant_change_properties"></A> + +When installing MS Office on a Samba drive for which you have admin +user permissions, ie. admin users = username, you will find the +setup program unable to complete the installation.</P> +<P>To get around this problem, do the installation without admin user +permissions The problem is that MS Office Setup checks that a file is +rdonly by trying to open it for writing.</P> +<P>Admin users can always open a file for writing, as they run as root. +You just have to install as a non-admin user and then use "chown -R" +to fix the owner.</P> + + +<HR> +<A HREF="sambafaq-3.html">Previous</A> +<A HREF="sambafaq-5.html">Next</A> +<A HREF="sambafaq.html#toc4">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/sambafaq-5.html b/docs/faq/sambafaq-5.html new file mode 100644 index 00000000000..0a6e9d08f03 --- /dev/null +++ b/docs/faq/sambafaq-5.html @@ -0,0 +1,30 @@ +<HTML> +<HEAD> +<TITLE> Samba FAQ: Miscellaneous</TITLE> +</HEAD> +<BODY> +<A HREF="sambafaq-4.html">Previous</A> +Next +<A HREF="sambafaq.html#toc5">Table of Contents</A> +<HR> +<H2><A NAME="s5">5. Miscellaneous</A></H2> + +<P> +<A NAME="miscellaneous"></A> +</P> +<H2><A NAME="ss5.1">5.1 Is Samba Year 2000 compliant?</A></H2> + +<P> +<A NAME="Year2000Compliant"></A> + +The CIFS protocol that Samba implements +negotiates times in various formats, all of which +are able to cope with dates beyond 2000.</P> + + +<HR> +<A HREF="sambafaq-4.html">Previous</A> +Next +<A HREF="sambafaq.html#toc5">Table of Contents</A> +</BODY> +</HTML> diff --git a/docs/faq/sambafaq.html b/docs/faq/sambafaq.html new file mode 100644 index 00000000000..9c45d524dd3 --- /dev/null +++ b/docs/faq/sambafaq.html @@ -0,0 +1,115 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<HTML> +<HEAD> +<TITLE> Samba FAQ</TITLE> +</HEAD> +<BODY> +Previous +<A HREF="sambafaq-1.html">Next</A> +Table of Contents +<HR> +<H1> Samba FAQ</H1> + +<H2>Paul Blackman, <CODE>ictinus@samba.anu.edu.au</CODE></H2>v 0.8, June '97 +<P><HR><EM> This is the Frequently Asked Questions (FAQ) document for +Samba, the free and very popular SMB server product. An SMB server +allows file and printer connections from clients such as Windows, +OS/2, Linux and others. Current to version 1.9.17. Please send any +corrections to the author.</EM><HR></P> +<P> +<H2><A NAME="toc1">1.</A> <A HREF="sambafaq-1.html">General Information</A></H2> +<UL> +<LI><A HREF="sambafaq-1.html#ss1.1">1.1 What is Samba? </A> +<LI><A HREF="sambafaq-1.html#ss1.2">1.2 What is the current version of Samba? </A> +<LI><A HREF="sambafaq-1.html#ss1.3">1.3 Where can I get it? </A> +<LI><A HREF="sambafaq-1.html#ss1.4">1.4 What do the version numbers mean? </A> +<LI><A HREF="sambafaq-1.html#ss1.5">1.5 What platforms are supported? </A> +<LI><A HREF="sambafaq-1.html#ss1.6">1.6 How can I find out more about Samba? </A> +<LI><A HREF="sambafaq-1.html#ss1.7">1.7 How do I subscribe to the Samba Mailing Lists?</A> +<LI><A HREF="sambafaq-1.html#ss1.8">1.8 Something's gone wrong - what should I do? </A> +<LI><A HREF="sambafaq-1.html#ss1.9">1.9 Pizza supply details </A> +</UL> + +<P> +<H2><A NAME="toc2">2.</A> <A HREF="sambafaq-2.html">Compiling and installing Samba on a Unix host</A></H2> +<UL> +<LI><A HREF="sambafaq-2.html#ss2.1">2.1 I can't see the Samba server in any browse lists!</A> +<LI><A HREF="sambafaq-2.html#ss2.2">2.2 Some files that I KNOW are on the server doesn't show up when I view the files from my client! </A> +<LI><A HREF="sambafaq-2.html#ss2.3">2.3 Some files on the server show up with really wierd filenames when I view the files from my client! </A> +<LI><A HREF="sambafaq-2.html#ss2.4">2.4 My client reports "cannot locate specified computer" or similar</A> +<LI><A HREF="sambafaq-2.html#ss2.5">2.5 My client reports "cannot locate specified share name" or similar</A> +<LI><A HREF="sambafaq-2.html#ss2.6">2.6 My client reports "cannot find domain controller", "cannot log on to the network" or similar </A> +<LI><A HREF="sambafaq-2.html#ss2.7">2.7 Printing doesn't work :-(</A> +<LI><A HREF="sambafaq-2.html#ss2.8">2.8 My programs install on the server OK, but refuse to work properly</A> +<LI><A HREF="sambafaq-2.html#ss2.9">2.9 My "server string" doesn't seem to be recognised</A> +<LI><A HREF="sambafaq-2.html#ss2.10">2.10 My client reports "This server is not configured to list shared resources" </A> +<LI><A HREF="sambafaq-2.html#ss2.11">2.11 Log message "you appear to have a trapdoor uid system" </A> +</UL> + +<P> +<H2><A NAME="toc3">3.</A> <A HREF="sambafaq-3.html">Common client questions</A></H2> +<UL> +<LI><A HREF="sambafaq-3.html#ss3.1">3.1 Are there any Macintosh clients for Samba?</A> +<LI><A HREF="sambafaq-3.html#ss3.2">3.2 "Session request failed (131,130)" error</A> +<LI><A HREF="sambafaq-3.html#ss3.3">3.3 How do I synchronise my PC's clock with my Samba server? </A> +<LI><A HREF="sambafaq-3.html#ss3.4">3.4 Problems with WinDD, NTrigue, WinCenterPro etc</A> +<LI><A HREF="sambafaq-3.html#ss3.5">3.5 Problem with printers under NT</A> +<LI><A HREF="sambafaq-3.html#ss3.6">3.6 Why are my file's timestamps off by an hour, or by a few hours?</A> +<LI><A HREF="sambafaq-3.html#ss3.7">3.7 How do I set the printer driver name correctly? </A> +<LI><A HREF="sambafaq-3.html#ss3.8">3.8 I've applied NT 4.0 SP3, and now I can't access Samba shares, Why?</A> +</UL> + +<P> +<H2><A NAME="toc4">4.</A> <A HREF="sambafaq-4.html">Specific client application problems</A></H2> +<UL> +<LI><A HREF="sambafaq-4.html#ss4.1">4.1 MS Office Setup reports "Cannot change properties of '\MSOFFICE\SETUP.INI'"</A> +</UL> + +<P> +<H2><A NAME="toc5">5.</A> <A HREF="sambafaq-5.html">Miscellaneous</A></H2> +<UL> +<LI><A HREF="sambafaq-5.html#ss5.1">5.1 Is Samba Year 2000 compliant?</A> +</UL> + + +<HR> +Previous +<A HREF="sambafaq-1.html">Next</A> +Table of Contents +</BODY> +</HTML> diff --git a/docs/faq/sambafaq.sgml b/docs/faq/sambafaq.sgml new file mode 100644 index 00000000000..d306881b56b --- /dev/null +++ b/docs/faq/sambafaq.sgml @@ -0,0 +1,792 @@ +<!doctype linuxdoc system> <!-- -*- SGML -*- --> +<!-- + v 0.5 18 Oct 1996 Dan Shearer Dan.Shearer@unisa.edu.au + First linuxdoc-sgml version, outline only + v 0.6 25 Oct 1996 Dan + Filled in from current text faq + v 0.7 1 June 1997 Paul + Replicated changes in txt faq to sgml faq + 9 June 1997 Paul + Lots of changes, added doco list, updated compatible systems list + added NT SP3 entry, added Year 2000 entry, Getting ready for 1.9.17 + v 0.8 7th Oct 97 Paul + changed samba.canberra entries to samba.anu.../samba/ +--> + +<article> + +<title> Samba FAQ + +<author>Paul Blackman, <tt>ictinus@samba.anu.edu.au</tt> + +<date>v 0.8, June '97 + +<abstract> This is the Frequently Asked Questions (FAQ) document for +Samba, the free and very popular SMB server product. An SMB server +allows file and printer connections from clients such as Windows, +OS/2, Linux and others. Current to version 1.9.17. Please send any +corrections to the author. +</abstract> + +<toc> + +<sect> General Information<p> <label id="general_info"> + +All about Samba - what it is, how to get it, related sources of +information, how to understand the version numbering scheme, pizza +details + +<sect1> What is Samba? <p> <label id="introduction"> +Samba is a suite of programs which work together to allow clients to +access to a server's filespace and printers via the SMB (Server +Message Block) protocol. Initially written for Unix, Samba now also +runs on Netware, OS/2 and VMS. + +In practice, this means that you can redirect disks and printers to +Unix disks and printers from Lan Manager clients, Windows for +Workgroups 3.11 clients, Windows NT clients, Linux clients and OS/2 +clients. There is also a generic Unix client program supplied as part +of the suite which allows Unix users to use an ftp-like interface to +access filespace and printers on any other SMB servers. This gives the +capability for these operating systems to behave much like a LAN +Server or Windows NT Server machine, only with added functionality and +flexibility designed to make life easier for administrators. + +The components of the suite are (in summary): + +<itemize> +<item><bf>smbd</bf>, the SMB server. This handles actual connections from clients, doing all the file, permission and username work +<item><bf>nmbd</bf>, the Netbios name server, which helps clients locate servers, doing the browsing work and managing domains as this capability is being built into Samba +<item><bf>smbclient</bf>, the Unix-hosted client program +<item><bf>smbrun</bf>, a little 'glue' program to help the server run external programs +<item><bf>testprns</bf>, a program to test server access to printers +<item><bf>testparms</bf>, a program to test the Samba configuration file for correctness +<item><bf>smb.conf</bf>, the Samba configuration file +<item><bf>smbprint</bf>, a sample script to allow a Unix host to use smbclient to print to an SMB server +<item><bf>Documentation!</bf> DON'T neglect to read it - you will save a great deal of time! +</itemize> + +The suite is supplied with full source (of course!) and is GPLed. + +The primary creator of the Samba suite is Andrew Tridgell. Later +versions incorporate much effort by many net.helpers. The man pages +and this FAQ were originally written by Karl Auer. + +<sect1> What is the current version of Samba? <p><label id="current_version"> +At time of writing, the current version was 1.9.17. If you want to be +sure check the bottom of the change-log file. <url url="ftp://samba.anu.edu.au/pub/samba/alpha/change-log"> + +For more information see <ref id="version_nums" name="What do the +version numbers mean?"> + +<sect1> Where can I get it? <p> <label id="where"> +The Samba suite is available via anonymous ftp from +samba.anu.edu.au. The latest and greatest versions of the suite are in +the directory: + +/pub/samba/ + +Development (read "alpha") versions, which are NOT necessarily stable +and which do NOT necessarily have accurate documentation, are +available in the directory: + +/pub/samba/alpha + +Note that binaries are NOT included in any of the above. Samba is +distributed ONLY in source form, though binaries may be available from +other sites. Recent versions of some Linux distributions, for example, +do contain Samba binaries for that platform. + +<sect1> What do the version numbers mean? <p> <label id="version_nums"> +It is not recommended that you run a version of Samba with the word +"alpha" in its name unless you know what you are doing and are willing +to do some debugging. Many, many people just get the latest +recommended stable release version and are happy. If you are brave, by +all means take the plunge and help with the testing and development - +but don't install it on your departmental server. Samba is typically +very stable and safe, and this is mostly due to the policy of many +public releases. + +How the scheme works: +<enum> +<item>When major changes are made the version number is increased. For +example, the transition from 1.9.15 to 1.9.16. However, this version +number will not appear immediately and people should continue to use +1.9.15 for production systems (see next point.) + +<item>Just after major changes are made the software is considered +unstable, and a series of alpha releases are distributed, for example +1.9.16alpha1. These are for testing by those who know what they are +doing. The "alpha" in the filename will hopefully scare off those who +are just looking for the latest version to install. + +<item>When Andrew thinks that the alphas have stabilised to the point +where he would recommend new users install it, he renames it to the +same version number without the alpha, for example 1.9.16. + +<item>Inevitably bugs are found in the "stable" releases and minor patch +levels are released which give us the pXX series, for example 1.9.16p2. +</enum> +So the progression goes: +<verb> + 1.9.15p7 (production) + 1.9.15p8 (production) + 1.9.16alpha1 (test sites only) + : + 1.9.16alpha20 (test sites only) + 1.9.16 (production) + 1.9.16p1 (production) +</verb> +The above system means that whenever someone looks at the samba ftp +site they will be able to grab the highest numbered release without an +alpha in the name and be sure of getting the current recommended +version. + +<sect1> What platforms are supported? <p> <label id="platforms"> +Many different platforms have run Samba successfully. The platforms +most widely used and thus best tested are Linux and SunOS. + +At time of writing, the Makefile claimed support for: +<itemize> +<item> A/UX 3.0 +<item> AIX +<item> Altos Series 386/1000 +<item> Amiga +<item> Apollo Domain/OS sr10.3 +<item> BSDI +<item> B.O.S. (Bull Operating System) +<item> Cray, Unicos 8.0 +<item> Convex +<item> DGUX. +<item> DNIX. +<item> FreeBSD +<item> HP-UX +<item> Intergraph. +<item> Linux with/without shadow passwords and quota +<item> LYNX 2.3.0 +<item> MachTen (a unix like system for Macintoshes) +<item> Motorola 88xxx/9xx range of machines +<item> NetBSD +<item> NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for Mach). +<item> OS/2 using EMX 0.9b +<item> OSF1 +<item> QNX 4.22 +<item> RiscIX. +<item> RISCOs 5.0B +<item> SEQUENT. +<item> SCO (including: 3.2v2, European dist., OpenServer 5) +<item> SGI. +<item> SMP_DC.OSx v1.1-94c079 on Pyramid S series +<item> SONY NEWS, NEWS-OS (4.2.x and 6.1.x) +<item> SUNOS 4 +<item> SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later') +<item> Sunsoft ISC SVR3V4 +<item> SVR4 +<item> System V with some berkely extensions (Motorola 88k R32V3.2). +<item> ULTRIX. +<item> UNIXWARE +<item> UXP/DS +</itemize> + +<sect1> How can I find out more about Samba? <p> <label id="more"> +There are a number of places to look for more information on Samba, including: +<itemize> +<item>Two mailing lists devoted to discussion of Samba-related matters. +<item>The newsgroup, comp.protocols.smb, which has a great deal of discussion on Samba. +<item>The WWW site 'SAMBA Web Pages' at <url url="http://samba.edu.au/samba/"> includes: + <itemize> + <item>Links to man pages and documentation, including this FAQ + <item>A comprehensive survey of Samba users. + <item>A searchable hypertext archive of the Samba mailing list. + <item>Links to Samba source code, binaries, and mirrors of both. + </itemize> +<item>The long list of topic documentation. These files can be found in the 'docs' directory of the Samba source, or at <url url="ftp://samba.anu.edu.au/pub/samba/docs/"> + <itemize> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Application_Serving.txt" name="Application_Serving.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt" name="BROWSING.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/BUGS.txt" name="BUGS.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/DIAGNOSIS.txt" name="DIAGNOSIS.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/DNIX.txt" name="DNIX.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN.txt" name="DOMAIN.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN_CONTROL.txt" name="CONTROL.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt" name="ENCRYPTION.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Faxing.txt" name="Faxing.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/GOTCHAS.txt" name="GOTCHAS.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/HINTS.txt" name="HINTS.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.sambatar" name="INSTALL.sambatar"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.txt" name="INSTALL.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/MIRRORS" name="MIRRORS"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/NetBIOS.txt" name="NetBIOS.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/OS2.txt" name="OS2.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/PROJECTS" name="PROJECTS"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Passwords.txt" name="Passwords.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Printing.txt" name="Printing.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/README.DCEDFS" name="README.DCEDFS"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/README.OS2" name="README.OS2"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/README.jis" name="README.jis"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/README.sambatar" name="README.sambatar"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/SCO.txt" name="SCO.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/SMBTAR.notes" name="SMBTAR.notes"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Speed.txt" name="Speed.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Support.txt" name="Support.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/THANKS" name="THANKS"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Tracing.txt" name="Tracing.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/UNIX-SMB.txt" name="SMB.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/Warp.txt" name="Warp.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/WinNT.txt" name="WinNT.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/history" name="history"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt" name="level.txt"> + <item><url url="ftp://samba.anu.edu.au/pub/samba/docs/wfw_slip.htm" name="slip.htm"> + </itemize> +</itemize> + +<sect1>How do I subscribe to the Samba Mailing Lists?<p><label id="mailinglist"> +Send email to <htmlurl url="mailto:listproc@samba.anu.edu.au" name="listproc@samba.anu.edu.au">. Make sure the subject line is +blank, and include the following two lines in the body of the message: +<tscreen><verb> +subscribe samba Firstname Lastname +subscribe samba-announce Firstname Lastname +</verb></tscreen> +Obviously you should substitute YOUR first name for "Firstname" and +YOUR last name for "Lastname"! Try not to send any signature stuff, it +sometimes confuses the list processor. + +The samba list is a digest list - every eight hours or so it +regurgitates a single message containing all the messages that have +been received by the list since the last time and sends a copy of this +message to all subscribers. + +If you stop being interested in Samba, please send another email to +<htmlurl url="mailto:listproc@samba.anu.edu.au" name="listproc@samba.anu.edu.au">. Make sure the subject line is blank, and +include the following two lines in the body of the message: +<tscreen><verb> +unsubscribe samba +unsubscribe samba-announce +</verb></tscreen> +The <bf>From:</bf> line in your message <em>MUST</em> be the same address you used when +you subscribed. + +<sect1> Something's gone wrong - what should I do? <p> <label id="wrong"> +<bf>[#] *** IMPORTANT! *** [#]</bf> +<p>DO NOT post messages on mailing lists or in newsgroups until you have +carried out the first three steps given here! + +Firstly, see if there are any likely looking entries in this FAQ! If +you have just installed Samba, have you run through the checklist in +<url url="ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt" name="DIAGNOSIS.txt">? It can save you a lot of time and effort. +DIAGNOSIS.txt can also be found in the docs directory of the Samba distribution. + +Secondly, read the man pages for smbd, nmbd and smb.conf, looking for +topics that relate to what you are trying to do. + +Thirdly, if there is no obvious solution to hand, try to get a look at +the log files for smbd and/or nmbd for the period during which you +were having problems. You may need to reconfigure the servers to +provide more extensive debugging information - usually level 2 or +level 3 provide ample debugging info. Inspect these logs closely, +looking particularly for the string "Error:". + +Fourthly, if you still haven't got anywhere, ask the mailing list or +newsgroup. In general nobody minds answering questions provided you +have followed the preceding steps. It might be a good idea to scan the +archives of the mailing list, which are available through the Samba +web site described in the previous +section. + +If you successfully solve a problem, please mail the FAQ maintainer a +succinct description of the symptom, the problem and the solution, so +I can incorporate it in the next version. + +If you make changes to the source code, _please_ submit these patches +so that everyone else gets the benefit of your work. This is one of +the most important aspects to the maintainence of Samba. Send all +patches to <htmlurl url="mailto:samba-bugs@samba.anu.edu.au" name="samba-bugs@samba.anu.edu.au">. Do not send patches to Andrew Tridgell or any +other individual, they may be lost if you do. + +<sect1> Pizza supply details <p> <label id="pizza"> +Those who have registered in the Samba survey as "Pizza Factory" will +already know this, but the rest may need some help. Andrew doesn't ask +for payment, but he does appreciate it when people give him +pizza. This calls for a little organisation when the pizza donor is +twenty thousand kilometres away, but it has been done. + +Method 1: Ring up your local branch of an international pizza chain +and see if they honour their vouchers internationally. Pizza Hut do, +which is how the entire Canberra Linux Users Group got to eat pizza +one night, courtesy of someone in the US + +Method 2: Ring up a local pizza shop in Canberra and quote a credit +card number for a certain amount, and tell them that Andrew will be +collecting it (don't forget to tell him.) One kind soul from Germany +did this. + +Method 3: Purchase a pizza voucher from your local pizza shop that has +no international affiliations and send it to Andrew. It is completely +useless but he can hang it on the wall next to the one he already has +from Germany :-) + +Method 4: Air freight him a pizza with your favourite regional +flavours. It will probably get stuck in customs or torn apart by +hungry sniffer dogs but it will have been a noble gesture. + +<sect>Compiling and installing Samba on a Unix host<p><label id="unix_install"> + +<sect1>I can't see the Samba server in any browse lists!<p><label id="no_browse"> + See <url url="ftp://samba.anu.edu.au/pub/samba/BROWSING.txt" name="BROWSING.txt"> + for more information on browsing. Browsing.txt can also be found + in the docs directory of the Samba source. + +If your GUI client does not permit you to select non-browsable +servers, you may need to do so on the command line. For example, under +Lan Manager you might connect to the above service as disk drive M: +thusly: +<tscreen><verb> + net use M: \\mary\fred +</verb></tscreen> +The details of how to do this and the specific syntax varies from +client to client - check your client's documentation. + +<sect1>Some files that I KNOW are on the server doesn't show up when I view the files from my client! <p> <label id="missing_files"> +See the next question. +<sect1>Some files on the server show up with really wierd filenames when I view the files from my client! <p> <label id="strange_filenames"> +If you check what files are not showing up, you will note that they +are files which contain upper case letters or which are otherwise not +DOS-compatible (ie, they are not legal DOS filenames for some reason). + +The Samba server can be configured either to ignore such files +completely, or to present them to the client in "mangled" form. If you +are not seeing the files at all, the Samba server has most likely been +configured to ignore them. Consult the man page smb.conf(5) for +details of how to change this - the parameter you need to set is +"mangled names = yes". + +<sect1>My client reports "cannot locate specified computer" or similar<p><label id="cant_see_server"> +This indicates one of three things: You supplied an incorrect server +name, the underlying TCP/IP layer is not working correctly, or the +name you specified cannot be resolved. + +After carefully checking that the name you typed is the name you +should have typed, try doing things like pinging a host or telnetting +to somewhere on your network to see if TCP/IP is functioning OK. If it +is, the problem is most likely name resolution. + +If your client has a facility to do so, hardcode a mapping between the +hosts IP and the name you want to use. For example, with Man Manager +or Windows for Workgroups you would put a suitable entry in the file +LMHOSTS. If this works, the problem is in the communication between +your client and the netbios name server. If it does not work, then +there is something fundamental wrong with your naming and the solution +is beyond the scope of this document. + +If you do not have any server on your subnet supplying netbios name +resolution, hardcoded mappings are your only option. If you DO have a +netbios name server running (such as the Samba suite's nmbd program), +the problem probably lies in the way it is set up. Refer to Section +Two of this FAQ for more ideas. + +By the way, remember to REMOVE the hardcoded mapping before further +tests :-) + +<sect1>My client reports "cannot locate specified share name" or similar<p> <label id="cant_see_share"> +This message indicates that your client CAN locate the specified +server, which is a good start, but that it cannot find a service of +the name you gave. + +The first step is to check the exact name of the service you are +trying to connect to (consult your system administrator). Assuming it +exists and you specified it correctly (read your client's doco on how +to specify a service name correctly), read on: + +<itemize> +<item> Many clients cannot accept or use service names longer than eight characters. +<item> Many clients cannot accept or use service names containing spaces. +<item> Some servers (not Samba though) are case sensitive with service names. +<item> Some clients force service names into upper case. +</itemize> + +<sect1>My client reports "cannot find domain controller", "cannot log on to the network" or similar <p> <label id="cant_see_net"> +Nothing is wrong - Samba does not implement the primary domain name +controller stuff for several reasons, including the fact that the +whole concept of a primary domain controller and "logging in to a +network" doesn't fit well with clients possibly running on multiuser +machines (such as users of smbclient under Unix). Having said that, +several developers are working hard on building it in to the next +major version of Samba. If you can contribute, send a message to +<htmlurl url="mailto:samba-bugs@samba.anu.edu.au" name="samba-bugs@samba.anu.edu.au"> ! + +Seeing this message should not affect your ability to mount redirected +disks and printers, which is really what all this is about. + +For many clients (including Windows for Workgroups and Lan Manager), +setting the domain to STANDALONE at least gets rid of the message. + +<sect1>Printing doesn't work :-(<p> <label id="no_printing"> +Make sure that the specified print command for the service you are +connecting to is correct and that it has a fully-qualified path (eg., +use "/usr/bin/lpr" rather than just "lpr"). + +Make sure that the spool directory specified for the service is +writable by the user connected to the service. In particular the user +"nobody" often has problems with printing, even if it worked with an +earlier version of Samba. Try creating another guest user other than +"nobody". + +Make sure that the user specified in the service is permitted to use +the printer. + +Check the debug log produced by smbd. Search for the printer name and +see if the log turns up any clues. Note that error messages to do with +a service ipc$ are meaningless - they relate to the way the client +attempts to retrieve status information when using the LANMAN1 +protocol. + +If using WfWg then you need to set the default protocol to TCP/IP, not +Netbeui. This is a WfWg bug. + +If using the Lanman1 protocol (the default) then try switching to +coreplus. Also not that print status error messages don't mean +printing won't work. The print status is received by a different +mechanism. + +<sect1>My programs install on the server OK, but refuse to work properly<p><label id="programs_wont_run"> +There are numerous possible reasons for this, but one MAJOR +possibility is that your software uses locking. Make sure you are +using Samba 1.6.11 or later. It may also be possible to work around +the problem by setting "locking=no" in the Samba configuration file +for the service the software is installed on. This should be regarded +as a strictly temporary solution. + +In earlier Samba versions there were some difficulties with the very +latest Microsoft products, particularly Excel 5 and Word for Windows +6. These should have all been solved. If not then please let Andrew +Tridgell know via email at <htmlurl url="mailto:samba-bugs@samba.anu.edu.au" name="samba-bugs@samba.anu.edu.au">. + +<sect1>My "server string" doesn't seem to be recognised<p><label id="bad_server_string"> +OR My client reports the default setting, eg. "Samba 1.9.15p4", instead +of what I have changed it to in the smb.conf file. + +You need to use the -C option in nmbd. The "server string" affects +what smbd puts out and -C affects what nmbd puts out. + +Current versions of Samba (1.9.16 +) have combined these options into +the "server string" field of smb.conf, -C for nmbd is now obsolete. + +<sect1>My client reports "This server is not configured to list shared resources" <p> <label id="cant_list_shares"> +Your guest account is probably invalid for some reason. Samba uses the +guest account for browsing in smbd. Check that your guest account is +valid. + +See also 'guest account' in smb.conf man page. + +<sect1>Log message "you appear to have a trapdoor uid system" <p><label id="trapdoor_uid"> +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535. + +It might also mean that your OS has a trapdoor uid/gid system :-) + +This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems. + +The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user. + +Complain to your OS vendor and ask them to fix their system. + +Note: the reason why 65535 is a VERY bad choice of uid and gid is that +it casts to -1 as a uid, and the setreuid() system call ignores (with +no error) uid changes to -1. This means any daemon attempting to run +as uid 65535 will actually run as root. This is not good! + +<sect>Common client questions<p> <label id="client_questions"> + +<sect1>Are there any Macintosh clients for Samba?<p> <label id="mac_clients"> +Yes! Thursby now have a CIFS Client / Server called DAVE - see <url url="http://www.thursby.com/">. +They test it against Windows 95, Windows NT and samba for compatibility issues. +At the time of writing, DAVE was at version 1.0.1. The 1.0.0 to 1.0.1 update is available +as a free download from the Thursby web site (the speed of finder copies has +been greatly enhanced, and there are bug-fixes included). + +Alternatives - There are two free implementations of AppleTalk for +several kinds of UNIX machnes, and several more commercial ones. +These products allow you to run file services and print services +natively to Macintosh users, with no additional support required on +the Macintosh. The two free omplementations are Netatalk, +<url url="http://www.umich.edu/~rsug/netatalk/">, and CAP, +<url url="http://www.cs.mu.oz.au/appletalk/atalk.html">. What Samba offers +MS Windows users, these packages offer to Macs. For more info on +these packages, Samba, and Linux (and other UNIX-based systems) +see <url url="http://www.eats.com/linux_mac_win.html"> + +<sect1>"Session request failed (131,130)" error<p> <label id="sess_req_fail"> +The following answer is provided by John E. Miller: + +I'll assume that you're able to ping back and forth between the +machines by IP address and name, and that you're using some security +model where you're confident that you've got user IDs and passwords +right. The logging options (-d3 or greater) can help a lot with that. +DNS and WINS configuration can also impact connectivity as well. + +Now, on to 'scope id's. Somewhere in your Win95 TCP/IP network +configuration (I'm too much of an NT bigot to know where it's located +in the Win95 setup, but I'll have to learn someday since I teach for a +Microsoft Solution Provider Authorized Tech Education Center - what an +acronym...) [Note: It's under Control Panel | Network | TCP/IP | WINS +Configuration] there's a little text entry field called something like +'Scope ID'. + +This field essentially creates 'invisible' sub-workgroups on the same +wire. Boxes can only see other boxes whose Scope IDs are set to the +exact same value - it's sometimes used by OEMs to configure their +boxes to browse only other boxes from the same vendor and, in most +environments, this field should be left blank. If you, in fact, have +something in this box that EXACT value (case-sensitive!) needs to be +provided to smbclient and nmbd as the -i (lowercase) parameter. So, if +your Scope ID is configured as the string 'SomeStr' in Win95 then +you'd have to use smbclient -iSomeStr [otherparms] in connecting to +it. + +<sect1>How do I synchronise my PC's clock with my Samba server? <p><label id="synchronise_clock"> +To syncronize your PC's clock with your Samba server: +<itemize> +<item> Copy timesync.pif to your windows directory + <item> timesync.pif can be found at: + <url +url="http://samba.anu.edu.au/samba/binaries/miscellaneous/timesync.pif"> +<item> Add timesync.pif to your 'Start Up' group/folder +<item> Open the properties dialog box for the program/icon +<item> Make sure the 'Run Minimized' option is set in program 'Properties' +<iteM> Change the command line section that reads [\\sambahost] to reflect the name of your server. +<item> Close the properties dialog box by choosing 'OK' +</itemize> +Each time you start your computer (or login for Win95) your PC will +synchronize its clock with your Samba server. + +Alternativley, if you clients support Domain Logons, you can setup Domain Logons with Samba + - see: <url url="ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt" name="BROWSING.txt"> *** for more information. +<p>Then add +<tscreen><verb> +NET TIME \\%L /SET /YES +</verb></tscreen> +as one of the lines in the logon script. +<sect1>Problems with WinDD, NTrigue, WinCenterPro etc<p> +<label id="multiple_session_clients"> + +All of the above programs are applications that sit on an NT box and +allow multiple users to access the NT GUI applications from remote +workstations (often over X). + +What has this got to do with Samba? The problem comes when these users +use filemanager to mount shares from a Samba server. The most common +symptom is that the first user to connect get correct file permissions +and has a nice day, but subsequent connections get logged in as the +same user as the first person to login. They find that they cannot +access files in their own home directory, but that they can access +files in the first users home directory (maybe not such a nice day +after all?) + +Why does this happen? The above products all share a common heritage +(and code base I believe). They all open just a single TCP based SMB +connection to the Samba server, and requests from all users are piped +over this connection. This is unfortunate, but not fatal. + +It means that if you run your Samba server in share level security +(the default) then things will definately break as described +above. The share level SMB security model has no provision for +multiple user IDs on the one SMB connection. See <url url="ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt" name="security_level.txt"> in +the docs for more info on share/user/server level security. + +If you run in user or server level security then you have a chance, +but only if you have a recent version of Samba (at least 1.9.15p6). In +older versions bugs in Samba meant you still would have had problems. + +If you have a trapdoor uid system in your OS then it will never work +properly. Samba needs to be able to switch uids on the connection and +it can't if your OS has a trapdoor uid system. You'll know this +because Samba will note it in your logs. + +Also note that you should not use the magic "homes" share name with +products like these, as otherwise all users will end up with the same +home directory. Use [\\server\username] instead. + +<sect1>Problem with printers under NT<p> <label id="nt_printers"> +This info from Stefan Hergeth +hergeth@f7axp1.informatik.fh-muenchen.de may be useful: + + A network-printer (with ethernetcard) is connected to the NT-Clients +via our UNIX-Fileserver (SAMBA-Server), like the configuration told by + Matthew Harrell harrell@leech.nrl.navy.mil (see WinNT.txt) +<enum> +<item>If a user has choosen this printer as the default printer in his + NT-Session and this printer is not connected to the network + (e.g. switched off) than this user has a problem with the SAMBA- + connection of his filesystems. It's very slow. + +<item>If the printer is connected to the network everything works fine. + +<item>When the smbd ist started with debug level 3, you can see that the + NT spooling system try to connect to the printer many times. If the + printer ist not connected to the network this request fails and the + NT spooler is wasting a lot of time to connect to the printer service. + This seems to be the reason for the slow network connection. + +<item>Maybe it's possible to change this behaviour by setting different + printer properties in the Print-Manager-Menu of NT, but i didn't try it yet. +</enum> + +<sect1>Why are my file's timestamps off by an hour, or by a few hours?<p><label id="dst_bugs"> +This is from Paul Eggert eggert@twinsun.com. + +Most likely it's a problem with your time zone settings. + +Internally, Samba maintains time in traditional Unix format, +namely, the number of seconds since 1970-01-01 00:00:00 Universal Time +(or ``GMT''), not counting leap seconds. + +On the server side, Samba uses the Unix TZ variable to convert +internal timestamps to and from local time. So on the server side, there are +two things to get right. +<enum> +<item>The Unix system clock must have the correct Universal time. + Use the shell command "sh -c 'TZ=UTC0 date'" to check this. + +<item>The TZ environment variable must be set on the server + before Samba is invoked. The details of this depend on the + server OS, but typically you must edit a file whose name is + /etc/TIMEZONE or /etc/default/init, or run the command `zic -l'. + +<item>TZ must have the correct value. +<enum> + <item>If possible, use geographical time zone settings + (e.g. TZ='America/Los_Angeles' or perhaps + TZ=':US/Pacific'). These are supported by most + popular Unix OSes, are easier to get right, and are + more accurate for historical timestamps. If your + operating system has out-of-date tables, you should be + able to update them from the public domain time zone + tables at <url url="ftp://elsie.nci.nih.gov/pub/">. + + <item>If your system does not support geographical timezone + settings, you must use a Posix-style TZ strings, e.g. + TZ='PST8PDT,M4.1.0/2,M10.5.0/2' for US Pacific time. + Posix TZ strings can take the following form (with optional + items in brackets): +<verb> + StdOffset[Dst[Offset],Date/Time,Date/Time] +</verb> + where: +<itemize> +<item> `Std' is the standard time designation (e.g. `PST'). + +<item> `Offset' is the number of hours behind UTC (e.g. `8'). + Prepend a `-' if you are ahead of UTC, and + append `:30' if you are at a half-hour offset. + Omit all the remaining items if you do not use + daylight-saving time. + +<item> `Dst' is the daylight-saving time designation + (e.g. `PDT'). + + The optional second `Offset' is the number of + hours that daylight-saving time is behind UTC. + The default is 1 hour ahead of standard time. + +<item> `Date/Time,Date/Time' specify when daylight-saving + time starts and ends. The format for a date is + `Mm.n.d', which specifies the dth day (0 is Sunday) + of the nth week of the mth month, where week 5 means + the last such day in the month. The format for a + time is [h]h[:mm[:ss]], using a 24-hour clock. +</itemize> + Other Posix string formats are allowed but you don't want + to know about them. +</enum> +</enum> +On the client side, you must make sure that your client's clock and +time zone is also set appropriately. [[I don't know how to do this.]] +Samba traditionally has had many problems dealing with time zones, due +to the bizarre ways that Microsoft network protocols handle time +zones. A common symptom is for file timestamps to be off by an hour. +To work around the problem, try disconnecting from your Samba server +and then reconnecting to it; or upgrade your Samba server to +1.9.16alpha10 or later. + +<sect1> How do I set the printer driver name correctly? <p><label id="printer_driver_name"> +Question: + On NT, I opened "Printer Manager" and "Connect to Printer". + Enter ["\\ptdi270\ps1"] in the box of printer. I got the + following error message: +<tscreen><verb> + You do not have sufficient access to your machine + to connect to the selected printer, since a driver + needs to be installed locally. +</verb></tscreen> +Answer: + +In the more recent versions of Samba you can now set the "printer +driver" in smb.conf. This tells the client what driver to use. For +example: +<tscreen><verb> + printer driver = HP LaserJet 4L +</verb></tscreen> +with this, NT knows to use the right driver. You have to get this string +exactly right. + +To find the exact string to use, you need to get to the dialog box in +your client where you select which printer driver to install. The +correct strings for all the different printers are shown in a listbox +in that dialog box. + +You could also try setting the driver to NULL like this: +<tscreen><verb> + printer driver = NULL +</verb></tscreen> +this is effectively what older versions of Samba did, so if that +worked for you then give it a go. If this does work then let us know via <htmlurl url="mailto:samba-bugs@samba.anu.edu.au" name="samba-bugs@samba.anu.edu.au">, +and we'll make it the default. Currently the default is a 0 length +string. + +<sect1>I've applied NT 4.0 SP3, and now I can't access Samba shares, Why?<p><label id="NT_SP3_FIX"> +As of SP3, Microsoft has decided that they will no longer default to +passing clear text passwords over the network. To enable access to +Samba shares from NT 4.0 SP3, you must do <bf>ONE</bf> of two things: +<enum> +<item> Set the Samba configuration option 'security = user' and implement all of the stuff detailed in <url url="ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt" name="ENCRYPTION.txt">. +<item> Follow Microsoft's directions for setting your NT box to allow plain text passwords. see <url url="http://www.microsoft.com/kb/articles/q166/7/30.htm" name="Knowledge Base Article Q166730"> +</enum> + +<sect>Specific client application problems<p> <label id="client_problems"> + +<sect1>MS Office Setup reports "Cannot change properties of '\MSOFFICE\SETUP.INI'"<p> <label id="cant_change_properties"> +When installing MS Office on a Samba drive for which you have admin +user permissions, ie. admin users = username, you will find the +setup program unable to complete the installation. + +To get around this problem, do the installation without admin user +permissions The problem is that MS Office Setup checks that a file is +rdonly by trying to open it for writing. + +Admin users can always open a file for writing, as they run as root. +You just have to install as a non-admin user and then use "chown -R" +to fix the owner. + +<sect>Miscellaneous<p> <label id="miscellaneous"> +<sect1>Is Samba Year 2000 compliant?<p><label id="Year2000Compliant"> +The CIFS protocol that Samba implements +negotiates times in various formats, all of which +are able to cope with dates beyond 2000. + +</article> diff --git a/docs/faq/sambafaq.txt b/docs/faq/sambafaq.txt new file mode 100644 index 00000000000..7108846ae67 --- /dev/null +++ b/docs/faq/sambafaq.txt @@ -0,0 +1,1122 @@ + Samba FAQ + Paul Blackman, ictinus@samba.anu.edu.au + v 0.8, June '97 + + This is the Frequently Asked Questions (FAQ) document for Samba, the + free and very popular SMB server product. An SMB server allows file + and printer connections from clients such as Windows, OS/2, Linux and + others. Current to version 1.9.17. Please send any corrections to the + author. + ______________________________________________________________________ + + Table of Contents: + + 1. General Information + + 1.1. What is Samba? + + 1.2. What is the current version of Samba? + + 1.3. Where can I get it? + + 1.4. What do the version numbers mean? + + 1.5. What platforms are supported? + + 1.6. How can I find out more about Samba? + + 1.7. How do I subscribe to the Samba Mailing Lists? + + 1.8. Something's gone wrong - what should I do? + + 1.9. Pizza supply details + + 2. Compiling and installing Samba on a Unix host + + 2.1. I can't see the Samba server in any browse lists! + + 2.2. Some files that I KNOW are on the server doesn't show up when + I view the files from my client! + + 2.3. Some files on the server show up with really wierd filenames + when I view the files from my client! + + 2.4. My client reports "cannot locate specified computer" or + similar + + 2.5. My client reports "cannot locate specified share name" or + similar + + 2.6. My client reports "cannot find domain controller", "cannot log + on to the network" or similar + + 2.7. Printing doesn't work :-( + + 2.8. My programs install on the server OK, but refuse to work + properly + + 2.9. My "server string" doesn't seem to be recognised + + 2.10. My client reports "This server is not configured to list + shared resources" + + 2.11. Log message "you appear to have a trapdoor uid system" + + 3. Common client questions + + 3.1. Are there any Macintosh clients for Samba? + + 3.2. "Session request failed (131,130)" error + + 3.3. How do I synchronise my PC's clock with my Samba server? + + 3.4. Problems with WinDD, NTrigue, WinCenterPro etc + + 3.5. Problem with printers under NT + + 3.6. Why are my file's timestamps off by an hour, or by a few + hours? + + 3.7. How do I set the printer driver name correctly? + + 3.8. I've applied NT 4.0 SP3, and now I can't access Samba shares, + Why? + + 4. Specific client application problems + + 4.1. MS Office Setup reports "Cannot change properties of + 'MSOFFICEUP.INI'" + + 5. Miscellaneous + + 5.1. Is Samba Year 2000 compliant? + ______________________________________________________________________ + + 11.. GGeenneerraall IInnffoorrmmaattiioonn + + + + All about Samba - what it is, how to get it, related sources of + information, how to understand the version numbering scheme, pizza + details + + + 11..11.. WWhhaatt iiss SSaammbbaa?? + + + Samba is a suite of programs which work together to allow clients to + access to a server's filespace and printers via the SMB (Server + Message Block) protocol. Initially written for Unix, Samba now also + runs on Netware, OS/2 and VMS. + + In practice, this means that you can redirect disks and printers to + Unix disks and printers from Lan Manager clients, Windows for + Workgroups 3.11 clients, Windows NT clients, Linux clients and OS/2 + clients. There is also a generic Unix client program supplied as part + of the suite which allows Unix users to use an ftp-like interface to + access filespace and printers on any other SMB servers. This gives the + capability for these operating systems to behave much like a LAN + Server or Windows NT Server machine, only with added functionality and + flexibility designed to make life easier for administrators. + + The components of the suite are (in summary): + + + +o ssmmbbdd, the SMB server. This handles actual connections from clients, + doing all the file, permission and username work + + +o nnmmbbdd, the Netbios name server, which helps clients locate servers, + doing the browsing work and managing domains as this capability is + being built into Samba + + + +o ssmmbbcclliieenntt, the Unix-hosted client program + + +o ssmmbbrruunn, a little 'glue' program to help the server run external + programs + + +o tteessttpprrnnss, a program to test server access to printers + + +o tteessttppaarrmmss, a program to test the Samba configuration file for + correctness + + +o ssmmbb..ccoonnff, the Samba configuration file + + +o ssmmbbpprriinntt, a sample script to allow a Unix host to use smbclient to + print to an SMB server + + +o DDooccuummeennttaattiioonn!! DON'T neglect to read it - you will save a great + deal of time! + + The suite is supplied with full source (of course!) and is GPLed. + + The primary creator of the Samba suite is Andrew Tridgell. Later + versions incorporate much effort by many net.helpers. The man pages + and this FAQ were originally written by Karl Auer. + + + 11..22.. WWhhaatt iiss tthhee ccuurrrreenntt vveerrssiioonn ooff SSaammbbaa?? + + + At time of writing, the current version was 1.9.17. If you want to be + sure check the bottom of the change-log file. + <ftp://samba.anu.edu.au/pub/samba/alpha/change-log> + + For more information see ``What do the version numbers mean?'' + + + 11..33.. WWhheerree ccaann II ggeett iitt?? + + + The Samba suite is available via anonymous ftp from samba.anu.edu.au. + The latest and greatest versions of the suite are in the directory: + + /pub/samba/ + + Development (read "alpha") versions, which are NOT necessarily stable + and which do NOT necessarily have accurate documentation, are + available in the directory: + + /pub/samba/alpha + + Note that binaries are NOT included in any of the above. Samba is + distributed ONLY in source form, though binaries may be available from + other sites. Recent versions of some Linux distributions, for example, + do contain Samba binaries for that platform. + + + 11..44.. WWhhaatt ddoo tthhee vveerrssiioonn nnuummbbeerrss mmeeaann?? + + + It is not recommended that you run a version of Samba with the word + "alpha" in its name unless you know what you are doing and are willing + to do some debugging. Many, many people just get the latest + recommended stable release version and are happy. If you are brave, by + all means take the plunge and help with the testing and development - + but don't install it on your departmental server. Samba is typically + very stable and safe, and this is mostly due to the policy of many + public releases. + How the scheme works: + + 1. When major changes are made the version number is increased. For + example, the transition from 1.9.15 to 1.9.16. However, this + version number will not appear immediately and people should + continue to use 1.9.15 for production systems (see next point.) + + 2. Just after major changes are made the software is considered + unstable, and a series of alpha releases are distributed, for + example 1.9.16alpha1. These are for testing by those who know what + they are doing. The "alpha" in the filename will hopefully scare + off those who are just looking for the latest version to install. + + 3. When Andrew thinks that the alphas have stabilised to the point + where he would recommend new users install it, he renames it to the + same version number without the alpha, for example 1.9.16. + + 4. Inevitably bugs are found in the "stable" releases and minor patch + levels are released which give us the pXX series, for example + 1.9.16p2. + + So the progression goes: + + 1.9.15p7 (production) + 1.9.15p8 (production) + 1.9.16alpha1 (test sites only) + : + 1.9.16alpha20 (test sites only) + 1.9.16 (production) + 1.9.16p1 (production) + + + The above system means that whenever someone looks at the samba ftp + site they will be able to grab the highest numbered release without an + alpha in the name and be sure of getting the current recommended ver- + sion. + + + 11..55.. WWhhaatt ppllaattffoorrmmss aarree ssuuppppoorrtteedd?? + + + Many different platforms have run Samba successfully. The platforms + most widely used and thus best tested are Linux and SunOS. + + At time of writing, the Makefile claimed support for: + + +o A/UX 3.0 + + +o AIX + + +o Altos Series 386/1000 + + +o Amiga + + +o Apollo Domain/OS sr10.3 + + +o BSDI + + +o B.O.S. (Bull Operating System) + + +o Cray, Unicos 8.0 + + +o Convex + + +o DGUX. + + +o DNIX. + + +o FreeBSD + + +o HP-UX + + +o Intergraph. + + +o Linux with/without shadow passwords and quota + + +o LYNX 2.3.0 + + +o MachTen (a unix like system for Macintoshes) + + +o Motorola 88xxx/9xx range of machines + + +o NetBSD + + +o NEXTSTEP Release 2.X, 3.0 and greater (including OPENSTEP for + Mach). + + +o OS/2 using EMX 0.9b + + +o OSF1 + + +o QNX 4.22 + + +o RiscIX. + + +o RISCOs 5.0B + + +o SEQUENT. + + +o SCO (including: 3.2v2, European dist., OpenServer 5) + + +o SGI. + + +o SMP_DC.OSx v1.1-94c079 on Pyramid S series + + +o SONY NEWS, NEWS-OS (4.2.x and 6.1.x) + + +o SUNOS 4 + + +o SUNOS 5.2, 5.3, and 5.4 (Solaris 2.2, 2.3, and '2.4 and later') + + +o Sunsoft ISC SVR3V4 + + +o SVR4 + + +o System V with some berkely extensions (Motorola 88k R32V3.2). + + +o ULTRIX. + + +o UNIXWARE + + +o UXP/DS + + + 11..66.. HHooww ccaann II ffiinndd oouutt mmoorree aabboouutt SSaammbbaa?? + + + There are a number of places to look for more information on Samba, + including: + + +o Two mailing lists devoted to discussion of Samba-related matters. + + +o The newsgroup, comp.protocols.smb, which has a great deal of + discussion on Samba. + + +o The WWW site 'SAMBA Web Pages' at <http://samba.edu.au/samba/> + includes: + + +o Links to man pages and documentation, including this FAQ + + +o A comprehensive survey of Samba users. + + +o A searchable hypertext archive of the Samba mailing list. + + +o Links to Samba source code, binaries, and mirrors of both. + + +o The long list of topic documentation. These files can be found in + the 'docs' directory of the Samba source, or at + <ftp://samba.anu.edu.au/pub/samba/docs/> + + +o Application_Serving.txt + <ftp://samba.anu.edu.au/pub/samba/docs/Application_Serving.txt> + + +o BROWSING.txt <ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt> + + +o BUGS.txt <ftp://samba.anu.edu.au/pub/samba/docs/BUGS.txt> + + +o DIAGNOSIS.txt <ftp://samba.anu.edu.au/pub/samba/docs/DIAGNOSIS.txt> + + +o DNIX.txt <ftp://samba.anu.edu.au/pub/samba/docs/DNIX.txt> + + +o DOMAIN.txt <ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN.txt> + + +o CONTROL.txt + <ftp://samba.anu.edu.au/pub/samba/docs/DOMAIN_CONTROL.txt> + + +o ENCRYPTION.txt + <ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt> + + +o Faxing.txt <ftp://samba.anu.edu.au/pub/samba/docs/Faxing.txt> + + +o GOTCHAS.txt <ftp://samba.anu.edu.au/pub/samba/docs/GOTCHAS.txt> + + +o HINTS.txt <ftp://samba.anu.edu.au/pub/samba/docs/HINTS.txt> + + +o INSTALL.sambatar + <ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.sambatar> + + +o INSTALL.txt <ftp://samba.anu.edu.au/pub/samba/docs/INSTALL.txt> + + +o MIRRORS <ftp://samba.anu.edu.au/pub/samba/docs/MIRRORS> + + +o NetBIOS.txt <ftp://samba.anu.edu.au/pub/samba/docs/NetBIOS.txt> + + +o OS2.txt <ftp://samba.anu.edu.au/pub/samba/docs/OS2.txt> + + +o PROJECTS <ftp://samba.anu.edu.au/pub/samba/docs/PROJECTS> + + +o Passwords.txt <ftp://samba.anu.edu.au/pub/samba/docs/Passwords.txt> + + +o Printing.txt <ftp://samba.anu.edu.au/pub/samba/docs/Printing.txt> + + +o README.DCEDFS <ftp://samba.anu.edu.au/pub/samba/docs/README.DCEDFS> + + +o README.OS2 <ftp://samba.anu.edu.au/pub/samba/docs/README.OS2> + + +o README.jis <ftp://samba.anu.edu.au/pub/samba/docs/README.jis> + + +o README.sambatar + <ftp://samba.anu.edu.au/pub/samba/docs/README.sambatar> + + +o SCO.txt <ftp://samba.anu.edu.au/pub/samba/docs/SCO.txt> + + +o SMBTAR.notes <ftp://samba.anu.edu.au/pub/samba/docs/SMBTAR.notes> + + +o Speed.txt <ftp://samba.anu.edu.au/pub/samba/docs/Speed.txt> + + +o Support.txt <ftp://samba.anu.edu.au/pub/samba/docs/Support.txt> + + +o THANKS <ftp://samba.anu.edu.au/pub/samba/docs/THANKS> + + +o Tracing.txt <ftp://samba.anu.edu.au/pub/samba/docs/Tracing.txt> + + +o SMB.txt <ftp://samba.anu.edu.au/pub/samba/docs/UNIX-SMB.txt> + + +o Warp.txt <ftp://samba.anu.edu.au/pub/samba/docs/Warp.txt> + + +o WinNT.txt <ftp://samba.anu.edu.au/pub/samba/docs/WinNT.txt> + + +o history <ftp://samba.anu.edu.au/pub/samba/docs/history> + + +o level.txt + <ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt> + + +o slip.htm <ftp://samba.anu.edu.au/pub/samba/docs/wfw_slip.htm> + + + 11..77.. HHooww ddoo II ssuubbssccrriibbee ttoo tthhee SSaammbbaa MMaaiilliinngg LLiissttss?? + + + Send email to listproc@samba.anu.edu.au. Make sure the subject line is + blank, and include the following two lines in the body of the message: + + + subscribe samba Firstname Lastname + subscribe samba-announce Firstname Lastname + + + + + Obviously you should substitute YOUR first name for "Firstname" and + YOUR last name for "Lastname"! Try not to send any signature stuff, it + sometimes confuses the list processor. + + The samba list is a digest list - every eight hours or so it + regurgitates a single message containing all the messages that have + been received by the list since the last time and sends a copy of this + message to all subscribers. + + If you stop being interested in Samba, please send another email to + listproc@samba.anu.edu.au. Make sure the subject line is blank, and + include the following two lines in the body of the message: + + + unsubscribe samba + unsubscribe samba-announce + + + + + The FFrroomm:: line in your message _M_U_S_T be the same address you used when + you subscribed. + + + 11..88.. SSoommeetthhiinngg''ss ggoonnee wwrroonngg -- wwhhaatt sshhoouulldd II ddoo?? + + + ## ****** IIMMPPOORRTTAANNTT!! ****** ## + + DO NOT post messages on mailing lists or in newsgroups until you have + carried out the first three steps given here! + + Firstly, see if there are any likely looking entries in this FAQ! If + you have just installed Samba, have you run through the checklist in + DIAGNOSIS.txt <ftp://samba.anu.edu.au/pub/samba/DIAGNOSIS.txt>? It can + save you a lot of time and effort. DIAGNOSIS.txt can also be found in + the docs directory of the Samba distribution. + + Secondly, read the man pages for smbd, nmbd and smb.conf, looking for + topics that relate to what you are trying to do. + + Thirdly, if there is no obvious solution to hand, try to get a look at + the log files for smbd and/or nmbd for the period during which you + were having problems. You may need to reconfigure the servers to + provide more extensive debugging information - usually level 2 or + level 3 provide ample debugging info. Inspect these logs closely, + looking particularly for the string "Error:". + + Fourthly, if you still haven't got anywhere, ask the mailing list or + newsgroup. In general nobody minds answering questions provided you + have followed the preceding steps. It might be a good idea to scan the + archives of the mailing list, which are available through the Samba + web site described in the previous section. + + If you successfully solve a problem, please mail the FAQ maintainer a + succinct description of the symptom, the problem and the solution, so + I can incorporate it in the next version. + + If you make changes to the source code, _please_ submit these patches + so that everyone else gets the benefit of your work. This is one of + the most important aspects to the maintainence of Samba. Send all + patches to samba-bugs@samba.anu.edu.au. Do not send patches to Andrew + Tridgell or any other individual, they may be lost if you do. + + + 11..99.. PPiizzzzaa ssuuppppllyy ddeettaaiillss + + + Those who have registered in the Samba survey as "Pizza Factory" will + already know this, but the rest may need some help. Andrew doesn't ask + for payment, but he does appreciate it when people give him pizza. + This calls for a little organisation when the pizza donor is twenty + thousand kilometres away, but it has been done. + + Method 1: Ring up your local branch of an international pizza chain + and see if they honour their vouchers internationally. Pizza Hut do, + which is how the entire Canberra Linux Users Group got to eat pizza + one night, courtesy of someone in the US + + Method 2: Ring up a local pizza shop in Canberra and quote a credit + card number for a certain amount, and tell them that Andrew will be + collecting it (don't forget to tell him.) One kind soul from Germany + did this. + + Method 3: Purchase a pizza voucher from your local pizza shop that has + no international affiliations and send it to Andrew. It is completely + useless but he can hang it on the wall next to the one he already has + from Germany :-) + + + Method 4: Air freight him a pizza with your favourite regional + flavours. It will probably get stuck in customs or torn apart by + hungry sniffer dogs but it will have been a noble gesture. + + + 22.. CCoommppiilliinngg aanndd iinnssttaalllliinngg SSaammbbaa oonn aa UUnniixx hhoosstt + + + + 22..11.. II ccaann''tt sseeee tthhee SSaammbbaa sseerrvveerr iinn aannyy bbrroowwssee lliissttss!! + + + See BROWSING.txt <ftp://samba.anu.edu.au/pub/samba/BROWSING.txt> for + more information on browsing. Browsing.txt can also be found in the + docs directory of the Samba source. + + If your GUI client does not permit you to select non-browsable + servers, you may need to do so on the command line. For example, under + Lan Manager you might connect to the above service as disk drive M: + thusly: + + + net use M: \\mary\fred + + + + + The details of how to do this and the specific syntax varies from + client to client - check your client's documentation. + + + 22..22.. SSoommee ffiilleess tthhaatt II KKNNOOWW aarree oonn tthhee sseerrvveerr ddooeessnn''tt sshhooww uupp wwhheenn II + vviieeww tthhee ffiilleess ffrroomm mmyy cclliieenntt!! + + + See the next question. + + 22..33.. SSoommee ffiilleess oonn tthhee sseerrvveerr sshhooww uupp wwiitthh rreeaallllyy wwiieerrdd ffiilleennaammeess + wwhheenn II vviieeww tthhee ffiilleess ffrroomm mmyy cclliieenntt!! + + + If you check what files are not showing up, you will note that they + are files which contain upper case letters or which are otherwise not + DOS-compatible (ie, they are not legal DOS filenames for some reason). + + The Samba server can be configured either to ignore such files + completely, or to present them to the client in "mangled" form. If you + are not seeing the files at all, the Samba server has most likely been + configured to ignore them. Consult the man page smb.conf(5) for + details of how to change this - the parameter you need to set is + "mangled names = yes". + + + 22..44.. MMyy cclliieenntt rreeppoorrttss ""ccaannnnoott llooccaattee ssppeecciiffiieedd ccoommppuutteerr"" oorr ssiimmiillaarr + + + This indicates one of three things: You supplied an incorrect server + name, the underlying TCP/IP layer is not working correctly, or the + name you specified cannot be resolved. + + After carefully checking that the name you typed is the name you + should have typed, try doing things like pinging a host or telnetting + to somewhere on your network to see if TCP/IP is functioning OK. If it + is, the problem is most likely name resolution. + + + If your client has a facility to do so, hardcode a mapping between the + hosts IP and the name you want to use. For example, with Man Manager + or Windows for Workgroups you would put a suitable entry in the file + LMHOSTS. If this works, the problem is in the communication between + your client and the netbios name server. If it does not work, then + there is something fundamental wrong with your naming and the solution + is beyond the scope of this document. + + If you do not have any server on your subnet supplying netbios name + resolution, hardcoded mappings are your only option. If you DO have a + netbios name server running (such as the Samba suite's nmbd program), + the problem probably lies in the way it is set up. Refer to Section + Two of this FAQ for more ideas. + + By the way, remember to REMOVE the hardcoded mapping before further + tests :-) + + + 22..55.. MMyy cclliieenntt rreeppoorrttss ""ccaannnnoott llooccaattee ssppeecciiffiieedd sshhaarree nnaammee"" oorr ssiimmii-- + llaarr + + + This message indicates that your client CAN locate the specified + server, which is a good start, but that it cannot find a service of + the name you gave. + + The first step is to check the exact name of the service you are + trying to connect to (consult your system administrator). Assuming it + exists and you specified it correctly (read your client's doco on how + to specify a service name correctly), read on: + + + +o Many clients cannot accept or use service names longer than eight + characters. + + +o Many clients cannot accept or use service names containing spaces. + + +o Some servers (not Samba though) are case sensitive with service + names. + + +o Some clients force service names into upper case. + + + 22..66.. MMyy cclliieenntt rreeppoorrttss ""ccaannnnoott ffiinndd ddoommaaiinn ccoonnttrroolllleerr"",, ""ccaannnnoott lloogg + oonn ttoo tthhee nneettwwoorrkk"" oorr ssiimmiillaarr + + + Nothing is wrong - Samba does not implement the primary domain name + controller stuff for several reasons, including the fact that the + whole concept of a primary domain controller and "logging in to a + network" doesn't fit well with clients possibly running on multiuser + machines (such as users of smbclient under Unix). Having said that, + several developers are working hard on building it in to the next + major version of Samba. If you can contribute, send a message to + samba-bugs@samba.anu.edu.au ! + + Seeing this message should not affect your ability to mount redirected + disks and printers, which is really what all this is about. + + For many clients (including Windows for Workgroups and Lan Manager), + setting the domain to STANDALONE at least gets rid of the message. + + + + + + 22..77.. PPrriinnttiinngg ddooeessnn''tt wwoorrkk ::--(( + + + Make sure that the specified print command for the service you are + connecting to is correct and that it has a fully-qualified path (eg., + use "/usr/bin/lpr" rather than just "lpr"). + + Make sure that the spool directory specified for the service is + writable by the user connected to the service. In particular the user + "nobody" often has problems with printing, even if it worked with an + earlier version of Samba. Try creating another guest user other than + "nobody". + + Make sure that the user specified in the service is permitted to use + the printer. + + Check the debug log produced by smbd. Search for the printer name and + see if the log turns up any clues. Note that error messages to do with + a service ipc$ are meaningless - they relate to the way the client + attempts to retrieve status information when using the LANMAN1 + protocol. + + If using WfWg then you need to set the default protocol to TCP/IP, not + Netbeui. This is a WfWg bug. + + If using the Lanman1 protocol (the default) then try switching to + coreplus. Also not that print status error messages don't mean + printing won't work. The print status is received by a different + mechanism. + + + 22..88.. MMyy pprrooggrraammss iinnssttaallll oonn tthhee sseerrvveerr OOKK,, bbuutt rreeffuussee ttoo wwoorrkk pprroopp-- + eerrllyy + + + There are numerous possible reasons for this, but one MAJOR + possibility is that your software uses locking. Make sure you are + using Samba 1.6.11 or later. It may also be possible to work around + the problem by setting "locking=no" in the Samba configuration file + for the service the software is installed on. This should be regarded + as a strictly temporary solution. + + In earlier Samba versions there were some difficulties with the very + latest Microsoft products, particularly Excel 5 and Word for Windows + 6. These should have all been solved. If not then please let Andrew + Tridgell know via email at samba-bugs@samba.anu.edu.au. + + + 22..99.. MMyy ""sseerrvveerr ssttrriinngg"" ddooeessnn''tt sseeeemm ttoo bbee rreeccooggnniisseedd + + + OR My client reports the default setting, eg. "Samba 1.9.15p4", + instead of what I have changed it to in the smb.conf file. + + You need to use the -C option in nmbd. The "server string" affects + what smbd puts out and -C affects what nmbd puts out. + + Current versions of Samba (1.9.16 +) have combined these options into + the "server string" field of smb.conf, -C for nmbd is now obsolete. + + + 22..1100.. MMyy cclliieenntt rreeppoorrttss ""TThhiiss sseerrvveerr iiss nnoott ccoonnffiigguurreedd ttoo lliisstt sshhaarreedd + rreessoouurrcceess"" + + + Your guest account is probably invalid for some reason. Samba uses the + guest account for browsing in smbd. Check that your guest account is + valid. + + See also 'guest account' in smb.conf man page. + + + 22..1111.. LLoogg mmeessssaaggee ""yyoouu aappppeeaarr ttoo hhaavvee aa ttrraappddoooorr uuiidd ssyysstteemm"" + + + This can have several causes. It might be because you are using a uid + or gid of 65535 or -1. This is a VERY bad idea, and is a big security + hole. Check carefully in your /etc/passwd file and make sure that no + user has uid 65535 or -1. Especially check the "nobody" user, as many + broken systems are shipped with nobody setup with a uid of 65535. + + It might also mean that your OS has a trapdoor uid/gid system :-) + + This means that once a process changes effective uid from root to + another user it can't go back to root. Unfortunately Samba relies on + being able to change effective uid from root to non-root and back + again to implement its security policy. If your OS has a trapdoor uid + system this won't work, and several things in Samba may break. Less + things will break if you use user or server level security instead of + the default share level security, but you may still strike problems. + + The problems don't give rise to any security holes, so don't panic, + but it does mean some of Samba's capabilities will be unavailable. In + particular you will not be able to connect to the Samba server as two + different uids at once. This may happen if you try to print as a + "guest" while accessing a share as a normal user. It may also affect + your ability to list the available shares as this is normally done as + the guest user. + + Complain to your OS vendor and ask them to fix their system. + + Note: the reason why 65535 is a VERY bad choice of uid and gid is that + it casts to -1 as a uid, and the setreuid() system call ignores (with + no error) uid changes to -1. This means any daemon attempting to run + as uid 65535 will actually run as root. This is not good! + + + 33.. CCoommmmoonn cclliieenntt qquueessttiioonnss + + + + + 33..11.. AArree tthheerree aannyy MMaacciinnttoosshh cclliieennttss ffoorr SSaammbbaa?? + + + Yes! Thursby now have a CIFS Client / Server called DAVE - see + <http://www.thursby.com/>. They test it against Windows 95, Windows + NT and samba for compatibility issues. At the time of writing, DAVE + was at version 1.0.1. The 1.0.0 to 1.0.1 update is available as a free + download from the Thursby web site (the speed of finder copies has + been greatly enhanced, and there are bug-fixes included). + + Alternatives - There are two free implementations of AppleTalk for + several kinds of UNIX machnes, and several more commercial ones. + These products allow you to run file services and print services + natively to Macintosh users, with no additional support required on + the Macintosh. The two free omplementations are Netatalk, + <http://www.umich.edu/~rsug/netatalk/>, and CAP, + <http://www.cs.mu.oz.au/appletalk/atalk.html>. What Samba offers MS + Windows users, these packages offer to Macs. For more info on these + packages, Samba, and Linux (and other UNIX-based systems) see + <http://www.eats.com/linux_mac_win.html> + 33..22.. SSeessssiioonn rreeqquueesstt ffaaiilleedd ((113311,,113300))"" eerrrroorr + + + The following answer is provided by John E. Miller: + + I'll assume that you're able to ping back and forth between the + machines by IP address and name, and that you're using some security + model where you're confident that you've got user IDs and passwords + right. The logging options (-d3 or greater) can help a lot with that. + DNS and WINS configuration can also impact connectivity as well. + + Now, on to 'scope id's. Somewhere in your Win95 TCP/IP network + configuration (I'm too much of an NT bigot to know where it's located + in the Win95 setup, but I'll have to learn someday since I teach for a + Microsoft Solution Provider Authorized Tech Education Center - what an + acronym...) Note: It's under Control Panel | Network | TCP/IP | WINS + Configuration there's a little text entry field called something like + + This field essentially creates 'invisible' sub-workgroups on the same + wire. Boxes can only see other boxes whose Scope IDs are set to the + exact same value - it's sometimes used by OEMs to configure their + boxes to browse only other boxes from the same vendor and, in most + environments, this field should be left blank. If you, in fact, have + something in this box that EXACT value (case-sensitive!) needs to be + provided to smbclient and nmbd as the -i (lowercase) parameter. So, if + your Scope ID is configured as the string 'SomeStr' in Win95 then + you'd have to use smbclient -iSomeStr otherparms in connecting to it. + + + 33..33.. HHooww ddoo II ssyynncchhrroonniissee mmyy PPCC''ss cclloocckk wwiitthh mmyy SSaammbbaa sseerrvveerr?? + + + To syncronize your PC's clock with your Samba server: + + +o Copy timesync.pif to your windows directory + + +o timesync.pif can be found at: + <http://samba.anu.edu.au/samba/binaries/miscellaneous/timesync.pif> + + +o Add timesync.pif to your 'Start Up' group/folder + + +o Open the properties dialog box for the program/icon + + +o Make sure the 'Run Minimized' option is set in program 'Properties' + + +o Change the command line section that reads \sambahost to reflect + the name of your server. + + +o Close the properties dialog box by choosing 'OK' + + Each time you start your computer (or login for Win95) your PC will + synchronize its clock with your Samba server. + + Alternativley, if you clients support Domain Logons, you can setup + Domain Logons with Samba - see: BROWSING.txt + <ftp://samba.anu.edu.au/pub/samba/docs/BROWSING.txt> *** for more + information. + + Then add + + + NET TIME \\%L /SET /YES + + + + + as one of the lines in the logon script. + + 33..44.. PPrroobblleemmss wwiitthh WWiinnDDDD,, NNTTrriigguuee,, WWiinnCCeenntteerrPPrroo eettcc + + + All of the above programs are applications that sit on an NT box and + allow multiple users to access the NT GUI applications from remote + workstations (often over X). + + What has this got to do with Samba? The problem comes when these users + use filemanager to mount shares from a Samba server. The most common + symptom is that the first user to connect get correct file permissions + and has a nice day, but subsequent connections get logged in as the + same user as the first person to login. They find that they cannot + access files in their own home directory, but that they can access + files in the first users home directory (maybe not such a nice day + after all?) + + Why does this happen? The above products all share a common heritage + (and code base I believe). They all open just a single TCP based SMB + connection to the Samba server, and requests from all users are piped + over this connection. This is unfortunate, but not fatal. + + It means that if you run your Samba server in share level security + (the default) then things will definately break as described above. + The share level SMB security model has no provision for multiple user + IDs on the one SMB connection. See security_level.txt + <ftp://samba.anu.edu.au/pub/samba/docs/security_level.txt> in the docs + for more info on share/user/server level security. + + If you run in user or server level security then you have a chance, + but only if you have a recent version of Samba (at least 1.9.15p6). In + older versions bugs in Samba meant you still would have had problems. + + If you have a trapdoor uid system in your OS then it will never work + properly. Samba needs to be able to switch uids on the connection and + it can't if your OS has a trapdoor uid system. You'll know this + because Samba will note it in your logs. + + Also note that you should not use the magic "homes" share name with + products like these, as otherwise all users will end up with the same + home directory. Use \serversername instead. + + + 33..55.. PPrroobblleemm wwiitthh pprriinntteerrss uunnddeerr NNTT + + + This info from Stefan Hergeth hergeth@f7axp1.informatik.fh-muenchen.de + may be useful: + + A network-printer (with ethernetcard) is connected to the NT-Clients + via our UNIX-Fileserver (SAMBA-Server), like the configuration told by + Matthew Harrell harrell@leech.nrl.navy.mil (see WinNT.txt) + + 1. If a user has choosen this printer as the default printer in his + NT-Session and this printer is not connected to the network (e.g. + switched off) than this user has a problem with the SAMBA- + connection of his filesystems. It's very slow. + + 2. If the printer is connected to the network everything works fine. + + 3. When the smbd ist started with debug level 3, you can see that the + NT spooling system try to connect to the printer many times. If the + printer ist not connected to the network this request fails and the + NT spooler is wasting a lot of time to connect to the printer + service. This seems to be the reason for the slow network + connection. + + 4. Maybe it's possible to change this behaviour by setting different + printer properties in the Print-Manager-Menu of NT, but i didn't + try it yet. + + + 33..66.. WWhhyy aarree mmyy ffiillee''ss ttiimmeessttaammppss ooffff bbyy aann hhoouurr,, oorr bbyy aa ffeeww hhoouurrss?? + + + This is from Paul Eggert eggert@twinsun.com. + + Most likely it's a problem with your time zone settings. + + Internally, Samba maintains time in traditional Unix format, namely, + the number of seconds since 1970-01-01 00:00:00 Universal Time (or + ``GMT''), not counting leap seconds. + + On the server side, Samba uses the Unix TZ variable to convert + internal timestamps to and from local time. So on the server side, + there are two things to get right. + + 1. The Unix system clock must have the correct Universal time. Use + the shell command "sh -c 'TZ=UTC0 date'" to check this. + + 2. The TZ environment variable must be set on the server before Samba + is invoked. The details of this depend on the server OS, but + typically you must edit a file whose name is /etc/TIMEZONE or + /etc/default/init, or run the command `zic -l'. + + 3. TZ must have the correct value. + + a. If possible, use geographical time zone settings (e.g. + TZ='America/Los_Angeles' or perhaps TZ=':US/Pacific'). These + are supported by most popular Unix OSes, are easier to get + right, and are more accurate for historical timestamps. If your + operating system has out-of-date tables, you should be able to + update them from the public domain time zone tables at + <ftp://elsie.nci.nih.gov/pub/>. + + b. If your system does not support geographical timezone settings, + you must use a Posix-style TZ strings, e.g. + TZ='PST8PDT,M4.1.0/2,M10.5.0/2' for US Pacific time. Posix TZ + strings can take the following form (with optional items in + brackets): + + StdOffset[Dst[Offset],Date/Time,Date/Time] + + + where: + + +o `Std' is the standard time designation (e.g. `PST'). + + +o `Offset' is the number of hours behind UTC (e.g. `8'). Prepend + a `-' if you are ahead of UTC, and append `:30' if you are at a + half-hour offset. Omit all the remaining items if you do not + use daylight-saving time. + + +o `Dst' is the daylight-saving time designation (e.g. `PDT'). + + The optional second `Offset' is the number of hours that + daylight-saving time is behind UTC. The default is 1 hour ahead + of standard time. + + +o `Date/Time,Date/Time' specify when daylight-saving time starts + and ends. The format for a date is `Mm.n.d', which specifies + the dth day (0 is Sunday) of the nth week of the mth month, + where week 5 means the last such day in the month. The format + for a time is hh:mm[:ss], using a 24-hour clock. + + Other Posix string formats are allowed but you don't want to + know about them. + + On the client side, you must make sure that your client's clock and + time zone is also set appropriately. [I don't know how to do + this.] Samba traditionally has had many problems dealing with time + zones, due to the bizarre ways that Microsoft network protocols + handle time zones. A common symptom is for file timestamps to be + off by an hour. To work around the problem, try disconnecting from + your Samba server and then reconnecting to it; or upgrade your + Samba server to 1.9.16alpha10 or later. + + + 33..77.. HHooww ddoo II sseett tthhee pprriinntteerr ddrriivveerr nnaammee ccoorrrreeccttllyy?? + + + Question: On NT, I opened "Printer Manager" and "Connect to Printer". + Enter "\ptdi270s1" + in the box of printer. I got the following error message: + + + You do not have sufficient access to your machine + to connect to the selected printer, since a driver + needs to be installed locally. + + + + + Answer: + + In the more recent versions of Samba you can now set the "printer + driver" in smb.conf. This tells the client what driver to use. For + example: + + + printer driver = HP LaserJet 4L + + + + + with this, NT knows to use the right driver. You have to get this + string exactly right. + + To find the exact string to use, you need to get to the dialog box in + your client where you select which printer driver to install. The + correct strings for all the different printers are shown in a listbox + in that dialog box. + + You could also try setting the driver to NULL like this: + + + printer driver = NULL + + + + + this is effectively what older versions of Samba did, so if that + worked for you then give it a go. If this does work then let us know + via samba-bugs@samba.anu.edu.au, and we'll make it the default. Cur- + rently the default is a 0 length string. + + + 33..88.. II''vvee aapppplliieedd NNTT 44..00 SSPP33,, aanndd nnooww II ccaann''tt aacccceessss SSaammbbaa sshhaarreess,, + WWhhyy?? + + + As of SP3, Microsoft has decided that they will no longer default to + passing clear text passwords over the network. To enable access to + Samba shares from NT 4.0 SP3, you must do OONNEE of two things: + + 1. Set the Samba configuration option 'security = user' and implement + all of the stuff detailed in ENCRYPTION.txt + <ftp://samba.anu.edu.au/pub/samba/docs/ENCRYPTION.txt>. + + 2. Follow Microsoft's directions for setting your NT box to allow + plain text passwords. see Knowledge Base Article Q166730 + <http://www.microsoft.com/kb/articles/q166/7/30.htm> + + + 44.. SSppeecciiffiicc cclliieenntt aapppplliiccaattiioonn pprroobblleemmss + + + + + 44..11.. MMSS OOffffiiccee SSeettuupp rreeppoorrttss ""CCaannnnoott cchhaannggee pprrooppeerrttiieess ooff ''MMSSOOFF-- + FFIICCEEUUPP..IINNII''"" + + + When installing MS Office on a Samba drive for which you have admin + user permissions, ie. admin users = username, you will find the setup + program unable to complete the installation. + + To get around this problem, do the installation without admin user + permissions The problem is that MS Office Setup checks that a file is + rdonly by trying to open it for writing. + + Admin users can always open a file for writing, as they run as root. + You just have to install as a non-admin user and then use "chown -R" + to fix the owner. + + + 55.. MMiisscceellllaanneeoouuss + + + + 55..11.. IIss SSaammbbaa YYeeaarr 22000000 ccoommpplliiaanntt?? + + + The CIFS protocol that Samba implements negotiates times in various + formats, all of which are able to cope with dates beyond 2000. + + + + + + + + + + + + + + + + + + diff --git a/docs/history b/docs/history index 83761e23b86..dd9e83719ff 100644 --- a/docs/history +++ b/docs/history @@ -1,8 +1,9 @@ -Note: This file is now quite out of date - but perhaps that's -appropriate? +Contributor: Andrew Tridgell and the Samba Team +Date: June 27, 1997 +Satus: Always out of date! (Would not be the same without it!) - -========= +Subject: A bit of history and a bit of fun +============================================================================ This is a short history of this project. It's not supposed to be comprehensive, just enough so that new users can get a feel for where @@ -10,7 +11,7 @@ this project has come from and maybe where it's going to. The whole thing really started in December 1991. I was (and still am) a PhD student in the Computer Sciences Laboratory at the Australian -Netional University, in Canberra, Australia. We had just got a +National University, in Canberra, Australia. We had just got a beta copy of eXcursion from Digital, and I was testing it on my PC. At this stage I was a MS-DOS user, dabbling in windows. @@ -111,7 +112,7 @@ code! I wrote back saying it was OK, but never heard from him again. I don't know if it went on the cd-rom. Anyway, the next big event was in December 1993, when Dan again sent -me an e-mail saying my server had "raised it's ugly head" on +me an e-mail saying my server had "raised its ugly head" on comp.protocols.tcpip.ibmpc. I had a quick look on the group, and was surprised to see that there were people interested in this thing. @@ -163,3 +164,33 @@ support and the ability to do domain logons etc. Samba has also been ported to OS/2, the amiga and NetWare. There are now 3000 people on the samba mailing list. --------------------- + + +--------------------- +It's now June 1997 and samba-1.9.17 is due out soon. My how time passes! +Please refer to the WHATSNEW.txt for an update on new features. Just when +you think you understand what is happening the ground rules change - this +is a real world after all. Since the heady days of March 1996 there has +been a concerted effort within the SMB protocol using community to document +and standardize the protocols. The CIFS initiative has helped a long way +towards creating a better understood and more interoperable environment. +The Samba Team has grown in number and have been very active in the standards +formation and documentation process. + +The net effect has been that we have had to do a lot of work to bring Samba +into line with new features and capabilities in the SMB protocols. + +The past year has been a productive one with the following releases: + 1.9.16, 1.9.16p2, 1.9.16p6, 1.9.16p9, 1.9.16p10, 1.9.16p11 + +There are some who believe that 1.9.15p8 was the best release and others +who would not want to be without the latest. Whatever your perception we +hope that 1.9.17 will close the gap and convince you all that the long +wait and the rolling changes really were worth it. Here is functionality +and a level of code maturity that ..., well - you can be the judge! + +Happy SMB networking! +Samba Team + +ps: The bugs are ours, so please report any you find. +--------------------- diff --git a/docs/manpages/make_smbcodepage.1 b/docs/manpages/make_smbcodepage.1 new file mode 100644 index 00000000000..049fa73a2a6 --- /dev/null +++ b/docs/manpages/make_smbcodepage.1 @@ -0,0 +1,131 @@ +.TH MAKE_SMBCODEPAGE 1 "09 Oct 1998" "make_smbcodepage 2.0.0-alpha11" +.SH NAME +make_smbcodepage \- create a binary codepage definition file from an ascii codepage definition source file, or reverse the process. +.SH SYNOPSIS +.B make_smbcodepage +.I c|d +.I codepage +.I inputfile +.I outputfile +.SH DESCRIPTION +This program is part of the Samba suite. + +.B make_smbcodepage +compiles or de-compiles codepage files for use with the internationalization +features of Samba 1.9.18. + +An ascii Samba codepage definition file is a description that tells Samba +how to map from upper to lower case for characters greater than ascii 127 +in the specified DOS code page. Note that for certain DOS codepages +(437 for example) mapping from lower to upper case may be asynchronous. +For example, in code page 437 lower case a acute maps to a plain upper +case A when going from lower to upper case, but maps from plain upper +case A to plain lower case a when lower casing a character. + +A binary Samba codepage definition file is a binary representation +of the same information, including a value that specifies what codepage +this file is describing. + +As Samba does not yet use UNICODE (current for Samba version 1.9.18) +you must specify the client code page that your DOS and Windows clients +are using if you wish to have case insensitivity done correctly for +your particular language. The default codepage Samba uses is 850 +(Western European). Ascii codepage definition sample files are provided +in the Samba distribution for codepages 437 (USA), 850 (Western European) +852 (MS-DOS Latin 2) and 932 (Kanji SJIS). Users are encouraged to +write ascii codepage definition files for their own code pages and +donate them to samba-bugs@samba.anu.edu.au. All codepage files in the +Samba source directory are compiled and installed when a 'make install' +command is issued there. + +An ascii codepage definition file consists of multiple lines containing +four fields. These fields are : +.B lower +which is the (hex) lower case character mapped on this line. +.B upper +which is the (hex) upper case character that the lower case character +will map to. +.B map upper to lower +which is a boolean value (put either True or False here) which tells +Samba if it is to map the given upper case character to the given +lower case character when lower casing a filename. +.B map lower to upper +which is a boolean value (put either True or False here) which tells +Samba if it is to map the given lower case character to the given +upper case character when upper casing a filename. + +.SH OPTIONS +.I c|d + +.RS 3 +This tells make_smbcodepage if it is compiling (c) an ascii code page file +to binary, or de-compiling a binary codepage file to ascii. +.RE + +.I codepage + +.RS 3 +This is the codepage we are processing (a number, eg. 850) +.RE + +.I inputfile + +.RS 3 +This is the input file to process. +.RE + +.I outputfile + +.RS 3 +This is the output file to produce. +.RE + +.SH FILES +.B codepage_def.<codepage> +.RS 3 +These are the input (ascii) codepage files provided in the Samba +source/ directory. +.RE +.SH FILES +.B codepage.<codepage> +.RS 3 +These are the output (binary) codepage files produced and placed in the Samba +destination lib/codepage/ directory. +.RE + +.SH ENVIRONMENT VARIABLES +Not applicable. +.SH INSTALLATION +The location of the server and its support files is a matter for individual +system administrators. The following are thus suggestions only. + +It is recommended that the +.B make_smbcodepage +program be installed under the /usr/local/samba hierarchy, in a directory readable +by all, writeable only by root. The program itself should be executable by all. +The program should NOT be setuid or setgid! +.SH VERSION +This man page is (mostly) correct for version 1.9.18 of the Samba suite, plus some +of the recent patches to it. These notes will necessarily lag behind +development of the software, so it is possible that your version of +the program has extensions or parameter semantics that differ from or are not +covered by this man page. Please notify these to the address below for +rectification. +.SH SEE ALSO +.BR smb.conf (5), +.BR smbd (8) + +.SH BUGS +None known. +.SH CREDITS +The +.B make_smbcodepage +program was written by Jeremy Allison (jallison@whistle.com) as part of the +Internationalization effort of the Samba software. + +Please send bug reports to samba-bugs@samba.anu.edu.au. + +See +.BR samba (7) +for a full list of contributors and details on how to +submit bug reports, comments etc. diff --git a/docs/manpages/nmbd.8 b/docs/manpages/nmbd.8 index e42f194cdee..0922982f008 100644 --- a/docs/manpages/nmbd.8 +++ b/docs/manpages/nmbd.8 @@ -1,44 +1,29 @@ -.TH NMBD 8 17/1/1995 nmbd nmbd +.TH NMBD 8 "09 Oct 1998" "nmbd 2.0.0-alpha11" .SH NAME nmbd \- provide netbios nameserver support to clients .SH SYNOPSIS .B nmbd [ -.B -B -.I broadcast address +.B \-D ] [ -.B -I -.I IP address -] [ -.B -D -] [ -.B -C comment string -] [ -.B -G -.I group name -] [ -.B -H +.B \-H .I netbios hosts file ] [ -.B -N -.I netmask -] [ -.B -d +.B \-d .I debuglevel ] [ -.B -l +.B \-l .I log basename ] [ -.B -n +.B \-n .I netbios name ] [ -.B -p +.B \-p .I port number ] [ -.B -s -.I config file name +.B \-s +.I configuration file ] - .SH DESCRIPTION This program is part of the Samba suite. @@ -51,44 +36,36 @@ LanManager clients, when they start up, may wish to locate a LanManager server. That is, they wish to know what IP number a specified host is using. This program simply listens for such requests, and if its own name is specified -it will respond with the IP number of the host it is running on. "Its own name" -is by default the name of the host it is running on, but this can be overriden -with the -.B -n -option (see "OPTIONS" below). Using the -.B -S -option (see "OPTIONS" below), it can also be instructed to respond with IP -information about other hosts, provided they are locatable via the -gethostbyname() call, or they are in a netbios hosts file. - -Nmbd can also be used as a WINS (Windows Internet Name Server) -server. It will do this automatically by default. What this basically -means is that it will respond to all name requests that it receives -that are not broadcasts, as long as it can resolve the name. +it will respond with the IP number of the host it is running on. +Its "own name" is by default the name of the host it is running on, +but this can be overriden with the +.B \-n +option (see "OPTIONS" below). + +.B nmbd +can also be used as a WINS (Windows Internet Name Server) server. +What this basically means is that it will respond to all name requests that +it receives that are not broadcasts, as long as it can resolve the name. +Resolvable names include all names in the netbios hosts file (if any, see +.B \-H +below), its own name, and any other names that it may have learned about +from other browsers on the network. +A change to previous versions is that nmbd will now no longer +do this automatically by default. .SH OPTIONS -.B -B +.B \-B .RS 3 -On some systems, the server is unable to determine the broadcast address to -use for name registration requests. If your system has this difficulty, this -parameter may be used to specify an appropriate broadcast address. The -address should be given in standard "a.b.c.d" notation. - -Only use this parameter if you are sure that the server cannot properly -determine the proper broadcast address. - -The default broadcast address is determined by the server at run time. If it -encounters difficulty doing so, it makes a guess based on the local IP -number. +This option is obsolete. Please use the "interfaces" option in smb.conf instead. .RE -.B -I + +.B \-I .RS 3 -On some systems, the server is unable to determine the correct IP -address to use. This allows you to override the default choice. +This option is obsolete. Please use the "interfaces" option in smb.conf instead. .RE -.B -D +.B \-D .RS 3 If specified, this parameter causes the server to operate as a daemon. That is, @@ -98,75 +75,60 @@ appropriate port. By default, the server will NOT operate as a daemon. .RE -.B -C comment string +.B \-C comment string .RS 3 -This allows you to set the "comment string" that is shown next to the -machine name in browse listings. - -A %v will be replaced with the Samba version number. - -A %h will be replaced with the hostname. - -It defaults to "Samba %v". +This option is obsolete. Please use the "server string" option in smb.conf +instead. .RE -.B -G +.B \-G .RS 3 -This option allows you to specify a netbios group (also known as -lanmanager domain) that the server should be part of. You may include -several of these on the command line if you like. Alternatively you -can use the -H option to load a netbios hosts file containing domain names. - -At startup, unless the -R switch has been used, the server will -attempt to register all group names in the hosts file and on the -command line (from the -G option). - -The server will also respond to queries on this name. +This option is obsolete. Please use the "workgroup" option in smb.conf instead. .RE -.B -H +.B \-H +.I netbios hosts file .RS 3 It may be useful in some situations to be able to specify a list of -netbios names for which the server should send a reply if -queried. This option allows that. The syntax is similar to the -standard /etc/hosts file format, but has some extensions. +netbios names for which the server should send a reply if queried. +This option allows you to specify a file containing such a list. +The syntax of the hosts file is similar to the standard /etc/hosts file +format, but has some extensions. The file contains three columns. Lines beginning with a # are ignored as comments. The first column is an IP address, or a hostname. If it is a hostname then it is interpreted as the IP address returned by -gethostbyname() when read. Any IP address of 0.0.0.0 will be -interpreted as the servers own IP address. +gethostbyname() when read. An IP address of 0.0.0.0 will be +interpreted as the server's own IP address. The second column is a netbios name. This is the name that the server will respond to. It must be less than 20 characters long. The third column is optional, and is intended for flags. Currently the -only flags supported are G, S and M. A G indicates that the name is a -group (also known as domain) name. +only flag supported is M, which means that this name is the default +netbios name for this machine. This has the same effect as specifying the +.B \-n +option to +.BR nmbd . -At startup all groups known to the server (either from this file or -from the -G option) are registered on the network (unless the -R -option has been selected). +NOTE: The G and S flags are now obsolete and are replaced by the +"interfaces" and "remote announce" options in smb.conf. -A S or G means that the specified address is a broadcast address of a -network that you want people to be able to browse you from. Nmbd will -search for a master browser in that domain and will send host -announcements to that machine, informing it that the specifed somain -is available. +The default hosts file name is set at compile time, typically as +.I /etc/lmhosts, +but this may be changed in the Samba Makefile. -A M means that this name is the default netbios name for this -machine. This has the same affect as specifying the -n option to nmbd. +After startup the server waits for queries, and will answer queries for +any name known to it. This includes all names in the netbios hosts file, +its own name, and any other names it may have learned about from other +browsers on the network. -After startup the server waits for queries, and will answer queries to -any name known to it. This includes all names in the netbios hosts -file (if any), it's own name, and any names given with the -G option. - -The primary intention of the -H option is to allow a mapping from -netbios names to internet domain names, and to allow the specification -of groups that the server should be part of. +The primary intention of the +.B \-H +option is to allow a mapping from netbios names to internet domain names. .B Example: @@ -177,315 +139,118 @@ of groups that the server should be part of. # if you want to include a name with a space in it then # use double quotes. - # first put ourselves in the group LANGROUP - 0.0.0.0 LANGROUP G - # next add a netbios alias for a faraway host arvidsjaur.anu.edu.au ARVIDSJAUR # finally put in an IP for a hard to find host 130.45.3.213 FREDDY - # now we want another subnet to be able to browse - # us in the workgroup UNIXSERV - 192.0.2.255 UNIXSERV G - .RE - -.B -M -.I workgroup name +.B \-N .RS 3 -If this parameter is given, the server will look for a master browser -for the specified workgroup name, report success or failure, then -exit. If successful, the IP address of the name located will be -reported. - -If you use the workgroup name "-" then nmbd will search for a master -browser for any workgroup by using the name __MSBROWSE__. - -This option is meant to be used interactively on the command line, not -as a daemon or in inetd. - +This option is obsolete. Please use the "interfaces" option in smb.conf instead. .RE -.B -N -.RS 3 -On some systems, the server is unable to determine the netmask. If -your system has this difficulty, this parameter may be used to specify -an appropriate netmask. The mask should be given in standard -"a.b.c.d" notation. - -Only use this parameter if you are sure that the server cannot properly -determine the proper netmask. - -The default netmask is determined by the server at run time. If it -encounters difficulty doing so, it makes a guess based on the local IP -number. -.RE - -.B -d +.B \-d .I debuglevel -.RS 3 - -debuglevel is an integer from 0 to 5. -The default value if this parameter is not specified is zero. - -The higher this value, the more detail will be logged to the log files about -the activities of the server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for day to day running -- it generates a small amount of information about operations carried out. - -Levels above 1 will generate considerable amounts of log data, and should -only be used when investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log data, most of which -is extremely cryptic. +.RS 3 +This option sets the debug level. See +.BR smb.conf (5). .RE -.B -l +.B \-l .I log file .RS 3 -If specified, -.I logfile -specifies a base filename into which operational data from the running server -will be logged. - -The default base name is specified at compile time. - -The base name is used to generate actual log file names. For example, if the -name specified was "log", the following files would be used for log data: - -.RS 3 -log.nmb (containing debugging information) - -log.nmb.in (containing inbound transaction data) - -log.nmb.out (containing outbound transaction data) -.RE - -The log files generated are never removed by the server. -.RE +The +.I log file +parameter specifies a path and base filename into which operational data +from the running +.B nmbd +server will be logged. +The actual log file name is generated by appending the extension ".nmb" to +the specified base name. +For example, if the name specified was "log" then the file log.nmb would +contain the debugging data. + +The default log file is specified at compile time, typically as +.I /var/log/log.nmb. .RE -.B -n +.B \-n .I netbios name .RS 3 -This parameter tells the server what netbios name to respond with when -queried. The same name is also registered on startup unless the -R -parameter was specified. - -The default netbios name used if this parameter is not specified is the -name of the host on which the server is running. +This option allows you to override the Netbios name that Samba uses for itself. .RE -.B -p -.I port number -.RS 3 - -port number is a positive integer value. - -The default value if this parameter is not specified is 137. - -This number is the port number that will be used when making connections to -the server from client software. The standard (well-known) port number for the -server is 137, hence the default. If you wish to run the server as an ordinary -user rather than as root, most systems will require you to use a port number -greater than 1024 - ask your system administrator for help if you are in this -situation. - -Note that the name server uses UDP, not TCP! - -This parameter is not normally specified except in the above situation. -.RE -.SH FILES - -.B /etc/inetd.conf - -.RS 3 -If the server is to be run by the inetd meta-daemon, this file must contain -suitable startup information for the meta-daemon. See the section -"INSTALLATION" below. -.RE - -.B /etc/rc.d/rc.inet2 +.B \-a .RS 3 -(or whatever initialisation script your system uses) - -If running the server as a daemon at startup, this file will need to contain -an appropriate startup sequence for the server. See the section "Installation" -below. +If this parameter is specified, the log files will be appended to with each +new connection. This is the default. .RE -.B /etc/services +.B \-o .RS 3 -If running the server via the meta-daemon inetd, this file must contain a -mapping of service name (eg., netbios-ns) to service port (eg., 137) and -protocol type (eg., udp). See the section "INSTALLATION" below. +Overwrite existing log files instead of appending to them. (This was the +default until version 2.0.0.) .RE -.RE - -.SH ENVIRONMENT VARIABLES -Not applicable. - -.SH INSTALLATION -The location of the server and its support files is a matter for individual -system administrators. The following are thus suggestions only. - -It is recommended that the server software be installed under the /usr/local -hierarchy, in a directory readable by all, writeable only by root. The server -program itself should be executable by all, as users may wish to run the -server themselves (in which case it will of course run with their privileges). -The server should NOT be setuid or setgid! - -The server log files should be put in a directory readable and writable only -by root, as the log files may contain sensitive information. - -The remaining notes will assume the following: +.B \-p +.I port number .RS 3 -nmbd (the server program) installed in /usr/local/smb - -log files stored in /var/adm/smblogs -.RE - -The server may be run either as a daemon by users or at startup, or it may -be run from a meta-daemon such as inetd upon request. If run as a daemon, the -server will always be ready, so starting sessions will be faster. If run from -a meta-daemon some memory will be saved and utilities such as the tcpd -TCP-wrapper may be used for extra security. - -When you've decided, continue with either "Running the server as a daemon" or -"Running the server on request". -.SH RUNNING THE SERVER AS A DAEMON -To run the server as a daemon from the command line, simply put the "-D" option -on the command line. There is no need to place an ampersand at the end of the -command line - the "-D" option causes the server to detach itself from the -tty anyway. -Any user can run the server as a daemon (execute permissions permitting, of -course). This is useful for testing purposes. - -To ensure that the server is run as a daemon whenever the machine is started, -you will need to modify the system startup files. Wherever appropriate (for -example, in /etc/rc.d/rc.inet2), insert the following line, substituting -values appropriate to your system: +port number is a positive integer value. -.RS 3 -/usr/local/smb/nmbd -D -l/var/adm/smblogs/log +Don't use this option unless you are an expert, in which case you +won't need help! .RE -(The above should appear in your initialisation script as a single line. -Depending on your terminal characteristics, it may not appear that way in -this man page. If the above appears as more than one line, please treat any -newlines or indentation as a single space or TAB character.) - -If the options used at compile time are appropriate for your system, all -parameters except the desired debug level and "-D" may be omitted. See the -section on "Options" above. -.SH RUNNING THE SERVER ON REQUEST -If your system uses a meta-daemon such as inetd, you can arrange to have the -SMB name server started whenever a process attempts to connect to it. This -requires several changes to the startup files on the host machine. If you are -experimenting as an ordinary user rather than as root, you will need the -assistance of your system administrator to modify the system files. - -First, ensure that a port is configured in the file /etc/services. The -well-known port 137 should be used if possible, though any port may be used. - -Ensure that a line similar to the following is in /etc/services: +.B \-s +.I configuration file .RS 3 -netbios-ns 137/udp -.RE - -Note for NIS/YP users: You may need to rebuild the NIS service maps rather -than alter your local /etc/services file. +The default configuration file name is set at compile time, typically as +.I /etc/smb.conf, +but this may be changed in the Samba Makefile. -Next, put a suitable line in the file /etc/inetd.conf (in the unlikely event -that you are using a meta-daemon other than inetd, you are on your own). Note -that the first item in this line matches the service name in /etc/services. -Substitute appropriate values for your system in this line (see -.B inetd(8)): - -.RS 3 -netbios-ns dgram udp wait root /usr/local/smb/nmbd -l/var/adm/smblogs/log +The file specified contains the configuration details required by the server. +See +.BR smb.conf (5) +for more information. .RE +.SH SIGNALS -(The above should appear in /etc/inetd.conf as a single line. Depending on -your terminal characteristics, it may not appear that way in this man page. -If the above appears as more than one line, please treat any newlines or -indentation as a single space or TAB character.) - -Note that there is no need to specify a port number here, even if you are -using a non-standard port number. -.SH TESTING THE INSTALLATION -If running the server as a daemon, execute it before proceeding. If -using a meta-daemon, either restart the system or kill and restart the -meta-daemon. Some versions of inetd will reread their configuration tables if -they receive a HUP signal. - -To test whether the name server is running, start up a client -.I on a different machine -and see whether the desired name is now present. Alternatively, run -the nameserver -.I on a different machine -specifying "-L netbiosname", where "netbiosname" is the name you have -configured the test server to respond with. The command should respond -with success, and the IP number of the machine using the specified netbios -name. You may need the -B parameter on some systems. See the README -file for more information on testing nmbd. +In version 1.9.18 and above, nmbd will accept SIGHUP, which will cause it to dump out +it's namelists into the file namelist.debug in the SAMBA/var/locks directory. This +will also cause nmbd to dump out it's server database in the log.nmb file. +Also new in version 1.9.18 and above is the ability to raise the debug log +level of nmbd by sending it a SIGUSR1 (kill -USR1 <nmbd-pid>) and to lower +the nmbd log level by sending it a SIGUSR2 (kill -USR2 <nmbd-pid>). This +is to allow transient problems to be diagnosed, whilst still running at +a normally low log level. .SH VERSION -This man page is (mostly) correct for version 1.9.00 of the Samba suite, plus some -of the recent patches to it. These notes will necessarily lag behind -development of the software, so it is possible that your version of -the server has extensions or parameter semantics that differ from or are not -covered by this man page. Please notify these to the address below for -rectification. + +This man page is (mostly) correct for version 1.9.16 of the Samba +suite, plus some of the recent patches to it. These notes will +necessarily lag behind development of the software, so it is possible +that your version of the server has extensions or parameter semantics +that differ from or are not covered by this man page. Please notify +these to the address below for rectification. .SH SEE ALSO -.B inetd(8), -.B smbd(8), -.B smb.conf(5), -.B smbclient(1), -.B testparm(1), -.B testprns(1) - -.SH DIAGNOSTICS -[This section under construction] - -Most diagnostics issued by the server are logged in the specified log file. The -log file name is specified at compile time, but may be overridden on the -command line. - -The number and nature of diagnostics available depends on the debug level used -by the server. If you have problems, set the debug level to 3 and peruse the -log files. - -Most messages are reasonably self-explanatory. Unfortunately, at time of -creation of this man page the source code is still too fluid to warrant -describing each and every diagnostic. At this stage your best bet is still -to grep the source code and inspect the conditions that gave rise to the -diagnostics you are seeing. - -.SH BUGS -None known. +.BR inetd (8), +.BR smbd (8), +.BR smb.conf (5), +.BR smbclient (1), +.BR testparm (1), +.BR testprns (1) .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -This man page written by Karl Auer (Karl.Auer@anu.edu.au) - -See -.B smb.conf(5) for a full list of contributors and details on how to -submit bug reports, comments etc. - - - - - diff --git a/docs/manpages/nmblookup.1 b/docs/manpages/nmblookup.1 new file mode 100644 index 00000000000..50cbbe2c2dc --- /dev/null +++ b/docs/manpages/nmblookup.1 @@ -0,0 +1,126 @@ +.TH NMBLOOKUP 1 "09 Oct 1998" "nmblookup 2.0.0-alpha11" +.SH NAME +nmblookup \- NBT client used to lookup netbios names +.SH SYNOPSIS +.B nmblookup +[ +.B \-M +] [ +.B \-R +] [ +.B \-S +] [ +.B \-r +] [ +.B \-A +] [ +.B \-B +.I broadcast address +] [ +.B \-U +.I unicast address +] [ +.B \-d +.I debuglevel +] +.B name +.SH DESCRIPTION +This program is part of the Samba suite. + +.B nmblookup +is used to find out NetBIOS names in a network. +.SH OPTIONS +.B \-d +.I debuglevel + +.RS 3 +This option sets the debug level. See +.BR smb.conf (5). +.RE + +.B \-B +.I broadcast address +.RS 3 + +Send the query to the broadcast address +.I broadcast address. +The default behavior of nmblookup is to send the query to the broadcast +address of the primary network interface. +.RE + +.B \-U +.I unicast address +.RS 3 + +Do a unicast query to the specified address or host +.I unicast address. +This is needed to query a WINS server. +.RE + +.B \-M + +.RS 3 +Searches for a master browser. +.RE + +.B \-R + +.RS 3 +Do a recursive lookup (needed to direct the query to the WINS portion +of the server rather than the broadcast portion.) + +.RE + +.B \-S + +.RS 3 +Lookup node status as well. +.RE + +.B \-r + +.RS 3 +Use root port 137 (Win95 only replies to this.) +.RE + +.B \-A + +.RS 3 +Do a node status on <name> as an IP Address. +.RE + +.SH EXAMPLES + +.B nmblookup +can be used to query a WINS server (in the same way +.B nslookup +is used to query DNS servers). To query a WINS server, +.B nmblookup +must be called like this: + +.B nmblookup +-U server -R 'query' + +For example, running ' +.B nmblookup +-U samba.anu.edu.au -R IRIX#1B' would query the WINS server +samba.anu.edu.au for the domain master browser (1B name) for the +IRIX workgroup. + +.SH VERSION + +This man page is (mostly) correct for version 1.9.16 of the Samba +suite, plus some of the recent patches to it. These notes will +necessarily lag behind development of the software, so it is possible +that your version of the server has extensions or parameter semantics +that differ from or are not covered by this man page. Please notify +these to the address below for rectification. +.SH SEE ALSO +.BR samba (8), +.BR nmbd (8), +.BR smb.conf (5) +.SH CREDITS +The original Samba software and related utilities were created by +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper +of the Source for this project. + diff --git a/docs/manpages/samba.7 b/docs/manpages/samba.7 index 0c81f736b6e..c87dd4b856f 100644 --- a/docs/manpages/samba.7 +++ b/docs/manpages/samba.7 @@ -1,15 +1,14 @@ -.TH SAMBA 7 29/3/95 Samba Samba +.TH SAMBA 7 "09 Oct 1998" "samba 2.0.0-alpha11" .SH NAME -Samba \- a LanManager like fileserver for Unix +Samba \- a LanManager like fileserver for UNIX .SH SYNOPSIS .B Samba .SH DESCRIPTION The .B Samba software suite is a collection of programs that implements the SMB -protocol for unix systems. This protocol is sometimes also referred to +protocol for UNIX systems. This protocol is sometimes also referred to as the LanManager or Netbios protocol. - .SH COMPONENTS The Samba suite is made up of several components. Each component is @@ -18,25 +17,37 @@ you read the documentation that comes with Samba and the manual pages of those components that you use. If the manual pages aren't clear enough then please send me a patch! -The smbd(8) daemon provides the file and print services to SMB clents, +The +.BR smbd (8) +daemon provides the file and print services to SMB clients, such as Windows for Workgroups, Windows NT or LanManager. The -configuration file for this daemon is described in smb.conf(5). +configuration file for this daemon is described in +.BR smb.conf (5). -The nmbd(8) daemon provides Netbios nameserving and browsing +The +.BR nmbd (8) +daemon provides Netbios nameserving and browsing support. It can also be run interactively to query other name service daemons. -The smbclient(1) program implements a simple ftp-like client. This is +The +.BR smbclient (1) +program implements a simple ftp-like client. This is useful for accessing SMB shares on other compatible servers (such as -WfWg), and can also be used to allow a unix box to print to a printer +WfWg), and can also be used to allow a UNIX box to print to a printer attached to any SMB server (such as a PC running WfWg). -The testparm(1) utility allows you to test your smb.conf(5) +The +.BR testparm (1) +utility allows you to test your +.BR smb.conf (5) configuration file. -The smbstatus(1) utility allows you to tell who is currently using the -smbd(8) server. - +The +.BR smbstatus (1) +utility allows you to tell who is currently using the +.BR smbd (8) +server. .SH AVAILABILITY The Samba software suite is licensed under the Gnu Public License. A @@ -45,7 +56,7 @@ encouraged to distribute copies of the Samba suite, but please keep it intact. The latest version of the Samba suite can be obtained via anonymous -ftp from nimbus.anu.edu.au in the directory pub/tridge/samba/. It is +ftp from samba.anu.edu.au in the directory pub/samba/. It is also available on several mirror sites worldwide. You may also find useful information about Samba on the newsgroup @@ -54,29 +65,26 @@ the mailing list are given in the README file that comes with Samba. If you have access to a WWW viewer (such as Netscape or Mosaic) then you will also find lots of useful information, including back issues -of the Samba mailing list, at http://lake.canberra.edu.au/pub/samba/ - +of the Samba mailing list, at http://samba.anu.edu.au/samba/ .SH AUTHOR The main author of the Samba suite is Andrew Tridgell. He may be -contacted via e-mail at samba-bugs@anu.edu.au. +contacted via e-mail at samba-bugs@samba.anu.edu.au. -There have also been an enourmous number of contributors to Samba from +There have also been an enormous number of contributors to Samba from all over the world. A partial list of these contributors is included in the CREDITS section below. The list is, however, badly out of date. More up to date info may be obtained from the change-log that comes with the Samba source code. - .SH CONTRIBUTIONS If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list. If you have patches to submit or bugs to report then you may mail them -directly to samba-bugs@anu.edu.au. Note, however, that due to the -enourmous popularity of this package I may take some time to repond to -mail. I prefer patches in "diff -u" format. - +directly to samba-bugs@samba.anu.edu.au. Note, however, that due to the +enormous popularity of this package I may take some time to repond to +mail. I prefer patches in "diff \-u" format. .SH CREDITS Contributors to the project are (in alphabetical order by email address): @@ -147,6 +155,8 @@ Contributors to the project are (in alphabetical order by email address): (kuku@acds.physik.rwth-aachen.de) ??? (lance@fox.com) + Leighton, Luke + (lkcl@pires.co.uk) Lendecke, Volker (lendecke@namu01.gwdg.de) ??? @@ -175,8 +185,10 @@ Contributors to the project are (in alphabetical order by email address): (joergs@toppoint.de) S{rkel{, Vesa (vesku@rankki.kcl.fi) + Terpstra, John + (jht@aquasoft.com.au) Tridgell, Andrew - (samba-bugs@anu.edu.au) + (samba-bugs@samba.anu.edu.au) Troyer, Dean (troyer@saifr00.ateng.az.honeywell.com) Wakelin, Ross diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 933d71ff0c3..1251487996b 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -1,4 +1,4 @@ -.TH SMB.CONF 5 11/10/94 smb.conf smb.conf +.TH SMB.CONF 5 "09 Oct 1998" "smb.conf 2.0.0-alpha11" .SH NAME smb.conf \- configuration file for smbd .SH SYNOPSIS @@ -15,7 +15,6 @@ program. The .B smbd program provides LanManager-like services to clients using the SMB protocol. - .SH FILE FORMAT The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next @@ -35,8 +34,8 @@ within a parameter value is retained verbatim. Any line beginning with a semicolon is ignored, as are lines containing only whitespace. -Any line ending in a \\ is "continued" on the next line in the -customary unix fashion. +Any line ending in a \e is "continued" on the next line in the +customary UNIX fashion. The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or @@ -91,7 +90,6 @@ means access will be permitted as the default guest user (specified elsewhere): read only = true printable = true public = true - .SH SPECIAL SECTIONS .SS The [global] section @@ -124,7 +122,7 @@ If no path was given, the path is set to the user's home directory. If you decide to use a path= line in your [homes] section then you may find it useful to use the %S macro. For example path=/data/pchome/%S would be useful if you have different home directories for your PCs -than for unix access. +than for UNIX access. This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss. @@ -212,6 +210,13 @@ could be used simply to limit access to a subset of your local printers. An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols ("|"). + +NOTE: On SYSV systems which use lpstat to determine what printers are +defined on the system you may be able to use "printcap name = lpstat" +to automatically obtain a list of printers. See the "printcap name" +option for more detils. + +.RE .SH PARAMETERS Parameters define the specific attributes of services. @@ -221,7 +226,7 @@ permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter 'G' in parentheses indicates that a parameter is specific to the [global] section. The letter 'S' indicates that a parameter can be -specified in a secvice specific section. Note that all S parameters +specified in a service specific section. Note that all S parameters can also be specified in the [global] section - in which case they will define the default behaviour for all services. @@ -237,7 +242,7 @@ interpreted as "path = /tmp/john" if the user connected with the username john. These substitutions are mostly noted in the descriptions below, but -there are some general substitions which apply whenever they might be +there are some general substitutions which apply whenever they might be relevant. These are: %S = the name of the current service, if any @@ -267,6 +272,16 @@ personality". %M = the internet name of the client machine +%N = the name of your NIS home directory server. This is obtained from +your NIS auto.map entry. If you have not compiled Samba with -DAUTOMOUNT +then this value will be the same as %L. + +%p = the path of the service's home directory, obtained from your NIS +auto.map entry. The NIS auto.map entry is split up as "%N:%p". + +%R = the selected protocol level after protocol negotiation. As of +Samba 1.9.18 it can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. + %d = The process id of the current server process %a = the architecture of the remote machine. Only some are recognised, @@ -283,7 +298,7 @@ substitutions and other smb.conf options. .SS NAME MANGLING -Samba supports "name mangling" so that Dos and Windows clients can use +Samba supports "name mangling" so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. @@ -317,13 +332,25 @@ upper case, or if they are forced to be the "default" case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowered. Default no. -.SS COMPLETE LIST OF GLOBAL PARAMETER +.SS COMPLETE LIST OF GLOBAL PARAMETERS Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms. +announce as + +announce version + auto services +bind interfaces only + +browse list + +character set + +client code page + config file deadtime @@ -336,38 +363,84 @@ default service dfree command +dns proxy + +domain controller + +domain logons + +domain master + encrypt passwords getwd cache +hide files + +hide dot files + +homedir map + hosts equiv include +interfaces + keepalive +lm announce + +lm interval + lock dir load printers +local master + lock directory log file log level +logon drive + +logon home + +logon path + +logon script + lpq cache time mangled stack max log size +max mux + max packet +max ttl + max xmit +max wins ttl + message command +min wins ttl + +name resolve order + +netbios aliases + +netbios name + +nis homedir + null passwords os level @@ -386,10 +459,10 @@ preferred master preload -printing - printcap name +printer driver file + protocol read bmpx @@ -400,6 +473,10 @@ read raw read size +remote announce + +remote browse sync + root root dir @@ -410,27 +487,51 @@ security server string +shared file entries + +shared mem size + +smb passwd file + smbrun +socket address + socket options status strip dot +syslog + +syslog only + time offset +time server + +unix realname + +username level + username map use rhosts valid chars +wins proxy + +wins server + +wins support + workgroup write raw -.SS COMPLETE LIST OF SERVICE PARAMETER +.SS COMPLETE LIST OF SERVICE PARAMETERS Here is a list of all service parameters. See the section of each parameter for details. Note that some are synonyms. @@ -459,14 +560,36 @@ comment default case +delete readonly + +delete veto files + deny hosts directory +directory mask + +directory mode + dont descend +dos filetimes + +dos filetime resolution + exec +fake directory create times + +fake oplocks + +follow symlinks + +force create mode + +force directory mode + force group force user @@ -515,10 +638,14 @@ max connections min print space +networkstation user login + only guest only user +oplocks + path postexec @@ -529,6 +656,12 @@ preserve case print command +printer driver + +printer driver location + +printing + print ok printable @@ -567,6 +700,10 @@ users valid users +veto files + +veto oplock files + volume wide links @@ -582,9 +719,9 @@ write list .SS EXPLANATION OF EACH PARAMETER .RS 3 -.SS admin users (G) +.SS admin users (S) -This is a list of users who will be granted administrative privilages +This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root). @@ -598,6 +735,35 @@ file permissions. .B Example: admin users = jason +.SS announce as (G) + +This specifies what type of server nmbd will announce itself as in +browse lists. By default this is set to Windows NT. The valid options +are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and +Windows for Workgroups respectively. Do not change this parameter +unless you have a specific need to stop Samba appearing as an NT +server as this may prevent Samba servers from participating as +browser servers correctly. + +.B Default: + announce as = NT + +.B Example + announce as = Win95 + +.SS announce version (G) + +This specifies the major and minor version numbers that nmbd +will use when announcing itself as a server. The default is 4.2. +Do not change this parameter unless you have a specific need to +set a Samba server to be a downlevel server. + +.B Default: + announce version = 4.2 + +.B Example: + announce version = 2.0 + .SS auto services (G) This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services @@ -612,21 +778,21 @@ then the "load printers" option is easier. .B Example: auto services = fred lp colorlp - .SS allow hosts (S) A synonym for this parameter is 'hosts allow'. This parameter is a comma delimited set of hosts which are permitted to access -a services. If specified in the [global] section, matching hosts will be -allowed access to any service that does not specifically exclude them from -access. Specific services my have their own list, which override those -specified in the [global] section. +a service. + +If specified in the [global] section then it will apply to all +services, regardless of whether the individual service has a different +setting. You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like "allow hosts = 150.203.5.". The full syntax of the list is described in the man page -.B hosts_access(5). +.BR hosts_access (5). You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also @@ -653,33 +819,21 @@ deny access from one particular host Note that access still requires suitable user-level passwords. -See testparm(1) for a way of testing your host access to see if it +See +.BR testparm (1) +for a way of testing your host access to see if it does what you expect. .B Default: - none (ie., all hosts permitted access) + none (i.e., all hosts permitted access) .B Example: allow hosts = 150.203.5. myhost.mynet.edu.au .SS alternate permissions (S) -This option affects the way the "read only" DOS attribute is produced -for unix files. If this is false then the read only bit is set for -files on writeable shares which the user cannot write to. - -If this is true then it is set for files whos user write bit is not set. - -The latter behaviour of useful for when users copy files from each -others directories, and use a file manager that preserves -permissions. Without this option they may get annoyed as all copied -files will have the "read only" bit set. - -.B Default: - alternate permissions = no - -.B Example: - alternate permissions = yes +This option is deprecated and is only included for backward +compatibility. .SS available (S) This parameter lets you 'turn off' a service. If 'available = no', then @@ -690,6 +844,40 @@ ALL attempts to connect to the service will fail. Such failures are logged. .B Example: available = no + +.SS bind interfaces only (G) +This global parameter (new for 1.9.18) allows the Samba admin to limit +what interfaces on a machine will serve smb requests. If affects file service +(smbd) and name service (nmbd) in slightly different ways. + +For name service it causes nmbd to bind to ports 137 and 138 on +the interfaces listed in the 'interfaces' parameter. nmbd also binds +to the 'all addresses' interface (0.0.0.0) on ports 137 and 138 +for the purposes of reading broadcast messages. If this option is +not set then nmbd will service name requests on all of these +sockets. If "bind interfaces only" is set then nmbd will check +the source address of any packets coming in on the broadcast +sockets and discard any that don't match the broadcast addresses +of the interfaces in the 'interfaces' parameter list. As unicast +packets are received on the other sockets it allows nmbd to +refuse to serve names to machines that send packets that arrive +through any interfaces not listed in the 'interfaces' list. +IP Source address spoofing does defeat this simple check, however +so it must not be used seriously as a security feature for nmbd. + +For file service it causes smbd to bind only to the interface +list given in the 'interfaces' parameter. This restricts the +networks that smbd will serve to packets coming in those interfaces. +Note that you should not use this parameter for machines that +are serving ppp or other intermittant or non-broadcast network +interfaces as it will not cope with non-permanent interfaces. + +.B Default: + bind interfaces only = False + +.B Example: + bind interfaces only = True + .SS browseable (S) This controls whether this share is seen in the list of available shares in a net view and in the browse list. @@ -699,14 +887,71 @@ shares in a net view and in the browse list. .B Example: browseable = No +.SS browse list(G) +This controls whether the smbd will serve a browse list to a client +doing a NetServerEnum call. Normally set to true. You should never +need to change this. + +.B Default: + browse list = Yes + +.SS case sensitive (G) +See the discussion on NAME MANGLING. .SS case sig names (G) See "case sensitive" +.SS character set (G) +This allows a smbd to map incoming characters from a DOS 850 Code page +to either a Western European (ISO8859-1) or Easter European (ISO8859-2) +code page. Normally not set, meaning no filename translation is done. + +.B Default + + character set = + +.B Example + + character set = iso8859-1 + +.SS client code page (G) +Currently (Samba 1.9.17 and above) this may be set to one of two +values, 850 or 437. It specifies the base DOS code page that the +clients accessing Samba are using. To determine this, open a DOS +command prompt and type the command "chcp". This will output the +code page. The default for USA MS-DOS, Windows 95, and Windows NT +releases is code page 437. The default for western european +releases of the above operating systems is code page 850. + +This parameter co-operates with the "valid chars" parameter in +determining what characters are valid in filenames and how +capitalization is done. It has been added as a convenience for +clients whose code page is either 437 or 850 so a convoluted +"valid chars" string does not have to be determined. If you +set both this parameter and the "valid chars" parameter the +"client code page" parameter MUST be set before the "valid chars" +in the smb.conf file. The "valid chars" string will then augment +the character settings in the "client code page" parameter. + +If "client code page" is set to a value other than 850 or 437 +it will default to 850. + +See also : "valid chars". + +.B Default + + client code page = 850 + +.B Example + + client code page = 437 + .SS comment (S) -This is a text field that is seen when a client does a net view to -list what shares are available. It will also be used when browsing is -fully supported. +This is a text field that is seen next to a share when a client does a +net view to list what shares are available. + +If you want to set the string that is displayed next to the machine +name then see the server string command. .B Default: No comment string @@ -726,11 +971,11 @@ file. This option takes the usual substitutions, which can be very useful. -If thew config file doesn't exist then it won't be loaded (allowing +If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients). .B Example: - config file = /usr/local/samba/smb.conf.%m + config file = /usr/local/samba/lib/smb.conf.%m .SS copy (S) This parameter allows you to 'clone' service entries. The specified @@ -750,21 +995,38 @@ in the configuration file than the service doing the copying. .SS create mask (S) A synonym for this parameter is 'create mode'. -This parameter is the octal modes which are used when converting DOS modes -to Unix modes. +When a file is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and +the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. +This parameter may be thought of as a bit-wise MASK for the UNIX +modes of a file. Any bit *not* set here will be removed from the +modes set on a file when it is created. + +The default value of this parameter removes the 'group' and 'other' +write and execute bits from the UNIX modes. + +Following this Samba will bit-wise 'OR' the UNIX mode created from +this parameter with the value of the "force create mode" parameter +which is set to 000 by default. -Note that Samba will or this value with 0700 as you must have at least -user read, write and execute for Samba to work properly. +For Samba 1.9.17 and above this parameter no longer affects directory +modes. See the parameter 'directory mode' for details. + +See also the "force create mode" parameter for forcing particular +mode bits to be set on created files. +See also the "directory mode" parameter for masking mode bits on created +directories. .B Default: - create mask = 0755 + create mask = 0744 .B Example: create mask = 0775 .SS create mode (S) See .B create mask. -.SS dead time (G) + +.SS deadtime (G) The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files @@ -782,13 +1044,15 @@ for most systems. A deadtime of zero indicates that no auto-disconnection should be performed. .B Default: - dead time = 0 + deadtime = 0 .B Example: - dead time = 15 + deadtime = 15 .SS debug level (G) The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the smb.conf file. This is to give +(logging level) to be specified in the +.B smb.conf +file. This is to give greater flexibility in the configuration of the system. The default will be the debug level specified on the command line. @@ -815,7 +1079,7 @@ attempting to connect to a nonexistent service results in an error. Typically the default service would be a public, read-only service. -Also not that s of 1.9.14 the apparent service name will be changed to +Also note that as of 1.9.14 the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service. @@ -831,6 +1095,19 @@ things. path = /%S +.SS delete readonly (S) +This parameter allows readonly files to be deleted. This is not normal DOS +semantics, but is allowed by UNIX. + +This option may be useful for running applications such as rcs, where UNIX +file ownership prevents changing file permissions, and DOS semantics prevent +deletion of a read only file. + +.B Default: + delete readonly = No + +.B Example: + delete readonly = Yes .SS deny hosts (S) A synonym for this parameter is 'hosts deny'. @@ -839,10 +1116,38 @@ access to services unless the specific services have their own lists to override this one. Where the lists conflict, the 'allow' list takes precedence. .B Default: - none (ie., no hosts specifically excluded) + none (i.e., no hosts specifically excluded) .B Example: deny hosts = 150.203.4. badhost.mynet.edu.au + +.SS delete veto files (S) + +This option is used when Samba is attempting to delete a directory +that contains one or more vetoed directories (see the 'veto files' option). +If this option is set to False (the default) then if a vetoed directory +contains any non-vetoed files or directories then the directory delete +will fail. This is usually what you want. + +If this option is set to True, then Samba will attempt +to recursively delete any files and directories within the vetoed +directory. This can be useful for integration with file serving +systems such as Netatalk, which create meta-files within directories +you might normally veto DOS/Windows users from seeing (eg. .AppleDouble) + +Setting 'delete veto files = True' allows these directories to be +transparently deleted when the parent directory is deleted (so long +as the user has permissions to do so). + +.B Default: + delete veto files = False + +.B Example: + delete veto files = True + +See +.B veto files + .SS dfree command (G) The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has @@ -870,24 +1175,112 @@ Note: Your script should NOT be setuid or setgid and should be owned by and remaining space will be used. .B Example: - dfree command = /usr/local/smb/dfree + dfree command = /usr/local/samba/bin/dfree Where the script dfree (which must be made executable) could be - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' +.nf + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' +.fi or perhaps (on Sys V) +.nf #!/bin/sh /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - +.fi Note that you may have to replace the command names with full path names on some systems. .SS directory (S) See .B path. + +.SS directory mask (S) +A synonym for this parameter is 'directory mode'. + +This parameter is the octal modes which are used when converting DOS modes +to UNIX modes when creating UNIX directories. + +When a directory is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and +the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. +This parameter may be thought of as a bit-wise MASK for the UNIX +modes of a directory. Any bit *not* set here will be removed from the +modes set on a directory when it is created. + +The default value of this parameter removes the 'group' and 'other' +write bits from the UNIX mode, allowing only the user who owns the +directory to modify it. + +Following this Samba will bit-wise 'OR' the UNIX mode created from +this parameter with the value of the "force directory mode" parameter. +This parameter is set to 000 by default (ie. no extra mode bits are added). + +See the "force directory mode" parameter to cause particular mode +bits to always be set on created directories. + +See also the "create mode" parameter for masking mode bits on created +files. + +.B Default: + directory mask = 0755 + +.B Example: + directory mask = 0775 + +.SS directory mode (S) +See +.B directory mask. + +.SS dns proxy (G) + +Specifies that nmbd should (as a WINS server), on finding that a NetBIOS +name has not been registered, treat the NetBIOS name word-for-word as +a DNS name. + +Note that the maximum length for a NetBIOS name is 15 +characters, so the DNS name (or DNS alias) can likewise only be 15 +characters, maximum. + +Note also that nmbd will block completely until the DNS name is resolved. +This will result in temporary loss of browsing and WINS services. +Enable this option only if you are certain that DNS resolution is fast, +or you can live with the consequences of periodic pauses in nmbd service. + +.B Default: + dns proxy = yes + +.SS domain controller (G) + +A boolean that says whether Samba should be a domain controller or +not. Set it to "yes" to be a domain controller. + +.B Default: + domain controller = no + +.SS domain logons (G) + +If set to true, the Samba server will serve Windows 95 domain logons +for the workgroup it is in. For more details on setting up this feature +see the file DOMAINS.txt in the Samba source documentation directory. + +.B Default: + domain logons = no + +.SS domain master (G) + +Enable WAN-wide browse list collation. Local master browsers on +broadcast-isolated subnets will give samba their local browse lists, and +ask for a complete copy of the browse list for the whole wide area network. +Browser clients will then contact their local master browser, and will +receive the domain-wide browse list, instead of just the list for their +broadcast-isolated subnet. + +.B Default: + domain master = no + .SS dont descend (S) There are certain directories on some systems (eg., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep @@ -895,26 +1288,176 @@ Linux) that are either not of interest to clients or are infinitely deep of directories that the server should always show as empty. Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you ma need "./proc" instead of just +descend" entries. For example you may need "./proc" instead of just "/proc". Experimentation is the best policy :-) .B Default: - none (ie., all directories are OK to descend) + none (i.e., all directories are OK to descend) .B Example: dont descend = /proc,/dev +.SS dos filetimes (S) +Under DOS and Windows, if a user can write to a file they can change +the timestamp on it. Under POSIX semantics, only the owner of the file +or root may change the timestamp. By default, Samba runs with POSIX +semantics and refuses to change the timestamp on a file if the user +smbd is acting on behalf of is not the file owner. Setting this option +to True allows DOS semantics and smbd will change the file timstamp as +DOS requires. This is a correct implementation of a previous compile-time +options (UTIME_WORKAROUND) which was broken and is now removed. + +.B Default: + dos filetimes = False + +.B Example: + dos filetimes = True + +.SS dos filetime resolution (S) +Under the DOS and Windows FAT filesystem, the finest granulatity on +time resolution is two seconds. Setting this parameter for a share +causes Samba to round the reported time down to the nearest two +second boundary when a query call that requires one second resolution +is made to smbd. + +This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. If oplocks are enabled on a share, +Visual C++ uses two different time reading calls to check if a file +has changed since it was last read. One of these calls uses a one-second +granularity, the other uses a two second granularity. As the two second +call rounds any odd second down, then if the file has a timestamp of an +odd number of seconds then the two timestamps will not match and Visual +C++ will keep reporting the file has changed. Setting this option causes +the two timestamps to match, and Visual C++ is happy. + +.B Default: + dos filetime resolution = False + +.B Example: + dos filetime resolution = True + .SS encrypt passwords (G) This boolean controls whether encrypted passwords will be negotiated -with the cient. Note that this option has no effect if you haven't -compiled in the necessary des libraries and encryption code. It -defaults to no. +with the client. Note that Windows NT 4.0 SP3 and above will by default +expect encrypted passwords unless a registry entry is changed. To use +encrypted passwords in Samba see the file docs/ENCRYPTION.txt. .SS exec (S) This is an alias for preexec +.SS fake directory create times (S) +NTFS and Windows VFAT file systems keep a create time for all files +and directories. This is not the same as the ctime - status change +time - that Unix keeps, so Samba by default reports the earliest +of the various times Unix does keep. Setting this parameter for a +share causes Samba to always report midnight 1-1-1980 as +the create time for directories. + +This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. Visual C++ generated makefiles +have the object directory as a dependency for each object file, +and a make rule to create the directory. Also, when NMAKE +compares timestamps it uses the creation time when examining +a directory. Thus the object directory will be created if it does +not exist, but once it does exist it will always have an earlier +timestamp than the object files it contains. + +However, Unix time semantics mean that the create time reported +by Samba will be updated whenever a file is created or deleted +in the directory. NMAKE therefore finds all object files in the +object directory bar the last one built are out of date compared +to the directory and rebuilds them. Enabling this option ensures +directories always predate their contents and an NMAKE build will +proceed as expected. + +.B Default: + fake directory create times = False + +.B Example: + fake directory create times = True + +.SS fake oplocks (S) + +Oplocks are the way that SMB clients get permission from a server to +locally cache file operations. If a server grants an oplock +(opportunistic lock) then the client is free to assume that it is the +only one accessing the file and it will aggressively cache file +data. With some oplock types the client may even cache file open/close +operations. This can give enormous performance benefits. + +When you set "fake oplocks = yes" Samba will always grant oplock +requests no matter how many clients are using the file. + +By enabling this option on all read-only shares or shares that you know +will only be accessed from one client at a time you will see a big +performance improvement on many operations. If you enable this option +on shares where multiple clients may be accessing the files read-write +at the same time you can get data corruption. Use this option +carefully! + +It is generally much better to use the real oplock support except for +physically read-only media such as CDROMs. + +This option is disabled by default. + +.SS follow symlinks (S) + +This parameter allows the Samba administrator to stop smbd from +following symbolic links in a particular share. Setting this +parameter to "No" prevents any file or directory that is a +symbolic link from being followed (the user will get an error). +This option is very useful to stop users from adding a symbolic +link to /etc/pasword in their home directory for instance. +However it will slow filename lookups down slightly. + +This option is enabled (ie. smbd will follow symbolic links) +by default. + +.SS force create mode (S) +This parameter specifies a set of UNIX mode bit permissions that +will *always* be set on a file created by Samba. This is done +by bitwise 'OR'ing these bits onto the mode bits of a file that +is being created. The default for this parameter is (in octel) +000. The modes in this parameter are bitwise 'OR'ed onto the +file mode after the mask set in the "create mask" parameter +is applied. + +See also the parameter "create mask" for details on masking mode +bits on created files. + +.B Default: + force create mode = 000 + +.B Example: + force create mode = 0755 + +would force all created files to have read and execute permissions +set for 'group' and 'other' as well as the read/write/execute bits +set for the 'user'. + +.SS force directory mode (S) +This parameter specifies a set of UNIX mode bit permissions that +will *always* be set on a directory created by Samba. This is done +by bitwise 'OR'ing these bits onto the mode bits of a directory that +is being created. The default for this parameter is (in octel) +0000 which will not add any extra permission bits to a created +directory. This operation is done after the mode mask in the parameter +"directory mask" is applied. + +See also the parameter "directory mask" for details on masking mode +bits on created directories. + +.B Default: + force directory mode = 000 + +.B Example: + force directory mode = 0755 + +would force all created directories to have read and execute permissions +set for 'group' and 'other' as well as the read/write/execute bits +set for the 'user'. .SS force group (S) This specifies a group name that all connections to this service @@ -943,6 +1486,21 @@ password. Once connected, all file operations will be performed as the .B Example: force user = auser +.SS getwd cache (G) +This is a tuning option. When this is enabled a cacheing algorithm will +be used to reduce the time taken for getwd() calls. This can have a +significant impact on performance, especially when widelinks is False. + +.B Default: + getwd cache = No + +.B Example: + getwd cache = Yes + +.SS group (S) +This is an alias for "force group" and is only kept for compatibility +with old versions of Samba. It may be removed in future versions. + .SS guest account (S) This is a username which will be used for access to services which are specified as 'guest ok' (see below). Whatever privileges this user has @@ -953,8 +1511,9 @@ the specified username overrides this one. One some systems the account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in -as your guest user (perhaps by using the "su -" command) and trying to -print using lpr. +as your guest user (perhaps by using the "su \-" command) and trying to +print using +.BR lpr . Note that as of version 1.9 of Samba this option may be set differently for each service. @@ -964,16 +1523,6 @@ differently for each service. .B Example: guest account = nobody -.SS getwd cache (G) -This is a tuning option. When this is enabled a cacheing algorithm will -be used to reduce the time taken for getwd() calls. This can have a -significant impact on performance, especially when widelinks is False. - -.B Default: - getwd cache = No - -.B Example: - getwd cache = Yes .SS guest ok (S) See .B public. @@ -999,6 +1548,62 @@ a dot appear as hidden files. .B Example: hide dot files = no + + +.SS hide files(S) +This is a list of files or directories that are not visible but are +accessible. The DOS 'hidden' attribute is applied to any files or +directories that match. + +Each entry in the list must be separated by a "/", which allows spaces +to be included in the entry. '*' and '?' can be used to specify multiple +files or directories as in DOS wildcards. + +Each entry must be a unix path, not a DOS path and must not include the +unix directory separator "/". + +Note that the case sensitivity option is applicable in hiding files. + +Setting this parameter will affect the performance of Samba, as +it will be forced to check all files and directories for a match +as they are scanned. + +See also "hide dot files", "veto files" and "case sensitive" + +.B Default + No files or directories are hidden by this option (dot files are + hidden by default because of the "hide dot files" option). + +.B Example + hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ + +The above example is based on files that the Macintosh client (DAVE) +creates for internal use, and also still hides all files beginning with +a dot. + +.SS homedir map (G) +If "nis homedir" is true, this parameter specifies the NIS (or YP) map +from which the server for the user's home directory should be extracted. +At present, only the Sun auto.home map format is understood. The form of +the map is: + +username server:/some/file/system + +and the program will extract the servername from before the first ':'. +There should probably be a better parsing system that copes with different +map formats and also Amd (another automounter) maps. + +NB: The -DNETGROUP option is required in the Makefile for option to work +and on some architectures the line -lrpcsvc needs to be added to the +LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX. + +See also "nis homedir" + +.B Default: + homedir map = auto.home + +.B Example: + homedir map = amd.homedir .SS hosts allow (S) See .B allow hosts. @@ -1006,10 +1611,6 @@ See See .B deny hosts. -.SS group (S) -This is an alias for "force group" and is only kept for compatability -with old versions of Samba. It may be removed in future versions. - .SS hosts equiv (G) If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access @@ -1033,12 +1634,44 @@ or perhaps on a home network where you trust your wife and kids :-) .B Example hosts equiv = /etc/hosts.equiv +.SS include (G) + +This allows you to include one config file inside another. The file is +included literally, as though typed in place. + +It takes the standard substitutions, except %u, %P and %S + +.SS interfaces (G) + +This option allows you to setup multiple network interfaces, so that +Samba can properly handle browsing on all interfaces. + +The option takes a list of ip/netmask pairs. The netmask may either be +a bitmask, or a bitlength. + +For example, the following line: + +interfaces = 192.168.2.10/24 192.168.3.10/24 + +would configure two network interfaces with IP addresses 192.168.2.10 +and 192.168.3.10. The netmasks of both interfaces would be set to +255.255.255.0. + +You could produce an equivalent result by using: + +interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0 + +if you prefer that format. + +If this option is not set then Samba will attempt to find a primary +interface, but won't attempt to configure more than one interface. + .SS invalid users (S) This is a list of users that should not be allowed to login to this service. This is really a "paranoid" check to absolutely ensure an improper setting does not breach your security. -A name starting with @ is interpreted as a unix group. +A name starting with @ is interpreted as a UNIX group. The current servicename is substituted for %S. This is useful in the [homes] section. @@ -1051,48 +1684,87 @@ See also "valid users" .B Example invalid users = root fred admin @wheel -.SS include (G) - -This allows you to inlcude one config file inside another. the file is -included literally, as though typed in place. - -It takes the standard substitutions, except %u, %P and %S - -.SS keep alive (G) +.SS keepalive (G) The value of the parameter (an integer) represents the number of seconds between 'keepalive' packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding. -Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see "socket -options"). Basically you should only use this option if you strike -difficulties. - .B Default: - keep alive = 0 + keep alive = 300 .B Example: keep alive = 60 + +.SS lm announce (G) + +This parameter determines if Samba will produce Lanman announce +broadcasts that are needed by OS/2 clients in order for them to +see the Samba server in their browse list. This parameter can +have three values, true, false, or auto. The default is auto. +If set to False Samba will never produce these broadcasts. If +set to true Samba will produce Lanman announce broadcasts at +a frequency set by the parameter 'lm interval'. If set to auto +Samba will not send Lanman announce broadcasts by default but +will listen for them. If it hears such a broadcast on the wire +it will then start sending them at a frequency set by the parameter +'lm interval'. + +See also "lm interval". + +.B Default: + lm announce = auto + +.B Example: + lm announce = true + +.SS lm interval (G) + +If Samba is set to produce Lanman announce broadcasts needed +by OS/2 clients (see the "lm announce" parameter) this parameter +defines the frequency in seconds with which they will be made. +If this is set to zero then no Lanman announcements will be +made despite the setting of the "lm announce" parameter. + +See also "lm announce". + +.B Default: + lm interval = 60 + +.B Example: + lm interval = 120 + .SS load printers (G) A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. .B Default: - load printers = no + load printers = yes .B Example: - load printers = yes + load printers = no + +.SS local master (G) +This option allows the nmbd to become a local master browser on a +subnet. If set to False then nmbd will not attempt to become a local +master browser on a subnet and will also lose in all browsing elections. +By default this value is set to true. Setting this value to true doesn't +mean that Samba will become the local master browser on a subnet, just +that the nmbd will participate in elections for local master browser. + +.B Default: + local master = yes .SS lock directory (G) -This options specifies the directory where lock files will be placed. +This option specifies the directory where lock files will be placed. The lock files are used to implement the "max connections" option. .B Default: lock directory = /tmp/samba .B Example: - lock directory = /usr/local/samba/locks + lock directory = /usr/local/samba/var/locks + .SS locking (S) This controls whether or not locking will be performed by the server in response to lock requests from the client. @@ -1123,11 +1795,102 @@ This option takes the standard substitutions, allowing you to have separate log files for each user or machine. .B Example: - log file = /usr/local/samba/log.%m + log file = /usr/local/samba/var/log.%m .SS log level (G) see "debug level" +.SS logon drive (G) + +This parameter specifies the local path to which the home directory +will be connected (see "logon home") and is only used by NT Workstations. + +.B Example: + logon drive = h: + +.SS logon home (G) + +This parameter specifies the home directory location when a Win95 or +NT Workstation logs into a Samba PDC. It allows you to do "NET USE +H: /HOME" from a command prompt, for example. + +.B +This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. + +.B Example: + logon home = "\\\\remote_smb_server\\%U" + +.B Default: + logon home = "\\\\%N\\%U" + +.SS logon path (G) + +This parameter specifies the home directory where roaming profiles +(USER.DAT / USER.MAN files for Windows 95) are stored. + +This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. It also specifies +the directory from which the "desktop", "start menu", "nethood" and +"programs" folders, and their contents, are loaded and displayed +on your Windows 95 client. + +The share and the path must be readable by the user for the preferences +and directories to be loaded onto the Windows 95 client. The share +must be writeable when the logs in for the first time, in order that +the Windows 95 client can create the user.dat and other directories. + +Thereafter, the directories and any of contents can, if required, +be made read-only. It is not adviseable that the USER.DAT file be made +read-only - rename it to USER.MAN to achieve the desired effect +(a MANdatory profile). + +Windows clients can sometimes maintain a connection to the [homes] +share, even though there is no user logged in. Therefore, it is +vital that the logon path does not include a reference to the +homes share (i.e \\\\%N\\HOMES\profile_path will cause problems). + +.B +This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. + +.B Default: + logon path = \\\\%N\\%U\\profile + +.B Example: + logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE + +.SS logon script (G) + +This parameter specifies the batch file (.bat) or NT command file (.cmd) +to be downloaded and run on a machine when a user successfully logs in. +The file must contain the DOS style cr/lf line endings. Using a DOS-style +editor to create the file is recommended. + +The script must be a relative path to the [netlogon] service. If the +[netlogon] service specifies a path of /usr/local/samba/netlogon, and +logon script = STARTUP.BAT, then file that will be downloaded is: + +.B /usr/local/samba/netlogon/STARTUP.BAT + +The contents of the batch file is entirely your choice. A suggested +command would be to add NET TIME \\\\SERVER /SET /YES, to force every +machine to synchronise clocks with the same time server. Another use +would be to add NET USE U: \\\\SERVER\\UTILS for commonly used utilities, +or NET USE Q: \\\\SERVER\\ISO9001_QA. + +Note that it is particularly important not to allow write access to +the [netlogon] share, or to grant users write permission on the +batch files in a secure environment, as this would allow the batch +files to be arbitrarily modified. + +.B +This option takes the standard substitutions, allowing you to have +separate logon scripts for each user or machine. + +.B Example: + logon script = scripts/%U.bat + .SS lppause command (S) This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job. @@ -1137,9 +1900,11 @@ job number to pause the print job. Currently I don't know of any print spooler system that can do this with a simple option, except for the PPR system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way of implementing this is by using job priorities, where jobs having a too -low priority wont be sent to the printer. See also the lppause command. +low priority won't be sent to the printer. See also the +.B lppause +command. -If a %p is given then the printername is put in it's place. A %j is +If a %p is given then the printername is put in its place. A %j is replaced with the job number (an integer). On HPUX (see printing=hpux), if the -p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job @@ -1187,9 +1952,9 @@ order to obtain "lpq"-style printer status information. This command should be a program or script which takes a printer name as its only parameter and outputs printer status information. -Currently four styles of printer status information are supported; -BSD, SYSV, AIX and HPUX. This covers most unix systems. You control -which type is expected using the "printing =" option. +Currently six styles of printer status information are supported; BSD, +SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You +control which type is expected using the "printing =" option. Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information @@ -1197,7 +1962,7 @@ about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid. -If a %p is given then the printername is put in it's place. Otherwise +If a %p is given then the printername is put in its place. Otherwise it is placed at the end of the command. Note that it is good practice to include the absolute path in the lpq @@ -1216,7 +1981,7 @@ order to restart or continue printing or spooling a specific print job. This command should be a program or script which takes a printer name and job number to resume the print job. See also the lppause command. -If a %p is given then the printername is put in it's place. A %j is +If a %p is given then the printername is put in its place. A %j is replaced with the job number (an integer). Note that it is good practice to include the absolute path in the lpresume @@ -1235,11 +2000,11 @@ order to delete a print job. This command should be a program or script which takes a printer name and job number, and deletes the print job. -Currently four styles of printer control are supported; BSD, SYSV, AIX -and HPUX. This covers most unix systems. You control which type is -expected using the "printing =" option. +Currently seven styles of printer control are supported; BSD, SYSV, AIX +HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control +which type is expected using the "printing =" option. -If a %p is given then the printername is put in it's place. A %j is +If a %p is given then the printername is put in its place. A %j is replaced with the job number (an integer). Note that it is good practice to include the absolute path in the lprm @@ -1269,7 +2034,7 @@ output file content is undefined. magic output = myfile.txt .SS magic script (S) This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a Unix script +executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user. Scripts executed in this way will be deleted upon completion, permissions @@ -1286,17 +2051,23 @@ marker. Magic scripts must be executable "as is" on the host, which for some hosts and some shells will require filtering at the DOS end. Magic scripts are EXPERIMENTAL and should NOT be relied upon. + .B Default: None. Magic scripts disabled. .B Example: magic script = user.csh + +.SS mangle case (S) + +See the section on "NAME MANGLING" + .SS mangled map (S) This is for those who want to directly map UNIX file names which are not representable on DOS. The mangling of names is not always what is -needed. In particular you may have documents with file extensiosn -that differ between dos and unix. For example, under unix it is common -to use .html for HTML files, whereas under dos .htm is more commonly +needed. In particular you may have documents with file extensions +that differ between DOS and UNIX. For example, under UNIX it is common +to use .html for HTML files, whereas under DOS .htm is more commonly used. So to map 'html' to 'htm' you put: @@ -1304,7 +2075,7 @@ So to map 'html' to 'htm' you put: mangled map = (*.html *.htm) One very useful case is to remove the annoying ;1 off the ends of -filenames on some CDROMS (only visible under some unixes). To do this +filenames on some CDROMS (only visible under some UNIXes). To do this use a map of (*;1 *) .B default: @@ -1313,12 +2084,8 @@ use a map of (*;1 *) .B Example: mangled map = (*;1 *) -.SS mangle case (S) - -See the section on "NAME MANGLING" - .SS mangled names (S) -This controls whether non-DOS names under Unix should be mapped to +This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored. @@ -1332,7 +2099,7 @@ the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name. - a tilde ("~") is appended to the first part of the mangled name, followed -by a two-character unique sequence, based on the origonal root name +by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters. @@ -1346,7 +2113,7 @@ final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case of hidden files - see below). -- files whose Unix name begins with a dot will be presented as DOS hidden +- files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores). @@ -1358,8 +2125,8 @@ This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300. -The name mangling (if enabled) allows a file to be copied between Unix -directories from DOS while retaining the long Unix filename. Unix files can +The name mangling (if enabled) allows a file to be copied between UNIX +directories from DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from DOS and will retain the same basename. Mangled names do not change between sessions. @@ -1379,33 +2146,6 @@ software. Use this option to set it to whatever you prefer. .B Example: mangling char = ^ -.SS max log size (G) - -This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a .old extension. - -A size of 0 means no limit. - -.B Default: - max log size = 5000 - -.B Example: - max log size = 1000 - -.SS max xmit (G) - -This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems. - -.B Default: - max xmit = 65535 - -.B Example: - max xmit = 8192 - .SS mangled stack (G) This parameter controls the number of mangled names that should be cached in the Samba server. @@ -1415,7 +2155,7 @@ maintained if they are longer than 3 characters or contains upper case characters). The larger this value, the more likely it is that mangled names can be -successfully converted to correct long Unix names. However, large stack +successfully converted to correct long UNIX names. However, large stack sizes will slow most directory access. Smaller stacks save memory in the server (each stack element costs 256 bytes). @@ -1429,12 +2169,16 @@ be prepared for some surprises! mangled stack = 100 .SS map archive (S) -This controls whether the DOS archive attribute should be mapped to Unix -execute bits. The DOS archive bit is set when a file has been modified +This controls whether the DOS archive attribute should be mapped to the +UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc... +Note that this requires the 'create mask' to be set such that owner +execute bit is not masked out (ie. it must include 100). See the +parameter "create mask" for details. + .B Default: map archive = yes @@ -1442,8 +2186,12 @@ This can be quite annoying for shared source code, documents, etc... map archive = no .SS map hidden (S) -This controls whether DOS style hidden files should be mapped to Unix -execute bits. +This controls whether DOS style hidden files should be mapped to the +UNIX world execute bit. + +Note that this requires the 'create mask' to be set such that the world +execute bit is not masked out (ie. it must include 001). +See the parameter "create mask" for details. .B Default: map hidden = no @@ -1451,8 +2199,12 @@ execute bits. .B Example: map hidden = yes .SS map system (S) -This controls whether DOS style system files should be mapped to Unix -execute bits. +This controls whether DOS style system files should be mapped to the +UNIX group execute bit. + +Note that this requires the 'create mask' to be set such that the group +execute bit is not masked out (ie. it must include 010). See the parameter +"create mask" for details. .B Default: map system = no @@ -1474,23 +2226,89 @@ will be stored in the directory specified by the "lock directory" option. .B Example: max connections = 10 -.SS only user (S) -This is a boolean option that controls whether connections with -usernames not in the user= list will be allowed. By default this -option is disabled so a client can supply a username to be used by -the server. -Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the [homes] section. To get -around this you could use "user = %S" which means your "user" list -will be just the service name, which for home directories is the name -of the user. +.SS max disk size (G) +This option allows you to put an upper limit on the apparent size of +disks. If you set this option to 100 then all shares will appear to be +not larger than 100 MB in size. -.B Default: - only user = False +Note that this option does not limit the amount of data you can put on +the disk. In the above case you could still store much more than 100 +MB on the disk, but if a client ever asks for the amount of free disk +space or the total disk size then the result will be bounded by the +amount specified in "max disk size". -.B Example: - only user = True +This option is primarily useful to work around bugs in some pieces of +software that can't handle very large disks, particularly disks over +1GB in size. + +A "max disk size" of 0 means no limit. + +.B Default: + max disk size = 0 + +.B Example: + max disk size = 1000 + +.SS max log size (G) + +This option (an integer in kilobytes) specifies the max size the log +file should grow to. Samba periodically checks the size and if it is +exceeded it will rename the file, adding a .old extension. + +A size of 0 means no limit. + +.B Default: + max log size = 5000 + +.B Example: + max log size = 1000 + +.SS max mux (G) + +This option controls the maximum number of outstanding simultaneous SMB +operations that samba tells the client it will allow. You should never need +to set this parameter. + +.B Default: + max mux = 50 + +.SS max packet (G) + +A synonym for this parameter is 'packet size'. + +.SS max ttl (G) + +This option tells nmbd what the default 'time to live' of NetBIOS +names should be (in seconds) when nmbd is requesting a name using +either a broadcast or from a WINS server. You should never need to +change this parameter. + +.B Default: + max ttl = 14400 + +.SS max wins ttl (G) + +This option tells nmbd when acting as a WINS server (wins support = true) +what the maximum 'time to live' of NetBIOS names that nmbd will grant will +be (in seconds). You should never need to change this parameter. +The default is 3 days (259200 seconds). + +.B Default: + max wins ttl = 259200 + +.SS max xmit (G) + +This option controls the maximum packet size that will be negotiated +by Samba. The default is 65535, which is the maximum. In some cases +you may find you get better performance with a smaller value. A value +below 2048 is likely to cause problems. + +.B Default: + max xmit = 65535 + +.B Example: + max xmit = 8192 .SS message command (G) @@ -1540,7 +2358,7 @@ If you want to silently delete it then try "message command = rm %s". For the really adventurous, try something like this: -message command = csh -c 'csh < %s |& /usr/local/samba/smbclient \\ +message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \e -M %m; rm %s' & this would execute the command as a script on the server, then give @@ -1566,6 +2384,113 @@ kilobytes. The default is 0, which means no limit. .B Example: min print space = 2000 +.SS min wins ttl (G) + +This option tells nmbd when acting as a WINS server (wins support = true) +what the minimum 'time to live' of NetBIOS names that nmbd will grant will +be (in seconds). You should never need to change this parameter. +The default is 6 hours (21600 seconds). + +.B Default: + min wins ttl = 21600 + +.SS name resolve order (G) + +This option is used by the programs smbd, nmbd and smbclient to determine +what naming services and in what order to resolve host names to IP addresses. +This option is most useful in smbclient. The option takes a space separated +string of different name resolution options. These are "lmhosts", "host", +"wins" and "bcast". They cause names to be resolved as follows : + +lmhosts : Lookup an IP address in the Samba lmhosts file. +host : Do a standard host name to IP address resolution, using the + system /etc/hosts, NIS, or DNS lookups. This method of name + resolution is operating system depended (for instance on Solaris + this may be controlled by the /etc/nsswitch.conf file). +wins : Query a name with the IP address listed in the "wins server =" + parameter. If no WINS server has been specified this method will + be ignored. +bcast : Do a broadcast on each of the known local interfaces listed in + the "interfaces =" parameter. This is the least reliable of the + name resolution methods as it depends on the target host being + on a locally connected subnet. + +The default order is lmhosts, host, wins, bcast and these name resolution +methods will be attempted in this order. + +This option was first introduced in Samba 1.9.18p4. + +.B Default: + name resolve order = lmhosts host wins bcast + +.Example: + name resolve order = lmhosts bcast host + +This will cause the local lmhosts file to be examined first, followed +by a broadcast attempt, followed by a normal system hostname lookup. + +.SS netbios aliases (G) + +This is a list of names that nmbd will advertise as additional +names by which the Samba server is known. This allows one machine +to appear in browse lists under multiple names. If a machine is +acting as a browse server or logon server none of these names +will be advertised as either browse server or logon servers, only +the primary name of the machine will be advertised with these +capabilities. + +See also 'netbios name'. + +.B Example: + netbios aliases = TEST TEST1 TEST2 + +.SS netbios name (G) + +This sets the NetBIOS name by which a Samba server is known. By +default it is the same as the first component of the host's DNS name. +If a machine is a browse server or logon server this name (or the +first component of the hosts DNS name) will be the name that these +services are advertised under. + +See also 'netbios aliases'. + +.B Example: + netbios name = MYNAME + +.SS nis homedir (G) +Get the home share server from a NIS (or YP) map. For unix systems that +use an automounter, the user's home directory will often be mounted on +a workstation on demand from a remote server. When the Samba logon server +is not the actual home directory server, two network hops are required +to access the home directory and this can be very slow especially with +writing via Samba to an NFS mounted directory. This option allows samba +to return the home share as being on a different server to the logon +server and as long as a samba daemon is running on the home directory +server, it will be mounted on the Samba client directly from the directory +server. When Samba is returning the home share to the client, it will +consult the NIS (or YP) map specified in "homedir map" and return the +server listed there. + +.B Default: + nis homedir = false + +.B Example: + nis homedir = true + +.SS networkstation user login (G) +This global parameter (new for 1.9.18p3) affects server level security. +With this set (recommended) samba will do a full NetWkstaUserLogon to +confirm that the client really should have login rights. This can cause +problems with machines in trust relationships in which case you can +disable it here, but be warned, we have heard that some NT machines +will then allow anyone in with any password! Make sure you test it. + +.B Default: + networkstation user login = yes + +.B Example: + networkstation user login = no + .SS null passwords (G) Allow or disallow access to accounts that have null passwords. @@ -1575,6 +2500,46 @@ Allow or disallow access to accounts that have null passwords. .B Example: null passwords = yes +.SS only guest (S) +A synonym for this command is 'guest only'. + +.SS only user (S) +This is a boolean option that controls whether connections with +usernames not in the user= list will be allowed. By default this +option is disabled so a client can supply a username to be used by +the server. + +Note that this also means Samba won't try to deduce usernames from the +service name. This can be annoying for the [homes] section. To get +around this you could use "user = %S" which means your "user" list +will be just the service name, which for home directories is the name +of the user. + +.B Default: + only user = False + +.B Example: + only user = True + +.SS oplocks (S) +This boolean option tells smbd whether to issue oplocks (opportunistic +locks) to file open requests on this share. The oplock code was introduced in +Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed +of access to files on Samba servers. It allows the clients to agressively +cache files locally and you may want to disable this option for unreliable +network environments (it is turned on by default in Windows NT Servers). +For more information see the file Speed.txt in the Samba docs/ directory. + +Oplocks may be selectively turned off on certain files on a per share basis. +See the 'veto oplock files' parameter. + +.B Default: + oplocks = True + +.B Example: + oplocks = False + + .SS os level (G) This integer value controls what level Samba advertises itself as for browse elections. See BROWSING.txt for details. @@ -1585,19 +2550,19 @@ longer implemented as of version 1.7.00, and is kept only so old configuration files do not become invalid. .SS passwd chat (G) -This string coontrols the "chat" conversation that takes places +This string controls the "chat" conversation that takes places between smbd and the local password changing program to change the users password. The string describes a sequence of response-receive pairs that smbd uses to determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed. -This chat sequence is often quite site specific, deppending on what +This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS+ etc). The string can contain the macros %o and %n which are substituted for -the old and new passwords respectively. It can aso contain the -standard macros \\n \\r \\t and \\s to give line-feed, carriage-return, +the old and new passwords respectively. It can also contain the +standard macros \en \er \et and \es to give line-feed, carriage-return, tab and space. The string can also contain a * which matches any sequence of @@ -1611,17 +2576,18 @@ then no string is sent. Similarly, is the expect string is a fullstop then no string is expected. .B Example: - passwd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n \\ - "*Reenter NEW password*" %n\\n "*Password changed*" + passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en \e + "*Reenter NEW password*" %n\en "*Password changed*" + .B Default: - passwd chat = *old*password* %o\\n *new*password* %n\\n *new*password* %n\\n *changed* + passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed* .SS passwd program (G) The name of a program that can be used to set user passwords. This is only necessary if you have enabled remote password changing at -compile time. Any occurances of %u will be replaced with the user +compile time. Any occurrences of %u will be replaced with the user name. Also note that many passwd programs insist in "reasonable" passwords, @@ -1636,7 +2602,7 @@ Workgroups) uppercase the password before sending it. passwd program = /sbin/passwd %u .SS password level (G) -Some client/server conbinations have difficulty with mixed-case passwords. +Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! @@ -1665,7 +2631,7 @@ you probably have a slow crypt() routine. Samba now comes with a fast sure the PASSWORD_LENGTH option is correct for your system in local.h and includes.h. On most systems only the first 8 chars of a password are significant so PASSWORD_LENGTH should be 8, but on some longer -passwords are significant. The inlcudes.h file tries to select the +passwords are significant. The includes.h file tries to select the right length for your system. .B Default: @@ -1678,18 +2644,22 @@ right length for your system. By specifying the name of another SMB server (such as a WinNT box) with this option, and using "security = server" you can get Samba to -do all it's username/password validation via a remote server. +do all its username/password validation via a remote server. This options sets the name of the password server to use. It must be a -netbios name, so if the machines netbios name is different from it's -internet name then you may have to add it's netbios name to +netbios name, so if the machine's netbios name is different from its +internet name then you may have to add its netbios name to /etc/hosts. +Note that with Samba 1.9.18p4 and above the name of the password +server is looked up using the parameter "name resolve order=" and +so may resolved by any method and order described in that parameter. + The password server much be a machine capable of using the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in user level security mode. -NOTE: Using a password server means your unix box (running Samba) is +NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. @@ -1706,6 +2676,11 @@ If you list several hosts in the "password server" option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down. +If you are using a WindowsNT server as your password server then you +will have to ensure that your users are able to login from the Samba +server, as the network logon will appear to come from there rather +than from the users workstation. + .SS path (S) A synonym for this parameter is 'directory'. @@ -1718,8 +2693,8 @@ and the path should be world-writable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise. -Any occurances of %u in the path will be replaced with the username -that the client is connecting as. Any occurances of %m will be +Any occurrences of %u in the path will be replaced with the username +that the client is connecting as. Any occurrences of %m will be replaced by the name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users. @@ -1747,7 +2722,7 @@ See also preexec none (no command executed) .B Example: - postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log + postexec = echo \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log .SS postscript (S) This parameter forces a printer to interpret the print files as @@ -1771,8 +2746,8 @@ connected to. It takes the usual substitutions. An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example: -preexec = csh -c 'echo \"Welcome to %S!\" | \ - /usr/local/samba/smbclient -M %m -I %I' & +preexec = csh -c 'echo \e"Welcome to %S!\e" | \e + /usr/local/samba/bin/smbclient -M %m -I %I' & Of course, this could get annoying after a while :-) @@ -1782,15 +2757,28 @@ See also postexec none (no command executed) .B Example: - preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log + preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log .SS preferred master (G) This boolean parameter controls if Samba is a preferred master browser -for its workgroup. Setting this gives it a slight edge in elections -and also means it will automatically start an election when it starts -up. +for its workgroup. +If this is set to true, on startup, samba will force an election, +and it will have a slight advantage in winning the election. +It is recommended that this parameter is used in conjunction +with domain master = yes, so that samba can guarantee becoming +a domain master. + +Use this option with caution, because if there are several hosts +(whether samba servers, Windows 95 or NT) that are preferred master +browsers on the same subnet, they will each periodically and continuously +attempt to become the local master browser. This will result in +unnecessary broadcast traffic and reduced browsing capabilities. + +See +.B os level = nn -It is on by default. +.B Default: + preferred master = no .SS preload This is an alias for "auto services" @@ -1823,7 +2811,7 @@ below. The full path name will be used for the filename if %s is not preceded by a /. If you don't like this (it can stuff up some lpq output) then -use %f instead. Any occurances of %f get replaced by the spool +use %f instead. Any occurrences of %f get replaced by the spool filename without the full path at the front. The print command MUST contain at least one occurrence of "%s" or %f - @@ -1838,7 +2826,7 @@ If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed. -Note that printing may fail on some unixes from the "nobody" +Note that printing may fail on some UNIXes from the "nobody" account. If this happens then create an alternative guest account that can print and set the "guest account" in the [global] section. @@ -1853,10 +2841,10 @@ You may have to vary this command considerably depending on how you normally print files on your system. .B Default: - print command = lpr -r -P %p %s + print command = lpr -r -P %p %s .B Example: - print command = /usr/local/samba/myprintscript %p %s + print command = /usr/local/samba/bin/myprintscript %p %s .SS print ok (S) See .B printable. @@ -1876,33 +2864,29 @@ parameter controls only non-printing access to the resource. .B Example: printable = yes -.SS printing (G) -This parameters controls how printer status information is interpreted -on your system, and also affects the default values for the "print -command", "lpq command" and "lprm command". - -Currently three printing styles are supported. They are "printing = -bsd", "printing = sysv", "printing = hpux" and "printing = aix". - -To see what the defaults are for the other print commands when using -these three options use the "testparm" program. - - .SS printcap name (G) This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this. -For those of you without a printcap (say on SysV) you can just create a -minimal file that looks like a printcap and set "printcap name =" in -[global] to point at it. +On SystemV systems that use lpstat to list available printers you +can use "printcap name = lpstat" to automatically obtain lists of +available printers. This is the default for systems that define +SYSV at compile time in Samba (this includes most SystemV based +systems). If "printcap name" is set to lpstat on these systems then +Samba will launch "lpstat -v" and attempt to parse the output to +obtain a printer list. A minimal printcap file would look something like this: print1|My Printer 1 +.br print2|My Printer 2 +.br print3|My Printer 3 +.br print4|My Printer 4 +.br print5|My Printer 5 where the | separates aliases of a printer. The fact that the second @@ -1917,6 +2901,7 @@ will assume the file is in AIX "qconfig" format if the string .B Example: printcap name = /etc/myprintcap + .SS printer (S) A synonym for this parameter is 'printer name'. @@ -1931,9 +2916,85 @@ for any printable service that does not have its own printer name specified. .B Example: printer name = laserwriter + +.SS printer driver (S) +This option allows you to control the string that clients receive when +they ask the server for the printer driver associated with a +printer. If you are using Windows95 or WindowsNT then you can use this +to automate the setup of printers on your system. + +You need to set this parameter to the exact string (case sensitive) +that describes the appropriate printer driver for your system. +If you don't know the exact string to use then you should first try +with no "printer driver" option set and the client will give you a +list of printer drivers. The appropriate strings are shown in a +scrollbox after you have chosen the printer manufacturer. + +.B Example: + printer driver = HP LaserJet 4L + .SS printer name (S) See .B printer. + +.SS printer driver file (G) +This parameter tells Samba where the printer driver definition file, +used when serving drivers to Windows 95 clients, is to be found. If +this is not set, the default is : + +SAMBA_INSTALL_DIRECTORY/lib/printers.def + +This file is created from Windows 95 'msprint.def' files found on the +Windows 95 client system. For more details on setting up serving of +printer drivers to Windows 95 clients, see the documentation file +docs/PRINTER_DRIVER.txt. + +.B Default: + None (set in compile). + +.B Example: + printer driver file = /usr/local/samba/printers/drivers.def + +Related parameters. +.B printer driver location + +.SS printer driver location (S) +This parameter tells clients of a particular printer share where +to find the printer driver files for the automatic installation +of drivers for Windows 95 machines. If Samba is set up to serve +printer drivers to Windows 95 machines, this should be set to + +\e\eMACHINE\ePRINTER$ + +Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ +is a share you set up for serving printer driver files. For more +details on setting this up see the documentation file +docs/PRINTER_DRIVER.txt. + +.B Default: + None + +.B Example: + printer driver location = \e\eMACHINE\ePRINTER$ + +Related paramerers. +.B printer driver file + + +.SS printing (S) +This parameters controls how printer status information is interpreted +on your system, and also affects the default values for the "print +command", "lpq command" and "lprm command". + +Currently six printing styles are supported. They are "printing = +bsd", "printing = sysv", "printing = hpux", "printing = aix", +"printing = qnx" and "printing = plp". + +To see what the defaults are for the other print commands when using +these three options use the "testparm" program. + +As of version 1.9.18 of Samba this option can be set on a per printer basis + .SS protocol (G) The value of the parameter (a string) is the highest protocol level that will be supported by the server. @@ -1941,6 +3002,9 @@ be supported by the server. Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative merits of each are discussed in the README file. +Normally this option should not be set as the automatic negotiation +phase in the SMB protocol takes care of choosing the appropriate protocol. + .B Default: protocol = NT1 @@ -2037,11 +3101,65 @@ pointless and will cause you to allocate memory unnecessarily. .B Example: read size = 8192 +.SS remote announce (G) + +This option allows you to setup nmbd to periodically announce itself +to arbitrary IP addresses with an arbitrary workgroup name. + +This is useful if you want your Samba server to appear in a remote +workgroup for which the normal browse propagation rules don't +work. The remote workgroup can be anywhere that you can send IP +packets to. + +For example: + + remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF + +the above line would cause nmbd to announce itself to the two given IP +addresses using the given workgroup names. If you leave out the +workgroup name then the one given in the "workgroup" option is used +instead. + +The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known +browse masters if your network config is that stable. + +This option replaces similar functionality from the nmbd lmhosts file. + +.SS remote browse sync (G) + +This option allows you to setup nmbd to periodically request synchronisation +of browse lists with the master browser of a samba server that is on a remote +segment. This option will allow you to gain browse lists for multiple +workgroups across routed networks. This is done in a manner that does not work +with any non-samba servers. + +This is useful if you want your Samba server and all local clients +to appear in a remote workgroup for which the normal browse propagation +rules don't work. The remote workgroup can be anywhere that you can send IP +packets to. + +For example: + + remote browse sync = 192.168.2.255 192.168.4.255 + +the above line would cause nmbd to request the master browser on the +specified subnets or addresses to synchronise their browse lists with +the local server. + +The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known +browse masters if your network config is that stable. If a machine IP +address is given Samba makes NO attempt to validate that the remote +machine is available, is listening, nor that it is in fact the browse +master on it's segment. + + .SS revalidate (S) This options controls whether Samba will allow a previously validated username/password pair to be used to attach to a share. Thus if you -connect to \\\\server\\share1 then to \\\\server\\share2 it won't +connect to \e\eserver\eshare1 then to \e\eserver\eshare2 it won't automatically allow the client to request connection to the second share as the same username as the first without a password. @@ -2084,8 +3202,20 @@ The set of files that must be mirrored is operating system dependent. .B Example: root directory = /homes/smb +.SS root postexec (S) + +This is the same as postexec except that the command is run as +root. This is useful for unmounting filesystems (such as cdroms) after +a connection is closed. + +.SS root preexec (S) + +This is the same as preexec except that the command is run as +root. This is useful for mounting filesystems (such as cdroms) before +a connection is finalised. + .SS security (G) -This option does affects how clients respond to Samba. +This option affects how clients respond to Samba. The option sets the "security mode bit" in replies to protocol negotiations to turn share level security on or off. Clients decide based on this bit @@ -2097,8 +3227,8 @@ option at one stage. The alternatives are "security = user" or "security = server". If your PCs use usernames that are the same as their usernames on the -unix machine then you will want to use "security = user". If you -mostly use usernames that don't exist on the unix box then use +UNIX machine then you will want to use "security = user". If you +mostly use usernames that don't exist on the UNIX box then use "security = share". There is a bug in WfWg that may affect your decision. When in user @@ -2123,8 +3253,7 @@ This controls what string will show up in the printer comment box in print manager and next to the IPC connection in "net view". It can be any string that you wish to show to your users. -Note that it DOES NOT affect the string that appears in browse -lists. That is controlled by a nmbd command line option instead. +It also sets what will appear in browse lists next to the machine name. A %v will be replaced with the Samba version number. @@ -2136,50 +3265,52 @@ A %h will be replaced with the hostname. .B Example: server string = University of GNUs Samba Server -.SS smbrun (G) -This sets the full path to the smbrun binary. This defaults to the -value in the Makefile. +.SS set directory (S) +If 'set directory = no', then users of the service may not use the setdir +command to change directory. -You must get this path right for many services to work correctly. +The setdir command is only implemented in the Digital Pathworks client. See the +Pathworks documentation for details. -.B Default: taken from Makefile +.B Default: + set directory = no .B Example: - smbrun = /usr/local/samba/bin/smbrun - -.SS short preserve case (S) - -This controls if new short filenames are created with the case that -the client passes, or if they are forced to be the "default" case. + set directory = yes -.B Default: - short preserve case = no +.SS shared file entries (G) +This parameter has been removed (as of Samba 1.9.18 and above). The new +System V shared memory code prohibits the user from allocating the +share hash bucket size directly. -See the section on "NAME MANGLING" for a fuller discussion. +.SS shared mem size (G) +This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES. +It specifies the size of the shared memory (in bytes) to use between smbd +processes. You should never change this parameter unless you have studied +the source and know what you are doing. This parameter defaults to 1024 +multiplied by the setting of the maximum number of open files in the +file local.h in the Samba source code. MAX_OPEN_FILES is normally set +to 100, so this parameter defaults to 102400 bytes. -.SS root preexec (S) - -This is the same as preexec except that the command is run as -root. This is useful for mounting filesystems (such as cdroms) before -a connection is finalised. +.B Default + shared mem size = 102400 -.SS root postexec (S) +.SS smb passwd file (G) +This option sets the path to the encrypted smbpasswd file. This is a *VERY +DANGEROUS OPTION* if the smb.conf is user writable. By default the path +to the smbpasswd file is compiled into Samba. -This is the same as postexec except that the command is run as -root. This is useful for unmounting filesystems (such as cdroms) after -a connection is closed. +.SS smbrun (G) +This sets the full path to the smbrun binary. This defaults to the +value in the Makefile. -.SS set directory (S) -If 'set directory = no', then users of the service may not use the setdir -command to change directory. +You must get this path right for many services to work correctly. -The setdir comand is only implemented in the Digital Pathworks client. See the -Pathworks documentation for details. .B Default: - set directory = no +taken from Makefile .B Example: - set directory = yes + smbrun = /usr/local/samba/bin/smbrun .SS share modes (S) @@ -2187,15 +3318,15 @@ This enables or disables the honouring of the "share modes" during a file open. These modes are used by clients to gain exclusive read or write access to a file. -These open modes are not directly supported by unix, so they are +These open modes are not directly supported by UNIX, so they are simulated using lock files in the "lock directory". The "lock directory" specified in smb.conf must be readable by all users. The share modes that are enabled by this option are DENY_DOS, DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. -Enabling this option gives full share compatability but may cost a bit -of processing time on the unix server. They are enabled by default. +Enabling this option gives full share compatibility but may cost a bit +of processing time on the UNIX server. They are enabled by default. .B Default: share modes = yes @@ -2203,6 +3334,27 @@ of processing time on the unix server. They are enabled by default. .B Example: share modes = no +.SS short preserve case (S) + +This controls if new short filenames are created with the case that +the client passes, or if they are forced to be the "default" case. + +.B Default: + short preserve case = no + +See the section on "NAME MANGLING" for a fuller discussion. + +.SS socket address (G) + +This option allows you to control what address Samba will listen for +connections on. This is used to support multiple virtual interfaces on +the one server, each with a different configuration. + +By default samba will accept connections on any address. + +.B Example: + socket address = 192.168.2.20 + .SS socket options (G) This option (which can also be invoked with the -O command line option) allows you to set socket options to be used when talking with @@ -2222,7 +3374,7 @@ You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either mis-typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to me -(samba-bugs@anu.edu.au). +(samba-bugs@samba.anu.edu.au). Any of the supported socket options may be combined in any way you like, as long as your OS allows it. @@ -2284,9 +3436,12 @@ completely. Use these options with caution! .SS status (G) This enables or disables logging of connections to a status file that -smbstatus can read. +.B smbstatus +can read. -With this disabled smbstatus won't be able to tell you what +With this disabled +.B smbstatus +won't be able to tell you what connections are active. .B Default: @@ -2295,15 +3450,6 @@ connections are active. .B Example: status = no -.SS strip dot (G) -This is a boolean that controls whether to strup trailing dots off -filenames. This helps with some CDROMs that have filenames ending in a -single dot. - -NOTE: This option is now obsolete, and may be removed in future. You -should use the "mangled map" option instead as it is much more -general. - .SS strict locking (S) This is a boolean that controls the handling of file locking in the server. When this is set to yes the server will check every read and @@ -2322,11 +3468,42 @@ so in the vast majority of cases "strict locking = no" is preferable. .B Example: strict locking = yes +.SS strip dot (G) +This is a boolean that controls whether to strip trailing dots off +UNIX filenames. This helps with some CDROMs that have filenames ending in a +single dot. + +.B Default: + strip dot = no + +.B Example: + strip dot = yes + +.SS syslog (G) +This parameter maps how Samba debug messages are logged onto the +system syslog logging levels. Samba debug level zero maps onto +syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug +level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO. +The paramter sets the threshold for doing the mapping, all Samba +debug messages above this threashold are mapped to syslog LOG_DEBUG +messages. + +.B Default: + + syslog = 1 + +.SS syslog only (G) +If this parameter is set then Samba debug messages are logged into +the system syslog only, and not to the debug log files. + +.B Default: + syslog only = no + .SS sync always (S) This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is -false then the server will be guided by the clients request in each +false then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is true then every write will be followed by a fsync() call to ensure the data is written to disk. @@ -2348,6 +3525,27 @@ that have incorrect daylight saving time handling. .B Example: time offset = 60 +.SS time server (G) +This parameter determines if nmbd advertises itself as a time server +to Windows clients. The default is False. + +.B Default: + time server = False + +.B Example: + time server = True + +.SS unix realname (G) +This boolean parameter when set causes samba to supply the real name field +from the unix password file to the client. This is useful for setting up +mail clients and WWW browsers on systems used by more than one person. + +.B Default: + unix realname = no + +.B Example: + unix realname = yes + .SS user (S) See .B username. @@ -2357,10 +3555,10 @@ A synonym for this parameter is 'user'. Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right). -The username= line is needed only when the PC is unable to supply it's own +The username= line is needed only when the PC is unable to supply its own username. This is the case for the coreplus protocol or where your -users have different WfWg usernames to unix usernames. In both these -cases you may also be better using the \\\\server\\share%user syntax +users have different WfWg usernames to UNIX usernames. In both these +cases you may also be better using the \e\eserver\eshare%user syntax instead. The username= line is not a great solution in many cases as it means Samba @@ -2369,7 +3567,7 @@ usernames in the username= line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely. -Samba relies on the underlying unix security. This parameter does not +Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more @@ -2395,47 +3593,88 @@ on how this parameter determines access to the services. username = fred username = fred, mary, jack, jane, @users, @pcgroup +.SS username level (G) + +This option helps Samba to try and 'guess' at the real UNIX username, +as many DOS clients send an all-uppercase username. By default Samba +tries all lowercase, followed by the username with the first letter +capitalized, and fails if the username is not found on the UNIX machine. + +If this parameter is set to non-zero the behaviour changes. This +parameter is a number that specifies the number of uppercase combinations +to try whilst trying to determine the UNIX user name. The higher the number +the more combinations will be tried, but the slower the discovery +of usernames will be. Use this parameter when you have strange +usernames on your UNIX machine, such as 'AstrangeUser'. + +.B Default: + username level = 0 + +.B Example: + username level = 5 + .SS username map (G) This option allows you to to specify a file containing a mapping of usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on dos or -windows machines to those that the unix box uses. The other is to map +purposes. The most common is to map usernames that users use on DOS or +Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files. The map file is parsed line by line. Each line should contain a single -unix username on the left then a '=' followed by a list of usernames +UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of -the form @group in which case they will match any unix username in +the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' -signs. If the supplied name matrches any of the names on the right +signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line. If any line begins with a '#' or a ';' then it is ignored -For example to map from he name "admin" or "administrator" to the unix +If any line begins with an ! then the processing will stop after that +line if a mapping was done by the line. Otherwise mapping continues +with every line being processed. Using ! is most useful when you have +a wildcard mapping line later in the file. + +For example to map from the name "admin" or "administrator" to the UNIX name "root" you would use root = admin administrator -Or to map anyone in the unix group "system" to the unix name "sys" you +Or to map anyone in the UNIX group "system" to the UNIX name "sys" you would use sys = @system You can have as many mappings as you like in a username map file. -Note that the remapping is applied to all occurances of -usernames. Thus if you connect to "\\\\server\\fred" and "fred" is +You can map Windows usernames that have spaces in them by using double +quotes around the name. For example: + + tridge = "Andrew Tridgell" + +would map the windows username "Andrew Tridgell" to the unix username +tridge. + +The following example would map mary and fred to the unix user sys, +and map the rest to guest. Note the use of the ! to tell Samba to stop +processing if it gets a match on that line. + + !sys = mary fred + guest = * + + +Note that the remapping is applied to all occurrences of +usernames. Thus if you connect to "\e\eserver\efred" and "fred" is remapped to "mary" then you will actually be connecting to -"\\\\server\\mary" and will need to supply a password suitable for -"mary" not "fred". The only exception to this is the username passwed +"\e\eserver\emary" and will need to supply a password suitable for +"mary" not "fred". The only exception to this is the username passed to the "password server" (if you have one). The password server will receive whatever username the client supplies without modification. @@ -2462,7 +3701,7 @@ between them then it will be taken as an lowercase:uppercase pair. If you have an editor capable of entering the characters into the config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexidecimal form +you can specify the characters in octal, decimal or hexadecimal form using the usual C notation. For example to add the single character 'Z' to the charset (which is a @@ -2473,11 +3712,20 @@ valid chars = Z valid chars = z:Z valid chars = 0132:0172 -The last two examples above actually add two characters, and alters +The last two examples above actually add two characters, and alter the uppercase and lowercase mappings appropriately. +Note that you MUST specify this parameter after the "client code page" +parameter if you have both set. If "client code page" is set after +the "valid chars" parameter the "valid chars" settings will be +overwritten. + +See also the "client code page" parameter. + .B Default +.br Samba defaults to using a reasonable set of valid characters +.br for english systems .B Example @@ -2486,9 +3734,15 @@ the uppercase and lowercase mappings appropriately. The above example allows filenames to have the swedish characters in them. +NOTE: It is actually quite difficult to correctly produce a "valid +chars" line for a particular system. To automate the process +tino@augsburg.net has written a package called "validchars" which will +automatically produce a complete "valid chars" line for a given client +system. Look in the examples subdirectory for this package. + .SS valid users (S) This is a list of users that should be allowed to login to this -service. A name starting with @ is interpreted as a unix group. +service. A name starting with @ is interpreted as a UNIX group. If this is empty (the default) then any user can login. If a username is in both this list and the "invalid users" list then access is @@ -2505,15 +3759,76 @@ See also "invalid users" .B Example valid users = greg, @pcusers + +.SS veto files(S) +This is a list of files and directories that are neither visible nor +accessible. Each entry in the list must be separated by a "/", which +allows spaces to be included in the entry. '*' and '?' can be used to +specify multiple files or directories as in DOS wildcards. + +Each entry must be a unix path, not a DOS path and must not include the +unix directory separator "/". + +Note that the case sensitivity option is applicable in vetoing files. + +One feature of the veto files parameter that it is important to be +aware of, is that if a directory contains nothing but files that +match the veto files parameter (which means that Windows/DOS clients +cannot ever see them) is deleted, the veto files within that directory +*are automatically deleted* along with it, if the user has UNIX permissions +to do so. + +Setting this parameter will affect the performance of Samba, as +it will be forced to check all files and directories for a match +as they are scanned. + +See also "hide files" and "case sensitive" + +.B Default + No files or directories are vetoed. + +.B Examples + Example 1. + Veto any files containing the word Security, + any ending in .tmp, and any directory containing the + word root. + + veto files = /*Security*/*.tmp/*root*/ + + Example 2. + Veto the Apple specific files that a NetAtalk server + creates. + + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + +.SS veto oplock files (S) +This parameter is only valid when the 'oplocks' parameter is turned on +for a share. It allows the Samba administrator to selectively turn off +the granting of oplocks on selected files that match a wildcarded list, +similar to the wildcarded list used in the 'veto files' parameter. + +.B Default + No files are vetoed for oplock grants. + +.B Examples +You might want to do this on files that you know will be heavily +contended for by clients. A good example of this is in the NetBench +SMB benchmark program, which causes heavy client contention for files +ending in .SEM. To cause Samba not to grant oplocks on these files +you would use the line (either in the [global] section or in the section +for the particular NetBench share : + + veto oplock files = /*.SEM/ + .SS volume (S) This allows you to override the volume label returned for a -share. Useful for CDROMs whos installation programs insist on a +share. Useful for CDROMs with installation programs that insist on a particular volume label. The default is the name of the share .SS wide links (S) -This parameter controls whether or not links in the Unix file system may be +This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported. @@ -2524,12 +3839,40 @@ only to areas that are outside the directory tree being exported. .B Example: wide links = no +.SS wins proxy (G) + +This is a boolean that controls if nmbd will respond to broadcast name +queries on behalf of other hosts. You may need to set this to no for +some older clients. + +.B Default: + wins proxy = no +.SS wins server (G) + +This specifies the DNS name (or IP address) of the WINS server that Samba +should register with. If you have a WINS server on your network then you +should set this to the WINS servers name. + +You should point this at your WINS server if you have a multi-subnetted +network. +.B Default: + wins server = + +.SS wins support (G) + +This boolean controls if the nmbd process in Samba will act as a WINS server. +You should not set this to true unless you have a multi-subnetted network and +you wish a particular nmbd to be your WINS server. Note that you +should *NEVER* set this to true on more than one machine in your +network. + +.B Default: + wins support = no + .SS workgroup (G) This controls what workgroup your server will appear to be in when -queried by clients. This can be different to the workgroup specified -in the nmbd configuration, but it is probably best if you set them to -the same value. +queried by clients. .B Default: set in the Makefile @@ -2537,11 +3880,6 @@ the same value. .B Example: workgroup = MYGROUP -.SS write ok (S) -See -.B writable -and -.B read only. .SS writable (S) A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'. @@ -2576,6 +3914,11 @@ See also the "read list" option .B Example: write list = admin, root, @staff +.SS write ok (S) +See +.B writable +and +.B read only. .SS write raw (G) This parameter controls whether or not the server will support raw writes when transferring data from clients. @@ -2585,6 +3928,7 @@ transferring data from clients. .B Example: write raw = no + .SH NOTE ABOUT USERNAME/PASSWORD VALIDATION There are a number of ways in which a user can connect to a service. The server follows the following steps in determining if it @@ -2595,15 +3939,15 @@ the following steps are not checked. If the service is marked "guest only = yes" then steps 1 to 5 are skipped Step 1: If the client has passed a username/password pair and that -username/password pair is validated by the unix systems password +username/password pair is validated by the UNIX system's password programs then the connection is made as that username. Note that this -includes the \\\\server\\service%username method of passing a username. +includes the \e\eserver\eservice%username method of passing a username. Step 2: If the client has previously registered a username with the system and now supplies a correct password for that username then the connection is allowed. -Step 3: The clients netbios name and any previously used user names +Step 3: The client's netbios name and any previously used user names are checked against the supplied password, if they match then the connection is allowed as the corresponding user. @@ -2614,7 +3958,7 @@ for this service. Step 5: If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password -matches (according to the unix systems password checking) with one of +matches (according to the UNIX system's password checking) with one of the usernames from the user= field then the connection is made as the username in the "user=" line. If one of the username in the user= list begins with a @ then that name expands to a list of names in the group @@ -2623,8 +3967,6 @@ of the same name. Step 6: If the service is a guest service then a connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password. - - .SH WARNINGS Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, @@ -2641,7 +3983,7 @@ administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. .SH VERSION -This man page is (mostly) correct for version 1.9.00 of the Samba suite, plus some +This man page is (mostly) correct for version 1.9.18 of the Samba suite, plus some of the recent patches to it. These notes will necessarily lag behind development of the software, so it is possible that your version of the server has extensions or parameter semantics that differ from or are not @@ -2653,27 +3995,25 @@ radically different (more primitive). If you are using a version earlier than 1.8.05, it is STRONGLY recommended that you upgrade. .SH OPTIONS Not applicable. - .SH FILES Not applicable. - .SH ENVIRONMENT VARIABLES Not applicable. - .SH SEE ALSO -.B smbd(8), -.B smbclient(1), -.B nmbd(8), -.B testparm(1), -.B testprns(1), -.B lpq(1), -.B hosts_access(5) +.BR smbd (8), +.BR smbclient (1), +.BR nmbd (8), +.BR testparm (1), +.BR testprns (1), +.BR lpq (1), +.BR hosts_access (5) .SH DIAGNOSTICS [This section under construction] Most diagnostics issued by the server are logged in a specified log file. The log file name is specified at compile time, but may be overridden on the -smbd (see smbd(8)) command line. +smbd command line (see +.BR smbd (8)). The number and nature of diagnostics available depends on the debug level used by the server. If you have problems, set the debug level to 3 and peruse the @@ -2684,26 +4024,25 @@ creation of this man page the source code is still too fluid to warrant describing each and every diagnostic. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing. - .SH BUGS None known. Please send bug reports, comments and so on to: .RS 3 -.B samba-bugs@anu.edu.au (Andrew Tridgell) +.B samba-bugs@samba.anu.edu.au (Andrew Tridgell) .RS 3 -or to the mailing list +or to the mailing list: .RE .B samba@listproc.anu.edu.au .RE -You may also like to subscribe to the announcement channel +You may also like to subscribe to the announcement channel: .RS 3 -samba-announce@listproc.anu.edu.au +.B samba-announce@listproc.anu.edu.au .RE To subscribe to these lists send a message to @@ -2714,6 +4053,6 @@ Errors or suggestions for improvements to the Samba man pages should be mailed to: .RS 3 -.B samba-bugs@anu.edu.au (Andrew Tridgell) +.B samba-bugs@samba.anu.edu.au (Andrew Tridgell) .RE diff --git a/docs/manpages/smbclient.1 b/docs/manpages/smbclient.1 index 5590e01296e..f4f3bbb9445 100644 --- a/docs/manpages/smbclient.1 +++ b/docs/manpages/smbclient.1 @@ -1,4 +1,4 @@ -.TH SMBCLIENT 1 17/1/1995 smbclient smbclient +.TH SMBCLIENT 1 "09 Oct 1998" "smbclient 2.0.0-alpha11" .SH NAME smbclient \- ftp-like Lan Manager client program .SH SYNOPSIS @@ -7,43 +7,54 @@ smbclient \- ftp-like Lan Manager client program [ .B password ] [ -.B -A +.B \-A ] [ -.B -E +.B \-E ] [ -.B -L +.B \-L .I host ] [ -.B -M +.B \-M .I host ] [ -.B -I +.B \-I .I IP number ] [ -.B -N +.B \-R +.I name resolve order ] [ -.B -P +.B \-N ] [ -.B -U +.B \-P +] [ +.B \-U .I username ] [ -.B -d +.B \-d .I debuglevel ] [ -.B -l +.B \-l .I log basename ] [ -.B -n +.B \-n .I netbios name ] [ -.B -O +.B \-W +.I workgroup +] [ +.B \-O .I socket options ] [ -.B -p +.B \-p .I port number -.B -T +] [ +.B \-c +.I command string +] [ +.B \-T .I tar options -.B -D +] [ +.B \-D .I initial directory ] .SH DESCRIPTION @@ -54,17 +65,17 @@ is a client that can 'talk' to a Lan Manager server. It offers an interface similar to that of the .B ftp program (see -.B ftp(1)). Operations include things like getting files from the +.BR ftp (1)). +Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. - .SH OPTIONS .B servicename .RS 3 .B servicename is the name of the service you want to use on the server. A service name takes the form -.B "\\\\\\\\server\\\\service" +.B "\e\eserver\eservice" where .B server is the netbios name of the Lan Manager server offering the desired service and @@ -73,12 +84,17 @@ is the name of the service offered. Thus to connect to the service "printer" on the Lan Manager server "lanman", you would use the servicename .RS 10 -.B "\\\\\\\\lanman\\\\printer" +.B "\e\elanman\eprinter" .RE Note that the server name required is NOT necessarily the host name of the server! The name required is a Lan Manager server name, which may or may not be the same as the hostname of the machine running the server. + +With Samba 1.9.18p4 the server name is looked up according to the +"name resolve order=" parameter in the smb.conf file, allowing an +administrator to change the order and methods by which server names +are looked up. .RE .B password @@ -87,16 +103,16 @@ be the same as the hostname of the machine running the server. password is the password required to access the specified service on the specified server. If supplied, the -.B -N +.B \-N option (suppress password prompt) is assumed. There is no default password. If no password is supplied on the command line (either here or using the -.B -U +.B \-U option (see below)) and -.B -N +.B \-N is not specified, the client will prompt for a password, even if the desired -service does not require one. (If prompted for a password and none is +service does not require one. (If no password is required, simply press ENTER to provide a null password.) Note: Some servers (including OS/2 and Windows for Workgroups) insist @@ -106,7 +122,16 @@ rejected by these servers. Be cautious about including passwords in scripts. .RE -.B -A +.B \-R name resolve order + +.RS 3 +This parameter will override the default name resolution order of the +server listed in the "name resolve order" parameter in smb.conf. This +is useful to force name resolution to take place by a particular method. +This command line parameter only exists in Samba 1.9.18p4 and above. +.RE + +.B \-A .RS 3 This parameter, if specified, causes the maximum debug level to be selected. @@ -115,21 +140,23 @@ a security issue involved, as at the maximum debug level cleartext passwords may be written to some log files. .RE -.B -L +.B \-L .RS 3 This option allows you to look at what services are available on a server. You use it as "smbclient -L host" and a list should appear. -The -I option may be useful if your netbios names don't match your +The +.B \-I +option may be useful if your netbios names don't match your tcp/ip host names or if you are trying to reach a host on another network. For example: smbclient -L ftp -I ftp.microsoft.com -will list the shares available on microsofts public server. +will list the shares available on Microsoft's public server. .RE -.B -M +.B \-M .RS 3 This options allows you to send messages, using the "WinPopup" @@ -143,22 +170,30 @@ message will be lost, and no error message will occur. The message is also automatically truncated if the message is over 1600 bytes, as this is the limit of the protocol. -One useful trick is to cat the message through smbclient. For example: +One useful trick is to cat the message through +.BR smbclient . +For example: cat mymessage.txt | smbclient -M FRED will send the message in the file "mymessage.txt" to the machine FRED. -You may also find the -U and -I options useful, as they allow you to +You may also find the +.B \-U +and +.B \-I +options useful, as they allow you to control the FROM and TO parts of the message. -Samba currently has no way of receiving WinPopup messages. +See the message command section of +.BR smb.conf (5) +for a description of how to handle incoming WinPopup messages in Samba. Note: Copy WinPopup into the startup group on your WfWg PCs if you want them to always be able to receive messages. .RE -.B -E +.B \-E .RS 3 This parameter, if specified, causes the client to write messages to the @@ -168,7 +203,7 @@ By default, the client writes messages to standard output - typically the user's tty. .RE -.B -I +.B \-I .I IP number .RS 3 @@ -185,7 +220,7 @@ There is no default for this parameter. If not supplied, it will be determined automatically by the client as described above. .RE -.B -N +.B \-N .RS 3 If specified, this parameter suppresses the normal password prompt from the @@ -196,14 +231,16 @@ Unless a password is specified on the command line or this parameter is specified, the client will request a password. .RE -.B -O +.B \-O .I socket options -.RS 3 - -See the socket options section of smb.conf(5) for details +.RS 3 +See the socket options section of +.BR smb.conf (5) +for details. .RE -.B -P + +.B \-P .RS 3 If specified, the service requested will be connected to as a printer service @@ -213,7 +250,7 @@ will not be applicable for such a connection. By default, services will be connected to as NON-printer services. .RE -.B -U +.B \-U .I username .RS 3 @@ -237,21 +274,28 @@ If no is supplied and neither environment variable exists the user name will be empty. +If the USER environment variable containts a '%' character, everything +after that will be treated as a password. This allows you to set the +environment variable to be +.B USER=username%password +so that a password is not passed on the command line (where it may +be seen by the ps command). + If the service you are connecting to requires a password, it can be supplied using the -.B -U +.B \-U option, by appending a percent symbol ("%") then the password to .I username. For example, to attach to a service as user "fred" with password "secret", you would specify -.B -U +.B \-U .I fred%secret on the command line. Note that there are no spaces around the percent symbol. If you specify the password as part of .I username then the -.B -N +.B \-N option (suppress password prompt) is assumed. If you specify the password as a parameter AND as part of @@ -269,10 +313,10 @@ rejected by these servers. Be cautious about including passwords in scripts. .RE -.B -d +.B \-d .I debuglevel -.RS 3 +.RS 3 debuglevel is an integer from 0 to 5. The default value if this parameter is not specified is zero. @@ -288,7 +332,7 @@ use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic. .RE -.B -l +.B \-l .I log basename .RS 3 @@ -312,9 +356,8 @@ log.client.out (containing outbound transaction data) The log files generated are never removed by the client. .RE -.RE -.B -n +.B \-n .I netbios name .RS 3 @@ -323,10 +366,18 @@ uppercase) as its netbios name. This parameter allows you to override the host name and use whatever netbios name you wish. .RE -.B -p -.I port number +.B \-W +.I workgroup + .RS 3 +Override what workgroup is used for the connection. This may be needed +to connect to some servers. +.RE + +.B \-p +.I port number +.RS 3 port number is a positive integer value. The default value if this parameter is not specified is 139. @@ -336,15 +387,29 @@ the server. The standard (well-known) port number for the server is 139, hence the default. This parameter is not normally specified. +.RE -.B -T +.B \-T .I tar options -.RS3 -where tar options are one or more of c,x,I,X,b,g,N or a; used as: +.RS 3 +where +.I tar options +consists of one or more of +.BR c , +.BR x , +.BR I , +.BR X , +.BR b , +.BR g , +.BR q , +.BR N +or +.BR a ; +used as: .LP smbclient -.B "\\\\\\\\server\\\\share" +.B "\e\eserver\eshare" \-TcxIXbgNa [ .IR blocksize @@ -354,21 +419,30 @@ smbclient ] .IR tarfile [ -.IR filenames.... +.IR filenames ... ] -.RS3 +.RS 3 .B c Create a tar file on UNIX. Must be followed by the name of a tar file, -tape device or "-" for standard output. (May be useful to set debugging -low (-d0)) to avoid corrupting your tar file if using "-"). Mutually -exclusive with the x flag. +tape device or "\-" for standard output. (May be useful to set debugging +low +.RB ( -d0 )) +to avoid corrupting your tar file if using "\-"). Mutually +exclusive with the +.B x +flag. .B x -Extract (restore) a local tar file back to a share. Unless the -D +Extract (restore) a local tar file back to a share. Unless the +.B \-D option is given, the tar files will be restored from the top level of -the share. Must be followed by the name of the tar file, device or "-" -for standard input. Mutually exclusive with the c flag. +the share. Must be followed by the name of the tar file, device or "\-" +for standard input. Mutually exclusive with the +.B c +flag. Restored files have theuir creation times (mtime) set to the date saved in +the tar file. Directories currently do not get their creation dates restored +properly. .B I Include files and directories. Is the default behaviour when @@ -389,49 +463,93 @@ blocks. .B g Incremental. Only back up files that have the archive bit set. Useful -only with the c flag. +only with the +.B c +flag. + +.B q +Quiet. Keeps tar from printing diagnostics as it works. This is the +same as tarmode quiet. .B N Newer than. Must be followed by the name of a file whose date is compared against files found on the share during a create. Only files newer than the file specified are backed up to the tar file. Useful -only with the c flag. +only with the +.B c +flag. .B a Set archive bit. Causes the archive bit to be reset when a file is backed -up. Useful with the g (and c) flags. +up. Useful with the +.B g +(and +.BR c ) +flags. .LP +.B Long File Names + +smbclient's tar option now supports long file names both on backup and +restore. However, the full path name of the file must be less than 1024 bytes. +Also, when a tar archive is created, smbclient's tar option places all files +in the archive with relative names, not absolute names. + +.B Filenames ... + +All file names can be given as DOS path names (with \e as the component +separator) or as UNIX path names (with / as the component separator). + .B Examples -smbclient \\\\mypc\\myshare "" -N -Tx backup.tar +smbclient \e\emypc\emyshare "" -N -Tx backup.tar Restore from tar file backup.tar into myshare on mypc (no password on share). -smbclient \\\\mypc\\myshare "" -N -TXx backup.tar users/docs +smbclient \e\emypc\emyshare "" -N -TXx backup.tar users/docs Restore everything except users/docs -smbclient \\\\mypc\\myshare "" -N -Tc backup.tar users/docs +smbclient \e\emypc\emyshare "" -N -Tc backup.tar users/docs Create a tar file of the files beneath users/docs. +smbclient \e\emypc\emyshare "" -N -tc backup.tar users\edocs + +Create the same tar file as above, but now use a DOS path name. + +smbclient \e\emypc\emyshare "" -N -Tc backup.tar \e* + +Create a tar file of all the files and directories in the share. +.RE .RE -.B -D +.B \-D .I initial directory -.RS3 - +.RS 3 Change to initial directory before starting. Probably only of any use -with the tar (\-T) option. +with the tar +.RB ( \-T ) +option. +.RE +.B \-c +.I command string -.RE +.RS 3 +command string is a semicolon separated list of commands to be +executed instead of prompting from stdin. +.B \-N +is implied by +.BR \-c . +This is particularly useful in scripts and for printing stdin to +the server, e.g. \-c 'print \-'. +.RE .SH OPERATIONS -Once the client is running, the user is presented with a prompt, "smb: \\>". -The backslash ("\\") indicates the current working directory on the server, +Once the client is running, the user is presented with a prompt, "smb: \e>". +The backslash ("\e") indicates the current working directory on the server, and will change if the current working directory is changed. The prompt indicates that the client is ready and waiting to carry out a user @@ -573,7 +691,9 @@ Copy the file called from the server to the machine running the client. If specified, name the local copy .I local file name. -Note that all transfers in smbclient are binary. See also the +Note that all transfers in +.B smbclient +are binary. See also the .B lowercase command. .RE @@ -637,7 +757,7 @@ when using the and .B mget commands. This is often useful when copying (say) MSDOS files from a server, -because lowercase filenames are the norm on Unix systems. +because lowercase filenames are the norm on UNIX systems. .RE .RE @@ -747,8 +867,9 @@ operation - refer to the .B recurse and .B mask -commands for more information. Note that all transfers in smbclient are -binary. See also the +commands for more information. Note that all transfers in +.B smbclient +are binary. See also the .B lowercase command. .RE @@ -791,8 +912,9 @@ operation - refer to the .B recurse and .B mask -commands for more information. Note that all transfers in smbclient are -binary. +commands for more information. Note that all transfers in +.B smbclient +are binary. .RE .RE @@ -866,7 +988,9 @@ Copy the file called from the machine running the client to the server. If specified, name the remote copy .I remote file name. -Note that all transfers in smbclient are binary. See also the +Note that all transfers in +.B smbclient +are binary. See also the .B lowercase command. .RE @@ -927,17 +1051,16 @@ None. Toggle directory recursion for the commands .B mget and -.B mput -. +.BR mput . When toggled ON, these commands will process all directories in the source -directory (ie., the directory they are copying -.I from -) and will recurse into any that match the mask specified to the command. Only +directory (i.e., the directory they are copying +.IR from ) +and will recurse into any that match the mask specified to the command. Only files that match the mask specified using the .B mask command will be retrieved. See also the -.mask +.B mask command. When recursion is toggled OFF, only files from the current working @@ -990,11 +1113,13 @@ Remove the specified directory (user access privileges permitting) .RE .B Description: .RS 3 -Performs a tar operation - see -T command line option above. Behaviour +Performs a tar operation - see the +.B \-T +command line option above. Behaviour may be affected by the .B tarmode -command (see below). Using the g (incremental) and N (newer) will affect -tarmode settings. Note that using the "-" option with tar x may not +command (see below). Using g (incremental) and N (newer) will affect +tarmode settings. Note that using the "\-" option with tar x may not work - use the command line option instead. .RE .RE @@ -1035,7 +1160,7 @@ on all files it backs up (implies read/write share). .RS 3 .B Parameters .RS 3 -.I <filename> <perm=[+|-]rsha> +.I <filename> <perm=[+|\-]rsha> .RE .B Description @@ -1047,14 +1172,13 @@ setmode myfile +r would make myfile read only. .RE .RE - .SH NOTES Some servers are fussy about the case of supplied usernames, passwords, share names (aka service names) and machine names. If you fail to connect try giving all parameters in uppercase. It is often necessary to use the -.B -n +.B \-n option when connecting to some types of servers. For example OS/2 LanManager insists on a valid netbios name being used, so you need to supply a valid name that would be known to @@ -1063,10 +1187,8 @@ the server. .B smbclient supports long file names where the server supports the LANMAN2 protocol. - .SH FILES Not applicable. - .SH ENVIRONMENT VARIABLES .B USER .RS 3 @@ -1074,12 +1196,12 @@ The variable USER may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords. .RE - .SH INSTALLATION The location of the client program is a matter for individual system administrators. The following are thus suggestions only. -It is recommended that the client software be installed under the /usr/local +It is recommended that the client software be installed under the +/usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The client program itself should be executable by all. The client should NOT be setuid or setgid! @@ -1088,8 +1210,11 @@ The client log files should be put in a directory readable and writable only by the user. To test the client, you will need to know the name of a running Lan manager -server. It is possible to run the smbd (see -.B smbd(8)) as an ordinary user - running that server as a daemon on a +server. It is possible to run +.B smbd +(see +.BR smbd (8)) +as an ordinary user - running that server as a daemon on a user-accessible port (typically any port number over 1024) would provide a suitable test server. .SH VERSION @@ -1100,8 +1225,7 @@ the client has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B smbd(8) - +.BR smbd (8) .SH DIAGNOSTICS [This section under construction] @@ -1118,16 +1242,14 @@ creation of this man page the source code is still too fluid to warrant describing each and every diagnostic. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing. - .SH BUGS None known. .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -This man page written by Karl Auer (Karl.Auer@anu.edu.au) - See -.B smb.conf(5) for a full list of contributors and details on how to +.BR smb.conf (5) +for a full list of contributors and details on how to submit bug reports, comments etc. diff --git a/docs/manpages/smbd.8 b/docs/manpages/smbd.8 index bae41b2c479..fbc4b6e8c1f 100644 --- a/docs/manpages/smbd.8 +++ b/docs/manpages/smbd.8 @@ -1,46 +1,51 @@ -.TH SMBD 8 17/1/1995 smbd smbd +.TH SMBD 8 "09 Oct 1998" "smbd 2.0.0-alpha11" .SH NAME smbd \- provide SMB (aka LanManager) services to clients .SH SYNOPSIS .B smbd [ -.B -D +.B \-D ] [ -.B -a +.B \-a ] [ -.B -d +.B \-o +] [ +.B \-d .I debuglevel ] [ -.B -l +.B \-l .I log file ] [ -.B -p +.B \-p .I port number ] [ -.B -O +.B \-O .I socket options ] [ -.B -s +.B \-s .I configuration file ] .SH DESCRIPTION This program is part of the Samba suite. .B smbd -is a server that can provide most SMB services. The -server provides filespace and printer services to clients using the SMB -protocol. This is compatible with the LanManager protocol, and can -service LanManager clients. +is a server that can provide most SMB services. The server provides +filespace and printer services to clients using the SMB protocol. This +is compatible with the LanManager protocol, and can service LanManager +clients. These include MSCLIENT 3.0 for DOS, Windows for Workgroups, +Windows 95, Windows NT, OS/2, DAVE for Macintosh, and smbfs for Linux. An extensive description of the services that the server can provide is given in the man page for the configuration file controlling the attributes of those services (see -.B smb.conf(5)). This man page will not describe the services, but +.BR smb.conf (5)). +This man page will not describe the services, but will concentrate on the administrative aspects of running the server. Please note that there are significant security implications to running this server, and -.B smb.conf(5) should be regarded as mandatory reading before proceeding with +.BR smb.conf (5) +should be regarded as mandatory reading before proceeding with installation. A session is created whenever a client requests one. Each client gets a copy @@ -48,11 +53,13 @@ of the server for each session. This copy then services all connections made by the client during that session. When all connections from its client are are closed, the copy of the server for that client terminates. -The configuration file is automatically reloaded if it changes. You -can force a reload by sending a SIGHUP to the server. - +The configuration file, and any files that it includes, are automatically +reloaded every minute, if they change. You can force a reload by sending a +SIGHUP to the server. Reloading the configuration file will not affect +connections to any service that is already established. Either the user +will have to disconnect from the service, or smbd killed and restarted. .SH OPTIONS -.B -D +.B \-D .RS 3 If specified, this parameter causes the server to operate as a daemon. That is, @@ -62,18 +69,25 @@ appropriate port. By default, the server will NOT operate as a daemon. .RE -.B -a +.B \-a + +.RS 3 +If this parameter is specified, each new connection will append log messages +to the log file. This is the default. +.RE + +.B \-o .RS 3 -If this parameter is specified, the log files will be overwritten with each -new connection. By default, the log files will be appended to. +If this parameter is specified, the log files will be overwritten when opened. +By default, the log files will be appended to. .RE -.B -d +.B \-d .I debuglevel .RS 3 -debuglevel is an integer from 0 to 5. +debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero. @@ -88,7 +102,7 @@ use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic. .RE -.B -l +.B \-l .I log file .RS 3 @@ -113,14 +127,16 @@ log.out (containing outbound transaction data) The log files generated are never removed by the server. .RE -.B -O +.B \-O .I socket options .RS 3 -See the socket options section of smb.conf(5) for details +See the socket options section of +.BR smb.conf (5) +for details .RE -.B -p +.B \-p .I port number .RS 3 @@ -135,10 +151,14 @@ user rather than as root, most systems will require you to use a port number greater than 1024 - ask your system administrator for help if you are in this situation. +In order for the server to be useful by most clients, should you configure +it on a port other than 139, you will require port redirection services +on port 139, details of which are outlined in rfc1002.txt section 4.3.5. + This parameter is not normally specified except in the above situation. .RE -.B -s +.B \-s .I configuration file .RS 3 @@ -148,9 +168,9 @@ The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See -.B smb.conf(5) for more information. +.BR smb.conf (5) +for more information. .RE - .SH FILES .B /etc/inetd.conf @@ -179,23 +199,23 @@ mapping of service name (eg., netbios-ssn) to service port (eg., 139) and protocol type (eg., tcp). See the section "INSTALLATION" below. .RE -.B /usr/local/smb/smb.conf +.B /usr/local/samba/lib/smb.conf .RS 3 This file describes all the services the server is to make available to clients. See -.B smb.conf(5) for more information. +.BR smb.conf (5) +for more information. .RE -.RE - .SH LIMITATIONS -On some systems smbd cannot change uid back to root after a setuid() call. +On some systems +.B smbd +cannot change uid back to root after a setuid() call. Such systems are called "trapdoor" uid systems. If you have such a system, you will be unable to connect from a client (such as a PC) as two different users at once. Attempts to connect the second user will result in "access denied" or similar. - .SH ENVIRONMENT VARIABLES .B PRINTER @@ -206,13 +226,12 @@ use the value of this variable (or "lp" if this variable is not defined) as the name of the printer to use. This is not specific to the server, however. .RE - .SH INSTALLATION The location of the server and its support files is a matter for individual system administrators. The following are thus suggestions only. It is recommended that the server software be installed under the -/usr/local hierarchy, in a directory readable by all, writeable only +/usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The server program itself should be executable by all, as users may wish to run the server themselves (in which case it will of course run with their privileges). The server should NOT be @@ -220,7 +239,7 @@ setuid. On some systems it may be worthwhile to make smbd setgid to an empty group. This is because some systems may have a security hole where daemon processes that become a user can be attached to with a debugger. Making the smbd file setgid to an empty group may prevent -this hole from being exploited. This secrity hole and the suggested +this hole from being exploited. This security hole and the suggested fix has only been confirmed on Linux at the time this was written. It is possible that this hole only exists in Linux, as testing on other systems has thus far shown them to be immune. @@ -239,9 +258,10 @@ modified to suit your needs. The remaining notes will assume the following: .RS 3 -smbd (the server program) installed in /usr/local/smb +.B smbd +(the server program) installed in /usr/local/samba/bin -smb.conf (the configuration file) installed in /usr/local/smb +smb.conf (the configuration file) installed in /usr/local/samba/lib log files stored in /var/adm/smblogs .RE @@ -255,9 +275,13 @@ TCP-wrapper may be used for extra security. When you've decided, continue with either "RUNNING THE SERVER AS A DAEMON" or "RUNNING THE SERVER ON REQUEST". .SH RUNNING THE SERVER AS A DAEMON -To run the server as a daemon from the command line, simply put the "-D" option +To run the server as a daemon from the command line, simply put the +.B \-D +option on the command line. There is no need to place an ampersand at the end of the -command line - the "-D" option causes the server to detach itself from the +command line - the +.B \-D +option causes the server to detach itself from the tty anyway. Any user can run the server as a daemon (execute permissions permitting, of @@ -273,7 +297,7 @@ port number, log file location, configuration file location and debug level as desired: .RS 3 -/usr/local/smb/smbd -D -l /var/adm/smblogs/log -s /usr/local/smb/smb.conf +/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log -s /usr/local/samba/lib/smb.conf .RE (The above should appear in your initialisation script as a single line. @@ -282,7 +306,9 @@ this man page. If the above appears as more than one line, please treat any newlines or indentation as a single space or TAB character.) If the options used at compile time are appropriate for your system, all -parameters except the desired debug level and "-D" may be omitted. See the +parameters except the desired debug level and +.B \-D +may be omitted. See the section "OPTIONS" above. .SH RUNNING THE SERVER ON REQUEST If your system uses a meta-daemon such as inetd, you can arrange to have the @@ -294,8 +320,9 @@ assistance of your system administrator to modify the system files. You will probably want to set up the name server .B nmbd at the same time as -the smbd - refer to the man page -.B nmbd(8). +.B smbd +- refer to the man page +.BR nmbd (8). First, ensure that a port is configured in the file /etc/services. The well-known port 139 should be used if possible, though any port may be used. @@ -313,11 +340,14 @@ Next, put a suitable line in the file /etc/inetd.conf (in the unlikely event that you are using a meta-daemon other than inetd, you are on your own). Note that the first item in this line matches the service name in /etc/services. Substitute appropriate values for your system in this line (see -.B inetd(8)): +.BR inetd (8)): .RS 3 -netbios-ssn stream tcp nowait root /usr/local/smb/smbd -d1 --l/var/adm/smblogs/log -s/usr/local/smb/smb.conf +.\" turn off right adjustment +.ad l +netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd -d1 +-l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf +.ad .RE (The above should appear in /etc/inetd.conf as a single line. Depending on @@ -355,27 +385,28 @@ meta-daemon. Some versions of inetd will reread their configuration tables if they receive a HUP signal. If your machine's name is "fred" and your name is "mary", you should now be -able to connect to the service "\\\\fred\\mary". +able to connect to the service "\e\efred\emary". To properly test and experiment with the server, we recommend using the smbclient program (see -.B smbclient(1)). +.BR smbclient (1)). .SH VERSION -This man page is (mostly) correct for version 1.9.00 of the Samba suite, plus some -of the recent patches to it. These notes will necessarily lag behind +This man page is (mostly) correct for version 1.9.00 of the Samba suite, +plus some of the recent patches to it. These notes will necessarily lag behind development of the software, so it is possible that your version of the server has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B hosts_access(5), -.B inetd(8), -.B nmbd(8), -.B smb.conf(5), -.B smbclient(1), -.B testparm(1), -.B testprns(1) - +.BR hosts_access (5), +.BR inetd (8), +.BR nmbd (8), +.BR smb.conf (5), +.BR smbclient (1), +.BR testparm (1), +.BR testprns (1) +.BR rfc1001.txt +.BR rfc1002.txt .SH DIAGNOSTICS [This section under construction] @@ -393,15 +424,29 @@ describing each and every diagnostic. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing. +.SH SIGNALS + +In version 1.9.18 and above the debug log level of smbd may be raised +by sending it a SIGUSR1 (kill -USR1 <smbd-pid>) and lowered by sending +it a SIGUSR2 (kill -USR2 <smbd-pid>). This is to allow transient problems +to be diagnosed, whilst still running at a normally low log level. + +Note that as the signal handlers send a debug write, they are not +re-entrant in smbd. This you should wait until smbd is in a state of +waiting for an incoming smb before issuing them. It is possible to +make the signal handlers safe by un-blocking the signals before the +select call and re-blocking them after, however this would affect +performance. + .SH BUGS None known. .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -This man page written by Karl Auer (Karl.Auer@anu.edu.au) See -.B smb.conf(5) for a full list of contributors and details on how to +.BR smb.conf (5) +for a full list of contributors and details on how to submit bug reports, comments etc. diff --git a/docs/manpages/smbmnt.8 b/docs/manpages/smbmnt.8 new file mode 100644 index 00000000000..c980ce635a1 --- /dev/null +++ b/docs/manpages/smbmnt.8 @@ -0,0 +1,96 @@ +.TH SMBMNT 8 "09 Oct 1998" "smbmnt 2.0.0-alpha11" +.SH NAME +smbmnt \- mount smb file system +.SH SYNOPSIS +.B smbmnt +.B mount-point +[ +.B -u +.I uid +] [ +.B -g +.I gid +] [ +.B -f +.I file mode +] [ +.B -d +.I dir mode +] + +.SH DESCRIPTION +.B smbmnt +is a helper application used by the +.BI smbmount (8) +program to do the actual mounting. +.B smbmnt +is meant to be installed setuid root so that normal users can mount +their smb shares. It checks whether the user has write permissions +on the mount point and then mounts the directory. + +The +.B smbmnt +program is normally invoked by a mount command to +.BI smbmount , +and the command line arguments are passed directly to +.B smbmnt. + +.SH OPTIONS +.B -u +.I uid, +.B -g +.I gid +.RS 3 +A Lan Manager server does not tell us anything about the owner of a +file, but Unix requires that each file have an owner and a group it belongs +to. With +.B -u +and +.B -g +you can tell smbmount which id's it should assign to the files in the +mounted directory. + +The defaults for these values are the current uid and gid. +.RE + +.B -f +.I file mode, +.B -d +.I dir mode +.RS 3 +Like +.B -u +and +.B -g, +these options are also used to bridge differences in concepts between +Lan Manager and Unix. Lan Manager does not know anything about file +permissions, so +.B smbmnt +must be told which permissions it should assign to the mounted files +and directories. + +The values must be given as octal numbers. The default values are taken +from the current umask, where the file mode is the current umask, +and the dir mode adds execute permissions where the file mode gives +read permissions. + +Note that these permissions can differ from the rights the server +gives to us. If you do not have write permissions on the server, +you should choose a file mode that matches your actual permissions. +This certainly cannot override the restrictions imposed by the server. + +In addition to specifying the file mode, the +.B -f +argument can be used to specify certain bug-fix workarounds. +This allows bug fixes to be enabled on a per mount-point basis, +rather than being compiled into the kernel. +The required bug fixes are specified by prepending an (octal) value +to the file mode. +For information on the available bug workarounds, refer to the +.B smbfs.txt +file in the Linux kernel Documentation directory. +.RE + +.SH SEE ALSO +.B smbmount(8) + diff --git a/docs/manpages/smbmount.8 b/docs/manpages/smbmount.8 new file mode 100644 index 00000000000..90cc697a39e --- /dev/null +++ b/docs/manpages/smbmount.8 @@ -0,0 +1,44 @@ +.TH SMBMOUNT 8 "09 Oct 1998" "smbmount 2.0.0-alpha11" +.SH NAME +smbmount \- mount smb file system +.SH SYNOPSIS +.B smbmount +[ +.B options +] + +.SH DESCRIPTION +.B smbmount +is a stripped-down version of the +.BI smbclient (1) +program used to mount smbfs shares. It implements only the mount command, +which then calls the +.BI smbmnt (8) +program to do the actual mount. +.B smbmount +itself accepts most of the options that +.B smbclient +does. See the +.BI smbclient (1) +manpage for details. + +To mount an smb file system, I suggest using the option +.B -c +for smbmount to pass the mount command. For example, use + +smbmount "\\\\server\\tmp" -c 'mount /mnt -u 123 -g 456' + +to mount the tmp share of server on /mnt, giving it a local uid 123 +and a local gid 456. + +The arguments supplied to the mount command are passed directly to the +.B smbmnt +utility for processing. +Refer to the +.BI smbmnt (8) +manpage for details. + +.SH SEE ALSO +.BI smbmnt (8), +.BI smbclient (1) + diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 new file mode 100644 index 00000000000..4f2658736f6 --- /dev/null +++ b/docs/manpages/smbpasswd.8 @@ -0,0 +1,138 @@ +.TH SMBPASSWD 8 "09 Oct 1998" "smbpasswd 2.0.0-alpha11" +.SH NAME +smbpasswd \- change a users smb password in the smbpasswd file. +.SH SYNOPSIS +.B smbpasswd +[ +.B \-a +] [ +.B \-r +remote_machine +] [ +.B username +] +.SH DESCRIPTION + +This program is part of the Samba suite. + +.B smbpasswd +allows a user to change their encrypted smb password which +is stored in the smbpasswd file (usually kept in the +.I private +directory under the +.I Samba +directory hierarchy. Ordinary users can only run the command +with no options. It will prompt them for their old smb password +and then ask them for their new password twice, to ensure that +the new password was typed correctly. No passwords will +be echoed on the screen whilst being typed. If you have a blank +smb password (specified by the string "NO PASSWORD" in the +smbpasswd file) then just press the <Enter> key when asked +for your old password. + +.B New for 1.9.18p4. +smbpasswd will now allow a user to change their password +on a Windows NT server. To use this add the +.I \-r +.I \<remote_machine\> +paramter to the smbpasswd command. The machine name is looked +up using the "name resolve order" parameter defined in the +smb.conf [global] section. Note that when changing a Windows +NT password for a domain user, +.I \<remote machine\> +must be the name of the Primary domain controller. + +To allow users to change their passwords from "NO PASSWORD" +in the smbpasswd file to a valid password the administrator +must set the following parameter in the [global] section of +the smb.conf : + +null passwords = true + +This is +.B NOT +recommended as a general policy, it is recommended that +new users be assigned a default password instead. + +The +.I \-a +and +.I username +options can only be used by a user running as root. + +.SH OPTIONS +.I \-a + +.RS 3 +Specifies that the username following should be added to +the +.I smbpasswd +file, with the new password typed (type <Enter> for the +old password). This option is ignored if the username +following already exists in the +.I smbpasswd +file and it is treated like a regular change password +command. Note that the user to be added +.B must +already exist in the system password file (usually /etc/passwd) +else the request to add the user will fail. + +.RE +.I username + +.RS 3 +You may only specify a username to the smbpasswd command +if you are running as root. Only root should have the +permission to modify other users smb passwords. + +.RE +.RE +.SH INSTALLATION + +The location of the server and its support files is a matter for individual +system administrators. The following are thus suggestions only. + +It is recommended that the +.B smbpasswd +program be installed in the /usr/local/samba/bin directory. This should be +a directory readable by all, writeable only by root. The program should be +executable by all. The program +.B must not +be setuid root. + +.SH VERSION + +This man page is correct for version 1.9.18p4 of the Samba suite. +These notes will necessarily lag behind +development of the software, so it is possible that your version of +the program has extensions or parameter semantics that differ from or are not +covered by this man page. Please notify these to the address below for +rectification. +.SH SEE ALSO +.BR smbd (8), +.BR smb.conf (5) +.SH +.B BUGS + +.RE +The +.B smbpasswd +command is only useful if +.I Samba +has been set up to use encrypted passwords. See the file +.I ENCRYPTION.txt +in the docs directory for details on how to do this. + +.SH CREDITS +.RE +The original Samba software and related utilities were created by +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper +of the Source for this project. smbpasswd and the encrypted password +file code was written by Jeremy Allison (samba-bugs@samba.anu.edu.au). + +This man page was written by Jeremy Allison. Bug reports to samba-bugs@samba.anu.edu.au. + +See +.BR smb.conf (5) +for a full list of contributors and details of how to +submit bug reports, comments etc. diff --git a/docs/manpages/smbrun.1 b/docs/manpages/smbrun.1 index 1608d3bb345..a1ee7e43bac 100644 --- a/docs/manpages/smbrun.1 +++ b/docs/manpages/smbrun.1 @@ -1,4 +1,4 @@ -.TH SMBRUN 1 17/1/1995 smbrun smbrun +.TH SMBRUN 1 "09 Oct 1998" "smbrun 2.0.0-alpha11" .SH NAME smbrun \- interface program between smbd and external programs .SH SYNOPSIS @@ -12,7 +12,7 @@ is a very small 'glue' program, which runs shell commands for the .B smbd daemon (see -.B smbd(8)). +.BR smbd (8)). It first changes to the highest effective user and group ID that it can, then runs the command line provided using the system() call. This program is @@ -30,14 +30,13 @@ The PATH variable set for the environment in which .B smbrun is executed will affect what executables are located and executed if a fully-qualified path is not given in the command. - .SH INSTALLATION The location of the server and its support files is a matter for individual system administrators. The following are thus suggestions only. It is recommended that the .B smbrun -program be installed under the /usr/local hierarchy, in a directory readable +program be installed under the /usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The program should be executable by all. The program should NOT be setuid or setgid! .SH VERSION @@ -48,23 +47,28 @@ the program has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B smbd(8), -.B smb.conf(8) +.BR smbd (8), +.BR smb.conf (8) .SH DIAGNOSTICS -If smbrun cannot be located or cannot be executed by +If +.B smbrun +cannot be located or cannot be executed by +.B smbd +then appropriate messages will be found in the .B smbd -then appropriate messages will be found in the smbd logs. Other diagnostics are +logs. Other diagnostics are dependent on the shell-command being run. It is advisable for your shell commands to issue suitable diagnostics to aid trouble-shooting. .SH BUGS None known. .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -This man page was written by Karl Auer (Karl.Auer@anu.edu.au) +This man page was written by Karl Auer. Bug reports to samba-bugs@samba.anu.edu.au. See -.B smb.conf(5) for a full list of contributors and details of how to +.BR smb.conf (5) +for a full list of contributors and details of how to submit bug reports, comments etc. diff --git a/docs/manpages/smbstatus.1 b/docs/manpages/smbstatus.1 index 76dc50cbb53..acb3340d273 100644 --- a/docs/manpages/smbstatus.1 +++ b/docs/manpages/smbstatus.1 @@ -1,41 +1,74 @@ -.TH SMBSTATUS 1 17/1/1995 smbstatus smbstatus +.TH SMBSTATUS 1 "09 Oct 1998" "smbstatus 2.0.0-alpha11" .SH NAME smbstatus \- report on current Samba connections .SH SYNOPSIS .B smbstatus -[-d] -[-s +[ +.B \-b +] [ +.B \-d +] [ +.B \-L +] [ +.B \-p +] [ +.B \-S +] [ +.B \-s .I configuration file +] [ +.b \-u +.i username ] .SH DESCRIPTION This program is part of the Samba suite. .B smbstatus -is a very simple program to list the current Samba connections +is a very simple program to list the current Samba connections. -Just run the program and the output is self explanatory. You can offer -a configuration filename to override the default. The default is -CONFIGFILE from the Makefile. +Just run the program and the output is self explanatory. +.SH OPTIONS +.B \-b +gives brief output. -Option -.I -d +.B \-d gives verbose output. -.I -p -print a list of smbd processes and exit. Useful for scripting. +.B \-L +causes smbstatus to only list locks. +.B \-p +print a list of +.B smbd +processes and exit. Useful for scripting. + +.B \-S +causes smbstatus to only list shares. + +.B \-s +.I configuration file +.RS 3 +The default configuration file name is determined at compile time. +The file specified contains the configuration details required by the server. +See +.BR smb.conf (5) +for more information. + +.B \-u +.I username +selects information relevant to .B username only. + +.RE .SH ENVIRONMENT VARIABLES Not applicable. - .SH INSTALLATION The location of the server and its support files is a matter for individual system administrators. The following are thus suggestions only. It is recommended that the .B smbstatus -program be installed under the /usr/local hierarchy, in a directory readable +program be installed under the /usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The program itself should be executable by all. - .SH VERSION This man page is (mostly) correct for version 1.9.00 of the Samba suite, plus some of the recent patches to it. These notes will necessarily lag behind @@ -44,9 +77,10 @@ the program has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B smb.conf(5), -.B smbd(8) +.BR smb.conf (5), +.BR smbd (8) See -.B smb.conf(5) for a full list of contributors and details on how to +.BR smb.conf (5) +for a full list of contributors and details on how to submit bug reports, comments etc. diff --git a/docs/manpages/smbtar.1 b/docs/manpages/smbtar.1 index 0f1c38c271f..fc80eed9a68 100644 --- a/docs/manpages/smbtar.1 +++ b/docs/manpages/smbtar.1 @@ -1,45 +1,51 @@ -.TH SMBTAR 1 18/2/96 smbtar smbtar +.TH SMBTAR 1 "09 Oct 1998" "smbtar 2.0.0-alpha11" .SH NAME smbtar \- shell script for backing up SMB shares directly to UNIX tape drive .SH SYNOPSIS .B smbtar .B \-s .I server -.B [ \-p +[ +.B \-p .I password -.B ] -.B [ \-x +] [ +.B \-x .I service -.B ] -.B [ \-X ] -.B [ \-d +] [ +.B \-X +] [ +.B \-d .I directory -.B ] -.B [ \-u +] [ +.B \-u .I user -.B ] -.B [ \-t +] [ +.B \-t .I tape -.B ] -.B [ \-b +] [ +.B \-b .I blocksize -.B ] -.B [ \-N +] [ +.B \-N .I filename -.B ] -.B [ \-i ] -.B [ \-r ] -.B [ \-l ] -.B [ \-v ] +] [ +.B \-i +] [ +.B \-r +] [ +.B \-l +.I log level +] [ +.B \-v +] .I filenames... - .SH DESCRIPTION This program is an extension to the Samba suite. .B smbtar -is a very small shell script on top of smbclient, which dumps SMB -shares directly to tape. - +is a very small shell script on top of +.BR smbclient , +which dumps SMB shares directly to tape. .SH OPTIONS .B \-s .I server @@ -92,13 +98,15 @@ The user id to connect as. Default: UNIX login name. .RS 3 Tape device. May be regular file or tape device. Default: Tape environmental variable; if not set, a file called -.I tar.out. +.IR tar.out . .RE .B \-b .I blocksize .RS 3 -Blocking factor. Defaults to 20. See tar(1) for a fuller explanation. +Blocking factor. Defaults to 20. See +.BR tar (1) +for a fuller explanation. .RE .B \-N @@ -120,48 +128,52 @@ Restore. Files are restored to the share from the tar file. .RE .B \-l +.I log level .RS 3 -Debug level. Corresponds to -d flag on smbclient(1). +Log (debug) level. Corresponds to +.B \-d +flag of +.BR smbclient (1). .RE - .SH ENVIRONMENT VARIABLES The TAPE variable specifies the default tape device to write to. May -be overidden with the -t option. - +be overridden with the +.B \-t +option. .SH BUGS -The smbtar script has different options from ordinary tar and tar -called from smbclient. - +The +.B smbtar +script has different options from ordinary tar and tar +called from +.BR smbclient . .SH CAVEATS Sites that are more careful about security may not like the way the script handles PC passwords. Backup and restore work on entire shares, -should work on file lists. - +should work on file lists. smbtar works best with GNU tar and may +not work well with other versions. .SH VERSION This man page is correct for version 1.9.15p8 of the Samba suite. - .SH SEE ALSO -.B smbclient -(8), -.B smb.conf -(8) +.BR smbclient (8), +.BR smb.conf (8) .SH DIAGNOSTICS See diagnostics for .B smbclient command. - .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. Ricky Poulten (poultenr@logica.co.uk) wrote the tar extension and this -man page. The smbtar script was heavily rewritten and improved by +man page. The +.B smbtar +script was heavily rewritten and improved by Martin Kraemer <Martin.Kraemer@mch.sni.de>. Many thanks to everyone who suggested extensions, improvements, bug fixes, etc. See -.B smb.conf -(5) for a full list of contributors and details of how to submit bug reports, +.BR smb.conf (5) +for a full list of contributors and details of how to submit bug reports, comments etc. diff --git a/docs/manpages/smbumount.8 b/docs/manpages/smbumount.8 new file mode 100644 index 00000000000..2e950b8f19e --- /dev/null +++ b/docs/manpages/smbumount.8 @@ -0,0 +1,28 @@ +.TH SMBUMOUNT 8 "09 Oct 1998" "smbumount 2.0.0-alpha11" +.SH NAME +smbumount \- umount for normal users +.SH SYNOPSIS +.B smbumount +.B mount-point + +.SH DESCRIPTION +With this program, normal users can unmount smb-filesystems, provided +that it is suid root. + +.B smbumount +has been written to give normal linux-users more control over their +resources. It is safe to install this program suid root, because only +the user who has mounted a filesystem is allowed to unmount it again. + +For root it is not necessary to use smbumount. The normal umount +program works perfectly well, but it would certainly be problematic to +make umount setuid root. + +.SH OPTIONS +.B mount-point +.RS 3 +.B mount-point +is the directory you want to unmount. + +.SH SEE ALSO +.B smbmount(8) diff --git a/docs/manpages/testparm.1 b/docs/manpages/testparm.1 index 4a0ffcbc489..8681d0328d4 100644 --- a/docs/manpages/testparm.1 +++ b/docs/manpages/testparm.1 @@ -1,4 +1,4 @@ -.TH TESTPARM 1 17/1/1995 testparm testparm +.TH TESTPARM 1 "09 Oct 1998" "testparm 2.0.0-alpha11" .SH NAME testparm \- check an smbd configuration file for internal correctness .SH SYNOPSIS @@ -18,7 +18,9 @@ is a very simple test program to check an .B smbd configuration file for internal correctness. If this program reports no problems, you can use -the configuration file with confidence that smbd will successfully +the configuration file with confidence that +.B smbd +will successfully load the configuration file. Note that this is NOT a guarantee that the services specified in the @@ -56,18 +58,18 @@ parameter is supplied, or strange things may happen. .SH FILES .B smb.conf .RS 3 -This is usually the name of the configuration file used by smbd. +This is usually the name of the configuration file used by +.BR smbd . .RE .SH ENVIRONMENT VARIABLES Not applicable. - .SH INSTALLATION The location of the server and its support files is a matter for individual system administrators. The following are thus suggestions only. It is recommended that the .B testparm -program be installed under the /usr/local hierarchy, in a directory readable +program be installed under the /usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The program itself should be executable by all. The program should NOT be setuid or setgid! .SH VERSION @@ -78,8 +80,8 @@ the program has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B smb.conf(5), -.B smbd(8) +.BR smb.conf (5), +.BR smbd (8) .SH DIAGNOSTICS The program will issue a message saying whether the configuration file loaded OK or not. This message may be preceded by errors and warnings if the file @@ -93,12 +95,15 @@ Other messages are self-explanatory. None known. .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -The testparm program and this man page were written by Karl Auer -(Karl.Auer@anu.edu.au) +The +.B testparm +program and this man page were written by Karl Auer. Bug reports to +samba-bugs@samba.anu.edu.au. See -.B samba(7) for a full list of contributors and details on how to +.BR samba (7) +for a full list of contributors and details on how to submit bug reports, comments etc. diff --git a/docs/manpages/testprns.1 b/docs/manpages/testprns.1 index f1c3d3ef020..7cabadd81e6 100644 --- a/docs/manpages/testprns.1 +++ b/docs/manpages/testprns.1 @@ -1,4 +1,4 @@ -.TH TESTPRNS 1 17/1/1995 testprns testprns +.TH TESTPRNS 1 "09 Oct 1998" "testprns 2.0.0-alpha11" .SH NAME testprns \- check printer name for validity with smbd .SH SYNOPSIS @@ -30,11 +30,12 @@ file, single printer names and sets of aliases separated by vertical bars syntax is done beyond that required to extract the printer name. It may be that the print spooling system is more forgiving or less forgiving than +.BR testprns . +However, if .B testprns -however if -.B testprns -finds the printer then smbd should do as well. - +finds the printer then +.B smbd +should do so as well. .RE .I printcapname @@ -52,18 +53,17 @@ will attempt to scan the printcap file specified at compile time .B /etc/printcap .RS 3 This is usually the default printcap file to scan. See -.B printcap(5)). +.BR printcap (5)). .RE .SH ENVIRONMENT VARIABLES Not applicable. - .SH INSTALLATION The location of the server and its support files is a matter for individual system administrators. The following are thus suggestions only. It is recommended that the .B testprns -program be installed under the /usr/local hierarchy, in a directory readable +program be installed under the /usr/local/samba hierarchy, in a directory readable by all, writeable only by root. The program should be executable by all. The program should NOT be setuid or setgid! .SH VERSION @@ -74,9 +74,9 @@ the program has extensions or parameter semantics that differ from or are not covered by this man page. Please notify these to the address below for rectification. .SH SEE ALSO -.B printcap(5), -.B smbd(8), -.B smbclient(1) +.BR printcap (5), +.BR smbd (8), +.BR smbclient (1) .SH DIAGNOSTICS If a printer is found to be valid, the message "Printer name <printername> is valid" will be displayed. @@ -84,7 +84,9 @@ valid" will be displayed. If a printer is found to be invalid, the message "Printer name <printername> is not valid" will be displayed. -All messages that would normally be logged during operation of smbd are +All messages that would normally be logged during operation of +.B smbd +are logged by this program to the file .I test.log in the current directory. The program runs at debuglevel 3, so quite extensive @@ -96,12 +98,15 @@ Other messages are self-explanatory. None known. .SH CREDITS The original Samba software and related utilities were created by -Andrew Tridgell (samba-bugs@anu.edu.au). Andrew is also the Keeper +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper of the Source for this project. -The testprns program and this man page were written by Karl Auer -(Karl.Auer@anu.edu.au) +The +.B testprns +program and this man page were written by Karl Auer. Bug reports to +samba-bugs@samba.anu.edu.au. See -.B samba(7) for a full list of contributors and details of how to +.BR samba (7) +for a full list of contributors and details of how to submit bug reports, comments etc. diff --git a/docs/samba.lsm b/docs/samba.lsm index 503ba1ec94b..36abbba769a 100644 --- a/docs/samba.lsm +++ b/docs/samba.lsm @@ -7,11 +7,11 @@ Desc3 = SMB compatible clients such as WinNT, WfWg, OS/2 Desc4 = and Pathworks. It also includes a ftp-style unix client Desc5 = and a netbios nameserver. Author = Andrew Tridgell -AuthorEmail = samba-bugs@anu.edu.au +AuthorEmail = samba-bugs@samba.anu.edu.au Maintainer = Andrew Tridgell -MaintEmail = samba-bugs@anu.edu.au -Site1 = nimbus.anu.edu.au -Path1 = pub/tridge/samba/ +MaintEmail = samba-bugs@samba.anu.edu.au +Site1 = samba.anu.edu.au +Path1 = pub/samba/ File1 = samba-latest.tar.gz FileSize1 = 200K Required1 = Ansi-C compiler and a TCP/IP network. diff --git a/docs/textdocs/Application_Serving.txt b/docs/textdocs/Application_Serving.txt new file mode 100644 index 00000000000..16d3f03ac1b --- /dev/null +++ b/docs/textdocs/Application_Serving.txt @@ -0,0 +1,59 @@ +!== +!== Application_Serving.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributed: January 7, 1997 +Updated: March 24, 1998 +Contributor: John H Terpstra <samba-bugs@samba.anu.edu.au> + Copyright (C) 1997 - John H Terpstra +Status: Current + +Subject: Using a Samba share as an administrative share for MS Office, etc. +============================================================================== + +Problem: +======== +Microsoft Office products can be installed as an administrative installation +from which the application can either be run off the administratively installed +product that resides on a shared resource, or from which that product can be +installed onto workstation clients. + +The general mechanism for implementing an adminstrative installation involves +running: + X:\setup /A, where X is the drive letter of either CDROM or floppy + +This installation process will NOT install the product for use per se, but +rather results in unpacking of the compressed distribution files into a target +shared folder. For this process you need write privilidge to the share and it +is desirable to enable file locking and share mode operation during this +process. + +Subsequent installation of MS Office from this share will FAIL unless certain +precautions are taken. This failure will be caused by share mode operation +which will prevent the MS Office installation process from re-opening various +dynamic link library files and will cause sporadic file not found problems. + +Solution: +========= +1. As soon as the administrative installation (unpacking) has completed + set the following parameters on the share containing it: + [MSOP95] + path = /where_you_put_it + comment = Your comment + volume = "The_CD_ROM_Label" + read only = yes + available = yes + share modes = no + locking = no + browseable = yes + public = yes + +2. Now you are ready to run the setup program from the Microsoft Windows +workstation as follows:- + \\"Server_Name"\MSOP95\msoffice\setup + +MS Office Sharing - Please note: +================================ + +Workgroup Templates should be stored on an ordinary writable or read-only share +but USER templates MUST be stored on a writable share _OR_ on the users' local +machine. diff --git a/docs/textdocs/BROWSING-Config.txt b/docs/textdocs/BROWSING-Config.txt new file mode 100644 index 00000000000..f16f5944c85 --- /dev/null +++ b/docs/textdocs/BROWSING-Config.txt @@ -0,0 +1,218 @@ +!== +!== BROWSING-Config.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Date: July 5, 1998 +Contributor: John H Terpstra <jht@samba.anu.edu.au> + +Subject: Cross Subnet Browsing / Cross Workgroup Browsing +=============================================================================== + +OVERVIEW: +========= + +This document should be read in conjunction with BROWSING.txt and may +be taken as the fast track guide to implementing browsing across subnets +and / or across workgroups (or domains). WINS is the best tool for resolution +of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling +except by way of name to address mapping. + + +DISCUSSION: +=========== + +Firstly, all MS Windows networking is based on SMB (Server Message +Block) based messaging. SMB messaging is implemented using NetBIOS. Samba +implements NetBIOS by encapsulating it over TCP/IP. MS Windows products can +do likewise. NetBIOS based networking uses broadcast messaging to affect +browse list management. When running NetBIOS over TCP/IP this uses UDP +based messaging. UDP messages can be broadcast or unicast. + +Normally, only unicast UDP messaging can be forwarded by routers. The +"remote announce" parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the "remote browse sync" +parameter of smb.conf implements browse list collation using unicast UDP. + +Secondly, in those networks where Samba is the only SMB server technology +wherever possible nmbd should be configured on one (1) machine as the WINS +server. This makes it easy to manage the browsing environment. If each network +segment is configured with it's own Samba WINS server, then the only way to +get cross segment browsing to work is by using the "remote announce" and +the "remote browse sync" parameters to your smb.conf file. + +If only one WINS server is used then the use of the "remote announce" and the +"remote browse sync" parameters should NOT be necessary. + +Samba WINS does not support MS-WINS replication. This means that when setting up +Samba as a WINS server there must only be one nmbd configured as a WINS server +on the network. Some sites have used multiple Samba WINS servers for redundancy +(one server per subnet) and then used "remote browse sync" and "remote announce" +to affect browse list collation across all segments. Note that this means +clients will only resolve local names, and must be configured to use DNS to +resolve names on other subnets in order to resolve the IP addresses of the +servers they can see on other subnets. This setup is not recommended, but is +mentioned as a practical consideration (ie: an 'if all else fails' scenario). + +Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list and it can take up to 45 +minutes to stabilise, particularly across network segments. + + +A) Use of the "Remote Announce" parameter +------------------------------------------ +The "remote announce" parameter of smb.conf can be used to forcibly ensure +that all the NetBIOS names on a network get announced to a remote network. +The syntax of the "remote announce" parameter is: + + remote announce = a.b.c.d [e.f.g.h] ... +_or_ + remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... + +where: + a.b.c.d: is either the LMB (Local Master Browser) IP address + e.f.g.h: or the broadcst address of the remote network. + ie: the LMB is at 192.168.1.10, or the address + could be given as 192.168.1.255 where the netmask + is assumed to be 24 bits (255.255.255.0). + When the remote announcement is made to the broadcast + address of the remote network every host will receive + our announcements. This is noisy and therefore + undesirable but may be necessary if we do NOT know + the IP address of the remote LMB. + + WORKGROUP: is optional and can be either our own workgroup + or that of the remote network. If you use the + workgroup name of the remote network then our + NetBIOS machine names will end up looking like + they belong to that workgroup, this may cause + name resolution problems and should be avoided. + + +B) Use of the "Remote Browse Sync" parameter +-------------------------------------------- + +The "remote browse sync" parameter of smb.conf is used to announce to +another LMB that it must synchronise it's NetBIOS name list with our +Samba LMB. It works ONLY if the Samba server that has this option is +simultaneously the LMB on it's network segment. + +The syntax of the "remote browse sync" parameter is: + + remote browse sync = a.b.c.d + +where: + a.b.c.d: is either the IP address of the remote LMB or else + is the network broadcast address of the remote segment. + + +C) Use of WINS +-------------- + +Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly +recommended. Every NetBIOS machine registers it's name together with a +name_type value for each of of several types of service it has available. +eg: It registers it's name directly as a unique (the type 0x03) name. +It also registers it's name if it is running the lanmanager compatible +server service (used to make shares and printers available to other users) +by registering the server (the type 0x20) name. + +All NetBIOS names are up to 15 characters in length. The name_type variable +is added to the end of the name - thus creating a 16 character name. Any +name that is shorter than 15 characters is padded with spaces to the 15th +character. ie: All NetBIOS names are 16 characters long (including the +name_type information). + +WINS can store these 16 character names as they get registered. A client +that wants to log onto the network can ask the WINS server for a list +of all names that have registered the NetLogon service name_type. This saves +broadcast traffic and greatly expedites logon processing. Since broadcast +name resolution can not be used across network segments this type of +information can only be provided via WINS _or_ via statically configured +"lmhosts" files that must reside on all clients in the absence of WINS. + +WINS also serves the purpose of forcing browse list synchronisation by all +LMB's. LMB's must synchronise their browse list with the DMB (domain master +browser) and WINS helps the LMB to identify it's DMB. By definition this +will work only within a single workgroup. Note that the domain master browser +has NOTHING to do with what is referred to as an MS Windows NT Domain. The +later is a reference to a security environment while the DMB refers to the +master controller for browse list information only. + +Use of WINS will work correctly only if EVERY client TCP/IP protocol stack +has been configured to use the WINS server/s. Any client that has not been +configured to use the WINS server will continue to use only broadcast based +name registration so that WINS may NEVER get to know about it. In any case, +machines that have not registered with a WINS server will fail name to address +lookup attempts by other clients and will therefore cause workstation access +errors. + +To configure Samba as a WINS server just add "wins support = yes" to the +smb.conf file [globals] section. + +To configure Samba to register with a WINS server just add +"wins server = a.b.c.d" to your smb.conf file [globals] section. + +DO NOT EVER use both "wins support = yes" together with "wins server = a.b.c.d" +particularly not using it's own IP address. + + +D) Do NOT use more than one (1) protocol on MS Windows machines +--------------------------------------------------------------- + +A very common cause of browsing problems results from installing more than +one protocol on an MS Windows machine. + +Every NetBIOS machine take part in a process of electing the LMB (and DMB) +every 15 minutes. A set of election criteria is used to determine the order +of precidence for winning this election process. A machine running Samba or +Windows NT will be biased so that the most suitable machine will predictably +win and thus retain it's role. + +The election process is "fought out" so to speak over every NetBIOS network +interface. In the case of a Windows 9x machine that has both TCP/IP and IPX +installed and has NetBIOS enabled over both protocols the election will be +decided over both protocols. As often happens, if the Windows 9x machine is +the only one with both protocols then the LMB may be won on the NetBIOS +interface over the IPX protocol. Samba will then lose the LMB role as Windows +9x will insist it knows who the LMB is. Samba will then cease to function +as an LMB and thus browse list operation on all TCP/IP only machines will +fail. + +The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! + + +E) Name Resolution Order +======================== + +Resolution of NetBIOS names to IP addresses can take place using a number +of methods. The only ones that can provide NetBIOS name_type information +are: + WINS: the best tool! + LMHOSTS: is static and hard to maintain. + Broadcast: uses UDP and can not resolve names across + remote segments. + +Alternative means of name resolution includes: + /etc/hosts: is static, hard to maintain, and lacks name_type info. + DNS: is a good choice but lacks essential name_type info. + +Many sites want to restrict DNS lookups and want to avoid broadcast name +resolution traffic. The "name resolve order" parameter is of great help here. +The syntax of the "name resolve order" parameter is: + + name resolve order = wins lmhosts bcast host +_or_ + name resolve order = wins lmhosts (eliminates bcast and host) + +the default is: + name resolve order = host lmhost wins bcast + +where: + "host" refers the the native methods used by the Unix system + to implement the gethostbyname() function call. This is normally + controlled by: + /etc/host.conf + /etc/nsswitch.conf + /etc/resolv.conf + +=============================================================================== diff --git a/docs/textdocs/BROWSING.txt b/docs/textdocs/BROWSING.txt index 8a09d2274fb..2095830add6 100644 --- a/docs/textdocs/BROWSING.txt +++ b/docs/textdocs/BROWSING.txt @@ -1,60 +1,69 @@ +!== +!== BROWSING.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Author/s: Many (Thanks to Luke, Jeremy, Andrew, etc.) +Updated: July 5, 1998 +Status: Current - For VERY Advanced Users ONLY + +Summary: This describes how to configure Samba for improved browsing. +===================================================================== + +OVERVIEW: +========= +SMB networking provides a mechanism by which clients can access a list +of machines that are available within the network. This list is called +the browse list and is heavily used by all SMB clients. Configuration +of SMB browsing has been problematic for some Samba users, hence this +document. + +Browsing will NOT work if name resolution from NetBIOS names to IP +addresses does not function correctly. Use of a WINS server is highly +recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. +WINS allows remote segment clients to obtain NetBIOS name_type information +that can NOT be provided by any other means of name resolution. + +===================================================================== + BROWSING ======== - -Samba now fully supports browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see -smb.conf(5)). - -Samba can act as a browse master for a workgroup, but currently cannot -act as a domain controller. The ability to be a domain controller will -be added in a later version. +Samba now fully supports browsing. The browsing is supported by nmbd +and is also controlled by options in the smb.conf file (see smb.conf(5)). + +Samba can act as a local browse master for a workgroup and the ability +for samba to support domain logons and scripts is now available. See +DOMAIN.txt for more information on domain logons. + +Samba can also act as a domain master browser for a workgroup. This +means that it will collate lists from local browse masters into a +wide area network server list. In order for browse clients to +resolve the names they may find in this list, it is recommended that +both samba and your clients use a WINS server. + +Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain: on each wide area +network, you must only ever have one domain master browser per workgroup, +regardless of whether it is NT, Samba or any other type of domain master +that is providing this service. + +[Note that nmbd can be configured as a WINS server, but it is not +necessary to specifically use samba as your WINS server. NTAS can +be configured as your WINS server. In a mixed NT server and +samba environment on a Wide Area Network, it is recommended that +you use the NT server's WINS server capabilities. In a samba-only +environment, it is recommended that you use one and only one nmbd +as your WINS server]. To get browsing to work you need to run nmbd as usual, but will need to use the "workgroup" option in smb.conf to control what workgroup Samba becomes a part of. -The -G option is most useful for simple setups where Samba is browsable -in only one workgroup. In more complex cases the lmhosts file is -better. - -Be very careful setting up your lmhosts file. An incorrectly setup -lmhosts file can have disasterous results for your net! - -A simple lmhosts file might be: - -# This is a simple lmhosts file -# -# This is a host alias. Anyone querying this name -# will get the specified IP -192.0.2.17 SMBDATA -# -# first put ourselves in workgroup MYGROUP using -# our own net address -0.0.0.0 MYGROUP G - -Note in the above that I overrode what workgroup Samba is in using the -G flag. Also note that the 0.0.0.0 address is used, which will be -automatically replaced with the broadcast address for groups, and with -the local IP address for other entries. - Samba also has a useful option for a Samba server to offer itself for -browsing on another subnet. - -This works by the lmhosts file specifying a broadcast address on the -other network to use to find a browse master for the workgroup. - -For example if you wanted yourself to appear in the workgroup STAFF on -the network which has a broadcast of 192.0.3.255 then this entry would -do the trick: - -# put ourselves in the STAFF workgroup on the other subnet -192.0.3.255 STAFF G - -Notice the G at the end! It is very important you include this as this -entry without the G could cause a broadcast storm! +browsing on another subnet. It is recommended that this option is only +used for 'unusual' purposes: announcements over the internet, for +example. See "remote announce" in the smb.conf man page. If something doesn't work then hopefully the log.nmb file will -help you track down the problem. Try a debug level of 2 or 3 for +help you track down the problem. Try a debug level of 2 or 3 for finding problems. Note that if it doesn't work for you, then you should still be able to @@ -62,84 +71,487 @@ type the server name as \\SERVER in filemanager then hit enter and filemanager should display the list of available shares. Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ +"guest account" set to a valid account. Remember that the IPC$ connection that lists the shares is done as guest, and thus you must have a valid guest account. Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to +parameters on the command line of nmbd in inetd.conf. This trick is to not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd +of -d 2), and to not use the -B and -N options. New versions of nmbd are now far more likely to correctly find your broadcast and network -addess, so in most cases these aren't needed. +address, so in most cases these aren't needed. The other big problem people have is that their broadcast address, -netmask or IP address is wrong (specified with the -B, -N and -I -options to nmbd). +netmask or IP address is wrong (specified with the "interfaces" option +in smb.conf) + + +BROWSING ACROSS SUBNETS +======================= + +With the release of Samba 1.9.17(alpha1 and above) Samba has been +updated to enable it to support the replication of browse lists +across subnet boundaries. New code and options have been added to +achieve this. This section describes how to set this feature up +in different settings. + +To see browse lists that span TCP/IP subnets (ie. networks separated +by routers that don't pass broadcast traffic) you must set up at least +one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing +NetBIOS name to IP address translation to be done by doing a direct +query of the WINS server. This is done via a directed UDP packet on +port 137 to the WINS server machine. The reason for a WINS server is +that by default, all NetBIOS name to IP address translation is done +by broadcasts from the querying machine. This means that machines +on one subnet will not be able to resolve the names of machines on +another subnet without using a WINS server. + +Remember, for browsing across subnets to work correctly, all machines, +be they Windows 95, Windows NT, or Samba servers must have the IP address +of a WINS server given to them by a DHCP server, or by manual configuration +(for Win95 and WinNT, this is in the TCP/IP Properties, under Network +settings) for Samba this is in the smb.conf file. + +How does cross subnet browsing work ? +===================================== + +Cross subnet browsing is a complicated dance, containing multiple +moving parts. It has taken Microsoft several years to get the code +that achieves this correct, and Samba lags behind in some areas. +However, with the 1.9.17 release, Samba is capable of cross subnet +browsing when configured correctly. + +Consider a network set up as follows : + + (DMB) + N1_A N1_B N1_C N1_D N1_E + | | | | | + ------------------------------------------------------- + | subnet 1 | + +---+ +---+ + |R1 | Router 1 Router 2 |R2 | + +---+ +---+ + | | + | subnet 2 subnet 3 | + -------------------------- ------------------------------------ + | | | | | | | | + N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D + (WINS) + +Consisting of 3 subnets (1, 2, 3) conneted by two routers +(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines +on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume +for the moment that all these machines are configured to be in the +same workgroup (for simplicities sake). Machine N1_C on subnet 1 +is configured as Domain Master Browser (ie. it will collate the +browse lists for the workgroup). Machine N2_D is configured as +WINS server and all the other machines are configured to register +their NetBIOS names with it. + +As all these machines are booted up, elections for master browsers +will take place on each of the three subnets. Assume that machine +N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on +subnet 3 - these machines are known as local master browsers for +their particular subnet. N1_C has an advantage in winning as the +local master browser on subnet 1 as it is set up as Domain Master +Browser. + +On each of the three networks, machines that are configured to +offer sharing services will broadcast that they are offering +these services. The local master browser on each subnet will +receive these broadcasts and keep a record of the fact that +the machine is offering a service. This list of records is +the basis of the browse list. For this case, assume that +all the machines are configured to offer services so all machines +will be on the browse list. + +For each network, the local master browser on that network is +considered 'authoritative' for all the names it receives via +local broadcast. This is because a machine seen by the local +master browser via a local broadcast must be on the same +network as the local master browser and thus is a 'trusted' +and 'verifiable' resource. Machines on other networks that +the local master browsers learn about when collating their +browse lists have not been directly seen - these records are +called 'non-authoritative'. + +At this point the browse lists look as follows (these are +the machines you would see in your network neighborhood if +you looked in it on a particular network right now). + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + +Note that at this point all the subnets are separate, no +machine is seen across any of the subnets. + +Now examine subnet 2. As soon as N2_B has become the local +master browser it looks for a Domain master browser to synchronize +its browse list with. It does this by querying the WINS server +(N2_D) for the IP address associated with the NetBIOS name +WORKGROUP<1B>. This name was registerd by the Domain master +browser (N1_C) with the WINS server as soon as it was booted. + +Once N2_B knows the address of the Domain master browser it +tells it that is the local master browser for subnet 2 by +sending a MasterAnnouncement packet as a UDP port 138 packet. +It then synchronizes with it by doing a NetServerEnum2 call. This +tells the Domain Master Browser to send it all the server +names it knows about. Once the domain master browser receives +the MasterAnnouncement packet it schedules a synchronization +request to the sender of that packet. After both synchronizations +are done the browse lists look like : + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + +Servers with a (*) after them are non-authoritative names. + +At this point users looking in their network neighborhood on +subnets 1 or 2 will see all the servers on both, users on +subnet 3 will still only see the servers on their own subnet. + +The same sequence of events that occured for N2_B now occurs +for the local master browser on subnet 3 (N3_D). When it +synchronizes browse lists with the domain master browser (N1_A) +it gets both the server entries on subnet 1, and those on +subnet 2. After N3_D has synchronized with N1_C and vica-versa +the browse lists look like. + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names. + +At this point users looking in their network neighborhood on +subnets 1 or 3 will see all the servers on all sunbets, users on +subnet 2 will still only see the servers on subnets 1 and 2, but not 3. + +Finally, the local master browser for subnet 2 (N2_B) will sync again +with the domain master browser (N1_C) and will recieve the missing +server entries. Finally - and as a steady state (if no machines +are removed or shut off) the browse lists will look like : + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names. + +Synchronizations between the domain master browser and local +master browsers will continue to occur, but this should be a +steady state situation. + +If either router R1 or R2 fails the following will occur: + +1) Names of computers on each side of the inaccessible network fragments +will be maintained for as long as 36 minutes, in the network neighbourhood +lists. + +2) Attempts to connect to these inaccessible computers will fail, but the +names will not be removed from the network neighbourhood lists. + +3) If one of the fragments is cut off from the WINS server, it will only +be able to access servers on its local subnet, by using subnet-isolated +broadcast NetBIOS name resolution. The effects are similar to that of +losing access to a DNS server. + +Setting up a WINS server +======================== + +Either a Samba machine or a Windows NT Server machine may be set up +as a WINS server. To set a Samba machine to be a WINS server you must +add the following option to the smb.conf file on the selected machine : +in the [globals] section add the line + + wins support = yes + +Versions of Samba previous to 1.9.17 had this parameter default to +yes. If you have any older versions of Samba on your network it is +strongly suggested you upgrade to 1.9.17 or above, or at the very +least set the parameter to 'no' on all these machines. + +Machines with "wins support = yes" will keep a list of all NetBIOS +names registered with them, acting as a DNS for NetBIOS names. + +You should set up only ONE wins server. Do NOT set the +"wins support = yes" option on more than one Samba server. + +To set up a Windows NT Server as a WINS server you need to set up +the WINS service - see your NT documentation for details. Note that +Windows NT WINS Servers can replicate to each other, allowing more +than one to be set up in a complex subnet environment. As Microsoft +refuse to document these replication protocols Samba cannot currently +participate in these replications. It is possible in the future that +a Samba->Samba WINS replication protocol may be defined, in which +case more than one Samba machine could be set up as a WINS server +but currently only one Samba server should have the "wins support = yes" +parameter set. + +After the WINS server has been configured you must ensure that all +machines participating on the network are configured with the address +of this WINS server. If your WINS server is a Samba machine, fill in +the Samba machine IP address in the "Primary WINS Server" field of +the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs +in Windows 95 or Windows NT. To tell a Samba server the IP address +of the WINS server add the following line to the [global] section of +all smb.conf files : + + wins server = <name or IP address> + +where <name or IP address> is either the DNS name of the WINS server +machine or its IP address. + +Note that this line MUST NOT BE SET in the smb.conf file of the Samba +server acting as the WINS server itself. If you set both the +"wins support = yes" option and the "wins server = <name>" option then +nmbd will fail to start. + +There are two possible scenarios for setting up cross subnet browsing. +The first details setting up cross subnet browsing on a network containing +Windows 95, Samba and Windows NT machines that are not configured as +part of a Windows NT Domain. The second details setting up cross subnet +browsing on networks that contain NT Domains. + +Setting up Browsing in a WORKGROUP +================================== + +To set up cross subnet browsing on a network containing machines +in up to be in a WORKGROUP, not an NT Domain you need to set up one +Samba server to be the Domain Master Browser (note that this is *NOT* +the same as a Primary Domain Controller, although in an NT Domain the +same machine plays both roles). The role of a Domain master browser is +to collate the browse lists from local master browsers on all the +subnets that have a machine participating in the workgroup. Without +one machine configured as a domain master browser each subnet would +be an isolated workgroup, unable to see any machines on any other +subnet. It is the presense of a domain master browser that makes +cross subnet browsing possible for a workgroup. + +In an WORKGROUP environment the domain master browser must be a +Samba server, and there must only be one domain master browser per +workgroup name. To set up a Samba server as a domain master browser, +set the following option in the [global] section of the smb.conf file : + + domain master = yes + +The domain master browser should also preferrably be the local master +browser for its own subnet. In order to achieve this set the following +options in the [global] section of the smb.conf file : + + domain master = yes + local master = yes + preferred master = yes + os level = 65 + +The domain master browser may be the same machine as the WINS +server, if you require. + +Next, you should ensure that each of the subnets contains a +machine that can act as a local master browser for the +workgroup. Any NT machine should be able to do this, as will +Windows 95 machines (although these tend to get rebooted more +often, so it's not such a good idea to use these). To make a +Samba server a local master browser set the following +options in the [global] section of the smb.conf file : + + domain master = no + local master = yes + preferred master = yes + os level = 65 + +Do not do this for more than one Samba server on each subnet, +or they will war with each other over which is to be the local +master browser. + +The "local master" parameter allows Samba to act as a local master +browser. The "preferred master" causes nmbd to force a browser +election on startup and the "os level" parameter sets Samba high +enough so that it should win any browser elections. + +If you have an NT machine on the subnet that you wish to +be the local master browser then you can disable Samba from +becoming a local master browser by setting the following +options in the [global] section of the smb.conf file : + + domain master = no + local master = no + preferred master = no + os level = 0 + +Setting up Browsing in a DOMAIN +=============================== + +If you are adding Samba servers to a Windows NT Domain then +you must not set up a Samba server as a domain master browser. +By default, a Windows NT Primary Domain Controller for a Domain +name is also the Domain master browser for that name, and many +things will break if a Samba server registers the Domain master +browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC. + +For subnets other than the one containing the Windows NT PDC +you may set up Samba servers as local master browsers as +described. To make a Samba server a local master browser set +the following options in the [global] section of the smb.conf +file : + + domain master = no + local master = yes + preferred master = yes + os level = 65 + +If you wish to have a Samba server fight the election with machines +on the same subnet you may set the "os level" parameter to lower +levels. By doing this you can tune the order of machines that +will become local master browsers if they are running. For +more details on this see the section "FORCING SAMBA TO BE THE MASTER" +below. + +If you have Windows NT machines that are members of the domain +on all subnets, and you are sure they will always be running then +you can disable Samba from taking part in browser elections and +ever becoming a local master browser by setting following options +in the [global] section of the smb.conf file : + + domain master = no + local master = no + preferred master = no + os level = 0 FORCING SAMBA TO BE THE MASTER ============================== Who becomes the "master browser" is determined by an election process -using broadcasts. Each election packet contains a number of parameters +using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the -election. By default Samba uses a very low precedence and thus loses +election. By default Samba uses a very low precedence and thus loses elections to just about anyone else. If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 33 +option in smb.conf to a higher number. It defaults to 0. Using 34 would make it win all elections over every other system (except other samba systems!) -A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A +A "os level" of 2 would make it beat WfWg and Win95, but not NTAS. A NTAS domain controller uses level 32. The maximum os level is 255 +If you want samba to force an election on startup, then set the +"preferred master" global option in smb.conf to "yes". Samba will +then have a slight advantage over other potential master browsers +that are not preferred master browsers. Use this parameter with +care, as if you have two hosts (whether they are windows 95 or NT or +samba) on the same local subnet both set with "preferred master" to +"yes", then periodically and continually they will force an election +in order to become the local master browser. + +If you want samba to be a "domain master browser", then it is +recommended that you also set "preferred master" to "yes", because +samba will not become a domain master browser for the whole of your +LAN or WAN if it is not also a local master browser on its own +broadcast isolated subnet. + +It is possible to configure two samba servers to attempt to become +the domain master browser for a domain. The first server that comes +up will be the domain master browser. All other samba servers will +attempt to become the domain master browser every 5 minutes. They +will find that another samba server is already the domain master +browser and will fail. This provides automatic redundancy, should +the current domain master browser fail. + + MAKING SAMBA THE DOMAIN MASTER ============================== The domain master is responsible for collating the browse lists of -multiple subnets so that browsing can occur between subnets. You can +multiple subnets so that browsing can occur between subnets. You can make samba act as the domain master by setting "domain master = yes" -in smb.conf. By default it will not be a domain master. +in smb.conf. By default it will not be a domain master. + +Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain. When samba is the domain master and the master browser it will listen -for master announcements from other subnets and then contact them to -synchronise browse lists. +for master announcements (made roughly every twelve minutes) from local +master browsers on other subnets and then contact them to synchronise +browse lists. If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections. +the "os level" high enough to make sure it wins elections, and set +"preferred master" to "yes", to get samba to force an election on +startup. -NOTIFYING THE DOMAIN CONTROLLER -=============================== +Note that all your servers (including samba) and clients should be +using a WINS server to resolve NetBIOS names. If your clients are only +using broadcasting to resolve NetBIOS names, then two things will occur: + +a) your local master browsers will be unable to find a domain master + browser, as it will only be looking on the local subnet. -If you have a domain controller for the domain which Samba is a part -of then you should add the line "domain controller = address" to -smb.conf. "address" can either be a name available via DNS or a IP -address or a broadcast address. If it is a broadcast address then -Samba will look for a domain controller on that network. +b) if a client happens to get hold of a domain-wide browse list, and + a user attempts to access a host in that list, it will be unable to + resolve the NetBIOS name of that host. -When Samba is the master browser it will regularly contact the domain -controller to synchronise browse lists. +If, however, both samba and your clients are using a WINS server, then: +a) your local master browsers will contact the WINS server and, as long as + samba has registered that it is a domain master browser with the WINS + server, your local master browser will receive samba's ip address + as its domain master browser. + +b) when a client receives a domain-wide browse list, and a user attempts + to access a host in that list, it will contact the WINS server to + resolve the NetBIOS name of that host. as long as that host has + registered its NetBIOS name with the same WINS server, the user will + be able to see that host. NOTE ABOUT BROADCAST ADDRESSES ============================== If your network uses a "0" based broadcast address (for example if it -ends in a 0) then you will strike problems. Windows for Workgroups +ends in a 0) then you will strike problems. Windows for Workgroups does not seem to support a 0's broadcast and you will probably find that browsing and name lookups won't work. -You have a few options: - -1) change to a 1's broadcast on your unix server. These often end in -.255 (check with your local network guru for details) -2) set the nmbd broadcast to a 1's based address on the command line using -the -B option. This only works if your network setup listens on both -0s and 1s based broadcasts. The -B option can only control what -address it sends to, not what it listens on. +MULTIPLE INTERFACES +=================== +Samba now supports machines with multiple network interfaces. If you +have multiple interfaces then you will need to use the "interfaces" +option in smb.conf to configure them. See smb.conf(5) for details. diff --git a/docs/textdocs/BUGS.txt b/docs/textdocs/BUGS.txt index e0fd6951477..2c0b4f0613f 100644 --- a/docs/textdocs/BUGS.txt +++ b/docs/textdocs/BUGS.txt @@ -1,31 +1,34 @@ -This file describes how to report Samba bugs. +!== +!== BUGS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Samba Team +Updated: June 27, 1997 ->> The email address for bug reports is samba-bugs@anu.edu.au << - -(NOTE: This mail may not be in place yet. If you have troubles with it -then use samba-bugs@arvidsjaur.anu.edu.au) +Subject: This file describes how to report Samba bugs. +============================================================================ +>> The email address for bug reports is samba-bugs@samba.anu.edu.au << Please take the time to read this file before you submit a bug -report. Also, please see if it has changed between releases, as I -may be changing the bug reporting mechanism sometime soon. +report. Also, please see if it has changed between releases, as we +may be changing the bug reporting mechanism at some time. Please also do as much as you can yourself to help track down the -bug. I only develop Samba in my spare time and I receive far more mail -about it than I can possibly answer, so you have a much higher chance -of an answer and a fix if you send me a "developer friendly" bug -report that lets me fix it fast. +bug. Samba is maintained by a dedicated group of people who volunteer +their time, skills and efforts. We receive far more mail about it than +we can possibly answer, so you have a much higher chance of an answer +and a fix if you send us a "developer friendly" bug report that lets +us fix it fast. Do not assume that if you post the bug to the comp.protocols.smb -newsgroup that I will read it. I do read all postings to the samba -mailing list (see the README). If you suspect that your problem is not -a bug but a configuration problem then it is better to send it to the -Samba mailing list, as there are (at last count) 1900 other users on +newsgroup or the mailing list that we will read it. If you suspect that your +problem is not a bug but a configuration problem then it is better to send +it to the Samba mailing list, as there are (at last count) 5000 other users on that list that may be able to help you. You may also like to look though the recent mailing list archives, which are conveniently accessible on the Samba web pages -at http://lake.canberra.edu.au/pub/samba/ +at http://samba.anu.edu.au/samba/ GENERAL INFO @@ -36,6 +39,8 @@ errors. Look in your log files for obvious messages that tell you that you've misconfigured something and run testparm to test your config file for correct syntax. +Have you run through DIAGNOSIS.txt? This is very important. + If you include part of a log file with your bug report then be sure to annotate it with exactly what you were doing on the client at the time, and exactly what the results were. @@ -54,6 +59,7 @@ To set the debug level use "log level =" in your smb.conf. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this use: +log level = 10 log file = /usr/local/samba/lib/log.%m include = /usr/local/samba/lib/smb.conf.%m @@ -63,6 +69,15 @@ put any smb.conf commands you want, for example "log level=" may be useful. This also allows you to experiment with different security systems, protocol levels etc on just one machine. +The smb.conf entry "log level =" is synonymous with the entry +"debuglevel =" that has been used in older versions of Samba and +is being retained for backwards compatibility of smb.conf files. + +As the "log level =" value is increased you will record a significantly +increasing level of debugging information. For most debugging operations +you may not need a setting higher than 3. Nearly all bugs can be tracked +at a setting of 10, but be prepared for a VERY large volume of log data. + INTERNAL ERRORs --------------- @@ -115,7 +130,7 @@ where it occurred. PATCHES ------- -The best sort of bug report is one that includes a fix! If you send me +The best sort of bug report is one that includes a fix! If you send us patches please use "diff -u" format if your version of diff supports it, otherwise use "diff -c4". Make sure your do the diff against a clean version of the source and let me know exactly what version you diff --git a/docs/textdocs/CVS_ACCESS.txt b/docs/textdocs/CVS_ACCESS.txt new file mode 100644 index 00000000000..cee7af02b78 --- /dev/null +++ b/docs/textdocs/CVS_ACCESS.txt @@ -0,0 +1,124 @@ +!== +!== CVS_ACCESS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Modified from the Web pages by Jeremy Allison. +Date: 23 Dec 1997 +Status: Current + +How to get access to Samba source code via cvs. +=============================================== + +CVS Access to samba.anu.edu.au +------------------------------ + +The machine samba.anu.edu.au runs a publicly accessible CVS +repository for access to the source code of several packages, +including samba, rsync and jitterbug. This document describes +how to get anonymous read-only access to this source code. + +Access via cvsweb +----------------- + +You can access the source code via your favourite WWW browser. +This allows you to access the contents of individual files in +the repository and also to look at the revision history and +commit logs of individual files. You can also ask for a diff +listing between any two versions on the repository. + +Use the URL : http://samba.anu.edu.au/cgi-bin/cvsweb + +Access via cvs +-------------- + +You can also access the source code via a normal cvs client. +This gives you much more control over you can do with the +repository and allows you to checkout whole source trees +and keep them uptodate via normal cvs commands. This is the +preferred method of access if you are a developer and not +just a casual browser. + +To download the latest cvs source code, point your +browser at the URL : + +http://www.cyclic.com/ + +and click on the 'How to get cvs' link. CVS is free +software under the GNU GPL (as is Samba). + +To gain access via anonymous cvs use the following steps. +For this example it is assumed that you want a copy of the +samba source code. For the other source code repositories +on this system just substitute the correct package name + +1. Install a recent copy of cvs. All you really need is a + copy of the cvs client binary. + +2. Run the command + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login + +When it asks you for a password type 'cvs' (not including +the quotes). + +3. Run the command + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba + +This will create a directory called samba containing the +latest samba source code. This currently corresponds to the +1.9.18alpha development tree. + +4. Whenever you want to merge in the latest code changes use +the following command from within the samba directory: + + cvs update -d -P + +NOTE: If you instead want the latest source code for the +1.9.17 stable tree then replace step 4 with the command: + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_1_9_17 samba + +Access to the NT DOMAIN Controller code +--------------------------------------- + +The Samba PDC code is being separately developed on a +branch named BRANCH_NTDOM. To gain access to the latest +source code (this changes daily) do the following: + +1). Log onto cvs + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login + +When it asks you for a password type 'cvs' (not including +the quotes). + +2). Check out the BRANCH_NTDOM by typing : + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba + +This will create a directory called samba containing the +latest snapshot of the domain controller code. + +3). To keep this code up to date after it has been +changed in the cvs repository, cd into the samba +directory you created above and type : + + cvs update -d -P + +How it's done. +-------------- + +If you are interested in how anonymous cvs access is set up and +want to set it up on your own system then you might like to checkout +the pserver source code using the the command : + + cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co pserver + +You really have to know what you are doing to do this. Please don't +email samba-bugs with basic cvs or unix security questions. + +Reporting problems. +------------------- + +If you have any problems with this system please email +samba-bugs@samba.anu.edu.au. diff --git a/docs/textdocs/DHCP-Server-Configuration.txt b/docs/textdocs/DHCP-Server-Configuration.txt new file mode 100644 index 00000000000..d4047d8bf73 --- /dev/null +++ b/docs/textdocs/DHCP-Server-Configuration.txt @@ -0,0 +1,203 @@ +!== +!== DHCP-Server-Configuration.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Subject: DHCP Server Configuration for SMB Clients +Date: March 1, 1998 +Contributor: John H Terpstra <jht@samba.anu.edu.au> +Support: This is an unsupported document. Refer to documentation that is + supplied with the ISC DHCP Server. Do NOT email the contributor + for ANY assistance. +=============================================================================== + +Background: +=========== + +We wish to help those folks who wish to use the ISC DHCP Server and provide +sample configuration settings. Red Hat Linux 5.0 is one operating system that +comes supplied with the ISC DHCP Server. ISC DHCP is available from + ftp://ftp.isc.org/isc/dhcp + +Incorrect configuration of MS Windows clients (Windows95, Windows NT Server and +Workstation) will lead to problems with browsing and with general network +operation. Windows 95 users often report problems where the TCP/IP and related +network settings will inadvertantly become reset at machine start-up resulting +in loss of configuration settings. This results in increased maintenance +overheads as well as serious user frustration. + +In recent times users on one mailing list incorrectly attributed the cause of +network operating problems to incorrect configuration of Samba. + +One user insisted that the only way to provent Windows95 from periodically +performing a full system reset and hardware detection process on start-up was +to install the NetBEUI protocol in addition to TCP/IP. + +In the first place, there is NO need for NetBEUI. All Microsoft Windows clients +natively run NetBIOS over TCP/IP, and that is the only protocol that is +recognised by Samba. Installation of NetBEUI and/or NetBIOS over IPX will +cause problems with browse list operation on most networks. Even Windows NT +networks experience these problems when incorrectly configured Windows95 +systems share the same name space. It is important that only those protocols +that are strictly needed for site specific reasons should EVER be installed. + +Secondly, and totally against common opinion, DHCP is NOT an evil design but is +an extension of the BOOTP protocol that has been in use in Unix environments +for many years without any of the melt-down problems that some sensationalists +would have us believe can be experienced with DHCP. In fact, DHCP in covered by +rfc1541 and is a very safe method of keeping an MS Windows desktop environment +under control and for ensuring stable network operation. + +While it is true that the Microsoft DHCP server that comes with Windows NT +Server provides only a sub-set of rfc1533 functionality this is hardly an issue +in those sites that already have a large investment and commitment to Unix +systems and technologies. The current state of the art of the DHCP Server +specification in covered in rfc2132. + +This document aims to provide enough background information so that the +majority of site can without too much hardship get the Internet Software +Consortium's (ISC) DHCP Server into operation. The key benefits of using DHCP +includes: + +1) Automated IP Address space management and maximised re-use of available IP +Addresses, + +2) Automated control of MS Windows client TCP/IP network configuration, + +3) Automatic recovery from start-up and run-time problems with Windows95. + + + +Client Configuration for SMB Networking: +======================================== +SMB network clients need to be configured so that all standard TCP/IP name to +address resolution works correctly. Once this has been achieved the SMB +environment provides additional tools and services that act as helper agents in +the translation of SMB (NetBIOS) names to their appropriate IP Addresses. One +such helper agent is the NetBIOS Name Server (NBNS) or as Microsoft called it +in their Windows NT Server implementation WINS (Windows Internet Name Server). + +A client needs to be configured so that it has a unique Machine (Computer) +Name. This can NOT be done via DHCP and must be assigned when MS Windows +networking is first installed. All remaining TCP/IP networking parameters can +be assigned via DHCP. These include: + +a) IP Address, +b) Netmask, +c) Gateway (Router) Address, +d) DNS Domain Name, +e) DNS Server addresses, +f) WINS (NBNS) Server addresses, +g) IP Forwarding, +h) Timezone offset, +i) Node Type, + +Other assignments can be made from a DHCP server too, but the above cover the +major needs. + + +DHCP Server Installation: +========================= +It is assumed that you will have obtained a copy of the GPL'd ISC DHCP server +source files from ftp://ftp.isc.org/isc/dhcp, it is also assumed that you have +compiled the sources and have installed the binary files. + +The following simply serves to provide sample configuration files to enable +dhcpd to operate. The sample files assume that your site is configured to use +private IP network address space using the Class B range of 172.16.1.0 - +172.16.1.255 and is using a netmask of 255.255.255.0 (ie:24 bits). It is +assumed that your router to the outside world is at 172.16.1.254 and that your +Internet Domain Name is bestnet.com.au. The IP Address range 172.16.1.100 to +172.16.1.240 has been set aside as your dynamically allocated range. In +addition, bestnet.com.au have two print servers that need to obtain settings +via BOOTP. The machine linux.bestnet.com.au has IP address 172.16.1.1 and is +you primary Samba server with WINS support enabled by adding the parameter to +the /etc/smb.conf file: [globals] wins support = yes. The dhcp lease time will +be set to 20 hours. + +Configuration Files: +==================== +Before dhcpd will run you need to install a file that speifies the +configuration settings, and another that holds the database of issued IP +addresses. On many systems these are stored in the /etc directory on the Unix +system. + +Example /etc/dhcpd.conf: +======================== +server-identifier linux.bestnet.com.au; + +subnet 172.16.1.0 netmask 255.255.255.0 { + range 172.16.1.100 172.16.1.240; + default-lease-time 72000; + max-lease-time 144000; + option subnet-mask 255.255.255.0; + option broadcast-address 172.16.1.255; + option routers 172.16.1.254; + option domain-name-servers 172.16.1.1, 172.16.1.2; + option domain-name "bestnet.com.au"; + option time-offset 39600; + option ip-forwarding off; + option netbios-name-servers 172.16.0.1; + option netbios-dd-server 172.16.0.1; + option netbios-node-type 8; +} + +group { + next-server 172.16.1.10; + option subnet-mask 255.255.255.0; + option domain-name "bestnet.com.au"; + option domain-name-servers 172.16.1.1, 172.16.0.2; + option netbios-name-servers 172.16.0.1; + option netbios-dd-server 172.16.0.1; + option netbios-node-type 8; + option routers 172.16.1.240; + option time-offset 39600; + host lexmark1 { + hardware ethernet 06:07:08:09:0a:0b; + fixed-address 172.16.1.245; + } + host epson4 { + hardware ethernet 01:02:03:04:05:06; + fixed-address 172.16.1.242; + } +} + + +Creating the /etc/dhcpd.leases file: +==================================== +At a Unix shell create an empty dhcpd.leases file in the /etc directory. +You can do this by typing: cp /dev/null /etc/dhcpd.leases + + +Setting up a route table for all-ones addresses: +================================================ +Quoting from the README file that comes with th eISC DHCPD Server: + + BROADCAST + +In order for dhcpd to work correctly with picky DHCP clients (e.g., +Windows 95), it must be able to send packets with an IP destination +address of 255.255.255.255. Unfortunately, Linux insists on changing +255.255.255.255 into the local subnet broadcast address (here, that's +192.5.5.223). This results in a DHCP protocol violation, and while +many DHCP clients don't notice the problem, some (e.g., all Microsoft +DHCP clients) do. Clients that have this problem will appear not to +see DHCPOFFER messages from the server. + +It is possible to work around this problem on some versions of Linux +by creating a host route from your network interface address to +255.255.255.255. The command you need to use to do this on Linux +varies from version to version. The easiest version is: + + route add -host 255.255.255.255 dev eth0 + +On some older Linux systems, you will get an error if you try to do +this. On those systems, try adding the following entry to your +/etc/hosts file: + +255.255.255.255 all-ones + +Then, try: + + route add -host all-ones dev eth0 + + +For more information please refer to the ISC DHCPD Server documentation. diff --git a/docs/textdocs/DIAGNOSIS.txt b/docs/textdocs/DIAGNOSIS.txt index 6681bdc4bcb..31845386123 100644 --- a/docs/textdocs/DIAGNOSIS.txt +++ b/docs/textdocs/DIAGNOSIS.txt @@ -1,5 +1,11 @@ -DIAGNOSING YOUR SAMBA SERVER -============================ +!== +!== DIAGNOSIS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell +Updated: October 14, 1997 + +Subject: DIAGNOSING YOUR SAMBA SERVER +=========================================================================== This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem @@ -11,7 +17,7 @@ carefully choose them so later tests only use capabilities verified in the earlier tests. I would welcome additions to this set of tests. Please mail them to -samba-bugs@anu.edu.au +samba-bugs@samba.anu.edu.au If you send me an email saying "it doesn't work" and you have not followed this test procedure then you should not be surprised if I @@ -23,10 +29,12 @@ ASSUMPTIONS In all of the tests I assume you have a Samba server called BIGSERVER and a PC called ACLIENT. I also assume the PC is running windows for -workgroups with a recent copy of the microsoft tcp/ip stack. The -procedure is similar for other types of clients. +workgroups with a recent copy of the microsoft tcp/ip stack. Alternatively, +your PC may be running Windows 95 or Windows NT (Workstation or Server). + +The procedure is similar for other types of clients. -I also assume you know the name of a available share in your +I also assume you know the name of an available share in your smb.conf. I will assume this share is called "tmp". You can add a "tmp" share like by adding the following to smb.conf: @@ -36,15 +44,28 @@ smb.conf. I will assume this share is called "tmp". You can add a read only = yes -THESE TESTS ASSUME VERSION 1.9.15 OR LATER OF THE SAMBA SUITE. SOME +THESE TESTS ASSUME VERSION 1.9.16 OR LATER OF THE SAMBA SUITE. SOME COMMANDS SHOWN DID NOT EXIST IN EARLIER VERSIONS +Please pay attention to the error messages you receive. If any error message +reports that your server is being unfriendly you should first check that you +IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf +file points to name servers that really do exist. + +Also, if you do not have DNS server access for name resolution please check +that the settings for your smb.conf file results in "dns proxy = no". The +best way to check this is with "testparm smb.conf" + TEST 1: ------- -run the command "testparm". If it reports any errors then your -smb.conf configuration file is faulty. +In the directory in which you store your smb.conf file, run the command +"testparm smb.conf". If it reports any errors then your smb.conf +configuration file is faulty. + +Note: Your smb.conf file may be located in: /etc + Or in: /usr/local/samba/lib TEST 2: @@ -60,13 +81,18 @@ run ping. If you get a message saying "host not found" or similar then your DNS software or /etc/hosts file is not correctly setup. It is possible to run samba without DNS entries for the server and client, but I assume -you do have correct entries for the remainder of these tests. +you do have correct entries for the remainder of these tests. + +Another reason why ping might fail is if your host is running firewall +software. You will need to relax the rules to let in the workstation +in question, perhaps by allowing access from another subnet (on Linux +this is done via the ipfwadm program.) TEST 3: ------- -run the command "smbclient -L BIGSERVER -U%" on the unix box. You +Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. If you get a error message containing the string "Bad password" then @@ -77,7 +103,7 @@ temporarily remove any "hosts allow", "hosts deny", "valid users" or "invalid users" lines. If you get a "connection refused" response then the smbd server could -not be run. If you installed it in inetd.conf then you probably edited +not be running. If you installed it in inetd.conf then you probably edited that file incorrectly. If you installed it as a daemon then check that it is running, and check that the netbios-ssn port is in a LISTEN state using "netstat -a". @@ -86,16 +112,28 @@ If you get a "session request failed" then the server refused the connection. If it says "your server software is being unfriendly" then its probably because you have invalid command line parameters to smbd, or a similar fatal problem with the initial startup of smbd. Also -check your config file for syntax errors with "testparm". +check your config file (smb.conf) for syntax errors with "testparm" +and that the various directories where samba keeps its log and lock +files exist. + +Another common cause of these two errors is having something already running +on port 139, such as Samba (ie: smbd is running from inetd already) or +something like Digital's Pathworks. Check your inetd.conf file before trying +to start smbd as a daemon, it can avoid a lot of frustration! + +And yet another possible cause for failure of TEST 3 is when the subnet mask +and / or broadcast address settings are incorrect. Please check that the +network interface IP Address / Broadcast Address / Subnet Mask settings are +correct and that Samba has correctly noted these in the log.nmb file. TEST 4: ------- -run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the +Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back. If you don't then nmbd is incorrectly installed. Check your inetd.conf -if yu run it from there, or that the daemon is running and listening +if you run it from there, or that the daemon is running and listening to udp port 137. One common problem is that many inetd implementations can't take many @@ -103,6 +141,7 @@ parameters on the command line. If this is the case then create a one-line script that contains the right parameters and run that from inetd. + TEST 5: ------- @@ -110,14 +149,13 @@ run the command "nmblookup -B ACLIENT '*'" You should get the PCs IP address back. If you don't then the client software on the PC isn't installed correctly, or isn't started, or you -got the name of the PC wrong. Note that you probably won't get a "node -status response" from the PC due to a bug in the microsoft netbios -nameserver implementation (it responds to the wrong port number). +got the name of the PC wrong. + TEST 6: ------- -run the command "nmblookup -d 2 '*'" +Run the command "nmblookup -d 2 '*'" This time we are trying the same as the previous test but are trying it via a broadcast to the default broadcast address. A number of @@ -128,29 +166,21 @@ hosts. If this doesn't give a similar result to the previous test then nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment with the -B -option which allows you to manually specify the broadcast address, -overriding the automatic detection. You should try different broadcast -addresses until your find the one that works. It will most likely be -something like a.b.c.255 as microsoft tcpip stacks only listen on 1's -based broadcast addresses. If you get stuck then ask your local -networking guru for help (and show them this paragraph). - -If you find you do need the -B option (ie. the automatic detection -doesn't work) then you should add the -B option with the right -broadcast address for your network to the command line of nmbd in -inetd.conf or in the script you use to start nmbd as a daemon. Once -you do this go back to the "nmblookup __SAMBA__ -B BIGSERVER" test to -make sure you have it running properly. +automatic mechanism. In this case you should experiment use the +"interfaces" option in smb.conf to manually configure your IP +address, broadcast and netmask. If your PC and server aren't on the same subnet then you will need to use the -B option to set the broadcast address to the that of the PCs subnet. +This test will probably fail if your subnet mask and broadcast address are +not correct. (Refer to TEST 3 notes above). + TEST 7: ------- -run the command "smbclient '\\BIGSERVER\TMP'". You should then be +Run the command "smbclient '\\BIGSERVER\TMP'". You should then be prompted for a password. You should use the password of the account you are logged into the unix box with. If you want to test with another account then add the -U <accountname> option to the command @@ -168,6 +198,8 @@ compile in support for them in smbd - you have a mixed case password and you haven't enabled the "password level" option at a high enough level - the "path =" line in smb.conf is incorrect. Check it with testparm +- you enabled password encryption but didn't create the SMB encrypted +password file Once connected you should be able to use the commands "dir" "get" "put" etc. Type "help <command>" for instructions. You should @@ -199,11 +231,16 @@ same fixes apply as they did for the "smbclient -L" test above. In particular, make sure your "hosts allow" line is correct (see the man pages) +If you get "specified computer is not receiving requests" or similar +it probably means that the host is not contactable via tcp services. +Check to see if the host is running tcp wrappers, and if so add an entry in +the hosts.allow file for your client (or subnet, etc.) + TEST 9: -------- -run the command "net use x: \\BIGSERVER\TMP". You should be prompted +Run the command "net use x: \\BIGSERVER\TMP". You should be prompted for a password then you should get a "command completed successfully" message. If not then your PC software is incorrectly installed or your smb.conf is incorrect. make sure your "hosts allow" and other config @@ -221,17 +258,24 @@ TEST 10: From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you -specified in the Makefile). You should be able to double click on the -name of the server and get a list of shares. If you get a "invalid +specified in smb.conf). You should be able to double click on the name +of the server and get a list of shares. If you get a "invalid password" error when you do then you are probably running WinNT and it is refusing to browse a server that has no encrypted password -capability and is in user level security mode. +capability and is in user level security mode. In this case either set +"security = server" AND "password server = Windows_NT_Machine" in your +smb.conf file, or enable encrypted passwords AFTER compiling in support +for encrypted passwords (refer to the Makefile). Still having troubles? ---------------------- Try the mailing list or newsgroup, or use the tcpdump-smb utility to -sniff the problem. +sniff the problem. The official samba mailing list can be reached at +samba@samba.anu.edu.au. To find out more about samba and how to +subscribe to the mailing list check out the samba web page at + http://samba.anu.edu.au/samba +Also look at the other docs in the Samba package! diff --git a/docs/textdocs/DNIX.txt b/docs/textdocs/DNIX.txt index 51005e6ec8c..0b52e22de48 100644 --- a/docs/textdocs/DNIX.txt +++ b/docs/textdocs/DNIX.txt @@ -1,3 +1,6 @@ +!== +!== DNIX.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== DNIX has a problem with seteuid() and setegid(). These routines are needed for Samba to work correctly, but they were left out of the DNIX C library for some reason. diff --git a/docs/textdocs/DOMAIN.txt b/docs/textdocs/DOMAIN.txt index 31e19675fae..60f47ff882b 100644 --- a/docs/textdocs/DOMAIN.txt +++ b/docs/textdocs/DOMAIN.txt @@ -1,68 +1,372 @@ -Samba now supports domain logons and network logon scripts. The -support is still experimental, but it seems to work. +!== +!== DOMAIN.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Samba Team +Updated: June 27, 1997 -The support is also not complete. Samba does not yet support the -sharing of the SAM database with other systems yet, or remote -administration. Support for these kind of things should be added -sometime in the future. +Subject: Network Logons and Roving Profiles +=========================================================================== + +A domain and a workgroup are exactly the same thing in terms of network +browsing. The difference is that a distributable authentication +database is associated with a domain, for secure login access to a +network. Also, different access rights can be granted to users if they +successfully authenticate against a domain logon server (samba does not +support this, but NT server and other systems based on NT server do). + +The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +However the network browsing functionality of domains and workgroups is +identical and is explained in BROWSING.txt. + +Issues related to the single-logon network model are discussed in this +document. Samba supports domain logons, network logon scripts, and user +profiles. The support is still experimental, but it seems to work. + +The support is also not complete. Samba does not yet support the sharing +of the Windows NT-style SAM database with other systems. However this is +only one way of having a shared user database: exactly the same effect can +be achieved by having all servers in a domain share a distributed NIS or +Kerberos authentication database. + +When an SMB client in a domain wishes to logon it broadcast requests for a +logon server. The first one to reply gets the job, and validates its +password using whatever mechanism the Samba administrator has installed. +It is possible (but very stupid) to create a domain where the user +database is not shared between servers, ie they are effectively workgroup +servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely +involved with domains. + +Another thing commonly associated with single-logon domains is remote +administration over the SMB protocol. Again, there is no reason why this +cannot be implemented with an underlying username database which is +different from the Windows NT SAM. Support for the Remote Administration +Protocol is planned for a future release of Samba. + +The domain support works for WfWg, and Win95 clients and NT 4.0 and 3.51. +Domain support is currently at an early experimental stage for NT 4.0 and +NT 3.51. Support for Windows OS/2 clients is still being worked on and is +still experimental. + +Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. +It is possible to specify: the profile location; script file to be loaded +on login; the user's home directory; and for NT a kick-off time could also +now easily be supported. + +With NT Workstations, all this does not require the use or intervention of +an NT 4.0 or NT 3.51 server: Samba can now replace the logon services +provided by an NT server, to a limited and experimental degree (for example, +running "User Manager for Domains" will not provide you with access to +a domain created by a Samba Server). + +With Win95, the help of an NT server can be enlisted, both for profile storage +and for user authentication. For details on user authentication, see +security_level.txt. For details on profile storage, see below. -The domain support only works for WfWg and Win95 clients. Support for -NT and OS/2 clients is still being worked on. Using these features you can make your clients verify their logon via -the Samba server and make clients run a batch file when they logon to -the network. The latter is particularly useful. +the Samba server; make clients run a batch file when they logon to +the network and download their preferences, desktop and start menu. + + +Configuration Instructions: Network Logons +========================================== + +To use domain logons and profiles you need to do the following: + -To use domain logons you need to do the following: +1) Setup nmbd and smbd by configuring smb.conf so that Samba is + acting as the master browser. See <your OS>_INSTALL.txt and BROWSING.txt + for details. -1) Setup nmbd and smbd and configure the smb.conf so that Samba is -acting as the master browser. See INSTALL.txt and BROWSING.txt for -details. +2) Setup a WINS server (see NetBIOS.txt) and configure all your clients + to use that WINS service. -2) create a share called [netlogon] in your smb.conf. This share should -be readable by all users, and probably should not be writeable. This -share will hold your network logon scripts. +3) Create a share called [netlogon] in your smb.conf. This share should + be readable by all users, and probably should not be writeable. This + share will hold your network logon scripts, and the CONFIG.POL file + (Note: for details on the CONFIG.POL file, how to use it, what it is, + refer to the Microsoft Windows NT Administration documentation. + The format of these files is not known, so you will need to use + Microsoft tools). For example I have used: [netlogon] path = /data/dos/netlogon writeable = no - guest ok = yes + guest ok = no +Note that it is important that this share is not writeable by ordinary +users, in a secure environment: ordinary users should not be allowed +to modify or add files that another user's computer would then download +when they log in. -3) in the [global] section of smb.conf set the following: +4) in the [global] section of smb.conf set the following: domain logons = yes logon script = %U.bat -the choice of batch file is, of course, up to you. The above would +The choice of batch file is, of course, up to you. The above would give each user a separate batch file as the %U will be changed to their username automatically. The other standard % macros may also be -used. You can make the btch files come from a subdirectory by using -soemthing like: +used. You can make the batch files come from a subdirectory by using +something like: logon script = scripts\%U.bat -4) create the batch files to be run when the user logs in. If the batch -file doesn't exist then no batch file will be run. +5) create the batch files to be run when the user logs in. If the batch + file doesn't exist then no batch file will be run. In the batch files you need to be careful to use DOS style cr/lf line endings. If you don't then DOS may get confused. I suggest you use a DOS editor to remotely edit the files if you don't know how to produce DOS style files under unix. -5) Use smbclient with the -U option for some users to make sure that -the \\server\NETLOGON share is available, the batch files are visible -and they are readable by the users. - -6) you will probabaly find that your clients automatically mount the -\\SERVER\NETLOGON share as drive z: while logging in. You can put some -useful programs there to execute from the batch files. +6) Use smbclient with the -U option for some users to make sure that + the \\server\NETLOGON share is available, the batch files are + visible and they are readable by the users. +7) you will probabaly find that your clients automatically mount the + \\SERVER\NETLOGON share as drive z: while logging in. You can put + some useful programs there to execute from the batch files. NOTE: You must be using "security = user" or "security = server" for -domain logons to work correctly. Share level security won't work +domain logons to work correctly. Share level security won't work correctly. + +Configuration Instructions: Setting up Roaming User Profiles +================================================================ + +In the [global] section of smb.conf set the following (for example): + + logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath + +The default for this option is \\%N\%U\profile, namely +\\sambaserver\username\profile. The \\N%\%U service is created +automatically by the [homes] service. + +If you are using a samba server for the profiles, you _must_ make the +share specified in the logon path browseable. Windows 95 appears to +check that it can see the share and any subdirectories within that share +specified by the logon path option, rather than just connecting straight +away. It also attempts to create the components of the full path for +you. If the creation of any component fails, or if it cannot see any +component of the path, the profile creation / reading fails. + +[lkcl 26aug96 - we have discovered a problem where Windows clients can +maintain a connection to the [homes] share in between logins. The +[homes] share must NOT therefore be used in a profile path.] + + +Windows 95 +---------- + +When a user first logs in on Windows 95, the file user.DAT is created, +as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. You will need to use the [global] +options "preserve case = yes", "short case preserve = yes" and +"case sensitive = no" in order to maintain capital letters in shortcuts +in any of the profile folders. + +The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file. + +2) On the Windows 95 machine, go to Control Panel | Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. + +3) On the Windows 95 machine, go to Control Panel | Network | + Client for Microsoft Networks | Preferences. Select 'Log on to + NT Domain'. Then, ensure that the Primary Logon is 'Client for + Microsoft Networks'. Press OK, and this time allow the computer + to reboot. + +Under Windows 95, Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, if you ask me. + +You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password. + +Once the user has been successfully validated, the Windows 95 machine +will inform you that 'The user has not logged on before' and asks you +if you wish to save the user's preferences? Select 'yes'. + +Once the Windows 95 client comes up with the desktop, you should be able +to examine the contents of the directory specified in the "logon path" +on the samba server and verify that the "Desktop", "Start Menu", +"Programs" and "Nethood" folders have been created. + +These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then :-). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set. + +If you have made the folders / files read-only on the samba server, +then you will get errors from the w95 machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the w95 machine, check the unix file +permissions and ownership rights on the profile directory contents, +on the samba server. + + +If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time". + + +1) instead of logging in under the [user, password, domain] dialog], + press escape. + +2) run the regedit.exe program, and look in: + + HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + + you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. + + [Exit the registry editor]. + +3) WARNING - before deleting the contents of the directory listed in + the ProfilePath (this is likely to be c:\windows\profiles\username), + ask them if they have any important files stored on their desktop + or in their start menu. delete the contents of the directory + ProfilePath (making a backup if any of the files are needed). + + This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + +4) search for the user's .PWL password-cacheing file in the c:\windows + directory, and delete it. + +5) log off the windows 95 client. + +6) check the contents of the profile path (see "logon path" described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. + + +If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as tcpdump or netmon.exe, and +look for any error reports. + +If you have access to an NT server, then first set up roaming profiles +and / or netlogons on the NT server. Make a packet trace, or examine +the example packet traces provided with NT server, and see what the +differences are with the equivalent samba trace. + + +Windows NT Workstation 4.0 +-------------------------- + +When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the "logon path" parameter, in exactly the same way as it +can for Win95. [lkcl 10aug97 - i tried setting the path to +\\samba-server\homes\profile, and discovered that this fails because +a background process maintains the connection to the [homes] share +which does _not_ close down in between user logins. you have to +have \\samba-server\%L\profile, where user is the username created +from the [homes] share]. + +There is a parameter that is now available for use with NT Profiles: +"logon drive". This should be set to "h:" or any other drive, and +should be used in conjunction with the new "logon home" parameter. + +The entry for the NT 4.0 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension) +[lkcl 10aug97 - i found that the creation of the .PDS directory failed, +and had to create these manually for each user, with a shell script. +also, i presume, but have not tested, that the full profile path must +be browseable just as it is for w95, due to the manner in which they +attempt to create the full profile path: test existence of each path +component; create path component]. + +In the profile directory, NT creates more folders than 95. It creates +"Application Data" and others, as well as "Desktop", "Nethood", +"Start Menu" and "Programs". The profile itself is stored in a file +NTuser.DAT. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown. + +You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one. + +[lkcl 10aug97 - i notice that NT Workstation tells me that it is +downloading a profile from a slow link. whether this is actually the +case, or whether there is some configuration issue, as yet unknown, +that makes NT Workstation _think_ that the link is a slow one is a +matter to be resolved]. + +[lkcl 20aug97 - after samba digest correspondance, one user found, and +another confirmed, that profiles cannot be loaded from a samba server +unless "security = user" and "encrypt passwords = yes" (see the file +ENCRYPTION.txt) or "security = server" and "password server = ip.address. +of.yourNTserver" are used. either of these options will allow the NT +workstation to access the samba server using LAN manager encrypted +passwords, without the user intervention normally required by NT +workstation for clear-text passwords]. + +[lkcl 25aug97 - more comments received about NT profiles: the case of +the profile _matters_. the file _must_ be called NTuser.DAT or, for +a mandatory profile, NTuser.MAN]. + + +Windows NT Server +----------------- + +There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords. + + + +Sharing Profiles between W95 and NT Workstation 4.0 +--------------------------------------------------- + +The default logon path is \\%N\U%. NT Workstation will attempt to create +a directory "\\samba-server\username.PDS" if you specify the logon path +as "\\samba-server\username" with the NT User Manager. Therefore, you +will need to specify (for example) "\\samba-server\username\profile". +NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which +is more likely to succeed. + +If you then want to share the same Start Menu / Desktop with W95, you will +need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 +this has its drawbacks: i created a shortcut to telnet.exe, which attempts +to run from the c:\winnt\system32 directory. this directory is obviously +unlikely to exist on a Win95-only host]. + +If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory. + +[lkcl 25aug97 - there are some issues to resolve with downloading of +NT profiles, probably to do with time/date stamps. i have found that +NTuser.DAT is never updated on the workstation after the first time that +it is copied to the local workstation profile directory. this is in +contrast to w95, where it _does_ transfer / update profiles correctly]. + diff --git a/docs/textdocs/DOMAIN_CONTROL.txt b/docs/textdocs/DOMAIN_CONTROL.txt new file mode 100644 index 00000000000..05dd99d3fe0 --- /dev/null +++ b/docs/textdocs/DOMAIN_CONTROL.txt @@ -0,0 +1,121 @@ +!== +!== DOMAIN_CONTROL.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Initial Release: August 22, 1996 +Contributor: John H Terpstra <samba-bugs@samba.anu.edu.au> + Copyright (C) 1996-1997 - John H Terpstra +Updated: July 5, 1998 +Status: Current + +Subject: Windows NT Domain Control & Samba +============================================================================ + +****NOTE:**** +============= +The term "Domain Controller" and those related to it refer to one specific +method of authentication that can underly an SMB domain. Domain Controllers +prior to Windows NT Server 3.1 were sold by various companies and based on +private extensions to the LAN Manager 2.1 protocol. Windows NT introduced +Microsoft-specific ways of distributing the user authentication database. +See DOMAIN.txt for examples of how Samba can participate in or create +SMB domains based on shared authentication database schemes other than the +Windows NT SAM. + +Microsoft Windows NT Domain Control is an extremely complex protocol. +We have received countless requests to implement Domain Control in Samba. +The 1.9.18 release of Samba contains experimental code to implement +this. Please read the file docs/NTDOMAIN.txt for more information on this. +============================================================================ + +Windows NT Server can be installed as either a plain file and print server +(WORKGROUP workstaion or server) or as a server that participates in Domain +Control (DOMAIN member, Primary Domain controller or Backup Domain controller). + +The same is true for OS/2 Warp Server, Digital Pathworks and other similar +products, all of which can participate in Domain Control along with Windows NT. +However only those servers which have licenced Windows NT code in them can be +a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.) + +To many people these terms can be confusing, so let's try to clear the air. + +Every Windows NT system (workstation or server) has a registry database. +The registry contains entries that describe the initialisation information +for all services (the equivalent of Unix Daemons) that run within the Windows +NT environment. The registry also contains entries that tell application +software where to find dynamically loadable libraries that they depend upon. +In fact, the registry contains entries that describes everything that anything +may need to know to interact with the rest of the system. + +The registry files can be located on any Windows NT machine by opening a +command prompt and typing: + dir %SystemRoot%\System32\config + +The environment variable %SystemRoot% value can be obtained by typing: + echo %SystemRoot% + +The active parts of the registry that you may want to be familiar with are +the files called: default, system, software, sam and security. + +In a domain environment, Microsoft Windows NT domain controllers participate +in replication of the SAM and SECURITY files so that all controllers within +the domain have an exactly identical copy of each. + +The Microsoft Windows NT system is structured within a security model that +says that all applications and services must authenticate themselves before +they can obtain permission from the security manager to do what they set out +to do. + +The Windows NT User database also resides within the registry. This part of +the registry contains the user's security identifier, home directory, group +memberships, desktop profile, and so on. + +Every Windows NT system (workstation as well as server) will have its own +registry. Windows NT Servers that participate in Domain Security control +have a database that they share in common - thus they do NOT own an +independent full registry database of their own, as do Workstations and +plain Servers. + +The User database is called the SAM (Security Access Manager) database and +is used for all user authentication as well as for authentication of inter- +process authentication (ie: to ensure that the service action a user has +requested is permitted within the limits of that user's privileges). + +The Samba team have produced a utility that can dump the Windows NT SAM into +smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and +/pub/samba/pwdump on your nearest Samba mirror for the utility. This +facility is useful but cannot be easily used to implement SAM replication +to Samba systems. + +Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers +can participate in a Domain security system that is controlled by Windows NT +servers that have been correctly configured. At most every domain will have +ONE Primary Domain Controller (PDC). It is desirable that each domain will +have at least one Backup Domain Controller (BDC). + +The PDC and BDCs then participate in replication of the SAM database so that +each Domain Controlling participant will have an up to date SAM component +within its registry. + +Samba can NOT at this time function as a Domain Controller for any of these +security services, but like all other domain members can interact with the +Windows NT security system for all access authentication. + +When Samba is configured with the 'security = server' option and the +'password server = Your_Windows_NT_Server_Name' option, then it will +redirect all access authentication to that server. This way you can +use Windows NT to act as your password server with full support for +Microsoft encrypted passwords. + +Note also, that since release of samba-1.9.18 we now support native encrypted +passwords too. To enable encrypted password handling several things need to be +done: + 1) In smb.conf [globals]: + encrypt passwords = yes + smbpasswd file = /path/smbpasswd +the standard path is /usr/local/samba/private/smbpasswd but this may be +platform specific. + + 2) Use "smbpasswd -a" to add all users to the smbpasswd file. + +Above all read all the documentation for encrypted password support - you will +need it! diff --git a/docs/textdocs/ENCRYPTION.txt b/docs/textdocs/ENCRYPTION.txt index 046b473e9a1..c5fa2b74677 100644 --- a/docs/textdocs/ENCRYPTION.txt +++ b/docs/textdocs/ENCRYPTION.txt @@ -1,9 +1,16 @@ - LanManager / Samba Password Encryption. - --------------------------------------- +!== +!== ENCRYPTION.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Jeremy Allison <samba-bugs@samba.anu.edu.au> +Updated: March 19, 1998 +Note: Please refer to WinNT.txt also -With the development of LanManager compatible password encryption for -Samba, it is now able to validate user connections in exactly the same -way as a LanManager or Windows NT server. +Subject: LanManager / Samba Password Encryption. +============================================================================ + +With the development of LanManager and Windows NT compatible password +encryption for Samba, it is now able to validate user connections in +exactly the same way as a LanManager or Windows NT server. This document describes how the SMB password encryption algorithm works and what issues there are in choosing whether you want to use @@ -13,15 +20,19 @@ and the "PROS and CONS" section. How does it work ? ------------------ - LanManager encryption is somewhat similar to UNIX password +LanManager encryption is somewhat similar to UNIX password encryption. The server uses a file containing a hashed value of a -users password. This is created by taking the users paintext +users password. This is created by taking the users plaintext password, capitalising it, and either truncating to 14 bytes (or padding to 14 bytes with null bytes). This 14 byte value is used as two 56 bit DES keys to encrypt a 'magic' eight byte value, forming a 16 byte value which is stored by the server and client. Let this value be known as the *hashed password*. +Windows NT encryption is a higher quality mechanism, consisting +of doing an MD4 hash on a Unicode version of the users password. This +also produces a 16 byte hash value that is non-reversible. + When a client (LanManager, Windows for WorkGroups, Windows 95 or Windows NT) wishes to mount a Samba drive (or use a Samba resource) it first requests a connection and negotiates the protocol that the client @@ -31,7 +42,7 @@ Samba server after the reply is sent and is known as the *challenge*. The challenge is different for every client connection. -The client then uses the hashed password (16 byte value described +The client then uses the hashed password (16 byte values described above), appended with 5 null bytes, as three 56 bit DES keys, each of which is used to encrypt the challenge 8 byte value, forming a 24 byte value known as the *response*. @@ -39,6 +50,9 @@ value known as the *response*. In the SMB call SMBsessionsetupX (when user level security is selected) or the call SMBtconX (when share level security is selected) the 24 byte response is returned by the client to the Samba server. +For Windows NT protocol levels the above calculation is done on +both hashes of the users password and both responses are returned +in the SMB call, giving two 24 byte values. The Samba server then reproduces the above calculation, using it's own stored value of the 16 byte hashed password (read from the smbpasswd @@ -52,8 +66,8 @@ is this allowed access. If not then the client did not know the correct password and is denied access. Note that the Samba server never knows or stores the cleartext of the -users password - just the 16 byte hashed function derived from it. Also -note that the cleartext password or 16 byte hashed value are never +users password - just the 16 byte hashed values derived from it. Also +note that the cleartext password or 16 byte hashed values are never transmitted over the network - thus increasing security. IMPORTANT NOTE ABOUT SECURITY @@ -63,10 +77,10 @@ The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix scheme typically sends clear text passwords over the nextwork when logging in. This is bad. The SMB encryption scheme never sends the cleartext -password over the network but it does store the 16 byte hashed value -on disk. This is also bad. Why? Because the 16 byte hashed value is a -"password equivalent". You cannot derive the users password from it, -but it could potentially be used in a modified client to gain access +password over the network but it does store the 16 byte hashed values +on disk. This is also bad. Why? Because the 16 byte hashed values are a +"password equivalent". You cannot derive the users password from them, +but they could potentially be used in a modified client to gain access to a server. This would require considerable technical knowledge on behalf of the attacker but is perfectly possible. You should thus treat the smbpasswd file as though it contained the cleartext @@ -108,17 +122,18 @@ ftp ftp) which send plain text passwords over the net, so not sending them for SMB isn't such a big deal. -- the SMB encryption code in Samba is new and has only had limited -testing. We have tried hard to make it secure but in any new -implementation of a password scheme there is the possability of an -error. - +Note that Windows NT 4.0 Service pack 3 changed the default for +permissible authentication so that plaintext passwords are *never* +sent over the wire. The solution to this is either to switch to +encrypted passwords with Samba or edit the Windows NT registry to +re-enable plaintext passwords. See the document WinNT.txt for +details on how to do this. The smbpasswd file. ------------------- - In order for Samba to participate in the above protocol it must -be able to look up the 16 byte hashed value given a user name. +In order for Samba to participate in the above protocol it must +be able to look up the 16 byte hashed values given a user name. Unfortunately, as the UNIX password value is also a one way hash function (ie. it is impossible to retrieve the cleartext of the users password given the UNIX hash of it) then a separate password file @@ -162,14 +177,16 @@ chmod 600 smbpasswd. The format of the smbpasswd file is -username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Long name:user home dir:user shell +username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Long name:user home dir:user shell Although only the username, uid, and XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX sections are significant and are looked at in the Samba code. It is *VITALLY* important that there by 32 'X' characters between the -two ':' characters - the smbpasswd and Samba code will fail to validate -any entries that do not have 32 characters between ':' characters. +two ':' characters in the XXX sections - the smbpasswd and Samba code +will fail to validate any entries that do not have 32 characters +between ':' characters. The first XXX section is for the Lanman password +hash, the second is for the Windows NT version. When the password file is created all users have password entries consisting of 32 'X' characters. By default this disallows any access @@ -185,12 +202,21 @@ NO PASSWORD Eg. To clear the password for user bob, his smbpasswd file entry would look like : -bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:Bob's full name:/bobhome:/bobshell +bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Bob's full name:/bobhome:/bobshell If you are allowing users to use the smbpasswd command to set their own passwords, you may want to give users NO PASSWORD initially so they do not have to enter a previous password when changing to their new -password (not recommended). +password (not recommended). In order for you to allow this the +smbpasswd program must be able to connect to the smbd daemon as +that user with no password. Enable this by adding the line : + +null passwords = true + +to the [global] section of the smb.conf file (this is why the +above scenario is not recommended). Preferebly, allocate your +users a default password to begin with, so you do not have +to enable this on your server. Note : This file should be protected very carefully. Anyone with access to this file can (with enough knowledge of the protocols) gain @@ -200,25 +226,31 @@ normal unix /etc/passwd file. The smbpasswd Command. ---------------------- - The smbpasswd command maintains the 32 byte password field in +The smbpasswd command maintains the two 32 byte password fields in the smbpasswd file. If you wish to make it similar to the unix passwd or yppasswd programs, install it in /usr/local/samba/bin (or your main -Samba binary directory) and make it setuid root. +Samba binary directory). -Note that if you do not do this then the root user will have to set all -users passwords. +Note that as of Samba 1.9.18p4 this program MUST NOT BE INSTALLED +setuid root (the new smbpasswd code enforces this restriction so +it cannot be run this way by accident). -To set up smbpasswd as setuid root, change to the Samba binary install -directory and then type (as root) : +smbpasswd now works in a client-server mode where it contacts +the local smbd to change the users password on its behalf. This +has enormous benefits - as follows. -chown root smbpasswd -chmod 4555 smbpasswd +1). smbpasswd no longer has to be setuid root - an enourmous +range of potential security problems is eliminated. -If smbpasswd is installed as setuid root then you would use it as -follows. +2). smbpasswd now has the capability to change passwords +on Windows NT servers (this only works when the request is +sent to the NT Primary Domain Controller if you are changing +an NT Domain users password). + +To run smbpasswd as a normal user just type : smbpasswd -Old SMB password: <type old alue here - just hit return if there is NO PASSWORD> +Old SMB password: <type old value here - or hit return if there was no old password > New SMB Password: < type new value > Repeat New SMB Password: < re-type new value > @@ -238,15 +270,8 @@ forgotten their passwords. smbpasswd is designed to work in the same way and be familiar to UNIX users who use the passwd or yppasswd commands. -NOTE. As smbpasswd is designed to be installed as setuid root I would -appreciate it if everyone examined the source code to look for -potential security flaws. A setuid program, if not written properly can -be an open door to a system cracker. Please help make this program -secure by reporting all problems to me (the author, Jeremy Allison). - -My email address is :- - -jra@vantive.com +For more details on using smbpasswd refer to the man page which +will always be the definitive reference. Setting up Samba to support LanManager Encryption. -------------------------------------------------- @@ -255,27 +280,15 @@ This is a very brief description on how to setup samba to support password encryption. More complete instructions will probably be added later. -1) get and compile the libdes libraries. the source is available from -nimbus.anu.edu.au in pub/tridge/libdes/libdes.tar.92-10-13.gz - -2) enable the encryption stuff in the Samba makefile, making sure you -point it to the libdes library and include file (it needs des.h) -The entries you need to uncomment are the four lines after the comment :- - -# This is for SMB encrypted (lanman) passwords. +1) compile and install samba as usual -Note that you may have to change the variable DES_BASE to -point at the place where you installed the DES library. - -3) compile and install samba as usual - -4) f your system can't compile the module getsmbpass.c then remove the +2) if your system can't compile the module getsmbpass.c then remove the -DSMBGETPASS define from the Makefile. -5) enable encrypted passwords in smb.conf by adding the line +3) enable encrypted passwords in smb.conf by adding the line "encrypt passwords = yes" in the [global] section -6) create the initial smbpasswd password file in the place you +4) create the initial smbpasswd password file in the place you specified in the Makefile. A simple way to do this based on your existing Makefile (assuming it is in a reasonably standard format) is like this: @@ -300,34 +313,18 @@ If this fails then you will find that you will need entries that look like this: # SMB password file. -tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Andrew Tridgell:/home/tridge:/bin/tcsh +tridge:148:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Andrew Tridgell:/home/tridge:/bin/tcsh note that the uid and username fields must be right. Also, you must get the number of X's right (there should be 32). -If you wish, install the smbpasswd program as suid root. - -chown root /usr/local/samba/bin/smbpasswd -chmod 4555 /usr/local/samba/bin/smbpasswd - -7) set the passwords for users using the smbpasswd command. For +5) set the passwords for users using the smbpasswd command. For example, as root you could do "smbpasswd tridge" -8) try it out! +6) try it out! Note that you can test things using smbclient, as it also now supports encryption. -NOTE TO USA Sites that Mirror Samba ------------------------------------ - -The DES library is considered a munition in the USA. Under US Law it is -illegal to export this software, or to put it in a freely available ftp -site. - -Please do not mirror the DES directory from the site on nimbus.anu.edu.au - -Thank you, - -Jeremy Allison. - +============================================================================== +Footnote: Please refer to WinNT.txt also diff --git a/docs/textdocs/Faxing.txt b/docs/textdocs/Faxing.txt new file mode 100644 index 00000000000..a91bf7e4059 --- /dev/null +++ b/docs/textdocs/Faxing.txt @@ -0,0 +1,223 @@ +!== +!== Faxing.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Gerhard Zuber <zuber@berlin.snafu.de> +Date: August 5th 1997. +Status: Current + +Subject: F A X I N G with S A M B A +========================================================================== + +This text describes how to turn your SAMBA-server into a fax-server +for any environment, especially for Windows. + Author: Gerhard Zuber <zuber@berlin.snafu.de> + Version: 1.4 + Date: 04. Aug. 1997 + +Requirements: + UNIX box (Linux preferred) with SAMBA and a faxmodem + ghostscript package + mgetty+sendfax package + pbm package (portable bitmap tools) + +FTP sites: + sunsite.unc.edu:/pub/Linux/system/Serial/mgetty+sendfax* + tsx-11.mit.edu:/pub/linux/sources/sbin/mgetty+sendfax + ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/mgetty1.1.6-May05.tar.gz + + pbm10dec91.tgz + ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/pbm10dec91.tgz + sunsite.unc.edu: ..../apps/graphics/convert/pbmplus-10dec91-bin.tar.gz + ftp.gwdg.de/pub/linux/grafik/pbmplus.src.tar.Z (this is 10dec91 source) + or ??? pbm10dec91.tgz pbmplus10dec91.tgz + + +making mgetty+sendfax running: +============================== + + go to source tree: /usr/src/mgetty+sendfax + cp policy.h-dist policy.h + + change your settings: valid tty ports, modem initstring, Station-Id + +#define MODEM_INIT_STRING "AT &F S0=0 &D3 &K3 &C1\\\\N2" + +#define FAX_STATION_ID "49 30 12345678" + +#define FAX_MODEM_TTYS "ttyS1:ttyS2:ttyS3" + + Modem initstring is for rockwell based modems + if you want to use mgetty+sendfax as PPP-dialin-server, + define AUTO_PPP in Makefile: + +CFLAGS=-O2 -Wall -pipe -DAUTO_PPP + + compile it and install the package. + edit your /etc/inittab and let mgetty running on your preferred + ports: + +s3:45:respawn:/usr/local/sbin/mgetty ttyS2 vt100 + + now issue a + kill -HUP 1 + and enjoy with the lightning LEDs on your modem + your now are ready to receive faxes ! + + + if you want a PPP dialin-server, edit + /usr/local/etc/mgetty+sendfax/login.config + +/AutoPPP/ - ppp /usr/sbin/pppd auth debug passive modem + + + Note: this package automatically decides between a fax call and + a modem call. In case of modem call you get a login prompt ! + +Tools for printing faxes: +========================= + + your incomed faxes are in: + /var/spool/fax/incoming + + print it with: + + for i in * + do + g3cat $i | g3tolj | lpr -P hp + done + + in case of low resolution use instead: + + g3cat $i | g3tolj -aspect 2 | lpr -P hp + + + g3cat is in the tools-section, g3tolj is in the contrib-section + for printing to HP lasers. + + If you want to produce files for displaying and printing with Windows, use + some tools from the pbm-package like follow + + g3cat $i | g3topbm - | ppmtopcx - >$i.pcx + + and view it with your favourite Windows tool (maybe paintbrush) + + +Now making the fax-server: +=========================== + + fetch the file + mgetty+sendfax/frontends/winword/faxfilter + + and place it in + + /usr/local/etc/mgetty+sendfax/ + + prepare your faxspool file as mentioned in this file + edit fax/faxspool.in and reinstall or change the final + /usr/local/bin/faxspool too. + + if [ "$user" = "root" -o "$user" = "fax" -o \ + "$user" = "lp" -o "$user" = "daemon" -o "$user" = "bin" ] + + find the first line and change the second. + + make sure you have pbmtext (from the pbm-package). This is + needed for creating the small header line on each page. + Notes on pbmplus: + Some peoples had problems with precompiled binaries (especially + at linux) with a shared lib libgr.so.x.x. The better way is + to fetch the source and compile it. One needs only pbmtext for + generating the small line on top of each page /faxheader). Install + only the individual programs you need. If you install the full + package then install pbmplus first and then mgetty+sendfax, because + this package has some changed programs by itself (but not pbmtext). + + make sure your ghostscript is functional. You need fonts ! + I prefer these from the OS/2 disks + + prepare your faxheader + /usr/local/etc/mgetty+sendfax/faxheader + + edit your /etc/printcap file: + +# FAX +lp3|fax:\ + :lp=/dev/null:\ + :sd=/usr/spool/lp3:\ + :if=/usr/local/etc/mgetty+sendfax/faxfilter:sh:sf:mx#0:\ + :lf=/usr/spool/lp3/fax-log: + + + + + edit your /usr/local/samba/lib/smb.conf + + so you have a smb based printer named "fax" + + +The final step: +=============== + + Now you have a printer called "fax" which can be used via + TCP/IP-printing (lpd-system) or via SAMBA (windows printing). + + On every system you are able to produce postscript-files you + are ready to fax. + + On Windows 3.1 95 and NT: + + Install a printer wich produces postscript output, + e.g. apple laserwriter + + connect the "fax" to your printer + + + Now write your first fax. Use your favourite wordprocessor, + write, winword, notepad or whatever you want, and start + with the headerpage. + + Usually each fax has a header page. It carries your name, + your address, your phone/fax-number. + + It carries also the recipient, his address and his *** fax + number ***. Now here is the trick: + + Use the text: + Fax-Nr: 123456789 + as the recipients fax-number. Make sure this text does not + occur in regular text ! Make sure this text is not broken + by formatting information, e.g. format it as a single entity. + (Windows Write and Win95 Wordpad are functional, maybe newer + versions of Winword are breaking formatting information). + + The trick is that postscript output is human readable and + the faxfilter program scans the text for this pattern and + uses the found number as the fax-destination-number. + + Now print your fax through the fax-printer and it will be + queued for later transmission. Use faxrunq for sending the + queue out. + + Notes of SAMBA smb.conf: + Simply use fall through from the samba printer to the unix + printer. Sample: + + + printcap name = /etc/printcap + print command = /usr/bin/lpr -r -P %p %s + lpq command = /usr/bin/lpq -P %p + lprm command = /usr/bin/lprm -P %p %j + + +[fax] + comment = FAX (mgetty+sendfax) + path = /tmp + printable = yes + public = yes + writable = no + create mode = 0700 + browseable = yes + guest ok = no + + + diff --git a/docs/textdocs/GOTCHAS.txt b/docs/textdocs/GOTCHAS.txt new file mode 100644 index 00000000000..3cf699732b5 --- /dev/null +++ b/docs/textdocs/GOTCHAS.txt @@ -0,0 +1,71 @@ +!== +!== GOTCHAS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +This file lists Gotchas to watch out for: +========================================================================= +Item Number: 1.0 +Description: Problem Detecting Interfaces +Symptom: Workstations do NOT see Samba server in Browse List +OS: RedHat - Rembrandt Beta 2 +Platform: Intel +Date: August 16, 1996 +Submitted By: John H Terpstra +Details: + By default RedHat Rembrandt-II during installation adds an + entry to /etc/hosts as follows:- + 127.0.0.1 loopback "hostname"."domainname" + + This causes Samba to loop back onto the loopback interface. + The result is that Samba fails to communicate correctly with + the world and therefor may fail to correctly negotiate who + is the master browse list holder and who is the master browser. + +Corrective Action: Delete the entry after the word loopback + in the line starting 127.0.0.1 +========================================================================= +Item Number: 2.0 +Description: Problems with MS Windows NT Server network logon service +Symptom: Loss of Domain Logon Services and failed Windows NT / 95 + logon attempts. +OS: All Unix systems with Windows NT Domain Control environments. +Platform: All +Date: February 1, 1997 +Submitted By: John H Terpstra +Details: + Samba is configured for Domain logon control in a network + where a Windows NT Domain Primary Controller is running. + + Case 1: + The Windows NT Server is shut down, then restarted. Then + the Samba server is reconfigured so that it NO LONGER offers + Domain logon services. Windows NT and 95 workstations can no + longer log onto the domain. Ouch!!! + + Case 2: + The Windows NT Server which is running the Network logon + Service is shut down and restarted while Samba is a domain + controller offering the Domain LogOn service. Windows NT + Workstation and Server can no longer log onto the network. + + Cause: + Windows NT checks at start up to see if any domain logon + controllers are already running within the domain. It finds + Samba claiming to offer the service and therefore does NOT + start its Network Logon Service. + + Windows NT needs the Windows NT network logon service to gain + from its Domain controller's SAM database the security + identifier for the user loging on. + +Work-around: Stop the Samba nmbd and smbd processes, then on the Windows + NT Primary Domain Controller start the Network Logon Service. + Now restart the Samba nmbd and smbd services. + + Better still: DO NOT CONFIGURE SAMBA AS THE NETWORK LOGON + SERVER, DO NOT SET SAMBA TO BE THE DOMAIN MASTER, DO NOT + SET SAMBA TO OS LEVEL GREATER THAN 0. + + ie: Let Windows NT Server be the Domain Logon server, the + domain master browser and do NOT interfere with any aspect + of Microsoft Windows NT Domain Control. +========================================================================= diff --git a/docs/textdocs/HINTS.txt b/docs/textdocs/HINTS.txt index 953650bdd3e..a0ebe5a2ff7 100644 --- a/docs/textdocs/HINTS.txt +++ b/docs/textdocs/HINTS.txt @@ -1,3 +1,13 @@ +!== +!== HINTS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Many +Updated: Not for a long time! + +Subject: A collection of hints +Status: May be useful information but NOT current +=============================================================================== + Here are some random hints that you may find useful. These really should be incorporated in the main docs someday. @@ -40,7 +50,7 @@ Jim barry has written an excellent drag-and-drop cr/lf converter for windows. Just drag your file onto the icon and it converts the file. Get it from -ftp://nimbus.anu.edu.au/pub/tridge/samba/contributed/fixcrlf.zip +ftp://samba.anu.edu.au/pub/samba/contributed/fixcrlf.zip ---------------------- HINT: Use the "username map" option diff --git a/docs/textdocs/INSTALL.sambatar b/docs/textdocs/INSTALL.sambatar index 388e2a3eb6f..413f54d3c65 100644 --- a/docs/textdocs/INSTALL.sambatar +++ b/docs/textdocs/INSTALL.sambatar @@ -1,3 +1,9 @@ +Contributor: Ricky Poulten <poultenr@logica.co.uk> +Date: Unknown +Status: Current + +Subject: Using smbtar +============================================================================= Please see the readme and the man page for general info. diff --git a/docs/textdocs/MIRRORS.txt b/docs/textdocs/MIRRORS.txt new file mode 100755 index 00000000000..d03c676cc08 --- /dev/null +++ b/docs/textdocs/MIRRORS.txt @@ -0,0 +1,6 @@ +!== +!== MIRRORS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== + +For a list of web and ftp mirrors please see +http://samba.anu.edu.au/samba/ diff --git a/docs/textdocs/Macintosh_Clients.txt b/docs/textdocs/Macintosh_Clients.txt new file mode 100644 index 00000000000..3ce6b65a3fc --- /dev/null +++ b/docs/textdocs/Macintosh_Clients.txt @@ -0,0 +1,26 @@ +!== +!== Macintosh_Clients.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +> Are there any Macintosh clients for Samba? + +Yes. Thursby now have a CIFS Client / Server called DAVE - see +http://www.thursby.com/ + +They test it against Windows 95, Windows NT and samba for +compatibility issues. At the time of writing, DAVE was at version +1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from +the Thursby web site (the speed of finder copies has been greatly +enhanced, and there are bug-fixes included). + +Alternatives - There are two free implementations of AppleTalk for +several kinds of UNIX machnes, and several more commercial ones. +These products allow you to run file services and print services +natively to Macintosh users, with no additional support required on +the Macintosh. The two free omplementations are Netatalk, +http://www.umich.edu/~rsug/netatalk/, and CAP, +http://www.cs.mu.oz.au/appletalk/atalk.html. What Samba offers MS +Windows users, these packages offer to Macs. For more info on these +packages, Samba, and Linux (and other UNIX-based systems) see +http://www.eats.com/linux_mac_win.html + + diff --git a/docs/textdocs/NTDOMAIN.txt b/docs/textdocs/NTDOMAIN.txt new file mode 100644 index 00000000000..a151d589242 --- /dev/null +++ b/docs/textdocs/NTDOMAIN.txt @@ -0,0 +1,155 @@ +!== +!== NTDOMAIN.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.anu.edu.au) + Copyright (C) 1997 Luke Kenneth Casson Leighton +Created: October 20, 1997 +Updated: October 29, 1997 + +Subject: NT Domain Logons +=========================================================================== + +As of 1.9.18alpha1, Samba supports logins for NT 3.51 and 4.0 Workstations, +without the need, use or intervention of NT Server. This document describes +how to set this up. Over the continued development of the 1.9.18alpha +series, this process (and therefore this document) should become simpler. + +One useful thing to do is to get this version of Samba up and running +with Win95 profiles, as you would for the current stable version of +Samba (currently at 1.9.17p4), and is fully documented. You will need +to set up encrypted passwords. Even if you don't have any Win95 machines, +using your Samba Server to store the profile for one of your NT Workstation +users is a good test that you have 1.9.18alpha1 correctly configured *prior* +to attempting NT Domain Logons. + +The support is still experimental, so should be used at your own risk. + +NT is not as robust as you might have been led to believe: during the +development of the Domain Logon Support, one person reported having to +reinstall NT from scratch: their workstation had become totally unuseable. + +[further reports on ntsec@iss.net by independent administrators showing + similar symptoms lead us to believe that the SAM database file may be + corruptible. this _is_ recoverable (or, at least the machine is accessible), + by deleting the SAM file, under which circumstances all user account details + are lost, but at least the Administrator can log in with a blank password. + this is *not* possible except if the NT system is installed in a FAT + partition.] + +This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest. + + +Domain Logons using latest cvs source +===================================== + +1) compile samba with -DNTDOMAIN + +2) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out + of date: you no longer need the DES libraries, but other than that, + ENCRYPTION.txt is current). + + at this point, you ought to test that your samba server is accessible + correctly with encrypted passwords, before progressing with any of the + NT workstation-specific bits: it's up to you. + +3) [ for each workstation, add a line to smbpasswd with a username of MACHINE$ + and a password of "machine". this process will be automated in further + releases. lkcl02nov97 - done, as of 1.9.18alpha11! added new options + "domain hosts allow/deny" too :-) ] + +4) if using NT server to log in, run the User Manager for Domains, and + add the capability to "Log in Locally" to the policies, which you would + have to do even if you were logging in to another NT PDC instead of a + Samba PDC. + +5) set up the following parameters in smb.conf + +; substitute your workgroup here + workgroup = SAMBA + +; DO NOT add the redundant "domain sid = " parameter as this has +; been superseded by code that automatically generates a random +; sid for you. +; domain sid = redundant. + +; tells workstations to use SAMBA as its Primary Domain Controller. + domain logons = yes + +6) make sure samba is running before the next step is carried out. if + this is your first time, just for fun you might like to switch the + debug log level to about 10. the NT pipes produces some very pretty + output when decoding requests and generating responses, which would + be particularly useful to see in tcpdump at some point. + +7) In the NT Network Settings, change the domain to SAMBA. Do + not attempt to create an account using the other part of the dialog: + it will fail at present. + + You should get a wonderful message saying "Welcome to the SAMBA Domain." + + If you don't, then please first increase your debug log levels and also + get a tcpdump (or preferably NetMonitor) trace and examine it carefully. + You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't, + then you probably don't have "domain logons = yes" or there is some other + problem in resolving the NetBIOS name SAMBA<1c>. + + On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one + for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE + or two. + + You may see a pipe connection to a wksta service being refused: this + is acceptable, we have found. You may also see a "Net Server Get Info" + being issued on the srvsvc pipe. + + Assuming you got the Welcome message, go through the obligatory reboot... + +8) When pressing Ctrl-Alt-Delete, the NT login box should have three entries. + If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete + and the appearance of this login dialog, then there might be a problem: + at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request + + The domain box should have two entries: the hostname and the SAMBA domain. + Any local accounts are under the hostname domain, from which you will be + able to shut down the machine etc. At present, we do not specify that + the NT user logging in is a member of any groups, so will have no + priveleges, including the ability to shut down the machine [lkcl02nov97 - + done, as of samba-1.9.18alpha3! see "domain admin/guest users" and + "domain groups" parameters]. + + Select the SAMBA domain, and type in a valid username and password for + which there is a valid entry in the samba server's smbpasswd LM/NT OWF + database. At present, the password is ignored, to allow access to the + domain, but *not* ignored for accesses to Samba's SMB services: that's + completely separate from the SAM Logon process. Even if you log in a + user to a domain, your users will still need to connect to Samba SMB + shares with valid username / passwords, for that share. + + You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET, + and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response + can be approximately 600 bytes) as it contains user info. + + Also, there will probably be a "Net Server Get Info" and a "Net Share Enum" + amongst this lot. If the SAM Logon is successful, the dialog should + disappear, and a standard SMB connection established to download the + profile specified in the SAM Logon (if it was). + + At this point, you _may_ encounter difficulties in creating a remote + profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If + this occurs, then either find an existing profile on the samba server and + copy it into the location specified by the "logon path" smb.conf parameter + for the user logging in, or log in on the local machine, and use the + System | Profiles control panel to make a copy of the _local_ profile onto + the samba server. This process is described and documented in the NT + Help Files. + +9) Play around. Look at the Samba Server: see if it can be found in the + browse lists. Check that it is accessible; run some applications. + Generally stress things. Laugh a lot. Logout of the NT machine + (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in + two users simultaneously. Try logging the same user in twice. + Make Samba fall over, and then send bug reports to us, with NTDOM: at + the start of the subject line, as "samba-bugs@samba.anu.edu.au". + +Your reports, testing, patches, criticism and encouragement will help us +get this right. + diff --git a/docs/textdocs/NetBIOS.txt b/docs/textdocs/NetBIOS.txt new file mode 100644 index 00000000000..4384a5f42fe --- /dev/null +++ b/docs/textdocs/NetBIOS.txt @@ -0,0 +1,155 @@ +!== +!== NetBIOS.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: lkcl - samba-bugs@arvidsjaur.anu.edu.au + Copyright 1997 Luke Kenneth Casson Leighton +Date: March 1997 +Status: Current +Updated: 12jun97 + +Subject: Definition of NetBIOS Protocol and Name Resolution Modes +============================================================================= + +======= +NETBIOS +======= + +NetBIOS runs over the following tranports: TCP/IP; NetBEUI and IPX/SPX. +Samba only uses NetBIOS over TCP/IP. For details on the TCP/IP NetBIOS +Session Service NetBIOS Datagram Service, and NetBIOS Names, see +rfc1001.txt and rfc1002.txt. + +NetBEUI is a raw NetBIOS frame protocol implementation that allows NetBIOS +datagrams to be sent out over the 'wire' embedded within LLC frames. +NetBEUI is not required when using NetBIOS over TCP/IP protocols and it +is preferable NOT to install NetBEUI if it can be avoided. + +IPX/SPX is also not required when using NetBIOS over TCP/IP, and it is +preferable NOT to install the IPX/SPX transport unless you are using Novell +servers. At the very least, it is recommended that you do not install +'NetBIOS over IPX/SPX'. + +[When installing Windows 95, you will find that NetBEUI and IPX/SPX are +installed as the default protocols. This is because they are the simplest +to manage: no Windows 95 user-configuration is required]. + + +NetBIOS applications (such as samba) offer their services (for example, +SMB file and print sharing) on a NetBIOS name. They must claim this name +on the network before doing so. The NetBIOS session service will then +accept connections on the application's behalf (on the NetBIOS name +claimed by the application). A NetBIOS session between the application +and the client can then commence. + +NetBIOS names consist of 15 characters plus a 'type' character. This is +similar, in concept, to an IP address and a TCP port number, respectively. +A NetBIOS-aware application on a host will offer different services under +different NetBIOS name types, just as a host will offer different TCP/IP +services on different port numbers. + +NetBIOS names must be claimed on a network, and must be defended. The use +of NetBIOS names is most suitable on a single subnet; a Local Area Network +or a Wide Area Network. + +NetBIOS names are either UNIQUE or GROUP. Only one application can claim a +UNIQUE NetBIOS name on a network. + +There are two kinds of NetBIOS Name resolution: Broadcast and Point-to-Point. + + +================= +BROADCAST NetBIOS +================= + +Clients can claim names, and therefore offer services on successfully claimed +names, on their broadcast-isolated subnet. One way to get NetBIOS services +(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and +SMB file/print sharing: see cifs4.txt) working on a LAN or WAN is to make +your routers forward all broadcast packets from TCP/IP ports 137, 138 and 139. + +This, however, is not recommended. If you have a large LAN or WAN, you will +find that some of your hosts spend 95 percent of their time dealing with +broadcast traffic. [If you have IPX/SPX on your LAN or WAN, you will find +that this is already happening: a packet analyzer will show, roughly +every twelve minutes, great swathes of broadcast traffic!]. + + +============ +NBNS NetBIOS +============ + +rfc1001.txt describes, amongst other things, the implementation and use +of, a 'NetBIOS Name Service'. NT/AS offers 'Windows Internet Name Service' +which is fully rfc1001/2 compliant, but has had to take specific action +with certain NetBIOS names in order to make it useful. (for example, it +deals with the registration of <1c> <1d> <1e> names all in different ways. +I recommend the reading of the Microsoft WINS Server Help files for full +details). + +Samba also offers WINS server capabilities. Samba does not interact +with NT/AS (WINS replication), so if you have a mixed NT server and +Samba server environment, it is recommended that you use the NT server's +WINS capabilities, instead of samba's WINS server capabilities. + +The use of a WINS server cuts down on broadcast network traffic for +NetBIOS name resolution. It has the effect of pulling all the broadcast +isolated subnets together into a single NetBIOS scope, across your LAN +or WAN, while avoiding the use of TCP/IP broadcast packets. + +When you have a WINS server on your LAN, WINS clients will be able to +contact the WINS server to resolve NetBIOS names. Note that only those +WINS clients that have registered with the same WINS server will be +visible. The WINS server _can_ have static NetBIOS entries added to its +database (usually for security reasons you might want to consider putting +your domain controllers or other important servers as static entries, +but you should not rely on this as your sole means of security), but for +the most part, NetBIOS names are registered dynamically. + +[It is important to mention that samba's browsing capabilities (as a WINS +client) must have access to a WINS server. if you are using samba also +as a WINS server, then it will have a direct short-cut into the WINS +database. + +This provides some confusion for lots of people, and is worth mentioning +here: a Browse Server is NOT a WINS Server, even if these services are +implemented in the same application. A Browse Server _needs_ a WINS server +because a Browse Server is a WINS client, which is _not_ the same thing]. + +Clients can claim names, and therefore offer services on successfully claimed +names, on their broadcast-isolated subnet. One way to get NetBIOS services +(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and +SMB file/print sharing: see cifs6.txt) working on a LAN or WAN is to make +your routers forward all broadcast packets from TCP/IP ports 137, 138 and 139. +You will find, however, if you do this on a large LAN or a WAN, that your +network is completely swamped by NetBIOS and browsing packets, which is why +WINS was developed to minimise the necessity of broadcast traffic. + +WINS Clients therefore claim names from the WINS server. If the WINS +server allows them to register a name, the client's NetBIOS session service +can then offer services on this name. Other WINS clients will then +contact the WINS server to resolve a NetBIOS name. + + +======================= +Samba WINS Capabilities +======================= + +To configure samba as a WINS server, you must add "wins support = yes" to +the [global] section of your smb.conf file. This will enable WINS server +capabilities in nmbd. + +To configure samba as a WINS client, you must add "wins server = x.x.x.x" +to the [global] section of your smb.conf file, where x.x.x.x is the TCP/IP +address of your WINS server. The browsing capabilities in nmbd will then +register (and resolve) WAN-wide NetBIOS names with this WINS server. + +Note that if samba has "wins support = yes", then the browsing capabilities +will _not_ use the "wins server" option to resolve NetBIOS names: it will +go directly to the internal WINS database for NetBIOS name resolution. It +is therefore invalid to have both "wins support = yes" and +"wins server = x.x.x.x". Note, in particular, that if you configure the +"wins server" parameter to be the ip address of your samba server itself +(as might one intuitively think), that you will run into difficulties. +Do not use both parameters! + + diff --git a/docs/textdocs/OS2-Client-HOWTO.txt b/docs/textdocs/OS2-Client-HOWTO.txt new file mode 100644 index 00000000000..ef7c5e4899c --- /dev/null +++ b/docs/textdocs/OS2-Client-HOWTO.txt @@ -0,0 +1,64 @@ +!== +!== OS2-Client-HOWTO.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== + + +Q. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba? + +A. A more complete answer to this question can be found on: + http://carol.wins.uva.nl/~leeuw/samba/warp.html + + Basically, you need three components: + + * The File and Print Client ('IBM Peer') + * TCP/IP ('Internet support') + * The "NetBIOS over TCP/IP" driver ('TCPBEUI') + + Installing the first two together with the base operating system on a blank + system is explained in the Warp manual. If Warp has already been installed, + but you now want to install the networking support, use the "Selective + Install for Networking" object in the "System Setup" folder. + + Adding the "NetBIOS over TCP/IP" driver is not described in the manual and + just barely in the online documentation. Start MPTS.EXE, click on OK, click + on "Configure LAPS" and click on "IBM OS/2 NETBIOS OVER TCP/IP" in + 'Protocols'. This line is then moved to 'Current Configuration'. Select + that line, click on "Change number" and increase it from 0 to 1. Save this + configuration. + + If the Samba server(s) is not on your local subnet, you can optionally add + IP names and addresses of these servers to the "Names List", or specify a + WINS server ('NetBIOS Nameserver' in IBM and RFC terminology). For Warp + Connect you may need to download an update for 'IBM Peer' to bring it on + the same level as Warp 4. See the webpage mentioned above. + + +Q. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for + Samba? + +A. You can use the free Microsoft LAN Manager 2.2c Client for OS/2 from + ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/ + See http://carol.wins.uva.nl/~leeuw/lanman.html for more information on + how to install and use this client. In a nutshell, edit the file \OS2VER + in the root directory of the OS/2 boot partition and add the lines + + 20=setup.exe + 20=netwksta.sys + 20=netvdd.sys + + before you install the client. Also, don't use the included NE2000 driver + because it is buggy. Try the NE2000 or NS2000 driver from + <a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/"> + ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead. + + +Q. Are there any other issues when OS/2 (any version) is used as a client? + +A. When you do a NET VIEW or use the "File and Print Client Resource Browser", + no Samba servers show up. This can be fixed by a patch from + http://carol.wins.uva.nl/~leeuw/samba/fix.html + The patch will be included in a later version of Samba. It also fixes a + couple of other problems, such as preserving long filenames when objects + are dragged from the Workplace Shell to the Samba server. + + diff --git a/docs/textdocs/PRINTER_DRIVER.txt b/docs/textdocs/PRINTER_DRIVER.txt new file mode 100644 index 00000000000..5f7caa83fb1 --- /dev/null +++ b/docs/textdocs/PRINTER_DRIVER.txt @@ -0,0 +1,240 @@ +!== +!== PRINTER_DRIVER.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +========================================================================== + Supporting the famous PRINTER$ share + + Jean-Francois.Micouleau@utc.fr, 10/26/97 + modified by herb@sgi.com 1/2/98 + +=========================================================================== + +Disclaimer: + + This ONLY works with Windows 95 + It does NOT work with Windows NT 4 + + +Goal: + + When you click on a samba shared printer, you can now install the driver + automatically onto the Windows 95 machine, as you would from an NT server. + +How To: + + It's a three step config. + + First, create a new directory, where you will put the driver files, and + make a share in smb.conf pointing to it. + + Example: + + [printer$] + path=/usr/local/samba/printer + public=yes + writable=no + browseable=yes + + Second, you have to build the list of drivers required for a specific + printer. This is the most complicated thing to do. Get the files + 'msprint.inf' and 'msprint2.inf' from Windows 95, the easiest way is to + grab them from a working Windows 95 computer. They are usually located + in 'c:\windows\inf'. Look in them for the printer you have. Run the new + program 'make_printerdef' with the file name and the printer name as + parameters. If you have drivers for an unsupported or updated printer, + first install these drivers on an Windows 95 system. There will be a + file created in your inf directory named 'oem?.inf' (where the ? is some + number). Use this file instead of msprint.inf. + + Example: (from the /usr/local/samba/lib directory) + + make_printerdef msprint.inf "Apple LaserWriter" >> printers.def + + The program will print out a list of required files to stderr. + Copy all the files listed into the directory you created in step 1. + If you have "preserve case = yes" make sure your files names match + EXACTLY the names listed. + + Third, you need to add 2 new parameters in smb.conf. One is in the + [global] section, called 'printer driver file' pointing to the printer + description file you just created, and the other in each printer share, + called 'printer driver location' pointing to where the client will get + the drivers. Don't forget to set correctly the printer driver parameter + to the Windows printer name. + + Example: + + [global] + printer driver file=/usr/local/samba/lib/printers.def + + [lp] + comment = My old printer laser + browseable = yes + printable = yes + public = yes + writable = no + create mode = 0700 + printer driver=Apple LaserWriter + printer driver location=\\%h\PRINTER$ + + %h will expand to the computer name, and PRINTER$ is the name of the + share created in step one. + + +If it doesn't work for you, don't send flame ! It worked for me. In case of +trouble don't hesitate to send me a mail with your smb.conf file and +printers.def + + +******* added by herb@sgi.com + +For those of you who like to know the details, and in case I have guessed +wrong on some of the fields - The following is the format of the entries +in the printers.def file: (entries are 1 single line - they are split here +for readability) + +<Long Printer Name>:<Driver File Name>:<Data File Name>:<Help File Name>: +<Language Monitor Name>:<Default Data Type>:<Comma Separated list of Files> + +The <Help File Name> and the <Language Monitor Name> can be empty. +If no <Driver File Name> or <Data File Name> are specified in the inf file, +these will default to the section name for the printer. + +The following is an excerpt from the MSPRINT2.INF file on a WIN95 machine. +I have deleted all but the entries relating to installing a driver for the +"QMS ColorScript 100 Model 30" printer. Using this "file" I'll try to +explain how the printers.def file is created. + +make_printerdef is run with the first argument being the name of this +file (MSPRINT2.INF in this case) and the second argument being the +name of the printer ("QMS ColorScript 100 Model 30" in this case). + +The printer name is first found in the "Model section" to obtain the +name of the "Installer Section" (this is the name after the equal sign). +We ignore the alternate name. + +The "Installer Section" contains entries for "CopyFiles" and "DataSection". +The "CopyFiles" line gives a list of all the required files for this +printer. If the name begins with an @ it is the name of a file (after +you strip off the @), otherwise it is the name of a "Copy Section" which +in turn is a list of files required. This printer has one file listed +"QCS30503.SPD" and two sections "COLOR_QMS_100_30" and "PSCRIPT". The +"COLOR_QMS_100_30" section is listed in the "[DestinationDirs]" as +having a value of 23. This means that all files listed in this section +should go into the "color" subdirectory. The list of files to copy for +this printer is thus: + +QCS30503.SPD,color\QMS10030.ICM,PSCRIPT.DRV,PSCRIPT.HLP,PSCRIPT.INI, +TESTPS.TXT,APPLE380.SPD,FONTS.MFM,ICONLIB.DLL,PSMON.DLL + +From the "Data Section" we obtain values for "DriverFile", "HelpFile", +and "LanguageMonitor". The % around the value for "LanguageMonitor" +indicates that it is a string that can be localized so its actual value +is obtained from the "[Strings]" section. The "Data Section" could also +have contained an entry for "DefaultDataType". + +Using the information we have obtained we can now construct the entry +for the printers.def file. + +<Long Printer Name> -> QMS ColorScript 100 Model 30 (name given + on the command line) +<Driver File Name> -> PSCRIPT.DRV (given in Data Section) +<Data File Name> -> QCS30503.SPD (defaults to Install Section name) +<Help File Name> -> PSCRIPT.HLP (given in Data Section) +<Language Monitor Name> -> PostScript Language Monitor (given in Data Section) +<Default Data Type> -> RAW (default if not specified) + + +So.... the enty (actually one line but split here for readability) would +be: + +QMS ColorScript 100 Model 30:PSCRIPT.DRV:QCS30503.SPD: +PSCRIPT.HLP:PostScript Language Monitor:RAW: +QCS30503.SPD,color\QMS10030.ICM,PSCRIPT.DRV,PSCRIPT.HLP,PSCRIPT.INI, +TESTPS.TXT,APPLE380.SPD,FONTS.MFM,ICONLIB.DLL,PSMON.DLL + +---------------------- Info from MSPRINT2.INF ------------------------ +; +; The Manufacturer section lists all of the manufacturers that we will +; display in the Dialog box + +[Manufacturer] +"QMS" + + +; +; Model sections. Each section here corresponds with an entry listed in the +; [Manufacturer] section, above. The models will be displayed in the order +; that they appear in the INF file. +; +; Each model lists a variation of its own name as a compatible ID. This +; is done primarily as an optimization during upgrade. +; +[QMS] +"QMS ColorScript 100 Model 30" = QCS30503.SPD,QMS_ColorScript_100_Model_30 + + +; +; Installer Sections +; +; These sections control file installation, and reference all files that +; need to be copied. The section name will be assumed to be the driver +; file, unless there is an explicit DriverFile section listed. +; +[QCS30503.SPD] +CopyFiles=@QCS30503.SPD,COLOR_QMS_100_30,PSCRIPT +DataSection=PSCRIPT_DATA + +; Copy Sections +; +; Lists of files that are actually copied. These sections are referenced +; from the installer sections, above. Only create a section if it contains +; two or more files (if we only copy a single file, identify it in the +; installer section, using the @filename notation) or if it's a color +; profile (since the DestinationDirs can only handle sections, and not +; individual files). +; +[COLOR_QMS_100_30] +QMS10030.ICM + +[PSCRIPT] +PSCRIPT.DRV +PSCRIPT.HLP +PSCRIPT.INI +TESTPS.TXT +APPLE380.SPD +FONTS.MFM +ICONLIB.DLL +PSMON.DLL + + +; +; Data Sections +; +; These sections contain data that is shared between devices. +; +[PSCRIPT_DATA] +DriverFile=PSCRIPT.DRV +HelpFile=PSCRIPT.HLP +LanguageMonitor=%PS_MONITOR% + + +; +; Color profiles go to the colors directory. All other files go to the +; system directory +; + +[DestinationDirs] +DefaultDestDir=11 +COLOR_QMS_100_30=23 +COLOR_TEKTRONIX_200I=23 +COLOR_TEKTRONIX_III_PXI=23 + + +; +; Localizable Strings +; +[Strings] +MS="Microsoft" +PS_MONITOR="PostScript Language Monitor,PSMON.DLL" + diff --git a/docs/textdocs/PROFILES.txt b/docs/textdocs/PROFILES.txt new file mode 100644 index 00000000000..a52e1366041 --- /dev/null +++ b/docs/textdocs/PROFILES.txt @@ -0,0 +1,388 @@ +!== +!== PROFILES.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributors: Bruce Cook <BC3-AU@bigfoot.com> + Copyright (C) 1998 Bruce Cook + + John Terpstra <samba-bugs@samba.anu.edu.au> + Copyright (C) 1998 John H. Terpstra + + Wolfgang Ratzka <ratzka@hrz.uni-marburg.de> + Copyright (C) 1998 Wolfgang Ratzka + +Created: April 11, 1998 +Updated: April 11, 1998 + +Subject: User Profiles +=========================================================================== + +From BC3-AU@bigfoot.com Sat Apr 11 13:36:05 1998 +Date: Sat, 11 Apr 1998 17:13:49 +1000 +From: Bruce Cook <BC3-AU@bigfoot.com> +To: Multiple recipients of list <samba-ntdom@samba.anu.edu.au> +Subject: RE: A question about NT Domains + +Luke Kenneth Casson Leighton writes: + > On Fri, 10 Apr 1998, Jean-Francois Micouleau wrote: + > + > > On Fri, 10 Apr 1998, Luke Kenneth Casson Leighton wrote: + > > + > > > ah, then i need to explain better. two or more users have identical + > > > profiles. say only one user installs a program which adds additional keys + > > > into the registry. those keys, as i understand it, will *not* be removed + > > > from HKEY_LOCAL_USER when subsequent users log in. + > > + > > under W95 or NT ? + > + > my experience is with Win95, but i expect the same for NT, and have been + > told that it is so by someone who runs NT admin training courses. + > + > > and why do you want to have one profile shared between multiples users ? + > + > you don't. how did you get that impression? i said multiple users with + > identical profiles, not multiple users sharing one profile. + +In my experience with both Win95 and NT, is that the HKEY_LOCAL_USER information +is stored in USER.dat or NTuser.DAT for NT. ALL of this branch is in this file +and there is no overlap between any two users (Unless you have '95 set up +to use a single common profile). + +[** lkcl: see jht's message for conditions under which an overlap can occur **] + +The HKEY_LOCAL_MACHINE branch is machine based, and shared by all users of that +machine. + + +[And now for a whole stack of caveats] + +1. User start menu paths are not stored in the registry (obviously) they're + a directory structure that located by settings in HKEY_LOCAL_USER. + + If you want start menues / desktop / favorites to be individual to a user + you must set up your user registry so these can be located individually. + The easiest tool to manage this is the policy editor. + +2. When you log onto 'Doze 95, it has to find the user registry. + + + If you have specified a common profile, a "default user" USER.DAT is used. + + If you have specified individualised profiles, then USER.DAT will be found + by the following formula: + + 1. if NET USE x: /HOME was used at startup, try for x:\USER.DAT (where + x: is any drive letter from A to Z. + if no USER.DAT is found go to step 3 + + 2. if no home is specified in a mapping, + ...\windows\profiles\username\USER.DAT is used. If no USER.DAT exists + go to step 3. + + 3. If neither of the previous two found a USER.DAT, then it will use + a prototype USER.DAT which it will later save to the above specified + path when the user logs out. + + The interesting thing here is that the prototype USER.DAT used here + is actually a copy of the last USER.DAT used on this machine. (This + may be the effect that the original poster is seeing) + + 4. As discussed above the start menu and desktop are specified in the + registry contained within USER.DAT. When a new USER.DAT is created + from a prototype, new directories are created for the start menu and + desktop ACCORDING TO HOW THE COPIED PROTOTYPE DEFINES THEM. + + So if the prototype USER.DAT says that start menu is in H:\Start Menu + but programs folder is C:\windows\start menu\programs, then the + H:\start menu will be created, and the existing machine programs + folder used. + + This means that is is important when creating roving profiles to get + your prototype USER.DAT and general user directory structure set up + exactly as you want it, and then make a copy of it that you know will + be safe from modification. When creating a new user you then copy + this prototype into the new user area, so that the new user doesn't + just inherit what the previous user had. + + +3. When you log onto 'Doze NT, it has to find the user registry. + + + NT is easier to see what's going on, but follows much the same rules as + '95. The big difference being that 'NT gets its profile location from + the login server when it's logged in. (On an NT system have a look at user + manager/user/profile - you will see that you can specify the user profile + path) Under NT3.51 this profile path was a path to NTuser.DAT, on 4.0 this + seems to be a path to a directory structure (haven't played with many NT4 + servers) + + I'm not sure how this works in samba, as I haven't yet tried the NT_DOM stuff + yet (Luke: I assume you have a keyword for this?) + +[lkcl: nt workstations should look in exactly the same places for things on + samba or other SMB servers as they do on an NT server, as long as that + SMB server looks like NT. if anyone finds that something fails, alert + us on samba-bugs@samba.anu.edu.au and we'll look into it]. + + When an NT system find a user without a NTuser.DAT, it copies from a + prototype that it stores especially for this purpose, so while unlike '95 + the user doesn't get whatever happened last on the machine, the user will + get a fairly minimalist configuration. + +[[jht: +When a Win95 machine logs onto a Windows NT Domain the Win95 machine looks +for the presence of a file called Config.Pol in the following location: + \\"Authenticating Server"\NETLOGON +It reads this file and uses it to ammend both the desktop environment as well +as the file %WinDir%\Profiles\%USERNAME%\User.DAT. As with Windows NT, on log +out this file gets written back to the profile server into the %USERNAME% +directory in the profile share. + +It is thus possible to share a common desktop profile between Windows NT and +Windows 9x. +:jht]] + + +4. There are a *LOT* of reasons that the 'doze machine might not find USER.DAT + and therefore default to a prototype. + + 1. Can't execute logon script & therefore no /HOME mapping (Most common) + .Make sure the script exists + .that you have your logon script set right + .Netlogon share must exist + .Protection/ownership of the script and share + + 2. no /HOME mapping in the logon script + + 3. no home path specified in /etc/smb.conf (Or no home mapping set + up for that user in NT's user manager) + + 4. Protection/ownership of the user directory + + 5. protection/ownership of USER.DAT + + 6. basic networking problems + .Is the networking available (Test it by manually mapping + to both the user share and netlogon share) + .Was the networking working during logon ? + + 7. Has it defaulted to a prototype, and then had you map the home + directory afterwards ? - This will result in the bad prototype + being written into the users home, and them being stuck with it, + (Just replace USER.DAT again) + + +5. Interesting NOTE + + When '95 is performing the logon script, the HKEY_LOCAL_USERS has + NOT been mapped from the USER.DAT. What has been mapped at this stage + is the prototype registry (last one used). + + I assume the reason for this is that '95 is waiting for the logon + script to complete so that it can identify where the user's home + directory is. + + If at this point you attempt to do anything that uses the USER registry, + (installing something for example or reading something from the user + registry) you will actually be operating on the machine stored prototype + profile not the user profile. This means that nothing will realy + happen to the user setup (No menu items, no settings etc). + + To get around this you can name a process in the "run once" entries in + the HKEY_LOCAL_MACHINE branch, and these "run once" processes will be + executed once the USER.DAT is loaded, and all the user directories are + accessible. + + +To sum up: + + NET USE H: /HOME + is the key to getting your user profiles loaded from a server. + NET USE H: \\server\homes + Won't get it right without a lot of stuffing about. + + Windoze '95 goes through a lot to bring you your user profile and + if anything goes wrong during this process, it will drop back to + using whatever profile was last used on the machine. + + +From samba@aquasoft.com.au Sat Apr 11 13:48:54 1998 +Date: Sat, 11 Apr 1998 09:34:08 +1000 +From: Samba Bugs <samba@aquasoft.com.au> +To: Multiple recipients of list <samba-ntdom@samba.anu.edu.au> +Subject: Re: A question about NT Domains + +Just for the sake of completeness I thought I'd add a bit to this. +Let's be clear about which files affect registry changes (or contents). + +Under NT, open a command prompt interface: +cd %SystemRoot%\System32\config +dir + +The standard registry files are: + Default - all component default settings + System - all HKLM\System entries + Software - all HKLM\Software entries + Security - Domain/Machine releated User Rights & Privs. + SAM - the Security Access Manager database (ie:Passwords etc.) + +[[jht: +The SAM and Security files are the only files that get synchronised between +Windows NT Domain Controllers. +:jht]] + +These are used by EVERYTHING!! + +When a user logs in the following files get checked: + 1) \\"Authenticating Server"\NETLOGON\NTConfig.Pol + 2) %SystemRoot%\Profiles\Policies\NTConfig.Pol + this one is a copy of the last NTConfig.Pol downloaded + from (1) above - if available. + 3) %SystemRoot%\Policies\%UserName%\NTUser.DAT + +[[jht: +The System Policy Editor on Windows NT can be used to create both the +Windows 95 "Config.Pol" file, as well as the Windows NT "NTConfig.Pol" +file. To create the Windows 95 policy file you MUST load the Windows 95 +policy template BEFORE creating the Config.Pol file. +:jht]] + +The later, is first obtained from a profile server if the User_Init_Info +passed from the Domain Logon Server specifies use of a roaming profile. +If item (3) does NOT exist and/or NO default profile is available one gets +created from the system default settings PLUS the last loaded file at item +(2) above. + +The HKCU is always unique to the currently logged in user, BUT if the +currently logged in user is using a shared profile that has NOT been made +exclusive then on logout the HKCU will be written over the top of the +source files. That is why Mandatory profiles are essential when sharing a +roaming profile. + +On Sat, 11 Apr 1998, Wolfgang Ratzka wrote: + +> Luke Kenneth Casson Leighton wrote: +> +> > my experience is with Win95, but i expect the same for NT, and have been +> > told that it is so by someone who runs NT admin training courses. +> +> On NT it is quite definitely not so. HKCU will always be loaded completely from +> the user's NTuser.dat file and unloaded again after logout. +> In fact HKCU is not a proper registry hive but a symbolic reference to the subkey of +> HKEY_USERS that corresponds to the current user. If more than one user +> is active on an NT machine (on plain vanilla NT this *is* possible if you have +> services running as a non-system user; on WinFrame or Hydra multiple users +> can be logged in) you will see several subkeys of HKU that correspond to +> the active users and don't interfere with each other. +> +> Of course some settings that a user can change do not go into the HKCU hive +> but into HKLM, most notably the screen resolution and the number of colours +> (you can use policies to prevent user's from changing these). +> Some applications put information that should go into HKCU into HKLM instead. +> (Hall of Shame: Netscape Communicator, Microsoft Office 97 [User dictionaries!]...). +> Others just use plain good old INI files in their program directory or even +> in \WINNT\SYSTEM32. Those changes will not be user specific but machine +> specific and those programs will cause trouble, when one tries to run them +> on WinFrame or Hydra... :-). +> +> Summarizing: +> +> Q: Will the next user inherit a previous user's additions +> to the HKCU registry hive? +> A: Quite definitely not. + +Correct. + +> +> Q: Can a user foul up the configuration for the next user? +> A: Quite definitely yes! + +See above. Yes, but not if correctly configured. + +> +> Q: Is this discussion out of place on the samba-ntdom list? +> A: Errr.... + +Errr... Really? I think it is. Do we, or do we not, want to help people to +gain stable and dependable use of samba? + +> -- +> Wolfgang Ratzka (dialing in from home) + +Cheers, +John H Terpstra (Also from home!!!!) + +============================================================================= +Further notes by Bruce Cook + +Date: Sun, 12 Apr 1998 14:12:22 +1000 +From: Bruce Cook <BC3-AU@bigfoot.com> +Subject: Re: Win95 / NT Profiles (was: RE: A question about NT Domains) + +Ah yes I knew there was something I forgot. +here it is for completeness. + +============================================================================= + +When a user logs into a specific machine for the first time, they will be +told that they've never logged into the machine, and would they like to +store the user setting for future use. + +If the user answers NO, they will be nagged about this every time they +log into the machine until they say YES. (How about it MS, could we +possible do something about this feature?) + +When the user answers YES, thereafter upon logging out of the machine, +a copy of the user's profile is also written onto the machines local disk +for later use. + +When a user logs into a machine where his/her profile has previously been +saved, a comparison is made between the date of the profile copy kept on +the machine, and the date of the profile stored on the server. In theory +the server date should be later or the same. + +If the local machine date is later than the server date, the client +machine will tell you the the settings on the local machine are more +recent than those of the server, and would you like to user them instead. + +This occurs for a couple of reasons: + 1. Server not available when the user logs out + 2. Date mismatch between the server and the client + (I always use NET TIME \\server /SET /YES in my logon scripts) + + +Logging in with NO server available. + +In some cases a client will want to log into a network with no server +available. (Portables away from the office, or a dead server) + +This can only happen if the administrator has NOT set the machine to +give access only upon password verification from the server. +(If the admin has done this, it can be circumvented by restarting + the machine in safe mode, and running poledit, or regedit and + disabling that feature) + +If you are able to log in while the server is unavailable, you have +two choices + 1. Log in as a user that previously stored a profile + (The password won't have to match unless the machine + is set up to store passwords) + + 2. log in as the default user (bit the cancel button or escape key) + +If you choose to use your profile stored on the local machine, there are +several things you should be wary of: + 1. the profile stored on the machine will be a copy of the last + profile used when you logged into THAT machine. You may get + quite an old profile. + 2. When you log out, that local profile is garunteed to be later + than the one on the server, and if the server is available, or + you later log into that machine when the server is available + you could overwrite the good server profile with a bogus profile. + + +Technique note: + I set portable computers up so that they don't use roaming profiles, + rather they have a single profile kept on the machine. This means + that a user has the same desktop look an feel regardless of where + they are. This follows the philosophy that laptops tend to be used + by only one person. diff --git a/docs/textdocs/PROJECTS b/docs/textdocs/PROJECTS index cf903f2c6dd..07f82c74d94 100644 --- a/docs/textdocs/PROJECTS +++ b/docs/textdocs/PROJECTS @@ -14,35 +14,37 @@ then please let me know! Also, if you are listed below and you have any corrections or updates then please let me know. Email contact: -samba-bugs@anu.edu.au +samba-bugs@samba.anu.edu.au ======================================================================== Documentation and FAQ Docs and FAQ files for the Samba suite of software. -Contact Karl.Auer@anu.edu.au +Contact samba-bugs@samba.anu.edu.au with the diffs. These are urgently +required. -Mark Preston is now working on a set of formatted docs for Samba. -Contact mpreston@sghms.ac.uk +The FAQ is being added to on an ad hoc basis, see the web pages for info. -Docs are currently up to date with version, 1.7.07. FAQ being added to -as questions arise. +Mark Preston was working on a set of formatted docs for Samba. Is this +still happening? Contact mpreston@sghms.ac.uk -Status last updated 27th September 1994 +Status last updated 2nd October 1996 ======================================================================== ======================================================================== Netbeui support -This aims to produce patches so that Samba can be used with clients +This aimed to produce patches so that Samba can be used with clients that do not have TCP/IP. It will try to remain as portable as possible. - -Contact Brian.Onn@Canada.Sun.COM (Brian Onn) - -The project is just startup up. - -Status last updated 4th October 1994 +Contact Brian.Onn@Canada.Sun.COM (Brian Onn) Unfortunately it died, and +although a lot of people have expressed interest nobody has come forward +to do it. The Novell port (see Samba web pages) includes NetBEUI +functionality in a proprietrary library which should still be helpful as +we have the interfaces. Alan Cox (a.cox@li.org) has the information +required to write the state machine if someone is going to do the work. + +Status last updated 2nd October 1996 ======================================================================== ======================================================================== @@ -52,21 +54,11 @@ A mountable smb filesystem for Linux using the userfs userspace filesystem Contact lendecke@namu01.gwdg.de (Volker Lendecke) -Currently this is at version 0.2. It works but is really only for -people with some knowledge and experience of Linux kernel hacking. - -Status last updated 23rd August 1994 -======================================================================== - -======================================================================== -Nmbd - -Aims to produce a complete rfc1001/1002 implementation. The current -nmbd is a partial implementation. - -Contact Fabrice Cetre (cetre@ifhpserv.insa-lyon.fr) +This works really well, and is measurably more efficient than commercial +client software. It is now part of the Linux kernel. Long filename support +is in use. -Status last updated 23rd August 1994 +Status last updated June 1997 ======================================================================== ======================================================================== diff --git a/docs/textdocs/Passwords.txt b/docs/textdocs/Passwords.txt index e06876fecae..21e39d4a657 100644 --- a/docs/textdocs/Passwords.txt +++ b/docs/textdocs/Passwords.txt @@ -1,5 +1,12 @@ -NOTE ABOUT PASSWORDS -==================== +!== +!== Passwords.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Unknown +Date: Unknown +Status: Current + +Subject: NOTE ABOUT PASSWORDS +============================================================================= Unix systems use a wide variety of methods for checking the validity of a password. This is primarily controlled with the Makefile defines @@ -33,7 +40,7 @@ only written and tested for AFS 3.3 and later. SECURITY = SERVER ================= -Samba can use a remote server to do it's username/password +Samba can use a remote server to do its username/password validation. This allows you to have one central machine (for example a NT box) control the passwords for the Unix box. diff --git a/docs/textdocs/Printing.txt b/docs/textdocs/Printing.txt new file mode 100644 index 00000000000..aadbe41ff43 --- /dev/null +++ b/docs/textdocs/Printing.txt @@ -0,0 +1,132 @@ +!== +!== Printing.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Unknown <samba-bugs@samba.anu.edu.au> +Date: Unknown +Status: Current + +Subject: Dubugging Printing Problems +============================================================================= + +This is a short description of how to debug printing problems with +Samba. This describes how to debug problems with printing from a SMB +client to a Samba server, not the other way around. For the reverse +see the examples/printing directory. + +Please send enhancements to this file to samba-bugs@samba.anu.edu.au + +Ok, so you want to print to a Samba server from your PC. The first +thing you need to understand is that Samba does not actually do any +printing itself, it just acts as a middleman between your PC client +and your Unix printing subsystem. Samba receives the file from the PC +then passes the file to a external "print command". What print command +you use is up to you. + +The whole things is controlled using options in smb.conf. The most +relevant options (which you should look up in the smb.conf man page) +are: + print command + lpq command + lprm command + +Samba should set reasonable defaults for these depending on your +system type, but it isn't clairvoyant. It is not uncommon that you +have to tweak these for local conditions. + +On my system I use the following settings: + + print command = lpr -r -P%p %s + lpq command = lpq -P%p + lprm command = lprm -P%p %j + +The % bits are "macros" that get dynamically replaced with variables +when they are used. The %s gets replaced with the name of the spool +file that Samba creates and the %p gets replaced with the name of the +printer. The %j gets replaced with the "job number" which comes from +the lpq output. + +When I'm debugging printing problems I often replace these command +with pointers to shell scripts that record the arguments, and the +contents of the print file. A simple example of this kind of things +might be: + + print command = cp %s /tmp/tmp.print + +then you print a file and look at the /tmp/tmp.print file to see what +is produced. Try printing this file with lpr. Does it work? If not +then your problem with with your lpr system, not with Samba. Often +people have problems with their /etc/printcap file or permissions on +various print queues. + +Another common problem is that /dev/null is not world writeable. Yes, +amazing as it may seem, some systems make /dev/null only writeable by +root. Samba uses /dev/null as a place to discard output from external +commands like the "print command" so if /dev/null is not writeable +then nothing will work. + +Other really common problems: + +- lpr isn't in the search path when Samba tries to run it. Fix this by +using the full path name in the "print command" + +- the user that the PC is trying to print as doesn't have permission +to print. Fix your lpr system. + +- you get an extra blank page of output. Fix this in your lpr system, +probably by editing /etc/printcap. It could also be caused by +incorrect setting on your client. For example, under Win95 there is a +option Printers|Printer Name|(Right +Click)Properties|Postscript|Advanced| that allows you to choose if a +Ctrl-D is appended to all jobs. This will affect if a blank page is +output. + +- you get raw postscript instead of nice graphics on the output. Fix +this either by using a "print command" that cleans up the file before +sending it to lpr or by using the "postscript" option in smb.conf. + +Note that you can do some pretty magic things by using your +imagination with the "print command" option and some shell +scripts. Doing print accounting is easy by passing the %U option to a +print command shell script. You could even make the print command +detect the type of output and its size and send it to an appropriate +printer. + +If the above debug tips don't help, then maybe you need to bring in +the bug gun, system tracing. See Tracing.txt in this directory. + +===================================================================== +From Caldera Inc., the following documentation has been contributed: + + +8.6 Setting up a raw SAMBA printer. + +Note: this is not a guide on setting up SAMBA. It merely addresses creating a printer configuration that will allow the output of regular (i.e. not PostScript) Windows printer drivers to print through SAMBA. + +Regular Windows printer drivers can be used to print via SAMBA, but you must set up a raw printer entry in "/etc/printcap" to accomplish this. Also, a print command will need to be specified in "/etc/smb.conf" that forces binary printing. + +The best way to start is to use printtool under X to create a new entry specifically for this printer. All you really need for it to do is create the necessary directories and set the permissions correctly, so don't worry about setting up a filter for a specific printer. Filters are not going to be used at all for this entry. + +Next, go into "/etc" and edit the printcap entry you just created, changing it to look like this (if you named it something other than raw, the entry name and spool directory should be changed here to match): + +raw:\ + :rw:sh: \ + :lp=/dev/lp1: \ + :sd=/var/spool/lpd/raw: \ + :fx=flp: + +When this is done and saved, edit the section of the smb.conf file that applies to the printer. Make sure the name of the section (enclosed in brackets) matches the name of the raw printer you just set up, then go down a line or two and add this line: + +print command = lpr -b -P%p %s + +Save the file, change to "/etc/rc.d/init.d", and type the following commands +to restart the necessary daemons: + +./lpd stop +./lpd start +./smb stop +./smb start + +At this point you should be ready to use the various printer drivers on +your Windows clients for printing. +============================================================================= + diff --git a/docs/textdocs/README.DCEDFS b/docs/textdocs/README.DCEDFS index f84b84bb686..da9bb2197da 100644 --- a/docs/textdocs/README.DCEDFS +++ b/docs/textdocs/README.DCEDFS @@ -1,9 +1,8 @@ -============================================================================= - - Basic DCE/DFS Support for SAMBA 1.9.13 - - Jim Doyle <doyle@oec.com> 06-02-95 +Contributor: Jim Doyle <doyle@oec.com> +Date: 06-02-95 +Status: Current but needs updating +Subject: Basic DCE/DFS Support for SAMBA 1.9.13 ============================================================================= Functionality: diff --git a/docs/textdocs/README.jis b/docs/textdocs/README.jis index 2ac6716a6f6..50ff0cced74 100644 --- a/docs/textdocs/README.jis +++ b/docs/textdocs/README.jis @@ -14,6 +14,10 @@ $B$rL\E*$H$7$F$$$^$9!#$=$N$?$a!"F|K\8lBP1~$O!"I,MW:G>.8B$7$+9T$J$C$F$*$j$^$;$s!#(B + $BF|K\8lBP1~$7$?(B samba $B$rMxMQ$9$k$?$a$K$O!"%3%s%Q%$%k$9$k;~$K!"I,$:!"(BKANJI $B$NDj5A$rDI(B + $B2C$7$F$/$@$5$$!#$3$N%*%W%7%g%s$r;XDj$7$F$$$J$$>l9g$O!"F|K\8l$N%U%!%$%kL>$r@5$7$/07(B + $B$&$3$H$O$G$-$^$;$s!#!J%3%s%Q%$%k$K$D$$$F$O!"2<5-(B 3. $B$r;2>H$7$F2<$5$$!K(B + 2. $BMxMQJ}K!(B (1) $BDI2C$7$?%Q%i%a!<%?(B @@ -34,6 +38,12 @@ $B$N(B16$B?J?t$rB3$1$k7A<0$K$J$j$^$9!#(B $B$3$3$G!"(B':' $B$rB>$NJ8;z$KJQ99$7$?$$>l9g$O!"(Bhex $B$N8e$m$K$=$NJ8;z$r;XDj$7$^$9!#(B $BNc$($P!"(B@$B$rJQ$o$j$K;H$$$?$$>l9g$O!"(B'hex@'$B$N$h$&$K;XDj$7$^$9!#(B + cap: 7 bits $B$N(B ASCII $B%3!<%I0J30$N%3!<%I$r0J2<$N7A<0$GI=$9J}<0$H$$$&E@$G$O(B + hex$B$HF1MM$G$9$,!"(BCAP (The Columbia AppleTalk Package)$B$H8_49@-$r;}$DJQ49(B + $BJ}<0$H$J$C$F$$$^$9!#(Bhex$B$H$N0c$$$O(B0x80$B0J>e$N%3!<%I$N$_(B':80'$B$N$h$&$KJQ49(B + $B$5$l!"$=$NB>$O(BASCII$B%3!<%I$G8=$5$l$^$9!#(B + $BNc$($P!"(B'$B%*%U%#%9(B'$B$H$$$&L>A0$O!"(B':83I:83t:83B:83X'$B$H$J$j$^$9!#(B + JIS $B%3!<%I$K$D$$$F$O!"0J2<$NI=$r;2>H$7$F2<$5$$!#(B $B(#(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(!(!(!(!(!($(B $B(";XDj(B $B("4A;z3+;O("4A;z=*N;("%+%J3+;O("%+%J=*N;("1Q?t3+;O("Hw9M(B $B("(B @@ -90,6 +100,8 @@ $B%$%kL>$O!"(BEUC $B%3!<%I$K$J$j$^$9!#$3$3$G;XDj$7$?%3!<%I7O$O!"%5!<%P5Z$S%/%i%$%"%s%H(B $B%W%m%0%i%`$N%G%U%)%k%H$KCM$J$j$^$9!#(B + $B>0!"%*%W%7%g%sCf$N(B \ $B$d(B " $B$bK:$l$:$K;XDj$7$F2<$5$$!#(B + 3. $B@)8B;v9`(B (1) $B4A;z%3!<%I(B @@ -104,21 +116,34 @@ $B$A$c$s$H$7$?%9%Z%C%/$,$h$/$o$+$i$J$+$C$?$N$G$9$,!"0l1~!"(BDOS/V $B$NF0:n$HF1$8F0:n$r9T$J(B $B$&$h$&$K$J$C$F$$$^$9!#(B +(4) $B%m%s%0%U%!%$%kL>$K$D$$$F(B + Windows NT/95 $B$G$O!"%m%s%0%U%!%$%kL>$,07$($^$9!#%m%s%0%U%!%$%kL>$r(B 8.3 $B%U%)!<%^%C%H(B + $B$G07$&$?$a$K!"(Bmangling $B$7$F$$$^$9$,!"$3$NJ}K!$O!"(BNT $B$d(B 95 $B$,9T$J$C$F$$$k(B mangling $B$H(B + $B$O0[$J$j$^$9$N$GCm0U$7$F2<$5$$!#(B + 4. $B>c32Ey$N%l%]!<%H$K$D$$$F(B $BF|K\8l$N%U%!%$%kL>$K4X$7$F!"J8;z2=$1Ey$N>c32$,$"$l$P!";d$K%l%]!<%H$7$FD:$1$l$P9,$$$G(B $B$9!#$?$@$7!"%*%j%8%J%k$+$i$NLdBjE@$d<ALd$K$D$$$F$O!"%*%j%8%J%k$N:n<T$XD>@\Ld$$9g$o$;$k(B $B$+!"$b$7$/$O%a!<%j%s%0%j%9%H$J$I$X%l%]!<%H$9$k$h$&$K$7$F2<$5$$!#(B +$B%l%]!<%H$5$l$k>l9g!"MxMQ$5$l$F$$$k4D6-(B(UNIX $B5Z$S(B PC $BB&$N(BOS$B$J$I(B)$B$H$G$-$^$7$?$i@_Dj%U%!(B +$B%$%k$d%m%0$J$I$rE:IU$7$FD:$1$k$H9,$$$G$9!#(B + 5. $B$=$NB>(B - hex $B7A<0$NJQ49J}K!$O!"(B + $B%3!<%IJQ49$O0J2<$NJ}!9$,:n$i$l$?%W%m%0%i%`$rMxMQ$7$F$$$^$9!#(B - $BBgLZ!wBgDM!&C^GH(B <ohki@gssm.otsuka.tsukuba.ac.jp>$B;a(B + hex $B7A<0(B $BBgLZ!wBgDM!&C^GH(B <ohki@gssm.otsuka.tsukuba.ac.jp>$B;a(B + cap $B7A<0(B $BI%ED(B $BF;O:(B (michiro@po.iijnet.or.jp)(michiro@dms.toppan.co.jp)$B;a(B - $B$,:n$i$l$?%3!<%I$rMxMQ$7$F$$$^$9!#(B + $B$=$NB>!"$?$/$5$s$NJ}!9$+$i$$$m$$$m$H8f65<($$$?$@$-$"$j$,$H$&$4$6$$$^$7$?!#:#8e$H$b$h(B +$B$m$7$/$*4j$$CW$7$^$9!#(B 1994$BG/(B10$B7n(B28$BF|(B $BBh#1HG(B 1995$BG/(B 8$B7n(B16$BF|(B $BBh#2HG(B +1995$BG/(B11$B7n(B24$BF|(B $BBh#3HG(B +1996$BG/(B 5$B7n(B13$BF|(B $BBh#4HG(B + $BF#ED(B $B?r(B fujita@ainix.isac.co.jp diff --git a/docs/textdocs/README.sambatar b/docs/textdocs/README.sambatar index 26829952eb6..af7250c2a49 100644 --- a/docs/textdocs/README.sambatar +++ b/docs/textdocs/README.sambatar @@ -1,3 +1,11 @@ +Contributor/s: Martin.Kraemer <Martin.Kraemer@mch.sni.de> + and Ricky Poulten (ricky@logcam.co.uk) +Date: Unknown - circa 1994 +Status: Obsoleted - smbtar has been a stable part of Samba + since samba-1.9.13 + +Subject: Sambatar (now smbtar) +============================================================================= This is version 1.4 of my small extension to samba that allows PC shares to be backed up directly to a UNIX tape. It only has been tested under diff --git a/docs/textdocs/Recent-FAQs.txt b/docs/textdocs/Recent-FAQs.txt new file mode 100644 index 00000000000..6e7899a34f0 --- /dev/null +++ b/docs/textdocs/Recent-FAQs.txt @@ -0,0 +1,289 @@ +!== +!== Recent-FAQs.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Samba-bugs@samba.anu.edu.au +Date: July 5, 1998 +Status: Current + +============================================================================= +Subject: Recent FAQ answers to common questions / problems +============================================================================= +Contents: NetWkstaUserLogon + Not listening for calling name + System Error 1240 + Trapdoor UID + User Access Control + Using NT to Browse Samba Shares + setup.exe and 16 bit programs + smbclient -N + +NetWkstaUserLogon +================= +FAQ answer about the new password server code: + +In 1.9.18 you can disable the NetWkstaUserLogon call at compile time +in local.h and from 1.9.18p3 you can now disable it from an option in +your smb.conf. + +The password server behaviour changed because we discovered that bugs +in some NT servers allowed anyone to login with no password if they +chose an account name that did not exist on the password server. The +NT password server was saying "yes, it's OK to login" even when the +account didn't exist at all! Adding the NetWkstaUserLogon call fixed +the problem, and follows the "recommended" method that MS have +recently documented for pass through authentication. + +The problem now is that some NT servers (in particular NT +workstation?) don't support the NetWkstaUserLogon call. The call also +doesn't work for accounts in trust relationships. + +The eventual solution for this will be to replace the password server +code in Samba with NT domain code as that is developed. For now you +have the choice of compiling Samba either with or without the +NetWkstaUserLogon call in the password server code. + +In 1.9.18p3 the following was added (copied from the 1.9.18p3 release +notes): + +In the [global] section of smb.conf : + +networkstation user login + +This code (submitted by Rob Nielsen) allows the code many people +were having problems with that queries an NT password server to +be turned off at runtime rather than compile time. Please see the +documentation in the smb.conf manual page for details. This is a +security option - it must only be turned off after checks have been +made to ensure that your NT password server does not suffer from the +bug this code was meant to protect against ! + +In 1.9.18 you can enable/disable this call in local.h. In 1.9.17p5 +you could apply the following patch. Applying this patch will make +the password server code behave like the code in earlier versions +of Samba. If you do this then please ensure that you test to see +that users are prevented from logging in if they give a bogus +username/password. You may have a NT server that is affected by the +bug that this code is designed to avoid. + + +--- password.c 1997/10/21 10:09:28 1.25.2.4 ++++ password.c 1997/12/31 06:43:06 +@@ -1619,6 +1619,7 @@ + } + + ++#if 0 + if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) { + DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost)); + cli_tdis(&cli); +@@ -1638,6 +1639,7 @@ + cli_tdis(&cli); + return False; + } ++#endif + + DEBUG(3,("password server %s accepted the password\n", cli.desthost)); +=============================================================================== + +Not listening for calling name +============================== + +> Session request failed (131,129) with myname=HOBBES destname=CALVIN +> Not listening for calling name + +If you get this when talking to a Samba box then it means that your +global "hosts allow" or "hosts deny" settings are causing the Samba +server to refuse the connection. + +Look carefully at your "hosts allow" and "hosts deny" lines in the +global section of smb.conf. + +It can also be a problem with reverse DNS lookups not functioning +correctly, leading to the remote host identity not being able to +be confirmed, but that is less likely. +=============================================================================== + +System Error 1240 +================= +System error 1240 means that the client is refusing to talk +to a non-encrypting server. Microsoft changed WinNT in service +pack 3 to refuse to connect to servers that do not support +SMB password encryption. + +There are two main solutions: + +1) enable SMB password encryption in Samba. See ENCRYPTION.txt in the +Samba docs + +2) disable this new behaviour in NT. See WinNT.txt in the +Samba docs +=============================================================================== + +Trapdoor UID +============ +> Log message "you appear to have a trapdoor uid system" + +This can have several causes. It might be because you are using a uid +or gid of 65535 or -1. This is a VERY bad idea, and is a big security +hole. Check carefully in your /etc/passwd file and make sure that no +user has uid 65535 or -1. Especially check the "nobody" user, as many +broken systems are shipped with nobody setup with a uid of 65535. + +It might also mean that your OS has a trapdoor uid/gid system :-) + +This means that once a process changes effective uid from root to +another user it can't go back to root. Unfortunately Samba relies on +being able to change effective uid from root to non-root and back +again to implement its security policy. If your OS has a trapdoor uid +system this won't work, and several things in Samba may break. Less +things will break if you use user or server level security instead of +the default share level security, but you may still strike +problems. + +The problems don't give rise to any security holes, so don't panic, +but it does mean some of Samba's capabilities will be unavailable. +In particular you will not be able to connect to the Samba server as +two different uids at once. This may happen if you try to print as a +"guest" while accessing a share as a normal user. It may also affect +your ability to list the available shares as this is normally done as +the guest user. + +Complain to your OS vendor and ask them to fix their system. + +Note: the reason why 65535 is a VERY bad choice of uid and gid is that +it casts to -1 as a uid, and the setreuid() system call ignores (with +no error) uid changes to -1. This means any daemon attempting to run +as uid 65535 will actually run as root. This is not good! +=============================================================================== + +User Access Control +=================== +> In windows when i set up a share in "user mode" i get the message: +> "You cannot view the list of users at this time. Please try again later." +> +> I know you have lists of users for access and aliasing purposes, but i +> have read nothing to support the idea that these lists control the Domain +> Users List... + +Samba does NOT at this time support user mode access control for Window 9x +of for NT. This is a priority item and requires full implementation of the NT SMB +protocol calls. Samba-1.9.19 will go into alpha in about 2 months time and will +have a more full implementation of the NT SMB protocols to support Domain Client +interoperability. When we can see that this has been succesful we wil then implement +the NT SMB Server components. This will probably be released as Samba-2.0 + +Samba-1.9.18p5 is scheduled to go out within 14 days. This will close off the 1.9.18 +branch and then opens the way to progress 1.9.19. + +I hope this answers your concerns adequately. +=============================================================================== + +Using NT to Browse Samba Shares +=============================== +> WIN-NT workstations (nt4.0, service pack 3) +> samba with +> security = user +> encrypt passwords = yes +> guest account = guest +> +> start the explorer on a win-nt workstation and select network. I find +> my unix server running samba, but I can not see the list of shares +> unless I am a user, who is known in the smbpasswd of the unix machine. +> The guest account "guest" exists on my unix machine. For testing I even +> made him a regular user with a password. +> +> With my network monitor I can see, that the win-nt workstation uses the +> current login, to connect to IPC$ on the samba server +> (for example "administrator"), not the guest account. + +This is exactly how Windows NT works. You MUST have a valid account on the Windows +NT box you are trying to see the resource list on. If your currently logged in +account details do NOT match an account on the NT machine you are trying to access +then you will be presented with a logon box for that machine. When you enter the +name of an account on that machine / domain, together with a valid password then +the resource list is made available. If the account details are not correct then +no resource list is shown. + +Samba follows the behaviour of Windows NT exactly. + +Warning:Warning:Warning: +======================== +Samba can be compiled with the GUEST_SESSION_SETUP option at 0,1 or 2. +The default is 0. If this is set to 1 or 2 then Windows NT machines that DO NOT +have an account on the Samba server will see the resource list. The down side of this +is that legitimate users may then be refused access to their legitimate resources. +Setting this option creates serious security holes. DO NOT DO IT. Samba has the +value of this option set at 0 - NOT WITHOUT REASON!!!! + +******> Warning:Warning:Warning: ****> Do not tamper with this setting!!! +=============================================================================== + +setup.exe and 16 bit programs +============================= +Running 16 bit programs from Windows NT on a Samba mapped drive +--------------------------------------------------------------- + +The Windows NT redirector has a bug when running against a +Samba or Windows 95 mapped drive and attempting to run a +16 bit executable. + +The problem occurs when the pathname to a 16 bit executable +contains a non 8.3 filename complient directory component, +Windows NT will fail to load the program and complain it +cannot find the path to the program. + +It can be verified that this is a bug in Windows NT and +not Samba as the same problem can be reproduced exactly +when attempting to run the same program with the same +pathname from a Windows 95 server (ie. the problem still +exists even with no Samba server involved). + +Microsoft have been made aware of this problem, it is +unknown if they regard it as serious enough to provide +a fix for this. + +One of the reasons this problem is reported frequently +is that InstallShield setup.exe executables are frequently +written as 16 bit programs, and so hit this problem. + +As a workaround, you may create (on a Samba server at +least) a symbolic link with an 8.3 complient name to +the non 8.3 complient directory name, and then the 16 +bit program will run. Alternatively, use the 8.3 +complient mangled name to specify the path to run +the binary. + +This will be fixed when Samba adds the NT-specific +SMB calls (currently targeted for the next major +Samba release), as once the NT SMB calls are used +this problem no longer occurs (which is why the +problem doesn't occur when running against a drive +mapped to a Windows NT server). + +Regards, + + Jeremy Allison. + Samba Team. +=============================================================================== + +smbclient -N +============ +> When getting the list of shares available on a host using the command +> smbclient -N -L <server> +> the program always prompts for the password if the server is a Samba server. +> It also ignores the "-N" argument when querying some (but not all) of our +> NT servers. + +No, it does not ignore -N, it is just that your server rejected the +null password in the connection, so smbclient prompts for a password +to try again. + +To get the behaviour that you probably want use + smbclient -L host -U% + +this will set both the username and password to null, which is +an anonymous login for SMB. Using -N would only set the password +to null, and this is not accepted as an anonymous login for most +SMB servers. +=============================================================================== + diff --git a/docs/textdocs/RoutedNetworks.txt b/docs/textdocs/RoutedNetworks.txt new file mode 100644 index 00000000000..ece9d1cc64d --- /dev/null +++ b/docs/textdocs/RoutedNetworks.txt @@ -0,0 +1,67 @@ +!== +!== RoutedNetworks.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +#NOFNR Flag in LMHosts to Communicate Across Routers
+
+ Last reviewed: May 5, 1997
+ Article ID: Q103765
+ The information in this article applies to:
+
+ Microsoft Windows NT operating system version 3.1
+ Microsoft Windows NT Advanced Server version 3.1
+
+ SUMMARY
+
+ Some of the LAN Manager for UNIX and Pathworks servers may have
+problems in communicating across routers with
+ Windows NT workstations. The use of #NOFNR flag in the LMHosts
+file solves the problem.
+
+ MORE INFORMATION
+
+ When you are communicating with a server across a router in a IP
+routed environment, the LMHosts file is used to
+ resolve Workstation name-to-IP address mapping. The LMHosts
+entry for a remote machine name provides the IP
+ address for the remote machine. In Lan Manager 2.x, providing
+the LMHosts entry eliminates the need to do a Name
+ Query broadcast to the local domain and instead a TCP session is
+established with the remote machine. Windows NT
+ performs the same function in a different way.
+
+ When an LMHosts entry exists for a remote server, Windows NT
+will not send a Name Query broadcast to the local
+ subnet and instead send a directed Name Query to the remote
+server. If the remote server does not respond to the Name
+ Query, further communications (TCP SYN, and so on) will not take
+place. This was done to eliminate the performance
+ issues when trying to connect to a remote machine when it was
+not available (down).
+
+ Some of the older LAN Manager for UNIX and DEC Pathworks servers
+do not respond to directed Name Queries sent
+ by Windows NT. In that case, the users will see an error 53
+(Path not found), even though they have specified the
+ LMHosts entries correctly. A new LMHosts flag #NOFNR was added
+to solve this problem. By specifying the
+ #NOFNR flag on the same line where the name resolution
+information for the server is provided, the directed Name
+ Query can be avoided. For example:
+
+ 130.20.1.1 mylmxserver #PRE #NOFNR
+
+
+ Note that this will only apply to mylmxserver and not to any
+other entries in the LMHosts file. To set
+ a global flag, an entry could be added in the registry. To
+completely remove any directed Name
+ Queries sent from a Windows NT machine, create the following
+value in
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nbt\Parameters:
+
+ NoDirectedFNR REG_DWORD 1
+
+
+ This will cause the directed Name Queries to not go out for any
+remote machines.
\ No newline at end of file diff --git a/docs/textdocs/SCO.txt b/docs/textdocs/SCO.txt index 1b3801471f7..44debb3d482 100644 --- a/docs/textdocs/SCO.txt +++ b/docs/textdocs/SCO.txt @@ -1,4 +1,14 @@ -There is an annoying TCPIP bug in SCO Unix. This causes orruption when +!== +!== SCO.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Geza Makay <makayg@math.u-szeged.hu> +Date: Unknown +Status: Obsolete - Dates to SCO Unix v3.2.4 approx. + +Subject: TCP/IP Bug in SCO Unix +============================================================================ + +There is an annoying TCPIP bug in SCO Unix. This causes corruption when transferring files with Samba. Geza Makay (makayg@math.u-szeged.hu) sends this information: diff --git a/docs/textdocs/SMBTAR.notes b/docs/textdocs/SMBTAR.notes index a23cbf2b325..679d776f56c 100644 --- a/docs/textdocs/SMBTAR.notes +++ b/docs/textdocs/SMBTAR.notes @@ -1,3 +1,9 @@ +Contributor: Unknown +Date: 1994 +Status: Mostly Current - refer man page + +Subject: Smbtar +============================================================================ Intro ----- @@ -37,4 +43,4 @@ newer filename into its own with sambatar. This causes tar (or get, mget, etc) to only copy files newer than the specified file name. Could be used against the previous nights (or whatever) log file to implement incremental -backups.
\ No newline at end of file +backups. diff --git a/docs/textdocs/SSLeay.txt b/docs/textdocs/SSLeay.txt new file mode 100644 index 00000000000..ca46ba0e400 --- /dev/null +++ b/docs/textdocs/SSLeay.txt @@ -0,0 +1,392 @@ +!== +!== SSLeay.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Christian Starkjohann <cs@obdev.at> +Date: May 29, 1998 +Status: + +Subject: Compiling and using samba with SSL support +============================================================================ + +What is SSL and SSLeay? +======================= +SSL (Secure Socket Layer) is a protocol for encrypted and authenticated data +transport. It is used by secure web servers for shopping malls, telebanking +and things like that. + +SSLeay is a free implementation of the SSL protocol. It is available from + + ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ + +The current version while these lines are written is 0.9.0. Encryption is +plagued by legal problems of all kinds. For a discussion of these please +read the documentation of SSLeay, which is available at + + http://www.psy.uq.edu.au/~ftp/Crypto/ + +To compile samba with SSL support, you must first compile and install SSLeay. +SSLeay consists of a library (which can be linked to other applications like +samba) and several utility programs needed for key generation, certification +etc. SSLeay installs to /usr/local/ssl/ by default. + + +Compiling samba with SSLeay +=========================== +1. Get and install SSLeay. The rest of this documentation assumes that you + have installed it at the default location, which is /usr/local/ssl/. + I have used SSLeay 0.9.0, but samba will probably also work with other + versions (but not with versions older than 0.6). +2. Modify the Makefile. At the end of the configurable section you can find + the SSL definitions. You can find them quickly by searching for SSL_ROOT. + Unremark the definitions and modify SSL_ROOT if necessary. +3. Compile and install as usual. + + +Configuring SSL in samba +======================== +Before you configure SSL, you should know the basics of cryptography and how +SSL relates to all of this. A basic introduction can be found further down in +this document. The following variables in the "[global]" section of the +configuration file are used to configure SSL: + +ssl = yes + This variable enables or disables the entire SSL mode. If it is set to + "no", the SSL enabled samba behaves exactly like the non-SSL samba. If set + to "yes", it depends on the variables "ssl hosts" and "ssl hosts resign" + whether an SSL connection will be required. +ssl hosts = +ssl hosts resign = 192.168. + These two variables define whether samba will go into SSL mode or not. If + none of them is defined, samba will allow only SSL connections. If the + "ssl hosts" variable lists hosts (by IP-address, IP-address range, net + group or name), only these hosts will be forced into SSL mode. If the + "ssl hosts resign" variable lists hosts, only these hosts will NOT be + forced into SSL mode. The syntax for these two variables is the same as + for the "hosts allow" and "hosts deny" pair of variables, only that the + subject of the decision is different: It's not the access right but + whether SSL is used or not. See the man page of smb.conf (section about + "allow hosts") for details. The above example requires SSL connections + from all hosts outside the local net (which is 192.168.*.*). +ssl CA certDir = /usr/local/ssl/certs + This variable defines where to look up the Certification Autorities. The + given directory should contain one file for each CA that samba will trust. + The file name must be the hash value over the "Distinguished Name" of the + CA. How this directory is set up is explained later in this document. All + files within the directory that don't fit into this naming scheme are + ignored. You don't need this variable if you don't verify client + certificates. +ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + This variable is a second way to define the trusted CAs. The certificates + of the trusted CAs are collected in one big file and this variable points + to the file. You will probably only use one of the two ways to define your + CAs. The first choice is preferable if you have many CAs or want to be + flexible, the second is perferable if you only have one CA and want to + keep things simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates. +ssl server cert = /usr/local/ssl/certs/samba.pem + This is the file containing the server's certificate. The server _must_ + have a certificate. The file may also contain the server's private key. + See later for how certificates and private keys are created. +ssl server key = /usr/local/ssl/private/samba.pem + This file contains the private key of the server. If this variable is not + defined, the key is looked up in the certificate file (it may be appended + to the certificate). The server _must_ have a private key and the + certificate _must_ match this private key. +ssl client cert = /usr/local/ssl/certs/smbclient.pem + The certificate in this file is used by smbclient if it exists. It's needed + if the server requires a client certificate. +ssl client key = /usr/local/ssl/private/smbclient.pem + This is the private key for smbclient. It's only needed if the client + should have a certificate. +ssl require clientcert = yes + If this variable is set to "yes", the server will not tolerate connections + from clients that don't have a valid certificate. The directory/file + given in "ssl CA certDir" and "ssl CA certFile" will be used to look up + the CAs that issued the client's certificate. If the certificate can't be + verified positively, the connection will be terminated. + If this variable is set to "no", clients don't need certificates. Contrary + to web applications you really _should_ require client certificates. In + the web environment the client's data is sensitive (credit card numbers) + and the server must prove to be trustworthy. In a file server environment + the server's data will be sensitive and the clients must prove to be + trustworthy. +ssl require servercert = yes + If this variable is set to "yes", the smbclient will request a certificate + from the server. Same as "ssl require clientcert" for the server. +ssl ciphers = ??? + This variable defines the ciphers that should be offered during SSL + negotiation. You should not set this variable unless you know what you do. +ssl version = ssl2or3 + This enumeration variable defines the versions of the SSL protocol that + will be used. "ssl2or3" allows dynamic negotiation of SSL v2 or v3, "ssl2" + results SSL v2, "ssl3" results in SSL v3 and "tls1" results in TLS v1. TLS + (Transport Layer Security) is the (proposed?) new standard for SSL. The + default value is "ssl2or3". +ssl compatibility = no + This variable defines whether SSLeay should be configured for bug + compatibility with other SSL implementations. This is probably not + desirable because currently no clients with SSL implementations other than + SSLeay exist. + + +Running samba with SSLeay +========================= +Samba is started as usual. The daemon will ask for the private key's pass +phrase before it goes to background if the private key has been encrypted. +If you start smbd from inetd, this won't work. Therefore you must not encrypt +your private key if you run smbd from inetd. + +Windows clients will try to connect to the SSL enabled samba daemon and they +will fail. This can fill your log with failed SSL negotiation messages. To +avoid this, you can either not run nmbd (if all clients use DNS to look up +the server), which will leave the Windows machine unaware of the server, or +list all (local) Windows machines in the "ssl hosts resign" variable. + + +About certificates +================== +Secure samba servers will not be set up for public use as it is the case with +secure web servers. Most installations will probably use it for distributed +offices that use parts of the internet for their intranet, for access to a +web server that's physically hosted by the provider or simply for teleworking. +All these applications work with a known group of users that can easily agree +on a certification authority. The CA can be operated by the company and the +policy for issuing certificates can be determined by the company. If samba is +configured to verify client certificates, it (currently) only verifies +whether a valid certificate exists. It does not verify any of the data within +the certificate (although it prints some of the data to the log file). + + +Which clients are available that support SSL? +============================================= +Currently there are only smbclient which is part of the samba package and +Sharity. Shariy versions newer than 0.14 in the beta branch and 1.01 in the +main branch can be compiled with SSLeay. Sharity is a CIFS/SMB client +implementation for Unix. It is a commercial product, but it is available in +source code and the demo-mode allows access to the first three layers of the +mounted directory hierarchy. Licenses for universities and students are free. +Sharity is available at + + http://www.obdev.at/Products/Sharity.html + + + +########################################################################### +Basics about Cryptography and SSL(eay) +########################################################################### + +There are many good introductions to cryptography. I assume that the reader +is familiar with the words "encryption", "digital signature" and RSA. If you +don't know these terms, please read the cryptography FAQ part 6 and 7, which +is posted to the usenet newsgroup sci.crypt. It is also available from + + ftp://rtfm.mit.edu/pub/usenet/news.answers/cryptography-faq +and + http://www.cis.ohio-state.edu/hypertext/faq/usenet/cryptography-faq + +I'll concentrate on the questions specific to SSL and samba here. + + +What is a certificate? +====================== +A certificate is issued by an issuer, usually a "Certification Authority" +(CA), who confirms something by issuing the certificate. The subject of this +confirmation depends on the CA's policy. CAs for secure web servers (used for +shopping malls etc.) usually only attest that the given public key belongs the +the given domain name. Company-wide CAs might attest that you are an employee +of the company, that you have permissions to use a server or whatever. + + +What is an X.509 certificate technically? +========================================= +Technically, the certificate is a block of data signed by the certificate +issuer (the CA). The relevant fields are: + - unique identifier (name) of the certificate issuer + - time range during that the certificate is valid + - unique identifier (name) of the certified subject + - public key of the certified subject + - the issuer's signature over all of the above +If this certificate should be verified, the verifier must have a table of the +names and public keys of trusted CAs. For simplicity, these tables are lists +of certificates issued by the respective CAs for themselves (self-signed +certificates). + + +What are the implications of this certificate structure? +======================================================== + - Because the certificate contains the subject's public key, the + certificate and the private key together are all that's needed to encrypt + and decrypt. + - To verify certificates, you need the certificates of all CAs you trust. + - The simplest form of a dummy-certificate is one that's signed by the + subject itself. + - A CA is needed. The client can't simply issue local certificates for + servers it trusts because the server determines which certificate it + presents. + + + +########################################################################### +Setting up files and directories for SSLeay +########################################################################### + +The first thing you should do is to change your PATH environment variable to +include the bin directory of SSLeay. E.g.: + + PATH=$PATH:/usr/local/ssl/bin + +Then you should set up SSLeay's random number generator. The state of this +random number generator is held in the file ".rnd" in your home directory. To +set a reasonable random seed, you need random data. Create a random file with + + cat >/tmp/rfile.txt + +Then type random keys on your keyboard for about one minute. Then type the +EOF character (^D) to terminate input. You may also use your favorite editor +to create the random file, of course. Now you can create a dummy key to +initialize the random number generator: + + ssleay genrsa -rand /tmp/rfile.txt > /dev/null + rm -f /tmp/rfile.txt + +Don't forget to delete the file /tmp/rfile.txt. It's more or less equivalent +to your private key! + + +How to create a keypair +======================= +This is done with 'genrsa' for RSA keys and 'gendsa' for DSA keys. For an RSA +key with 512 bits which is written to the file "key.pem" type: + + ssleay genrsa -des3 512 > key.pem + +You will be asked for a pass phrase to protect this key. If you don't want to +protect your private key with a pass phrase, just omit the parameter "-des3". +If you want a different key size, replace the parameter "512". You really +should use a pass phrase. + +If you want to remove the pass phrase from a key use: + + ssleay rsa -in key.pem -out newkey.pem + +And to add or change a pass phrase: + + ssleay rsa -des3 -in key.pem -out newkey.pem + + +How to create a dummy certificate +================================= +If you still have your keypair in the file "key.pem", the command + + ssleay req -new -x509 -key key.pem -out cert.pem + +will write a self-signed dummy certificate to the file "cert.pem". This can +be used for testing or if only encryption and no certification is needed. +Please bear in mind that encryption without authentication (certification) +can never be secure. It's open to (at least) "man-in-the-middle" attacks. + + +How to create a certificate signing request +=========================================== +You must not simply send your keypair to the CA for signing because it +contains the private key which _must_ be kept secret. A signing request +consists of your public key and some additional information you want to have +bound to that key by the certificate. If you operate a secure web server, +this additional information will (among other things) contain the URL of +your server in the field "Common Name". The certificate signing request is +created from the keypair with the following command (assuming that the key +pair is still in "key.pem"): + + ssleay req -new -key key.pem -out csr.pem + +This command will ask you for the information which must be included in the +certificate and will write the signing request to the file "csr.pem". This +signing request is all the CA needs for signing, at least technically. Most +CAs will demand bureaucratic material and money, too. + + +How to set up a Certification Authority (CA) +============================================ +Being a certification authority requires a database that holds the CA's +keypair, the CA's certificate, a list of all signed certificates and other +information. This database is kept in a directory hierarchy below a +configurable starting point. The starting point must be configured in the +ssleay.conf file. This file is at /usr/local/ssl/lib/ssleay.conf if you have +not changed the default installation path. + +The first thing you should do is to edit this file according to your needs. +Let's assume that you want to hold the CA's database at the directory +"/usr/local/ssl/CA". Change the variable "dir" in section "CA_default" to +this path. You may also want to edit the default settings for some variables, +but the values given should be OK. This path is also contained in the shell +script CA.sh, which should be at "/usr/local/ssl/bin/CA.sh". Change the path +in the shell script: + + CATOP=/usr/local/ssl/CA + CAKEY=./cakey.pem # relative to $CATOP/ + CACERT=./cacert.pem # relative to $CATOP/private/ + +Then create the directory "/usr/local/ssl/CA" and make it writable for the +user that operates the CA. You should also initialize SSLeay as CA user (set +up the random number generator). Now you should call the shell script CA.sh +to set up the initial database: + + CA.sh -newca + +This command will ask you whether you want to use an existing certificate or +create one. Just press enter to create a new key pair and certificate. You +will be asked the usual questions for certificates: the country, state, city, +"Common Name", etc. Enter the appropriate values for the CA. When CA.sh +finishes, it has set up a bunch of directories and files. A CA must publish +it's certificate, which is in the file "/usr/local/ssl/CA/cacert.pem". + + +How to sign a certificate request +================================= +After setting up the CA stuff, you can start signing certificate requests. +Make sure that the SSLeay utilities know where the configuration file is. +The default is compiled in, if you don't use the default location, add the +parameter "-config <cfg-file>". Make also sure that the configuration file +contains the correct path to the CA database. If all this is set up properly, +you can sign the request in the file "csr.pem" with the command: + + ssleay ca -policy policy_anything -days 365 -infiles csr.pem >cert.pem + +The resulting certificate (and additional information) will be in "cert.pem". +If you want the certificate to be valid for a period different from 365 days, +simply change the "-days" parameter. + + +How to install a new CA certificate +=================================== +Whereever a certificate must be checked, the CA's certificate must be +available. Let's take the common case where the client verifies the server's +certificate. The case where the server verfies the client's certificate works +the same way. The client receives the server's certificate, which contains +the "Distinguished Name" of the CA. To verify whether the signature in this +certificate is OK, it must look up the public key of that CA. Therefore each +client must hold a database of CAs, indexed by CA name. This database is best +kept in a directory where each file contains the certificate of one CA and is +named after the hashvalue (checksum) of the CA's name. This section describes +how such a database is managed technically. Whether or not to install (and +thereby trust) a CA is a totally different matter. + +The client must know the directory of the CA database. This can be configured. +There may also be a configuration option to set up a CA database file which +contains all CA certs in one file. Let's assume that the CA database is kept +in the directory "/usr/local/ssl/certs". The following example assumes that +the CA's certificate is in the file "cacert.pem" and the CA is known as +"myCA". To install the certificate, do the following: + + cp cacert.pem /usr/local/ssl/cers/myCA.pem + cd /usr/local/ssl/certs + ln -s myCA.pem `ssleay x509 -noout -hash < myCA.pem`.0 + +The last command creates a link from the hashed name to the real file. + +From now on all certificates signed by the myCA authority will be accepted by +clients that use the directory "/usr/local/ssl/certs/" as their CA certificate +database. + + + diff --git a/docs/textdocs/Speed.txt b/docs/textdocs/Speed.txt index 5dfd70323b1..fee111b6ec2 100644 --- a/docs/textdocs/Speed.txt +++ b/docs/textdocs/Speed.txt @@ -1,8 +1,14 @@ -This file tries to outline the ways to improve the speed of a Samba server. +!== +!== Speed.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell +Date: January 1995 +Status: Current -Andrew Tridgell -January 1995 +Subject: Samba performance issues +============================================================================ +This file tries to outline the ways to improve the speed of a Samba server. COMPARISONS ----------- @@ -30,6 +36,47 @@ hardware Samba should certainly be competitive in speed with other systems. +OPLOCKS +------- + +Oplocks are the way that SMB clients get permission from a server to +locally cache file operations. If a server grants an oplock +(opportunistic lock) then the client is free to assume that it is the +only one accessing the file and it will agressively cache file +data. With some oplock types the client may even cache file open/close +operations. This can give enormous performance benefits. + +With the release of Samba 1.9.18 we now correctly support opportunistic +locks. This is turned on by default, and can be turned off on a share- +by-share basis by setting the parameter : + +oplocks = False + +We recommend that you leave oplocks on however, as current benchmark +tests with NetBench seem to give approximately a 30% improvement in +speed with them on. This is on average however, and the actual +improvement seen can be orders of magnitude greater, depending on +what the client redirector is doing. + +Previous to Samba 1.9.18 there was a 'fake oplocks' option. This +option has been left in the code for backwards compatibility reasons +but it's use is now deprecated. A short summary of what the old +code did follows. + +Old 'fake oplocks' option - deprecated. +--------------------------------------- + +Samba can also fake oplocks, by granting a oplock whenever a client +asks for one. This is controlled using the smb.conf option "fake +oplocks". If you set "fake oplocks = yes" then you are telling the +client that it may agressively cache the file data for all opens. + +Enabling 'fake oplocks' on all read-only shares or shares that you know +will only be accessed from one client at a time you will see a big +performance improvement on many operations. If you enable this option +on shares where multiple clients may be accessing the files read-write +at the same time you can get data corruption. + SOCKET OPTIONS -------------- @@ -80,7 +127,10 @@ MAX XMIT At startup the client and server negotiate a "maximum transmit" size, which limits the size of nearly all SMB commands. You can set the maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. +in smb.conf. Note that this is the maximum size of SMB request that +Samba will accept, but not the maximum size that the *client* will accept. +The client maximum receive size is sent to Samba by the client and Samba +honours this limit. It defaults to 65536 bytes (the maximum), but it is possible that some clients may perform better with a smaller transmit unit. Trying values @@ -111,7 +161,20 @@ no". This will gain you a lot in opening and closing files but will mean that (in some cases) the system won't force a second user of a file to open the file read-only if the first has it open read-write. For many applications that do their own locking this -doesn't matter, but for some it may. +doesn't matter, but for some it may. Most Windows applications +depend heavily on "share modes" working correctly and it is +recommended that the Samba share mode support be left at the +default of "on". + +The share mode code in Samba has been re-written in the 1.9.17 +release following tests with the Ziff-Davis NetBench PC Benchmarking +tool. It is now believed that Samba 1.9.17 implements share modes +similarly to Windows NT. + +NOTE: In the most recent versions of Samba there is an option to use +shared memory via mmap() to implement the share modes. This makes +things much faster. See the Makefile for how to enable this. + LOG LEVEL --------- @@ -187,7 +250,7 @@ Samba supports reading files via memory mapping them. One some machines this can give a large boost to performance, on others it makes not difference at all, and on some it may reduce performance. -To enable you you have to recompile Samba with the -DUSE_MMAP=1 option +To enable you you have to recompile Samba with the -DUSE_MMAP option on the FLAGS line of the Makefile. Note that memory mapping is only used on files opened read only, and @@ -239,6 +302,7 @@ person even reported a speed drop of a factor of 30 when he went from It probably depends a lot on your hardware, and the type of unix box you have at the other end of the link. + MY RESULTS ---------- @@ -263,10 +327,3 @@ smbclient running on another linux box. Maybe I'll add those results here someday ... -COMMENTS --------- - -If you've read this far then please give me some feedback! Which of -the above suggestions worked for you? - -Mail the samba mailing list or samba-bugs@anu.edu.au diff --git a/docs/textdocs/Speed2.txt b/docs/textdocs/Speed2.txt new file mode 100644 index 00000000000..30dcd8405b7 --- /dev/null +++ b/docs/textdocs/Speed2.txt @@ -0,0 +1,60 @@ +!== +!== Speed2.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Paul Cochrane <paulc@dth.scot.nhs.uk> +Organization: Dundee Limb Fitting Centre +Date: Fri, 10 Apr 1998 +Subject: Samba SPEED.TXT comment +============================================================================= + +This might be relevant to Client Tuning. I have been trying various methods +of getting win95 to talk to Samba quicker. The results I have come up with +are: + +1. Install the W2setup.exe file from www.microsoft.com. This is an +update for the winsock stack and utilities which improve performance. + +2. Configure the win95 TCPIP registry settings to give better +perfomance. I use a program called MTUSPEED.exe which I got off the +net. There are various other utilities of this type freely available. +The setting which give the best performance for me are: + +(a) MaxMTU Remove +(b) RWIN Remove +(c) MTUAutoDiscover Disable +(d) MTUBlackHoleDetect Disable +(e) Time To Live Enabled +(f) Time To Live - HOPS 32 +(g) NDI Cache Size 0 + +3. I tried virtually all of the items mentioned in the document and +the only one which made a difference to me was the socket options. It +turned out I was better off without any!!!!! + +In terms of overall speed of transfer, between various win95 clients +and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE +drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT. + +The figures are: Put Get +P166 client 3Com card: 420-440kB/s 500-520kB/s +P100 client 3Com card: 390-410kB/s 490-510kB/s +DX4-75 client NE2000: 370-380kB/s 330-350kB/s + +I based these test on transfer two files a 4.5MB text file and a 15MB +textfile. The results arn't bad considering the hardware Samba is +running on. It's a crap machine!!!! + +The updates mentioned in 1 and 2 brought up the transfer rates from +just over 100kB/s in some clients. + +A new client is a P333 connected via a 100MB/s card and hub. The +transfer rates from this were good: 450-500kB/s on put and 600+kB/s +on get. + +Looking at standard FTP throughput, Samba is a bit slower (100kB/s +upwards). I suppose there is more going on in the samba protocol, but +if it could get up to the rate of FTP the perfomance would be quite +staggering. + +Paul Cochrane + diff --git a/docs/textdocs/Support.txt b/docs/textdocs/Support.txt index d71bdaf7b3e..c2ff75adcdf 100644 --- a/docs/textdocs/Support.txt +++ b/docs/textdocs/Support.txt @@ -1,55 +1,550 @@ +!== +!== Support.txt for Samba release 2.0 +!== The Samba Consultants List ========================== -This is a list of people who are prepared to install and support Samba. -Note that in most countries nobody should admit to "supplying" Samba, since -there is then an implied warranty with possibly onerous legal obligations. -Just downloading and installing it isn't supply in this sense, but advertising -"run our Samba for best results" may be so. +This is a list of companies who are prepared to support Samba +commercially. We do not do check any of this information for +accuracy, we just report what companies say about themselves in +the hope that it will be useful. -Being on this list does not imply any sort of endorsement by anyone, it is just -provided in the hope that it will be useful. +Note that the organisations listed below will expect you to pay for +The support that they offer. We have been told that several people +assumed this was a list of kindly companies offering free commercial +support! + +For free support use the Samba mailing list and the comp.protocols.smb +newsgroup. If you want to be added to the list, or want your entry modified then -contact the address below. They are currently listed in the -order that they were received. If it gets too big we may organise it -by region. Please make sure to include a header line giving the region -and country, eg CANBERRA - AUSTRALIA. +contact the address below. Please make sure to include a header line +giving the region and country, eg CANBERRA - AUSTRALIA, and use a +similar format to the existing entries. + +The Samba Team reserves the right not to add support providers. + +You can contact the maintainers at samba-bugs@samba.anu.edu.au + +The support list has now been re-arranged into geographical areas +and are sorted by state/region/town within these areas. +These are currently: + +Region Number of entries +---------------------------------------------------- + AFRICA 2 + AMERICA - MEXICO/CENTRAL & SOUTH 5 + AMERICA - USA 39 + ASIA 1 + AUSTRALIA & NEW ZEALAND 20 + CANADA 10 + EUROPE 41 + MIDDLE EAST 1 + +AFRICA +====== + +------------------------------------------------------------------------------ +GAUTENG - SOUTH AFRICA -You can contact the maintainers at samba-bugs@anu.edu.au +Company: Obsidian Systems +Street Addr: Boskruin Office Park Unit 3, Bosbok street, Randpark Ridge + Gauteng, 2156, South Africa. +Postal Addr: PO Box 4938, Cresta, South Africa, 2118 +Contact no's: +2711 792-6500/38, Fax: +2711-792-6522 + Cell: +2783-379-6889/90/91 or +2783-377-4946 or +27832660199 +Our level of experience: Low level programming and support for all samba +security and compatability issues. We use Samba in South African Schools +and commercial companies as an affordable solution for LAN and WAN +networking. +For futher information, please consult our website www.obsidian.co.za ------------------------------------------------------------------------------ -BRISBANE - AUSTRALIA -Brett Worth -Select Computer Technology - Brisbane -431 Logan Road -Stones Corner QLD 4120 -E-Mail: brett@sct.com.au ------------------------------------------------------------------------------ +JOHANNESBURG - SOUTH AFRICA + + Company: Symphony Research (Pty) Ltd + Contact: Dr Evan Summers, <evan@sr.co.za>, tel 011 728-5742. +keywords: Samba on Linux, support and consulting + Johannesburg (South Africa) ------------------------------------------------------------------------------ -CANBERRA - AUSTRALIA -Paul Blackman (ictinus@lake.canberra.edu.au, Ph. 06 2012518) is -available for consultation. Paul's Samba background is with -Solaris 2.3/4 and WFWG/Win95 machines. Paul is also the maintainer -of the SAMBA Web Pages. + + + + + + +AMERICA - CENTRAL & SOUTH +========================= + + +------------------------------------------------------------------------------ +ARGENTINA - SOUTH AMERICA + +Buenos Aires - Argentina + +Guillermo Sansovic +Email: gui@usa.net +Arkham Software +Rivadavia 923 Piso 8 +1002 Buenos Aires +Argentina + +Tel: + 54 1 345-0645 + +At Arkham Software we have been working with Unix systems since 1986. We do +intranets, software development and system integration. Our experience ith +Samba dates from 1995. ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -READING - ENGLAND +CHILE - SOUTH AMERICA + +Company: Magic Consulting Group/Magic Dealer +Street Addr: Alberto Reyes #035 Barrio Bellavista + Providencia Santiago +Contact no's: +56 2 365 19 18, Fax: +56 2 365 14 55 + +Contact Person: Marcelo Bartsch or Roy Zderich + +Email contact: +Samba Support : samba@mg.dyn.ml.org +Other NET OS Support : othernetos@mg.dyn.ml.org +Other Questions : networks@mg.dyn.ml.org +General Info: info@mg.dyn.ml.org + +Our level of experience: support for all Samba and Linux security and +compatability issues. We use Samba in our local network and we have +experience instaling it on some other locations. we also provide +techincal support for Linux, Novell, Windows NT, OS/2 and other +Operating Systems. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +HONDURAS - CENTRAL AMERICA + +Open Systems, S.A. + +Open Systems, S.A. provides support to SAMBA in SCO UnixWare 2.X: + +Server Platform: SCO UnixWare 2.X +Client Platform: Windows NT, Windows 95, WFW (3.11), DOS. + +Open Systems, S.A. also provides consulting services and technical +support in the following server platforms since 1987: + +SCO Open Server 3.0 and 5.0 +SCO UnixWare 2.X (SVR4.2MP) +UNIX SVR4 (NCR, UNISYS) + +Contact: +Selim Jose Miselem +Open Systems, S.A. +Centro Comercial Dallas +San Pedro Sula, Honduras, Central America +Tel/Fax 011 (504) 529868 +e-mail: selim@opensys.hn +URL: http://www.opensys.hn +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GUADALAJARA, JAL.. - MEXICO + +Leonardo Madrigal del Valle +E-mail: lmadrig@acnet.net +Phone: (3) 1228260 + +Samba experience: +Server: Samba 1.9.15 and above with any kind of unix system. +We have been doing many development projects on Windows (NT/95), +Macintosh, UNIX and embedded system platforms in the area of networking +drivers and applications during the last few years. + +In regards to SAMBA, we have a lot of experience in SMB/CIFS protocol +development. We have special expertise in porting SAMBA to embedded system +environments for NT/WIN95/WFW client/server connectivity. +Client: WinNT, Win95, WfWg, Win 3.1 & LAN WorkPlace. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +VILLAHERMOSA, TAB. - MEXICO + +Carlos Enrique García Díaz +E-mail: cgarcia@tnet.net.mx +Phone: (93) 12-33-91 + +Samba experience: +Server: Samba 1.9.15 and above with Solaris (Sparc & x86), SG Irix 5.2 - 6.3, +AIX 3.2, DEC OSF1 v4.0, DG/UX v4.11, SunOS. +Client: WinNT, Win95, WfWg, Win 3.1 & LAN WorkPlace. +------------------------------------------------------------------------------ + + + + + + + +AMERICA - USA +============= + +------------------------------------------------------------------------------ +ARIZONA - USA + +Stephen Greenberg +Nick Temple +Coactiv Systems Inc. +4625 S. Lakeshore Drive, suite 401 +Tempe, AZ 85282 +(602) 345 4114 +(602) 345 4105 fax +steveg@coactiv.net + +We are LAN/WAN integrators who specialize in the standard fare (i.e. Novell +and NT) as well as UNIX, NTRIGUE and SAMBA. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ARIZONA - USA + + +PSN Internet Service +4700 N. Central #107 +Phoenix, AZ 85012 +Phone: (602) 266-0911 Fax: (602) 248-8153 Web: http://www.psn.net/vpn/ +Contacts: Michael Almond or Joseph H. Hickman sales@psn.net, samba-support@psn.net -Philip Hands | E-Mail: info@hands.com -Philip Hands Computing Ltd. | Tel: +44 1734 476287 Fax: 1734 474655 -Unit 1, Cherry Close, Caversham, Reading RG4 8UP UK +PSN Internet Service has implemented many VPN's using SAMBA for our customers. We can help +you configure your servers or provide storage space on our servers. PSN has POPs +throughout the US. -Samba experience: SVR4,SVR3.2 & Linux <--> WfWg, W3.1, OS2 and MS-LanMan +Michael Almond +Planet Systems Network of America, Inc. +602-266-0911 x2001 +http://www.psn.net ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -ILLONOIS - USA +BAY AREA, SILICON VALLEY CALIFORNIA - USA + +Adital Corp. + +7291 Coronado Dr. ,Suite 4 San-Jose Ca 95129 + +Phone : (408) 257-7717 Fax : (408) 257-7772 E-Mail: ephi@adital.com + +Contact: Ephi Dror, Director of software development. + +Adital is a company that specialized in networking products development. +We have been doing many development projects on Windows (NT/95), Macintosh, +UNIX and embedded system platforms in the area of networking drivers and +applications during the last few years. In regards to SAMBA, we have a lot +of experience in SMB/CIFS protocol development. + +We have special expertise in porting SAMBA to embedded system environments for +NT/WIN95/WFW client/server connectivity. + +We can help you defining and specifying your product as well as designing, +implementing, testing, upgrading and maintaining it. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SAN FRANCISCO BAY AREA - USA + +Alex Davis --- President of FTL +Faster Than Light, 2570 Ocean Ave. #114, San Francisco, California, 94132 +HTTP://www.ftl.net/ EMAIL:davis@ftl.net TEL:415.334.2922 FAX:415.337.6135 + +We are located in the "Bay Area" of California, USA. We provide +consultant and training for Unix, Windows, Macintosh applications, +and hardware. We also provide Internet access to many of the local +companies as a part of our "one-stop-shop" model. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SAN FRANCISCO BAY AREA - USA + +2125 Hamilton Ave. Suite 100 +San Jose, CA 95125 +888-ACCLAIM [Inside California] +(408) 879 - 3100 +(408) 377-4900 [Fax] + +We can provide commercial support for Samba. We have created additional +scripts that we can add to the Samba distribution to create an installation in +Sun Solaris "package add" format. We are a Sun Reseller, but we can also +support Samba on HP, SGI, Linux, in addition to Sun Solaris Sparc/X86. + +To find out more about our company, look at our website: + http://www.acclaim.com +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BAY AREA, BERKELEY CALIFORNIA - USA + +Vortex Technology Services + +2467 Warring St Suite 206, Berkeley CA 94704 + +Phone/Fax : (510) 540-VTEX E-Mail: support@vtex.net + (510) 540-8839 + +Contact: Paul Puey, Chief Network Consultant/Engineer + +Vortex Technology is a fast growing technical service company based in +Berkeley, California. Our Co-founders are composed entirely of UC +Berkeley engineering graduates with a broad range of skills in the +technical consultation fields. We provide bay area companies with +professional web site and database design, LAN and WAN consultation, and +custom programming. We ourselves use a mixed NT / Linux Samba server +environment in our office. We are very experienced with Samba +administration as well as administration of UNIX and NT networks. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +CALIFORNIA - USA + +Cliff Skolnick +Steam Tunnel Operations +900 Tennessee St, suite 22 +San Francisco, CA 94107 +http://www.steam.com/ +(415) 920-3800 +cliff@steam.com +------------------------------------------------------------------------------ + +----------------------------------------------------------------------- +SOUTHERN CALIFORNIA - USA + +Michael St. Laurent +Serving Los Angeles and Orange Counties. Please contact via email. +rowl@earthlink.net +Michael St. Laurent +Hartwell Corporation +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SOUTHERN CALIFORNIA - USA + +Yuri Diomin +Yuri Software +13791 Ruette Le Parc, Ste. C +Del Mar, CA 92014 +Phone: 619-350-8541 +Fax: 619-350-7641 +yuri@yurisw.com +http://www.yurisw.com + +We have been supporting Samba in commercial installations for several years +on a variety of client and server platforms. We have extensive experience +in all aspects of UNIX-Windows connectivity solutions for mixed platform +corporate setups. We are a contributor to Samba source code. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +NORTH CAROLINA - USA + +Whole Systems Solutions, Inc. + + Whole Systems Solutions, Inc. has been running Samba since the +1.6 release. We specialize in small to medium sized business network +solutions. Whole Systems Solutions, Inc. provides outsourcing of IT to +enhance employee abilities therefore improving productivity. Through +software beta testing and development network of NT, NetWare, Unix, and +Win clients we have developed a vast knowledge base for support. Our +clients choose us for service and support that exceeds their +expectations. Your business depends on your computers. Your computers +should depend on WSS. + +Jay M. Eisenberg Whole Systems Solutions, Inc. +President +Web: http://www.wss.net +Phone: (910) 297-4977 +Email: jay@wss.net +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FORT COLLINS, COLORADO - USA + +Granite Computing Solutions +ATTN: Brian Grossman +P.O. Box 270103 +Fort Collins, CO 80527-0103 +U.S.A. +Tel: +1 (970) 225-2370 +Email: granite@SoftHome.Net WWW: http://www.SoftHome.Net/granite/ + +Information services, including WfWG, NT, Apple <=> Unix interoperability. +WWW solutions. WWW education. Unix education. Custom software +development - eg. http://www.SoftHome.Net/modsim/. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +COLORADO - USA + +Daylight Software +1062 Lexington Lane +Estes Park, CO 80517 USA +(970) 586-6058 + +We have experience with Samba under SunOS, Solaris and Linux, +and also with Windows NT and Microsoft Lan Manager. + +Contact: daylight@frii.net + +Chris Howard Daylight Software +daylight@frii.net Estes Park, Colorado USA +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FLORIDA - USA + +Swaney & Associates, Inc. +ATTN: Stephen Swaney + 2543 Lincoln Avenue + Miami, Florida 33133 + U.S.A + (305) 860-0570 + +Specializing in: + High Availability system & networks + UNIX to PC connectivity + Market Data systems + Messaging Systems (Sendmail & Microsoft Exchange) +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FLORIDA - USA + +Progressive Computer Concepts, Inc. +1371 Cassat Avenue +Jacksonville, FL 32205 +info@progressive-comp.com +800-580-2640 - 904-389-3236 - 904-389-6584 fax + +Related Products and Services: + ncLinux (Network Computer) consulting, installations, and turnkey + networks. Multi-user NT and Samba consulting, installation and + administration (both remote and onsite), Internet and Intranet + connectivity, LAN and WAN, firewall installation, security, + troubleshooting and training, custom LAN/WAN/Intranet business + systems development, WWW/CGI development (e.g. database gateways, + catalogs). +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FLORIDA - USA + +Ten Twenty-Six Enterprises, Inc. +1616 Illinois Street, Orlando FL 32803 + +http://www.ten26.com/ + +Email: samba@ten26.com + +Tel: 407 898-2519 + +We are a commercial network and computer consulting firm providing +hardware sales and network support. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FLORIDA - USA + +TradeWeb +Bill Harris +(407) 657-8649 +bill@tradeweb.net + +http://www.tradeweb.net + +We have been working with SAMBA since 1995 and support it in a number of +large organizations. We are available to Companies in the Central +Florida area. We are well familiar in the integration of SAMBA and NT +and in SAMBA configuration on AIX, SCO, Linux And SUN Solaris. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FLORIDA - USA + +The PC Doctor +Tampa Bay Interactive +1314 Tampa Rd STE 120 +Palm Harbor, FL 34683 + +ph 813.781-2209 +fx 813.571-3805 + +Contacts: Jared Hall: jhall@tbi.net + System Operations: support@tbi.net + +Tampa Bay Interactive provides complete Internet solutions for the Small +Office and Home Office. Specializing in Intel-Based UNIX systems; Linux, +BSD/OS, FreeBSD, SCO. Proxy Server specialists. + +~~ Jared Hall ~~~~~~~ Tampa Bay Interactive +~~~~~~~~~~~~~~~~~~~~~ 1314 Tampa Rd, #120 +~~ jhall@tbi.net ~~~~ Palm Harbor, FL 34683 +~~ (813) 781-2209 ~~~ (http://www.tbi.net) + +Telecom Corner - http://www.tbi.net/~jhall +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GEORGIA - USA + +Hoppe Computer Services +2171 Brooks Road +Dacula(Atlanta), Georgia 30019 +770-995-5099 fax 770-338-3885 + +Supporting the Atlanta, Georgia USA area for two and a half years. +In the computer field for 22 years. + +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GEORGIA - USA + +Region: ATLANTA, GA - USA +Company: Advanced Application Development, Inc. +Address: 4383 Burnleigh Chase + Roswell, GA 30075 +Telephone: (770) 552-4248 +email: support@aad.com +Contact Name: Rich Vaughn + rvaughn@aad.com + +Provides consulting, development and system integration +services for businesses throughout the Southeastern US. +We have been using Samba on various UNIX platforms for +several years and are familiar with porting and configuration +issues. Visit our web site at http://www.aad.com. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +IOWA - USA + +Afan Ottenheimer +JEONET +PO Box 1282 +Iowa City, IA 52244 +Phone: 319-338-6353 +Fax: 319-338-6353 +Email: afan@jeonet.com +WWW: http://www.jeonet.com/jeonet/ + +Specializing in systems integration, database, and advanced web +site design since 1995. Have extensive experience in +Linux<->NT<->Windows 3.11<->Windows 95 interaction using SAMBA. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ILLINOIS - USA Information One, Inc. 736 Hinman Ave, Suite 2W @@ -61,103 +556,566 @@ Providing custom Internet and networking solutions. ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ +ILLINOIS - USA + +Honesty Communications Inc. +1001 W 75th St Suite 179A-200 +Woodridge, IL 60517 + +http://www.honesty.com +support@honesty.com + +(630) 964-8441 +(708) 399-8158 Emergency Pager + +Serving as 'Technical Support for Technical Support' to numerous +companies across the country Honesty Communications provides +solutions for all situations with + +We can provide Samba installation, configuration, and security analysis +as well as on-going support, training and upgrades. We also provide +custom programming and a slew of other services. + +Expertise includes: + + UNIX, Windows 95, Windows NT, Windows 3.x, OS/2, Programming (C/C++, + Java, Visual Basic, Visual C, etc.), Support, Training +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +KANSAS- USA + +NT Integrators +901 Kentucky Street +Suite 105 +Lawrence, KS 66044 +785-842-1100 + +http://www.ntintegrators.com/ +email: ballard@ntii.net + +Consulting company that does NT/Linux/Samba/etc integration and support. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +MISSOURI/KANSAS - USA + +DLP, Inc. +303 N. Jeffreys Street +Pleasant Hill, MO 64080-1331 +USA +816-540-5167 - voice +816-540-5218 - fax + +DLP, Inc. offers cost-effective networking solutions to small and +medium-sized businesses in the greater Kansas City area using a +combination of MS-Windows 95/NT workstations and Linux servers running +samba. Services offered include complete system setup and configuration +of new installations and enhancement and administration of existing +installations. Other available services include installation and setup of +intranets using the popular Apache web server. + +Please contact Dave Parker via email or call toll free from the greater +Kansas City area: + + 540-5167 - voice + 540-5218 - fax + +email: dlparker@dlpinc00.com +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +MASSACHUSETT - USA + +Tim Riker +506 Walpole St. +Norwood, MA 02062-1719 +timr@pop3.silverplatter.com +1(781)255-2014 +http://webspirs.silverplatter.com/~timr/ + +Experienced with Samba installations on multiple platforms and +architectures. +See resume on the web for more info. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +LAS VEGAS, NEVADA - USA + +DPN, Inc. Las Vegas NV + +(702) 873-3282 Ph. +(702) 873-3913 Fax +Email duane@dpn.com + +Can provide commercial support for samba running on any version of +SCO above 3.0 and for Linux. We currently have installed and are +supporting several versions of samba on over 25 client sites across +the US, in addition to our 6 in-house samba servers. Our largest client +site has approx. 100 users. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +NEW JERSEY - USA + +William J. Maggio +LAN & Computer Integrators, Inc. +242 Old New Brunswick Road Email: bmaggio@lci.com +Suite 440 Voice: 908-981-1991 +Piscataway, NJ 08855 Fax : 908-981-1858 + + Specializing in Internet connectivity and security, Sun integration and + high speed, enterprise network design and deployment. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +NEW YORK - USA + +Psytronics +99 Leroy Street +Binghamton, NY 13905 + +info@psytronics.com +www.psytronics.com + +Psytronics is an authorized Red Hat Support Partner. Psytronics offers +e-mail, phone, and on-site support as well as remote network +administration services. We specialize in Linux/Windows heterogeneous +network integration, custom software development, and Internet/Intranet +server configuration. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +OREGON - USA + +Warren Birnbaum +Birnbaum Associates +2934 N.E. 18th Avenue +Portland, OR 97212 +Phone: 503-282-6329 +Fax: 503-288-7074 +birnbaum@teleport.com + +I have been supporting Samba in commercial installations for several +years on HP-UX and Solaris server platforms. I have installed Samba on +over 80 servers used by over 7000 users. I am a contributor to Samba +source code. + +I can provide Samba installation, configuration, and custom coding +as well as on-going support. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +TEXAS - USA + +Jody Winston +xprt Computer Consulting, Inc. +731 Voyager +Houston, TX 77062 +(281) 480 8649, jody@sccsi.com + +We have been supporting software from the Free Software Foundation and +other groups such as Linux for over 8 years. The base rate is 150.00 +US dollars per hour. Please contact us for more information on our +rates and services. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +TEXAS - USA + +The Solutions Group +P.O. Box 31400 +Houston, TX 77231-1400 + +Voice: (713) 729-2602 +Fax: (713) 723-9387 +Email: chuckb@LinuxTX.com + +The Solutions Group provides support for Linux, Solaris, and SCO UNIX. +We specialize in mixed environments using Samba. We are certified NT +as well as UNIX specialists. We can provide onsite support in the +Houston area and remote support in any other areas. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +UNITED STATES + +Stelias Computing is the developer of the InfoMagic Workgroup Server, a +Linux distribution customized for use as a PC and Macintosh file and +print server (using Samba and netatalk respectively). Stelias also +offers custom system programming and Samba support contracts. + +For information about the InfoMagic Workgroup Server contact InfoMagic: + http://www.infomagic.com/ + questions@infomagic.com + voice: 800-800-6613 or 520-526-9565 + fax: 520-526-9573 + +To contact Stelias about custom arrangments, send email to +info@stelias.com. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +USA / CANADA + +Shakeel Software Systems. - USA/Canada + +Shakeel Ahmed Rao +E-mail: sarao@ibm.net +Phone: (773) 695-0104 USA (519) 570-0468 Canada + + +Expertise in implementing Samba in Unix/NT/WIN95 client/server environments. +Have successfully implemented SAMBA for Hewlett Packard and IBM intranets. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +USA - VIRGINIA + +Commonwealth Technical Services, Inc. +13618 Hull Street Road +Suite 300 +Midlothian, VA 23112 +bcaudle@ctsi.net +www.ctsi.net +804-639-5400 + +Commonwealth Technical Services supports Samba systems on various UNIX platforms, +as well as providing hardware, software, and consulting services for UNIX and Windows +networks and the Internet. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +WASHINGTON DC METRO - USA + +Asset Software, Inc. has been running Samba since the 1.6 release on various +platforms, including SunOS 4.x, Solaris 2.x, IRIX 4.x and 5.x, Linux 1.1x, +1.2x, and 1.3x, and BSD UNIX 4.3 and above. We specialize in small office +network solutions and provide services to enhance a small office's +operations. Primarily a custom software operation, our vast knowledge of +Windows, DOS, Unix, Windows NT, MacOS, and OS/2 enable us to provide quality +technical assistance to the small office environment at a reasonable price. +Our upcoming multi-mailbox mail client, IQ Mail, enables users with more +than one mailbox to send and retrieve their mail from a single, consistent +mail client running in Windows. + +David J. Fenwick Asset Software, Inc. +President djf@assetsw.com +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +WASHINGTON STATE - USA + +Brian Meyer +Personal Data Services +9792 Edmonds Way Suite 121 +Seattle, Washington 98020 USA +Voice: (206) 365-8212 +E-mail: admin@pdsnorth.com +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +WASHINGTON - USA + Olympic Peninsula Consulting; 1241 Lansing Ave W., Bremerton, WA 98312-4343 telephone 1+ 360 792 6938; mailto:opc@aa.net; http://www.aa.net/~opc; Unix Systems and TCP/IP Network design, programming, and administration. ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -SolutionS R Us has been in business for 3+ years providing viable 3rd -party support in system/network administration. With our own Linux -distribution which we're constantly improving to make it the best and -using it to provide total solutions for companies which are open to -using Linux. +WASHINGTON STATE - USA + +INTERNET: bill@Celestial.COM Bill Campbell; Celestial Systems, Inc. +UUCP: camco!bill PO Box 820; 2835 82nd Avenue S.E. S-100 +FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 +URL: http://www.celestial.com/ -Mauro DePalma <mauro@sru.com> +We provide support for Samba and many other Unix related systems. Our +primary systems are SCO, Caldera Linux, and Solaris on Sun systems. + +Celestial has been in business since late 1984 working primarily on +medium to large Unix systems. More information is available on our +web site, http://www.celestial.com/. ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -BIELEFELD - GERMANY +WASHINGTON STATE - USA -I am located in Bielefeld/Germany and have been doing Unix consultancy -work for the past 8 years throughout Germany and the rest of Europe. I -can be contacted by email at <jpm@mens.de> or via phone at +49 521 -9225922 or telefax at +49 521 9225924. +Jeff Clithero jeff@octopi.com APPGEN Vertical +Interstellar Octopus, Ltd. Voice 360-379-1754 Accounting Solutions +1829 Lincoln St. PgVm 800-893-9517 Integration Services +Port Townsend, WA USA FAX 360-379-1753 Sales and Support + +We support SAMBA commercially. + +In the US/Canada we provide 800 number for our clients and can go +onsite to customers in the Northwest US and Vancouver, BC areas. ------------------------------------------------------------------------------ + + +ASIA +==== + ------------------------------------------------------------------------------ -CANBERRA - AUSTRALIA +SEOUL - KOREA -Ben Elliston -Faculty of Information Sciences and Engineering -University of Canberra AUSTRALIA -E-mail: ben@ise.canberra.edu.au (Uni) +MultiMedia KOREA Inc, E-Mail : info@seoul.korea.co.kr +Internet,WWW,Network Support Group, TEL : +82-02-597-1631 + FAX : +82-02-521-4463 +SeoChoGu SeoChoDong 1537-6 WWW : http://www.korea.co.kr +JungAng B/D #401 +SEOUL KOREA + +SAMBA Experience : SunOS, Solaris, Linux, SCO-Unix, Win95/NT/3.1 ------------------------------------------------------------------------------ + + + + + +AUSTRALIA & NEW ZEALAND +======================= + ------------------------------------------------------------------------------ -PALERMO - ITALY +ADELAIDE - AUSTRALIA -Francesco Cardinale -E-Mail: cardinal@palermo.italtel.it -Samba experience: SVR3.2, SOLARIS, ULTRIX, LINUX <--> DOS LAN-MAN, WFW +Richard Sharpe, sharpe@ns.aus.com +NS Computer Software and Services P/L +PO Box 86, +Ingle Farm, SA 5098 +Australia + +Contact: Richard Sharpe + Ph: +61-8-281-0063 (08-281-0063) AH + FAX:+61-8-250-2080 (08-250-2080) + +Located in Adelaide, South Australia. + +Proficient with Digital UNIX, ULTRIX, SunOS, Linux, Win 95, WfWg, Win NT. ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -SYDNEY - AUSTRALIA +ADELAIDE - AUSTRALIA -John Terpstra - Aquasoft (jht@aquasoft.com.au) -Business: +612 524 4040 -Home: +612 540 3154 -Shoephone: +612 414 334422 (aka 0414 334422) +Loftus Computing Services +191 Flinders Street +Adelaide 5000 +South Australia + +Phone: +61 8 8407 7577 +Fax: +61 8 8407 7501 +Email: support@loftuscomp.com.au + + +SAMBA Experience : SunOS, Solaris, SCO-Unix, Free BSD, Win95/NT/3.1 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -ONTARIO - CANADA +CANBERRA - AUSTRALIA -Strata Software Limited, Kanata Ontario CANADA -Tel: +1 (613) 591-1922 Fax: +1 (613) 591-3485 -Email: sales@strataware.com WWW: http://www.strataware.com/ +Paul Blackman (ictinus@lake.canberra.edu.au, Ph. 06 2012518) is +available for consultation. Paul's Samba background is with +Solaris 2.3/4 and WFWG/Win95 machines. Paul is also the maintainer +of the SAMBA Web Pages. +------------------------------------------------------------------------------ -Strata Software Limited is a software development and consulting group -specializing in data communications (TCP/IP and OSI), X.400, X.500 and -LDAP, and X.509-based security. We have Samba experience with Windows NT, -Windows 95, and Windows for Workgroups clients with Linux, Unixware -(SVR4), and HP-UX servers. +------------------------------------------------------------------------------ +CANBERRA - AUSTRALIA + +Ben Elliston +E-mail: bje@air.net.au +Samba systems: Solaris 2.x, Linux, HP-UX. ------------------------------------------------------------------------------ ----------------------------------------------------------------------- -SYDNEY - AUSTRALIA +MELBOURNE - AUSTRALIA -We are a Unix & Windows developer with a consulting & support component. -In business since 1981 with experience on Sun, hp, sgi, IBM rs6000 plus -Windows, NT and Win95, Using Samba since September 94. -CodeSmiths, 22 Darley Road, MANLY 2095 NSW; 977 1979; fax: 977 2116 -philm@esi.com.au (Australia; New South Wales; SYDNEY; North East) +Michael Ciavarella +Cybersoruce Pty Ltd. +8/140 Queen Street +Melbourne VIC 3000 +Phone: +61-3-9642-5997 +Fax: +61-3-9642-5998 +Email: mikec@cyber.com.au +WWW: http://www.cyber.com.au + +Cybersource specialises in TCP/IP network integration and Open Systems +administration. Cybersource is an Australian-owned and operated +company, with clients including some of Australia's largest financial, +petrochemical and state government organisations. ----------------------------------------------------------------------- ------------------------------------------------------------------------------ -EDINBUGH - SCOTLAND +MELBOURNE - AUSTRALIA + +Company Name DARX Consulting +Postal Address PO Box 12329 + A'Beckett St PO + Melbourne 3000 +Area of Service Melb Metro and SE Suburbs +Phone +61 3 9822 1216 +Email info@darx.com.au -Charlie Hussey email charlie@edina.demon.co.uk -Edina Software Limited tel 0131 657 1129 -4 James Street fax 0131 669 9092 -Edinburgh EH15 2DS +We provide setup and support of samba based systems as well as +Novell/NT Systems. +----------------------------------------------------------------------- -SAMBA experience: SCO UNIX <=> WfWg ------------------------------------------------------------------------------ +N.T - AUSTRALIA + +Open Systems Network SupportServer Platforms - +Unix/Linux +Client Platforms - Windows3.1/95/NT, Macintosh, Unix/Linux-- +David Schroeder Darwin Network Services +Ph/Fax (08) 8932 1156 PO Box 82383 +(Int) +61 8 8932 1156 Casuarina N.T +Email: djsc@it.ntu.edu.au Australia 0811 +----------------------------------------------------------------------- ------------------------------------------------------------------------------ -LONDON - ENGLAND +NEW SOUTH WALES - AUSTRALIA + +BITcom Telecommunications Phone: (02) 9747 0011 +P.O. Box 15 Int'l: +61 2 9747 0011 +Burwood NSW 2134 Australia Fax: (02) 9747 6918 +Contact: Craig Bevins Email: consult@bitcom.net.au + +BITcom is an open systems and networking consultancy. We have been +doing Open Systems since long before the term was coined, a key staff +member having participated in the IEEE working group which produced +the POSIX standard for Un*x-like systems in 1988. + +We tend to have a Unix orientation (all flavours) but our focus is on +getting the job done and we are happy to employ other technologies which +fit. Heck, we even use and support Microsoft's products! Our areas +of expertise cover general Unix consultancy, support for public domain +and GNUish software, PC LAN -> Unix integration, Internet, WWW and local +and wide-area network design, implementation and security. We have a +collective masochistic streak and actually enjoy hacking on sendmail +configuration. We are an AUSTEL-licenced telecommunications and data +cabler and hold a NSW security industry licence. + +We know Windows NT, LANMAN, PC-NFS and others. We use, recommend and +support Samba and have done so since 1994. +------------------------------------------------------------------------------ -Mark H. Preston, -Network Analyst, | Email : mpreston@sghms.ac.uk -Computer Unit, | Tel : +44 (0)181 725-5434 -St. George's Hospital Med School, | Fax : +44 (0)181 725-3583 -London SW17 ORE. | WWW : http://www.sghms.ac.uk +------------------------------------------------------------------------------ +PERTH - AUSTRALIA -Samba Experience: -Server: Solaris 2.3 & 2.4, Irix 5.2 & 5.3 -Client: WinNT, Win95, WfWg, Win3.1, Ms-LanMan, DHCP support +Bruce Cook - Synonet Corporation. +E-mail: bcook@wantree.com.au +Mobile: 015 999 330 (International +61 15 999 330) +Experience: Samba on FreeBSD, Linux, Solaris (Sparc), Sunos-4 + Microsoft networking using NT/NTAS, Win95, WFW311, DOS +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PERTH - AUSTRALIA + +Geoff Allan Phone: +61 8 9325 9922 +Office Information Fax: +61 8 9325 9938 +Perth, Western Australia Mobile: 0412 903 659 +Email: geoffa@officeinfo.com.au + +Office Information has been in existence since 1991. We are (amongst +other things) systems integrators with experts in Unix, Linux, Novell, +NT and the other DOS & Windows platforms. We also have a number of +Clients for whom we have installed and supported Samba. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PERTH - AUSTRALIA + +CONDOR Technology Pty Ltd +12 Walker Avenue, +West Perth, WA, 6005. + +Phone: +61-8-9322-2377 +Fax: +61-8-9322-2380 (fax) +Mail: sales@condor.com.au + +As UNIX specialists since 1989, the team at Condor +provide unmatched expert advice for UNIX file serving, +communication, intranet, World Wide Web and mail servers. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +QUEENSLAND - AUSTRALIA + +OPAL BROOK Pty Ltd. +Dave Forden +The Software Systems & Technology Consulting Specialists +Unit 120 Admiralty Towers 1, 35 Howard Street BRISBANE QLD 4000 +Business: 38318251 +Mobile: 041 996 5577 +email: opalbrk@bit.net.au +web: http://bit.net.au/~opalbrk + +ON SITE: FOCUS98 Project - Queensland Department of Natural Resources +fordendk@exchange.lands.qld.gov.au +Unit6 Level3 Anzac Square Building Brisbane +(07) 3227 6265 + +My company provides general Unix based development and support services in +Brisbane. + +Personally, I have been using SAMBA for about 2 years and have implemented +it on several different Unix platforms including HPUX, Linux, Dynix, and +Solaris. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +QUEENSLAND - AUSTRALIA + +Plugged In Software Pty Ltd +PO Box 4130 +4/242 Hawken Drive +St. Lucia South, Qld 4067 +Australia +http://www.plugged.net.au +info@plugged.net.au ++61 7 3876 7140 ++61 7 3876 7142 (fax) +Point of Contact: David Wood +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SYDNEY - AUSTRALIA + +Philip Rhoades +Pricom Pty Ltd +http://www.pricom.com.au = http://203.12.131.20 +GPO Box 3411 Sydney NSW 2001 Australia +Ph: +61:0411:185652 +Fax: +61:2:9959-3481 +E-mail: philr@mail.austasia.net +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SYDNEY - AUSTRALIA + +John Terpstra - Aquasoft (jht@aquasoft.com.au) +Business: +612 9524 4040 +Home: +612 9540 3154 +Mobile: +612 414 334422 (aka 0414 334422) +Samba Experience: Member of Samba-Team. Long term contributor to Samba + Samba on BSD/OS, Solaris (Sparc & x86), ISC Unix, SCO Unix + NCR SVR4, Linux, UnixWare, IBM, HP, DEC, Others. + Training Instructor in Windows NT, wide area networking + over TCP/IP. Providing paid-for support for Public Domain + Software and Linux. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SYDNEY - AUSTRALIA + +We are a Unix & Windows developer with a consulting & support component. +In business since 1981 with experience on Sun, hp, sgi, IBM rs6000 plus +Windows, NT and Win95, Using Samba since September 94. +CodeSmiths, 22 Darley Road, MANLY 2095 NSW; 977 1979; fax: 977 2116 +philm@esi.com.au (Australia; New South Wales; SYDNEY; North East) ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ @@ -179,126 +1137,186 @@ info@eram.esi.com.au Voice:+61-2-9063377 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ -CHANTILLY - USA +WELLINGTON - NEW ZEALAND + +David Gempton +Computer Consultant +UNIX & PC Networking specialist +TTC Technology Training Consulting +PO Box 5444 +Lambton Quay Wellington +New Zealand +Phone (025) 518-574 +Email: ttcdg@cyberspace.co.nz +------------------------------------------------------------------------------ + + -Intelligent Decisions, Inc. -ATTN: Richard Bullington -14121 Parke Long Ct. #104 -Chantilly, VA 22021 -U.S.A. -(703) 803-8070 -rbullington@intdec.com -Samba experience: Linux, DEC ULTRIX <=> WFWG 3.11, Windows NT 3.5 -Specializing in World Wide Web related UNIX-to-PC connectivity. + + +CANADA +====== + ------------------------------------------------------------------------------ +ALBERTA - CANADA + +GDS & Associates Systems Ltd. +1010 First Edmonton Place +10665 Jasper Ave. +Edmonton, AB +Canada T5J 3S9 + +http://www.gds.ca/ + ++1 403 426 4484 +FAX: 426 2898 + +Contact: Iain O'Cain <iocain@gds.ca> +GDS is an information management consulting company with headquarters in +Regina, Saskatchewan, and offices across Western Canada. The Edmonton +office offers Systems Management services covering a variety of Unix and +similar server operating systems. ------------------------------------------------------------------------------ -FORT COLLINS, CO - USA -Granite Computing Solutions -ATTN: Brian Grossman -Box 270103 -Fort Collins, CO 80527-0103 -U.S.A. -(970) 225-2370 -granite@fortnet.org +------------------------------------------------------------------------------ +ALBERTA - CANADA -Information services, including WfWG, NT, Apple <=> Unix interoperability. +Distributed Computing Experts Corp. +407, 1167 Kensington Cres. N.W. +Calgary, Alberta T2N 1X7 -Our standard advertisement says: +Tel: +1 (403) 630-5931 Fax: +1 (403) 278-8437 +Email: WWW: http://www.dcexpert.ab.ca -> Unix workstations, servers and custom systems < ->> WWW and Unix education << ->>> Enterprise and departmental computing solutions <<< ->>> Backup & restore <<< ->> Software forensics << -> Data translation < + +Distributed Computing Experts Corp. (DC Experts) is an +Information Systems Consultancy in Calgary. We can provide +systems administration and systems programming for IBM AIX, Sun +Solaris, Hewlett-Packard HP-UX, DEC Digital Unix, Silicon +Graphics IRIX, BSD, Linux, and Windows NT. Management of TCP/IP +network infrastructures, security consultanting, Internet +firewalls and configuration of Internet services are also a +forte. Our personnel have been installing and configuring Samba +since 1995. ------------------------------------------------------------------------------ ----------------------------------------------------------- -Adelaide, Australia +------------------------------------------------------------------------------ +ONTARIO - CANADA -NS Computer Software and Services P/L -PO Box 86 -Ingle Farm -SA 5098 +Strata Software Limited, Kanata Ontario CANADA +Tel: +1 (613) 591-1922 Fax: +1 (613) 591-3485 +Email: sales@strataware.com WWW: http://www.strataware.com/ -Contact: Richard Sharpe - Ph: +61-8-281-0063 (08-281-0063) AH - FAX:+61-8-250-2080 (08-250-2080) +Strata Software Limited is a software development and consulting group +specializing in data communications (TCP/IP and OSI), X.400, X.500 and +LDAP, and X.509-based security. We have Samba experience with Windows NT, +Windows 95, and Windows for Workgroups clients with Linux, Unixware +(SVR4), and HP-UX servers. +------------------------------------------------------------------------------ -Experience with: ULTRIX, Digital UNIX, SunOS, WfW 3.11, Win95, WNT 3.51 +------------------------------------------------------------------------------ +ONTARIO - CANADA ----------------------------------------------------------- +WW Works Inc. +3201 Maderna Road +Burlington, Ontario +Canada L7M 2W4 ----------------------------------------------------------- -TECTONIC LIMITED -WESTWOOD -78 LOUGHBOROUGH ROAD -QUORN -LEICESTERSHIRE -LE12 8DX +Contact: Wade Weppler +(905) 332-5844 +FAX: (905) 332-5535 -TELEPHONE 01509-620922 -FAX 01509-620933 +Information Systems Sales and Consulting. +Specializing in Turnkey Windows NT Network environments with emphasis on +Legacy UNIX System integration using Samba. +------------------------------------------------------------------------------ -CONTACT DAVID ROBINSON +------------------------------------------------------------------------------ +ONTARIO - CANADA -WE ARE UNIX ORIENTATED BUT ALSO SPECIALISE IN PC TO UNIX COMMUNICATIONS, WE -KNOW AND UNDERSTAND PC-NFS, (HENCE OUR INTEREST IN SAMBA). -WE SUPPORT SUNOS, SOLARIS 1.X AND 2.X, HP-UX 9.0 AND 10.0, OSF (or DEC UNIX, -whichever you prefer), WinNT, WfWG and Win95. +Sound Software Ltd. +20 Abelard Avenue +Brampton, Ontario Canada +905 452 0504 +sales@telly.org +www.telly.org -WE ARE ALREADY TALKING TO A COUPLE OF VERY LARGE SAMBA USERS HERE IN THE UK. -WE WOULD LIKE TO SUPPORT THEM (AND MANY MORE), WOULD YOU PLEASE CONTACT ME ON: -david@tectonic.demon.co.uk ----------------------------------------------------------- +Sound Software company is a Caldera Business Partner, providing support for +Samba and other applications running under Caldera Linux. +------------------------------------------------------------------------------ ----------------------------------------------------------- -MIAMI, FL - USA +------------------------------------------------------------------------------ +ONTARIO - CANADA -Swaney & Associates, Inc. -ATTN: Stephen Swaney - 2543 Lincoln Avenue - Miami, Florida 33133 - U.S.A - (305) 860-0570 +GenX Internet Laboratories Inc. +20 Madison Ave. +Toronto, Ontario, Canada +M5R 1S2 -Specializing in: - High Availability system & networks - UNIX to PC connectivity - Market Data systems - Messaging Systems (Sendmail & Microsoft Exchange) ----------------------------------------------------------- +GenX Internet Labs is engaged in systems integration and +the design and development of software for use over the +internet and intranets. +We install, support and can resolve most system/Samba problems +on Linux. We are also an internet provider and use Samba to +provide a remote office solution to our customers. This solution +provides access to the shared resources on a corporate lan. ------------------------------------------------------------------------------ -NEW JERSEY - USA -William J. Maggio -LAN & Computer Integrators, Inc. -242 Old New Brunswick Road Email: bmaggio@lci.com -Suite 440 Voice: 908-981-1991 -Piscataway, NJ 08855 Fax : 908-981-1858 +------------------------------------------------------------------------------ +ONTARIO - CANADA - Specializing in Internet connectivity and security, Sun integration and - high speed, enterprise network design and deployment. +FSC Internet +The FSC Building +188 Davenport Rd +Toronto, Ontario +Canada M5R 1J2 + +(416) 921-4280 +fax (416) 966-2451 + +info@fscinternet.com + +FSC Internet is one of Canada's largest UNIX and NT networking +consulting firms. FSC's clients include numerous top-tier +corporations (e.g. Mazda, Heinz), as well as mid-sized companies +(e.g. the Vermont Telephone Company) and the public sector. FSC +provides full consulting, implementation, support, and training +services for all UNIX and NT network applications, including a +special focus on internetworking (extensive Samba experience), +security, high-performance Web applications, and Intranets. Please +email us at info@fscinternet.com or call us at (416) 921-4280 for +further information. ------------------------------------------------------------------------------ -FAREHAM - ENGLAND +------------------------------------------------------------------------------ +ONTARIO - CANADA -High Field Technology Ltd -Little Park Farm Road, Segensworth West, -Fareham, Hants PO15 5SJ, UK. -sales@hft.co.uk tel +44 148 957 0111 fax +44 148 957 0555 +MIS Incorporated, London Ontario CANADA +Tel: +1 (519) 673-3777 Fax: +1 (519) 673-4292 +Email: samba-support@netcontech.com -Company skills: Real time hardware and software systems +MIS Incorporated is a Microsoft Certified Solution Provider, +and system support group specializing in applying Windows +front ends to high end relational database servers. Samba +support available on any unix platform in conjunction with +WFW, Windows-NT, Win95, OS/2. Dial-in support +nation-wide, or on-site anywhere in Ontario. +------------------------------------------------------------------------------ -Samba experience: BSD/OS, Linux, LynxOS <==> WFWG, NT +------------------------------------------------------------------------------ +OTTAWA - CANADA +Russell McOrmond +Open Systems Internet Consultant +Serving individuals and organizations in the Ottawa (Ontario, Canada) area. +voice: (613) 235-7584 FAX: (613) 230-1258 +russell@flora.org , http://www.flora.org/russell/work/ ------------------------------------------------------------------------------ ------------------------------------------------------------------------ +------------------------------------------------------------------------------ QUEBEC - CANADA Dataden Computer Systems @@ -316,61 +1334,814 @@ configuring and maintaining Samba for clients for 1-1/2 years now. We have samba installations on Linx, SunOS and DEC OSF. Our biggest site has 4 Suns and 3 Linux servers running Samba which are serving a network of about 50 PC's running WFWg and Win95. ------------------------------------------------------------------------ +------------------------------------------------------------------------------ ------------------------------------------------------------------------ -CALIFORNIA - USA -Ron Halstead -Open Systems Consulting -3098-4 Lakemont Drive -San Ramon, CA 94583 (San Francisco Bay Area) -(510) 735-7529 -halstead@ix.netcom.com ------------------------------------------------------------------------ ------------------------------------------------------------------------ -MELBOURNE - AUSTRALIA -Michael Ciavarella -Cybersoruce Pty Ltd. -8/140 Queen Street -Melbourne VIC 3000 -Phone: +61-3-9642-5997 -Fax: +61-3-9642-5998 -Email: mikec@cyber.com.au -WWW: http://www.cyber.com.au -Cybersource specialises in TCP/IP network integration and Open Systems -administration. Cybersource is an Australian-owned and operated -company, with clients including some of Australia's largest financial, -petrochemical and state government organisations. ------------------------------------------------------------------------ ------------------------------------------------------------------------ -SOUTHERN CALIFORNIA - USA + +EUROPE +====== -Michael St. Laurent -Serving Los Angeles and Orange Counties. Please contact via email. -rowl@earthlink.net -Michael St. Laurent -Hartwell Corporation ------------------------------------------------------------------------------ -WASHINGTON DC METRO - USA +VIENNA - AUSTRIA -Asset Software, Inc. has been running Samba since the 1.6 release on various -platforms, including SunOS 4.x, Solaris 2.x, IRIX 4.x and 5.x, Linux 1.1x, -1.2x, and 1.3x, and BSD UNIX 4.3 and above. We specialize in small office -network solutions and provide services to enhance a small office's -operations. Primarily a custom software operation, our vast knowledge of -Windows, DOS, Unix, Windows NT, MacOS, and OS/2 enable us to provide quality -technical assistance to the small office environment at a reasonable price. -Our upcoming multi-mailbox mail client, IQ Mail, enables users with more -than one mailbox to send and retrieve their mail from a single, consistent -mail client running in Windows. +Company: Peter-Paul Witta +Contact: Peter-Paul Witta, paul@ping.at +keywords: SAMBA, Unix, Linux, OS/2, WinNT, Win95, Support, Consulting, + Installation, System Administration. + +Experience: Domain Browsing, Logon-Scripts, SAMBA Integration into Domains, + SAMBA as Domain Master, Printing, Faxing with IntraFax (our own Fax product), + Sendfax and Samba. + +Feel free to call: +43-1-6171288 + +Various ranges of consulting and maintenenace contracts available. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BRUSSELS - BELGIUM + +Phidani Software SPRL +Rue de l'autonomie, 1 +1070 Brussels +Belgium +Tel : +32 (2) 5220663 +Fax: +32 (2) 5220930 + +We provide commercial support in Belgium to large organisations +(eg: N.A.T.O., Unisys, E.C.C. ...) +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SOFIA - BULGARIA + +National Laboratory for Computer Virology and SEA Ltd. + +We work mainly in the following fields: + +* Design and testing of antivirus and computer security related software + and hardware; +* Data aquisition equipment +* Network design and consulting. + +Samba is our most common network tool for the export of data collected on +UNIX machines to PC clients, file services and simple client/server +processing schemes. + +Samba experience: Linux, Ultrix, Solaris, AIX, RiscOS. + +Client experience: LanMan, WFW, Win 95, Win NT. + +Address: + +National Laboratory for Computer Virology BAS, +Akad. G. Bonchev Str. bl.8, +Sofia 1113, +Bulgaria +E-mail:sales@nlcv.acad.bg +URL http://www.nlcv.acad.bg + +SEA Ltd, +Akad G.Bonchev Str bl. 8, rm 225, +Sofia 1113. +Bulgaria +E-mail:nmechkov@virbus.bg +URL http://www.orgchm.acad.bg/~sealtd +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PRAHA (PRAGUE) - CZECH + +AGC Praha, +David Doubrava +Sokolovska 141 +PRAHA 8 +180 00 + +Tel: +42 (2) 6600 2202 Fax: +42 (2) 683 02 55 +Email: ddoubrava@agc.cz WWW: http://corwin.agc.cz/ + +I have Samba experience with Windows NT, +Windows 95, and Windows for Workgroups clients with Linux and HP-UX +servers. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +CAMBRIDGE - ENGLAND + +Mark Ayliffe MBCS, Technical Consultant +Protechnic Computers Limited http://www.prot.demon.co.uk +7 Signet Court Tel +44 1223 314855 +Swann's Road Fax +44 1223 368168 +Cambridge CB5 8LA +England + + +Protechnic Computers Limited has experience of installing and +maintaining Samba on the following platforms: + +HP/UX 9.0x, 10.1x & 10.2x +DG/UX, Motorola and Intel +Digital UNIX +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +CORNWALL - ENGLAND + +Starstream Communications Ltd +Unit 9 +Moss Side Industrial Estate +Callington +Cornwall +PL17 7DU +United Kingdom + +Phone +44 1579 384072 Fax +44 1579 384267 + +Contact : Terry Moore-Read terry@starstream.co.uk + +Website : http://www.ndu-star.demon.co.uk shortly moving to +http://www.starstream.co.uk +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +FAREHAM - ENGLAND + +High Field Technology Ltd +Little Park Farm Road, Segensworth West, +Fareham, Hants PO15 5SJ, UK. +sales@hft.co.uk tel +44 148 957 0111 fax +44 148 957 0555 + +Company skills: Real time hardware and software systems + +Samba experience: BSD/OS, Linux, LynxOS <==> WFWG, NT + +------------------------------------------------------------------------------ -David J. Fenwick Asset Software, Inc. -President djf@assetsw.com ------------------------------------------------------------------------------ +LEICESTERSHIRE ENGLAND + +TECTONIC LIMITED +WESTWOOD +78 LOUGHBOROUGH ROAD +QUORN +LOUGHBOROUGH +LEICESTERSHIRE +LE12 8DX +UNITED KINGDOM + +Telephone: +44 (0) 1509 620922 Fax: +44 (0) 1509 620933 + +Contact: Nick Berry nick.berry@tectonic.co.uk +Tectonic is a Unix specialist company, with the expertise to provide +consultancy and integrated solutions for a wide range of Information +Technology needs. We support three major Unix operating systems (Solaris, +AIX and HP-UX) and PC operating systems including Windows NT, Windows 95 +and Windows for Workgroups. Tectonic is truly an Open Systems company. + +Tectonic has been using Samba in house and providing support since 1995. +We currently support a dozen large organizations in varying business +sectors including business critical areas. + +Tectonic provides Samba support, technical expertise, upgrades and +information bulletins. + +For more information about support please contact: +nick.berry@tectonic.co.uk + +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +LONDON - ENGLAND + +Mark H. Preston, +Network Analyst, | Email : mpreston@sghms.ac.uk +Computer Unit, | Tel : +44 (0)181 725-5434 +St. George's Hospital Med School, | Fax : +44 (0)181 725-3583 +London SW17 ORE. | WWW : http://www.sghms.ac.uk + +Samba Experience: +Server: Solaris 2.3 & 2.4, Irix 5.2 & 5.3 +Client: WinNT, Win95, WfWg, Win3.1, Ms-LanMan, DHCP support +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +LONDON - ENGLAND + +Name: Paul Dunne +Address: 30 Onslow Gardens + London + N10 3JU + UK +Phone: +44 (0)181-374 8194 +Fax: None +E-mail: paul@tiny1.demon.co.uk +URL: http://www.tiny1.demon.co.uk + +Contact: Paul Dunne +Type of support: E-mail and onsite. + +Expertise: Installing and troubleshooting Samba, on Linux and Win95. +Sample prices: Basic rate £30/hour. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +NEWCASTLE UPOON TYNE - ENGLAND + +New Mode Technology Limited, Newcastle Upon Tyne, UK +Tel 07050 606 991 Fax 07050 606 992 +EMAIL : newmode@unforgettable.com. + +Support Available: + +Consultancy + +Design and Implementation of Networking solutions based on Samba and other +protocols. Integration and migration between Unix and NT. + +All consultants are Microsoft Certified, and have implemented and suported Samba +for several large clients on AIX and Solaris. + +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +READING - ENGLAND + +Philip Hands | E-Mail: info@hands.com Tel:+44 118 9545656 +Philip Hands Computing Ltd. | Mobile: +44 802 242989 Fax:+44 118 9474655 +Unit 1, Cherry Close, Caversham, Reading RG4 8UP ENGLAND + +Samba experience: + Server platforms: Linux,SVR4,SVR3.2 & Sequent ptx + Clients: WfWg, W3.1, OS2 and MS-LanMan +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PARIS - FRANCE + +ALCOVE +12, place Indira GANDHI +92230 GENNEVILLIERS +FRANCE + +Email: alcove@alcove.fr +Web: http://www.alcove.fr + +Tél : 33 1 47 33 82 84 +Fax : 33 1 47 33 76 98 +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BERLIN - GERMANY + +Name: innominate + Multifunktionale Serverloesungen und IT-Dienstleistungen + +Address: Gipsstrasse 3, 10119 Berlin +Country: Germany +Phone: +49 30 308 806-0 +Fax: +49 30 308 806-77 +EMail: info@innominate.de +Web: http://innominate.de + +Type of support: vor Ort, Email, Fernzugriff ueber Internet/ISDN, + +Wir verfuegen ueber umfangreiche Erfahrung mit Samba, vor allem +in Intranetumgebungen. Neben Beratung, Dienstleistung +und Schulung bieten wir auch individuell vorkonfigurierte +Kommunikationsserver ("Lingo") auf der Basis von Linux an. +Neben anderen Modulen (ISDN/Internet/Intranet/Email/Proxy +u.a.) ist in Lingo ein Fileserver-Modul auf Samba-Basis inklusive +einem mehrstufigen Firewallsystem enthalten. +Außerdem verfuegt Lingo ueber eine grafische Administrations- +oberflaeche, mit der z.B. das Hinzufuegen von neuen Benutzern +von jedem Client per WWW-Browser moeglich ist. + +Prices: Komplettpreise fuer Lingo nach Vereinbarung + 120 DM/Stunde fuer Dienstleistung + Schulung nach Vereinbarung +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BERLIN - GERMANY + +Ing. Buero Buehler +Dipl.-Ing. Frank Buehler +Paul-Krause-Str. 5 +14129 Berlin +Germany + +Phone: +49/(0)177/825 33 80 Fax: +49/(0)30/803-3039 +mailto:fb@hydmech.fb12.TU-Berlin.de + +We install and maintain small to middle sized Linux-Windows +networks within the Berlin area and are available for consulting and +questions about networking, Linux, database systems and electronics. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BERLIN - GERMANY + +Name : Jan Riedinger + Unix, Networks, Security +Address: Oldenburger Str. 29 + 10551 Berlin + +Phone : +49 30 395 82 47 +FAX : +49 30 397 319 64 +Email : uns@intrail.de + +Taetigkeitschwerpunkte: + Administration heterogener Netzwerke (Unix, Novell, MS Windows XX, Macintosh) + Konzeption und Installation von Unix basierten Firewalls + Installation von Unix basierten Internet-Servern (News, WWW, Mail, Ftp, DNS + NIS, NIS+) + Internetanbindung (Routerkonfiguration) + Erstellung von Individualsoftware (C, C++, Java, Perl, Pascal) und WEB-Seiten +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BIELEFELD - GERMANY + +I am located in Bielefeld/Germany and have been doing Unix consultancy +work for the past 8 years throughout Germany and the rest of Europe. I +can be contacted by email at <jpm@mens.de> or via phone at +49 521 +9225922 or telefax at +49 521 9225924. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BIELEFELD - GERMANY + +Name : media engineering gmbh +Address: Bleichstr. 77a , D-33607 Bielefeld +Phone : +49-521-1365640 +Fax : +49-521-1365642 +eMail : info@media-eng.bielefeld.com +URL : http://www.media-eng.bielefeld.com/ +Contact: Dipl.Ing. Hartmut Holzgraefe + +Type of support: phone, eMail, inhouse, remote administration +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +DREIEICH - GERMANY + +A. G. Schindler <schindler@az1.de> +c/o Alpha Zero One Gmbh +Frankfurter Str. 141 +D - 63303 Dreieich +Germany + +AZ1 is a company of Value Added Resellers (VARs) of Digital Equipment +Corp. products and solution provider for Industry Applications. + +We're providing commercial support for Samba running on DEC hardware +under Digital Unix (R), Digital OpenVMS (R) and Linux. + +Contract based and hotline support available. Fast response on-site +support coming soon for the Franfurt / Main area. + +Pathworks or WinNT to Samba migrators welcome ! + +Please contact us via: schindler@az1.de +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GOETTINGEN - GERMANY + +Service Network GmbH +Hannah Vogt Str. 1 +37085 Goettingen +Germany +Phone: +49-551-507775 +Fax: +49-551-507776 +http://www.sernet.de/ +samba@sernet.de + +SerNet is a company doing LAN consulting and training. We offer +Internet access for our customers. We have experience with many +different kinds of Unix, especially Linux, as well as NetWare and NT. +Volker Lendecke, one of our our founders and a Samba Team member, +has gained a lot of SMB/CIFS and NetWare experience writing smbfs and +ncpfs, the Linux kernel file systems that enable Linux to access +Windows NT and other SMB/CIFS servers, and NetWare Servers. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GREIFSWALD - GERMANY + +Mr. Frank Rautenberg, Mr. Heiko Boesel, Mr. Jan Holz +UniCon Computersysteme GmbH +Ziegelhof 20 +D-17489 Greifswald +email: samba@unicon-gmbh.com +www: http://www.unicon-gmbh.com + +We use Samba and we provide support for our customers. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +MUENCHEN - GERMANY + +CONSYS GmbH +Landsberger Str. 402 +81241 München +Germany +Phone: +49-89-5808181 +Fax: +49-89-588776 +http://www.consys.de/ +mailto:samba@consys.de + + +CONSYS is a software company. We have experience especially with SCO Unix +and other Unix systems, as well as with Windows 95 and NT. +We are a Premium Partner of SCO and know and have used samba for four years. +Our engineers know a lot about the installation of SCO Unix. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GREECE + +Yiorgos Adamopoulos +Electrical and Computer Engineer +email: adamo@InterWorks.org + +I can provide Samba support for the following operating systems throughout the +whole of Greece: Windows 3.11/95/NT, Ultrix, HP-UX, NetBSD, OpenBSD, SunOS, +Solaris, Linux, Irix. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +SZEGED - HUNGARY + + Name: Geza Makay + Institute: Jozsef Attila University of Szeged + Mail: Bolyai Institute, Aradi vertanuk tere 1. + H-6720, Szeged, Hungary + Tel: (62) 454-091 (Hungary's code: 36) + Fax/Message: (62) 326-246 (Hungary's code: 36) + E-mail: makayg@math.u-szeged.hu + World Wide Web: http://www.math.u-szeged.hu/ +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +MILANO - ITALY + +INFERENTIA S.p.A. +Via Tacito 6 +20137 MILANO (MI) +ITALY +tel: +39 2 599281 +fax: +39 2 59928221 +contact: Consulting Division +e-mail: consulting@inferentia.it +www: http://www.inferentia.it + +INFERENTIA Consulting is available for establishing commercial support +contracts on Samba integration with Microsoft Networks-based LANs. +We can offer a solid experience with: +- All flavours of Windows (Workgroups, 95, NT) +- IBM AIX, Digital UNIX, Sun Solaris, Linux, HP/UX +- geographically distributed networks with WAN links +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ITALY + +InfoTecna di Cesana D. & C. s.n.c. +Via Cesana e Villa, 29 +20046 Biassono (Mi) + +Tel: ++39 39 2324054 +Fax: ++39 39 2324054 + +e-mail: infotecn@tin.it +URL: http://space.tin.it/internet/dsbragio + +We provide Samba support along with generic Linux support. Specifically we +have implemented a powerful Fax servicing system for Samba with Win95/NT +clients. Details could be found at our URL, currently, only in Italian. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ABANO TERME (PADOVA) - ITALY + +PROFUSO di Zanetti Giuseppe - Studio di Consulenza Informatica +Abano Terme (PD) - ITALY +profuso@profuso.com +http://www.profuso.com/ +Phone: ++39 49 8059070 / ++39 348 2220811 + +We provide all possible support for Linux, UNIX, +development, security and system integration. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PALERMO - ITALY + +Francesco Cardinale +E-Mail: cardinal@palermo.italtel.it +Samba experience: SVR3.2, SOLARIS, ULTRIX, LINUX <--> DOS LAN-MAN, WFW +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +PISA - ITALY + +I3 ICUBE s.r.l. +Via Pascoli 8 +56125 PISA (PI) +ITALY +tel: 050/503202 +fax: 050/504617 +contact person: Marco Bizzarri +e-mail: m.bizzarri@icube.it +www: http://www.icube.it/ + +Our company offers commercial support to integrate eterogenous networks. +We can provide support for the following architectures: + +Windows: +Windows for Workgroup +Windows 95 +Windows NT + +Unix: +Linux +Solaris +Digital Unix + +Macintosh +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ROME - ITALY + +Company: Pantheon Srl + Via del Tritone 132 + 00187 ROME - ITALY + +Phone/Fax: +39 6 47823666 +URL: http://www.pantheon.it + +Contact: Dario Centofanti <dario@pantheon.it> + +Pantheon provide support for SaMBa and other TCP/IP applications running +under Linux. We are also an internet provider. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +ITALY + +Sedac S.a.S. + +Piazza XX Settembre, 68 +62012 Civitanova Marche (MC) +Italy + +Tel. : +39 (733) 810257-817064 +Fax : +39 (733) 819008 +PPP : +39 (733) 819009 +E-mail : sedac@cognigni.com +WWW : http://www.cognigni.com/sedac + +La Sedac S.a.S. e' specializzata nell'implementazione ed amministrazione di +reti eterogenee LAN/WAN basate sui sistemi operativi SCO Open Server, SCO +Unix, Windows NT e Windows 95. +Su tali piattaforme installiamo, configuriamo e supportiamo pienamente il +Samba. + +Sedac S.a.S. is specialized in the implementation and administration of +heterogeneous LAN/WAN networks based on SCO Open Server, SCO Unix, Windows +NT and Windows 95 operating systems. +On these platforms we fully install, configure and support Samba. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +TREVISO - ITALY + +Company: SMC Computers S.r.l. +Via Roma 4/D +Lancenigo di Villorba 31020 (TV) + +Telephone number: +39-422-608408 +FAX Number : +39-422-608043 +EMail : smc@smc.it +WWW Address : www.smc.it + +Our company is specialized in LAN/WAN connectivity on Unix and +Windows platforms, RDBMS, Data Warehousing. +We currently port, install and support Samba on the following +Unix platforms : +HP/UX, SunOS 4, SunOS 5, Sinix, Mips, IRIX , AIX, SCO, Linux +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +VICENZA - ITALY + +Company: AVnet srl +Address: via Fogazzaro, 2 + 36015 SCHIO (VI) + ITALY +phone: 0445/511445 +fax: 0445/511449 +contact: Giovanni Panozzo + +e-mail: samba@avnet.it + + +AVnet provides consulting and support on all problems +regarding unix-to-win networking. We operate as ISP and we +offer in depth TCP/IP knowledge for lan, intranet and WANs. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +LUXEMBOURG - EUROPE + +E.C.C. sa +11, Rue Bettlange +L-9657 HARLANGE +Grand-Duche de Luxembourg +Tel. +352 93615 (from 09/97: +352 993615) +Fax +352 93569 (from 09/97: +352 993569) +oontact person: Stefaan A Eeckels +email: Stefaan.Eeckels@ecc.lumail + +We're located in Luxembourg, and recently provided support +for Samba at Eurostat (the European Commision), who are using +Samba to integrate Windows NT workstations in their Solaris +/ Windows3.1 network. All in all, things run rather smoothly now. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +DELFT - NETHERLANDS + +BitWizard B.V. +van Bronckhorststraat 12 +2612 XV Delft +The Netherlands +Tel: +31-15-2137555 +Fax: +31-15-2138217 +Email: samba@BitWizard.nl +http: http://www.bitwizard.nl/ + +Specific activities: + + - Linux support + - GNU software support + - Linux device driver writing + - Data recovery + +BitWizard supports freely distributable software, +especially quality products like "Samba". +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +GRONINGEN - THE NETHERLANDS + +Company: Le Reseau netwerksystemen BV +Address: Bieslookstraat 31 +City: Groningen +Zip: NL-9731 HH +Country: The Netherlands + +We already offer commercial support on Linux and other Unices. Together with +an application house we have developed a office automation environment which +heavily depends on Samba. This environment consists of a Linux application +server which is also the Samba server. A NT server for standard office +applications. A firewall for Internet connectivity. And a large number of +DOS/Win3.x/W95 clients that connect to the different machines. User's home +directories are mounted through Sambe. + +We also support other Unices like Solaris, SunOS, HP-UX, Digital Unix and +AIX. + +Sincerely, + +Arthur Donkers +Le Reseau + +email : arthur@reseau.nl +phone : (+31) 595 552431 +URL http://www.reseau.nl +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +NIJMEGEN - THE NETHERLANDS + +Xtended Internet (http://www.xtdnet.nl/) + +Broerdijk 27 Postbus 170 Tel: 31-24-360 39 19 +6523 GM Nijmegen 6500 AD Nijmegen Fax: 31-24-360 19 99 +The Netherlands The Netherlands info@xtdnet.nl +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +UTRECHT - NETHERLANDS + +Van den Hout Creative Communications +Koos van den Hout +Email : koos@kzdoos.xs4all.nl +Phone : +31-30-2871002 +Fax : +31-30-2817051 +Samba experience: Setup and configuration for Linux, Solaris, web +publishing related usage. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +WROCLAW - POLAND + +Name: Sergiusz Pawlowicz +Institute: Wroclaw University of Technology +Mail: room 120A, Prusa 53/55, Wroclaw 50-370, Poland +Tel: +48(71)206450 +Fax: +48(71)212448 +E-mail: ser@pwr.wroc.pl +WWW: http://www.arch.pwr.wroc.pl/ +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +CLUJ - ROMANIA + +CompAs Software, Ltd. +Calea Dorobantilor 38, PO Box 285/1 +3400 Cluj, Romania +tel: +40-64-431317, +40-64-431327 +fax: +40-64-195239 + +Contact: Gabriel Juncu (gjuncu@compas.dntcj.ro) + +Samba Experience: +Servers: Linux & Samba 1.9.16 and above +Clients: MS Client for DOS 3.0, LanMan Client 2.xx, + WfW, Windows'95, Windows NT +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +VETLANDA - SWEDEN + + IBS Industridata AB + Box 95 + 574 21 VETLANDA + SWEDEN + +Phone: +46-383-16065 +Fax: +46-8-287905 +E-mail: samba@ibs.se +http://www.id.ibs.se/ibsid + +We have offices in about 20 cities in Sweden and can provide commercial +support for Samba. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ +BERN - SWITZERLAND + +Charles Bueche e-mail : cbueche@worldcom.ch +Les Morels 9 phone : +41.(0)79.330.00.70 +2515 Preles fax : +41.(0)32.315.52.16 +Switzerland + +I have used Samba for more than 4 years across several +large Swiss companies. I offer support on planing, +configuration and maintenance of Samba. My primary +platform is Sun Solaris, but I can also support +Samba on SunOS, HP, DEC-UNIX, or Linux. + +Other duties includes security audits (Inter- & Intranet), +Sun High Availability and Checkpoint Firewall-1. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ + + + + +MIDDLE EAST +=========== + +------------------------------------------------------------------------------ +ISRAEL + +Sela Systems +10 Ha'Kishon St. +Bnei-Brak +Israel 51203 +Phone: +972-3-6190999 +Fax: +972-3-6190992 +Email: info@sela.co.il + +We have been involved in Samba projects since 1995. +We have several large-scale clients using Samba in their network +and getting support from us. We also provide Unix/NT/Novell/Win95 +system and network services and solutions. Our company also provides +courses and training in many aspects of systems and networking, +including TCP/IP and Samba. +------------------------------------------------------------------------------ + +------------------------------------------------------------------------------ diff --git a/docs/textdocs/Tracing.txt b/docs/textdocs/Tracing.txt new file mode 100644 index 00000000000..f3038799340 --- /dev/null +++ b/docs/textdocs/Tracing.txt @@ -0,0 +1,96 @@ +!== +!== Tracing.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell <samba-bugs@samba.anu.edu.au> +Date: Old +Status: Questionable + +Subject: How to trace samba system calls for debugging purposes +============================================================================= + +This file describes how to do a system call trace on Samba to work out +what its doing wrong. This is not for the faint of heart, but if you +are reading this then you are probably desperate. + +Actually its not as bad as the the above makes it sound, just don't +expect the output to be very pretty :-) + +Ok, down to business. One of the big advantages of unix systems is +that they nearly all come with a system trace utility that allows you +to monitor all system calls that a program is making. This is +extremely using for debugging and also helps when trying to work out +why something is slower than you expect. You can use system tracing +without any special compilation options. + +The system trace utility is called different things on different +systems. On Linux systems its called strace. Under SunOS 4 its called +trace. Under SVR4 style systems (including solaris) its called +truss. Under many BSD systems its called ktrace. + +The first thing you should do is read the man page for your native +system call tracer. In the discussion below I'll assume its called +strace as strace is the only portable system tracer (its available for +free for many unix types) and its also got some of the nicest +features. + +Next, try using strace on some simple commands. For example, "strace +ls" or "strace echo hello". + +You'll notice that it produces a LOT of output. It is showing you the +arguments to every system call that the program makes and the +result. Very little happens in a program without a system call so you +get lots of output. You'll also find that it produces a lot of +"preamble" stuff showing the loading of shared libraries etc. Ignore +this (unless its going wrong!) + +For example, the only line that really matters in the "strace echo +hello" output is: + +write(1, "hello\n", 6) = 6 + +all the rest is just setting up to run the program. + +Ok, now you're famialiar with strace. To use it on Samba you need to +strace the running smbd daemon. The way I tend ot use it is to first +login from my Windows PC to the Samba server, then use smbstatus to +find which process ID that client is attached to, then as root I do +"strace -p PID" to attach to that process. I normally redirect the +stderr output from this command to a file for later perusal. For +example, if I'm using a csh style shell: + + strace -f -p 3872 >& strace.out + +or with a sh style shell: + + strace -f -p 3872 > strace.out 2>&1 + +Note the "-f" option. This is only available on some systems, and +allows you to trace not just the current process, but any children it +forks. This is great for finding printing problems caused by the +"print command" being wrong. + +Once you are attached you then can do whatever it is on the client +that is causing problems and you will capture all the system calls +that smbd makes. + +So how do you interpret the results? Generally I search thorugh the +output for strings that I know will appear when the problem +happens. For example, if I am having touble with permissions on a file +I would search for that files name in the strace output and look at +the surrounding lines. Another trick is to match up file descriptor +numbers and "follow" what happens to an open file until it is closed. + +Beyond this you will have to use your initiative. To give you an idea +of wehat you are looking for here is a piece of strace output that +shows that /dev/null is not world writeable, which causes printing to +fail with Samba: + +[pid 28268] open("/dev/null", O_RDWR) = -1 EACCES (Permission denied) +[pid 28268] open("/dev/null", O_WRONLY) = -1 EACCES (Permission denied) + +the process is trying to first open /dev/null read-write then +read-only. Both fail. This means /dev/null has incorrect permissions. + +Have fun! + +(please send updates/fixes to this file to samba-bugs@samba.anu.edu.au) diff --git a/docs/textdocs/UNIX-SMB.txt b/docs/textdocs/UNIX-SMB.txt index b2c064215cf..41c66960588 100644 --- a/docs/textdocs/UNIX-SMB.txt +++ b/docs/textdocs/UNIX-SMB.txt @@ -1,3 +1,12 @@ +!== +!== UNIX-SMB.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell <samba-bugs@samba.anu.edu.au> +Date: April 1995 + +Subject: Discussion of NetBIOS in a Unix World +============================================================================ + This is a short document that describes some of the issues that confront a SMB implementation on unix, and how Samba copes with them. They may help people who are looking at unix<->PC @@ -6,9 +15,6 @@ interoperability. It was written to help out a person who was writing a paper on unix to PC connectivity. -Andrew Tridgell -April 1995 - Usernames ========= @@ -85,19 +91,17 @@ passwords they are in trouble. Samba can try to cope with this by either using the "password level" option which causes Samba to try the offered password with up to the specified number of case changes, or by using the "password server" -option which allows Samba to do it's validation via another machine +option which allows Samba to do its validation via another machine (typically a WinNT server). -Samba also doesn't support the password encryption method used by SMB -clients. This is because the spec isn't sufficiently detailed for an -implementation (although Jeremy Allison is working on it, to try and -work it out). Also, there is a fundamental problem with what we -understand so far in the algorithm, as it seems that the server would -need to store somewhere on disk a reversibly encrypted (effectively -plaintext) copy of the users password in order to use the -algorithm. This goes against the unix policy that "even the super-user -doesn't know your password" which comes from the use of a one-way hash -function. +Samba supports the password encryption method used by SMB +clients. Note that the use of password encryption in Microsoft +networking leads to password hashes that are "plain text equivalent". +This means that it is *VERY* important to ensure that the Samba +smbpasswd file containing these password hashes is only readable +by the root user. See the documentation ENCRYPTION.txt for more +details. + Locking ======= @@ -127,7 +131,7 @@ The second major problem is the "opportunistic locking" requested by some clients. If a client requests opportunistic locking then it is asking the server to notify it if anyone else tries to do something on the same file, at which time the client will say if it is willing to -give up it's lock. Unix has no simple way of implementing +give up its lock. Unix has no simple way of implementing opportunistic locking, and currently Samba has no support for it. Deny Modes @@ -140,10 +144,12 @@ allowed by anyone else who tries to use the file at the same time. If DENY_READ is placed on the file, for example, then any attempt to open the file for reading should fail. -Unix has no equivalent notion. To implement these Samba uses lock +Unix has no equivalent notion. To implement this Samba uses either lock files based on the files inode and placed in a separate lock -directory. These are clumsy and consume processing and file resources, -so they are optional and off by default. +directory or a shared memory implementation. The lock file method +is clumsy and consumes processing and file resources, +the shared memory implementation is vastly prefered and is turned on +by default for those systems that support it. Trapdoor UIDs ============= @@ -155,6 +161,9 @@ within the one process. On some unixes (such as SCO) this is not possible. This means that on those unixes the client is restricted to a single uid. +Note that you can also get the "trapdoor uid" message for other +reasons. Please see the FAQ for details. + Port numbers ============ @@ -216,5 +225,10 @@ this protocol level much easier. There is also a problem with the SMB specications. SMB is a X/Open spec, but the X/Open book is far from ideal, and fails to cover many -important issues, leaving much to the imagination. +important issues, leaving much to the imagination. Microsoft recently +renamed the SMB protocol CIFS (Common Internet File System) and have +published new specifications. These are far superior to the old +X/Open documents but there are still undocumented calls and features. +This specification is actively being worked on by a CIFS developers +mailing list hosted by Microsft. diff --git a/docs/textdocs/UNIX_INSTALL.txt b/docs/textdocs/UNIX_INSTALL.txt new file mode 100644 index 00000000000..8e3ac4609fd --- /dev/null +++ b/docs/textdocs/UNIX_INSTALL.txt @@ -0,0 +1,345 @@ +!== +!== UNIX_INSTALL.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell <samba-bugs@samba.anu.edu.au> +Date: Unknown +Status: Current +Updated: July 5, 1998 <jht@samba.anu.edu.au> + +Subject: HOW TO INSTALL AND TEST SAMBA +=============================================================================== + + +STEP 0. Read the man pages. They contain lots of useful info that will +help to get you started. If you don't know how to read man pages then +try something like: + + nroff -man smbd.8 | more + +Unfortunately, having said this, the man pages are sadly out of date and +really need more effort to maintain them. Other sources of information +are pointed to by the Samba web site, http://samba.anu.edu.au/samba. + +STEP 1. Building the binaries + +To do this, first run the program ./configure in the source +directory. This should automatically configure Samba for your +operating system. If you have unusual needs then you may wish to run +"./configure --help" first to see what special options you can enable. + +Then type "make". This will create the binaries. + +Once it's successfully compiled you can use "make install" to install +the binaries and manual pages. You can separately install the binaries +and/or man pages using "make installbin" and "make installman". + +Note that if you are upgrading for a previous version of Samba you +might like to know that the old versions of the binaries will be +renamed with a ".old" extension. You can go back to the previous +version with "make revert" if you find this version a disaster! + +STEP 2. The all important step + +At this stage you must fetch yourself a coffee or other drink you find +stimulating. Getting the rest of the install right can sometimes be +tricky, so you will probably need it. + +If you have installed samba before then you can skip this step. + +STEP 3. Create the smb configuration file. + +There are sample configuration files in the examples subdirectory in +the distribution. I suggest you read them carefully so you can see how +the options go together in practice. See the man page for all the +options. + +The simplest useful configuration file would be something like this: + + workgroup = MYGROUP + + [homes] + guest ok = no + read only = no + +which would allow connections by anyone with an account on the server, +using either their login name or "homes" as the service name. (Note +that I also set the workgroup that Samba is part of. See BROWSING.txt +for defails) + +Note that "make install" will not install a smb.conf file. You need to +create it yourself. You will also need to create the path you specify +in the Makefile for the logs etc, such as /usr/local/samba. + +Make sure you put the smb.conf file in the same place you specified in +the Makefile. + +For more information about security settings for the [homes] share please +refer to the document UNIX_SECURITY.txt + +STEP 4. Test your config file with testparm + +It's important that you test the validity of your smb.conf file using +the testparm program. If testparm runs OK then it will list the loaded +services. If not it will give an error message. + +Make sure it runs OK and that the services look resonable before +proceeding. + +STEP 5. Starting the smbd and nmbd. + +You must choose to start smbd and nmbd either as daemons or from +inetd. Don't try to do both! Either you can put them in inetd.conf +and have them started on demand by inetd, or you can start them as +daemons either from the command line or in /etc/rc.local. See the man +pages for details on the command line options. Take particular care +to read the bit about what user you need to be in order to start Samba. +In many cases you must be root. + +The main advantage of starting smbd and nmbd as a daemon is that they +will respond slightly more quickly to an initial connection +request. This is, however, unlilkely to be a problem. + +Step 5a. Starting from inetd.conf + +NOTE; The following will be different if you use NIS or NIS+ to +distributed services maps. + +Look at your /etc/services. What is defined at port 139/tcp. If +nothing is defined then add a line like this: + +netbios-ssn 139/tcp + +similarly for 137/udp you should have an entry like: + +netbios-ns 137/udp + +Next edit your /etc/inetd.conf and add two lines something like this: + +netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd + +The exact syntax of /etc/inetd.conf varies between unixes. Look at the +other entries in inetd.conf for a guide. + +NOTE: Some unixes already have entries like netbios_ns (note the +underscore) in /etc/services. You must either edit /etc/services or +/etc/inetd.conf to make them consistant. + +NOTE: On many systems you may need to use the "interfaces" option in +smb.conf to specify the IP address and netmask of your interfaces. Run +ifconfig as root if you don't know what the broadcast is for your +net. nmbd tries to determine it at run time, but fails on some +unixes. See the section on "testing nmbd" for a method of finding if +you need to do this. + +!!!WARNING!!! Many unixes only accept around 5 parameters on the +command line in inetd. This means you shouldn't use spaces between the +options and arguments, or you should use a script, and start the +script from inetd. + +Restart inetd, perhaps just send it a HUP. If you have installed an +earlier version of nmbd then you may need to kill nmbd as well. + +Step 5b. Alternative: starting it as a daemon + +To start the server as a daemon you should create a script something +like this one, perhaps calling it "startsmb" + +#!/bin/sh +/usr/local/samba/bin/smbd -D +/usr/local/samba/bin/nmbd -D + +then make it executable with "chmod +x startsmb" + +You can then run startsmb by hand or execute it from /etc/rc.local + +To kill it send a kill signal to the processes nmbd and smbd. + +NOTE: If you use the SVR4 style init system then you may like to look +at the examples/svr4-startup script to make Samba fit into that system. + + +STEP 6. Try listing the shares available on your server + +smbclient -L yourhostname + +Your should get back a list of shares available on your server. If you +don't then something is incorrectly setup. Note that this method can +also be used to see what shares are available on other LanManager +clients (such as WfWg). + +If you choose user level security then you may find that Samba requests +a password before it will list the shares. See the smbclient docs for +details. (you can force it to list the shares without a password by +adding the option -U% to the command line. This will not work with +non-Samba servers) + +STEP 7. try connecting with the unix client. eg: + +smbclient '\\yourhostname\aservice' + +Typically the "yourhostname" would be the name of the host where you +installed smbd. The "aservice" is any service you have defined in the +smb.conf file. Try your user name if you just have a [homes] section +in smb.conf. + +For example if your unix host is bambi and your login name is fred you +would type: + +smbclient '\\bambi\fred' + +NOTE: The number of slashes to use depends on the type of shell you +use. You may need '\\\\bambi\\fred' with some shells. + +STEP 8. Try connecting from a dos/WfWg/Win95/NT/os-2 client. Try +mounting disks. eg: + +net use d: \\servername\service + +Try printing. eg: + +net use lpt1: \\servername\spoolservice +print filename + +Celebrate, or send me a bug report! + +WHAT IF IT DOESN'T WORK? +======================== + +If nothing works and you start to think "who wrote this pile of trash" +then I suggest you do step 2 again (and again) till you calm down. + +Then you might read the file DIAGNOSIS.txt and the FAQ. If you are +still stuck then try the mailing list or newsgroup (look in the README +for details). Samba has been successfully installed at thousands of +sites worldwide, so maybe someone else has hit your problem and has +overcome it. You could also use the WWW site to scan back issues of +the samba-digest. + +When you fix the problem PLEASE send me some updates to the +documentation (or source code) so that the next person will find it +easier. + +DIAGNOSING PROBLEMS +=================== + +If you have instalation problems then go to DIAGNOSIS.txt to try to +find the problem. + +SCOPE IDs +========= + +By default Samba uses a blank scope ID. This means all your windows +boxes must also have a blank scope ID. If you really want to use a +non-blank scope ID then you will need to use the -i <scope> option to +nmbd, smbd, and smbclient. All your PCs will need to have the same +setting for this to work. I do not recommend scope IDs. + + +CHOOSING THE PROTOCOL LEVEL +=========================== + +The SMB protocol has many dialects. Currently Samba supports 5, called +CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. + +You can choose what maximum protocol to support in the smb.conf +file. The default is NT1 and that is the best for the vast majority of +sites. + +In older versions of Samba you may have found it necessary to use +COREPLUS. The limitations that led to this have mostly been fixed. It +is now less likely that you will want to use less than LANMAN1. The +only remaining advantage of COREPLUS is that for some obscure reason +WfWg preserves the case of passwords in this protocol, whereas under +LANMAN1, LANMAN2 or NT1 it uppercases all passwords before sending them, +forcing you to use the "password level=" option in some cases. + +The main advantage of LANMAN2 and NT1 is support for long filenames with some +clients (eg: smbclient, Windows NT or Win95). + +See the smb.conf manual page for more details. + +Note: To support print queue reporting you may find that you have to +use TCP/IP as the default protocol under WfWg. For some reason if you +leave Netbeui as the default it may break the print queue reporting on +some systems. It is presumably a WfWg bug. + + +PRINTING FROM UNIX TO A CLIENT PC +================================= + +To use a printer that is available via a smb-based server from a unix +host you will need to compile the smbclient program. You then need to +install the script "smbprint". Read the instruction in smbprint for +more details. + +There is also a SYSV style script that does much the same thing called +smbprint.sysv. It contains instructions. + + +LOCKING +======= + +One area which sometimes causes trouble is locking. + +There are two types of locking which need to be performed by a SMB +server. The first is "record locking" which allows a client to lock a +range of bytes in a open file. The second is the "deny modes" that are +specified when a file is open. + +Samba supports "record locking" using the fcntl() unix system +call. This is often implemented using rpc calls to a rpc.lockd process +running on the system that owns the filesystem. Unfortunately many +rpc.lockd implementations are very buggy, particularly when made to +talk to versions from other vendors. It is not uncommon for the +rpc.lockd to crash. + +There is also a problem translating the 32 bit lock requests generated +by PC clients to 31 bit requests supported by most +unixes. Unfortunately many PC applications (typically OLE2 +applications) use byte ranges with the top bit set as semaphore +sets. Samba attempts translation to support these types of +applications, and the translation has proved to be quite successful. + +Strictly a SMB server should check for locks before every read and +write call on a file. Unfortunately with the way fcntl() works this +can be slow and may overstress the rpc.lockd. It is also almost always +unnecessary as clients are supposed to independently make locking +calls before reads and writes anyway if locking is important to +them. By default Samba only makes locking calls when explicitly asked +to by a client, but if you set "strict locking = yes" then it will +make lock checking calls on every read and write. + +You can also disable by range locking completely using "locking = +no". This is useful for those shares that don't support locking or +don't need it (such as cdroms). In this case Samba fakes the return +codes of locking calls to tell clients that everything is OK. + +The second class of locking is the "deny modes". These are set by an +application when it opens a file to determine what types of access +should be allowed simultaneously with its open. A client may ask for +DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special +compatability modes called DENY_FCB and DENY_DOS. + +You can disable share modes using "share modes = no". This may be +useful on a heavily loaded server as the share modes code is very +slow. See also the FAST_SHARE_MODES option in the Makefile for a way +to do full share modes very fast using shared memory (if your OS +supports it). + + +MAPPING USERNAMES +================= + +If you have different usernames on the PCs and the unix server then +take a look at the "username map" option. See the smb.conf man page +for details. + + +OTHER CHARACTER SETS +==================== + +If you have problems using filenames with accented characters in them +(like the German, French or Scandinavian character sets) then I +recommmend you look at the "valid chars" option in smb.conf and also +take a look at the validchars package in the examples directory. diff --git a/docs/textdocs/UNIX_SECURITY.txt b/docs/textdocs/UNIX_SECURITY.txt new file mode 100644 index 00000000000..e8603b13e7a --- /dev/null +++ b/docs/textdocs/UNIX_SECURITY.txt @@ -0,0 +1,53 @@ +!== +!== UNIX_SECURITY.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: John H Terpstra <jht@samba.anu.edu.au> +Date: July 5, 1998 +Status: Current + +Subject: SETTING UNIX FILE SYSTEM SECURITY +=============================================================================== +The following excerpt from a bug report demonstrates the need to +understand Unix file system security and to manage it correctly. + +Quote: +====== +> We are unable to keep individual users from mapping to any other user's +> home directory once they have supplied a valid password! They only need +> to enter their own password. I have not found *any* method that I can +> use to configure samba to enforce that only a user may map their own +> home directory. +> +> User xyzzy can map his home directory. Once mapped user xyzzy can also map +> *anyone* elses home directory! + +ANSWER: +======= +This is not a security flaw, it is by design. Samba allows +users to have *exactly* the same access to the UNIX filesystem +as they would if they were logged onto the UNIX box, except +that it only allows such views onto the file system as are +allowed by the defined shares. + +This means that if your UNIX home directories are set up +such that one user can happily cd into another users +directory and do an ls, the UNIX security solution is to +change the UNIX file permissions on the users home directories +such that the cd and ls would be denied. + +Samba tries very had not to second guess the UNIX administrators +security policies, and trusts the UNIX admin to set +the policies and permissions he or she desires. + +Samba does allow the setup you require when you have set the +"only user = yes" option on the share, is that you have not set the +valid users list for the share. + +Note that only user works in conjunction with the users= list, +so to get the behavior you require, add the line : + +user = %S + +to the definition of the [homes] share, as recommended in +the smb.conf man page. + diff --git a/docs/textdocs/Win95.txt b/docs/textdocs/Win95.txt new file mode 100644 index 00000000000..d6f53362838 --- /dev/null +++ b/docs/textdocs/Win95.txt @@ -0,0 +1,77 @@ +!== +!== Win95.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Copyright (C) 1997 - Samba-Team +Contributed Date: August 20, 1997 +Last Update: August 20, 1997 + +Subject: Windows 95 and Samba Interoperability +=============================================================================== + +Password Handling: +------------------ +Microsoft periodically release updates to all their operating systems. Some of +these are welcomed while others cause us to change the way we do things. Few +people like change, particularly if the change is unexpected. The best advice +always is to read the documentation provided BEFORE applying an update. + +One of the recent Win95 updates (VRDRUPD.EXE) disables plain text (also called +clear text) password authentication. The effects of this updates are desirable +where MS Windows NT is providing the password authentication service. This +update is most undesirable where Samba must provide the authentication service +unless Samba has been specifically configured to use encrypted passwords _AND_ +has been linked with the libdes library. + +If the above conditions have not been complied with, and you are using Samba, +then Windows 95 clients will NOT be able to authenticate to a Samba server. + +To re-enable plain text password capabilities AFTER applying this update +you must create a new value in the Windows 95 registry. + +Either foillow the following procedure or just double click on the +file Win95_PlainPassword.reg for an easier way to do this. + +Procedure: +1) Launch the Registry Editor as follows: + Click on: /Start/Run + Type "regedit" and press enter. + +2) Double click on: HKEY_LOCAL_MACHINE + +3) Locate the following Key: + /HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/VxD/VNETSUP + +4) From the menu bar select Edit/New/DWORD Value + +5) Rename the entry from "New Value #1" to: + EnablePlainTextPassword + +6) Press Enter, then double click on the new entry. + A dialog box will pop up and enable you to set a value. + You must set this value to 1. + +------------------------------------------------------------------------------- + +Windows 95 Updates: +------------------- +When using Windows 95 OEM SR2 the following updates are recommended where Samba +is being used. Please NOTE that the above change will affect you once these +updates have been installed. + +There are more updates than the ones mentioned here. You are referred to the +Microsoft Web site for all currently available updates to your specific version +of Windows 95. + +Kernel Update: KRNLUPD.EXE +Ping Fix: PINGUPD.EXE +RPC Update: RPCRTUPD.EXE +TCP/IP Update: VIPUPD.EXE +Redirector Update: VRDRUPD.EXE + +Also, if using MS OutLook it is desirable to install the OLEUPD.EXE fix. This +fix may stop your machine from hanging for an extended period when exiting +OutLook and you may also notice a significant speedup when accessing network +neighborhood services. + +------------------------------------------------------------------------------- +The above password information was provided by: Jochen Huppertz <jhu@nrh.de> diff --git a/docs/textdocs/WinNT.txt b/docs/textdocs/WinNT.txt index b57abb7742e..701d3cdf1bc 100644 --- a/docs/textdocs/WinNT.txt +++ b/docs/textdocs/WinNT.txt @@ -1,6 +1,20 @@ -There are some particular issues with Samba and Windows NT +!== +!== WinNT.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributors: Various + Password Section - Copyright (C) 1997 - John H Terpstra + Printing Section - Copyright (C) 1997 - Matthew Harrell + Priting Info - Copyright (C) 1997 - Frank Varnavas +Updated: October 16, 1997 +Status: Current -===================================================================== +Subject: Samba and Windows NT Password Handling +============================================================================= + +There are some particular issues with Samba and Windows NT. + +Passwords: +========== One of the most annoying problems with WinNT is that NT refuses to connect to a server that is in user level security mode and that doesn't support password encryption unless it first prompts the user @@ -8,21 +22,34 @@ for a password. This means even if you have the same password on the NT box and the Samba server you will get prompted for a password. Entering the -correct password will get you connected. +correct password will get you connected only if Windows NT can +communicate with Samba using a compatible mode of password security. + +All versions of Windows NT prior to 4.0 Service Pack 3 could negotiate +plain text (clear text) passwords. Windows NT 4.0 Service Pack 3 changed +this default behaviour so it now will only handle encrypted passwords. +The following registry entry change will re-enable clear text password +handling: + +Run regedt32.exe and locate the hive key entry: +HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Rdr\Parameters\ + +Add the following value: + EnablePlainTextPassword:REG_DWORD=1 + +Alternatively, use the NT4_PlainPassword.reg file in this directory (either +by double clicking on it, or run regedt32.exe and select "Import Registry +File" from the "Registry" Menu). The other major ramification of this feature of NT is that it can't browse a user level non-encrypted server unless it already has a connection open. This is because there is no spot for a password prompt in the browser window. It works fine if you already have a drive mounted (for example, one auto mounted on startup). - -Samba should support encrypted passwords soon, which will solve this -problem. ===================================================================== - - -===================================================================== +Printing: +========= When you mount a printer using the print manager in NT you may find the following info from Matthew Harrell <harrell@leech.nrl.navy.mil> useful: @@ -49,8 +76,32 @@ time for the NT machine to get verification that the printer queue actually exists. I hope this helped in some way... ------------ + ===================================================================== +Printing Info: +-------------- + +From: Frank Varnavas <varnavas@ny.ubs.com> +Subject: RE: Samba as a print server + +When an NT client attempts to connect to a printer on a non-NT print +server the attempt is failed with an error, something like: + + "You have insufficient access to your computer to perform the + operation because a driver needs to be installed" + +This is because domain users must have 'Power User' status on the +desktop to connect to printers on a non-NT print server. +This error occurs regardless of whether the driver in question is +already installed or not. What it really means is that the server is +a non-NT server and the client does not have permission to create +printers locally. Apparently when a connection to a non-NT print +server is made the printer is defined locally. Such an action can be +performed by either a local administrator or a Power User. +Unfortunately there is no way to limit the powers of a Power User, nor +is there any way to grant the Printer Creation right to another group. +This permission policy is documented in PSS database WINNT, ID Q101874 +Frank Varnavas (varnavas@ny.ubs.com) diff --git a/docs/textdocs/cifsntdomain.txt b/docs/textdocs/cifsntdomain.txt new file mode 100644 index 00000000000..20ec64eda6f --- /dev/null +++ b/docs/textdocs/cifsntdomain.txt @@ -0,0 +1,1501 @@ +!== +!== cifsntdomain.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +NT Domain Authentication +------------------------ + +Authors: - Luke Kenneth Casson Leighton (lkcl@switchboard.net) +-------- - Paul Ashton (paul@argo.demon.co.uk) + - Duncan Stansfield (duncans@sco.com) + + Copyright (C) 1997 Luke Kenneth Casson Leighton + Copyright (C) 1997 Paul Ashton + Copyright (C) 1997 Duncan Stansfield + +Version: 0.024 (01Nov97) +-------- + +Distribution: Unlimited and encouraged, for the purposes of implementation +------------- and comments. Feedback welcomed by the authors. + +Liability: Absolutely none accepted implicitly or explicitly, direct +---------- or consequentially, for use, abuse, misuse, lack of use, + misunderstandings, mistakes, omissions, mis-information for + anything in or not in, related to or not related to, or + pertaining to this document, or anything else that a lawyer + can think of or not think of. + +Warning: Please bear in mind that an incorrect implementation of this +-------- protocol can cause NT workstation to fail irrevocably, for + which the authors accept no liability (see above). Please + contact your vendor if you have any problems. + +Sources: - Packet Traces from Netmonitor (Service Pack 1 and above) +-------- - Paul Ashton and Luke Leighton's other "NT Domain" doc. + - CIFS documentation - cifs6.txt + - CIFS documentation - cifsrap2.txt + +Original: http://mailhost.cb1.com/~lkcl/cifsntdomain.txt. +--------- (Controlled copy maintained by lkcl@switchboard.net) + +Credits: - Paul Ashton: loads of work with Net Monitor; +-------- understanding the NT authentication system; + reference implementation of the NT domain support on which + this document is originally based. + - Duncan Stansfield: low-level analysis of MSRPC Pipes. + - Linus Nordberg: producing c-code from Paul's crypto spec. + - Windows Sourcer development team + + +Contents: +--------- + + 1) Introduction + + 2) Structures and notes + + 2.1) Notes + 2.3) Enumerations + 2.3) Structures + + 3) Transact Named Pipe Header/Tail + + 3.1) MSRPC Pipes + 3.2) Header + 3.3) Tail + + 4) NTLSA Transact Named Pipe + + 4.1) LSA Open Policy + 4.2) LSA Query Info Policy + 4.3) LSA Enumerate Trusted Domains + 4.4) LSA Open Secret + 4.5) LSA Close + 4.6) LSA Lookup SIDS + 4.7) LSA Lookup Names + + 5) NETLOGON rpc Transact Named Pipe + + 5.1) LSA Request Challenge + 5.2) LSA Authenticate 2 + 5.3) LSA Server Password Set + 5.4) LSA SAM Logon + 5.5) LSA SAM Logoff + + 6) \\MAILSLOT\NET\NTLOGON + + 6.1) Query for PDC + 6.2) SAM Logon + + 7) SRVSVC Transact Named Pipe + + 7.1) Net Share Enum + 7.2) Net Server Get Info + + +Appendix: +--------- + + A1) Cryptographic side of NT Domain Authentication + + A1.1) Definitions + A1.2) Protocol + A1.3) Comments + + A2) SIDs and RIDs + + A2.1) Well-known SIDs + + A2.1.1) Universal well-known SIDs + A2.1.2) NT well-known SIDs + + A2.2) Well-known RIDS + + A2.2.1) Well-known RID users + A2.2.2) Well-known RID groups + A2.2.3) Well-known RID aliases + + + +1) Introduction +--------------- + + +This document contains information to provide an NT workstation with login +services, without the need for an NT server. + +It should be possible to select a domain instead of a workgroup (in the NT +workstation's TCP/IP settings) and after the obligatory reboot, type in a +username, password, select a domain and successfully log in. I would +appreciate any feedback on your experiences with this process, and any +comments, corrections and additions to this document. + + +The packets described here can be easily derived from (and are probably +better understood using) Netmon.exe. You will need to use the version +of Netmon that matches your system, in order to correctly decode the +NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from +NT Service Pack 1 and its corresponding version of Netmon. It is intended +that an annotated packet trace be produced, which will likely be more +instructive than this document. + +Also needed, to fully implement NT Domain Login Services, is the +document describing the cryptographic part of the NT authentication. +This document is available from comp.protocols.smb; from the ntsecurity.net +digest and from the samba digest, amongst other sources. + +A copy is available from: + +http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935 +http://mailhost.cb1.com/~lkcl/crypt.html + + +A c-code implementation, provided by Linus Nordberg <linus@incolumitas.se> +of this protocol is available from: + +http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html +http://mailhost.cb1.com/~lkcl/crypt.txt + + +Also used to provide debugging information is the Check Build version of +NT workstation, and enabling full debugging in NETLOGON. This is +achieved by setting the following REG_SZ registry key to 0x1ffffff: + +HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + +- Incorrect direct editing of the registry can cause your machine to fail. + Then again, so can incorrect implementation of this protocol. + See "Liability:" above. + + +Bear in mind that each packet over-the-wire will have its origin in an +API call. Therefore, there are likely to be structures, enumerations +and defines that are usefully documented elsewhere. + + +This document is by no means complete or authoritative. Missing sections +include, but are not limited to: + +- the meaning (and use by NT) of SIDs and RIDs. + +- mappings of RIDs to usernames (and vice-versa). + +- what a User ID is and what a Group ID is. + +- the exact meaning/definition of various magic constants or enumerations. + +- the reply error code and use of that error code when a workstation + becomes a member of a domain (to be described later). Failure to + return this error code will make the workstation report that it is + already a member of the domain. + +- the cryptographic side of the NetrServerPasswordSet command, which would + allow the workstation to change its password. This password is used to + generate the long-term session key. [It is possible to reject this + command, and keep the default workstation password]. + + +2) Notes and Structures +----------------------- + + +2.1) Notes +---------- + +- In the SMB Transact pipes, some "Structures", described here, appear to be + 4-byte aligned with the SMB header, at their start. Exactly which + "Structures" need aligning is not precisely known or documented. + +- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be + 2-byte aligned with the start of the mailslot, at their start. + +- Domain SID is of the format S-revision-version-auth1-auth2...authN. + e.g S-1-5-123-456-789-123-456. the 5 could be a sub-revision. + +- any undocumented buffer pointers must be non-zero if the string buffer it + refers to contains characters. exactly what value they should be is unknown. + 0x0000 0002 seems to do the trick to indicate that the buffer exists. a + NULL buffer pointer indicates that the string buffer is of zero length. + If the buffer pointer is NULL, then it is suspected that the structure it + refers to is NOT put into (or taken out of) the SMB data stream. This is + empirically derived from, for example, the LSA SAM Logon response packet, + where if the buffer pointer is NULL, the user information is not inserted + into the data stream. Exactly what happens with an array of buffer pointers + is not known, although an educated guess can be made. + +- an array of structures (a container) appears to have a count and a pointer. + if the count is zero, the pointer is also zero. no further data is put + into or taken out of the SMB data stream. if the count is non-zero, then + the pointer is also non-zero. immediately following the pointer is the + count again, followed by an array of container sub-structures. the count + appears a third time after the last sub-structure. + + +2.2) Enumerations +----------------- + +- MSRPC Header type. command number in the msrpc packet header + + MSRPC_Request: 0x00 + MSRPC_Response: 0x02 + MSRPC_Bind: 0x0B + MSRPC_BindAck: 0x0C + +- MSRPC Packet info. the meaning of these flags is undocumented + + FirstFrag: 0x01 + LastFrag: 0x02 + NotaFrag: 0x04 + RecRespond: 0x08 + NoMultiplex: 0x10 + NotForIdemp: 0x20 + NotforBcast: 0x40 + NoUuid: 0x80 + + +2.3) Structures +--------------- + +- sizeof VOID* is 32 bits. + +- sizeof char is 8 bits. + +- UTIME is 32 bits, indicating time in seconds since 01jan1970. documented + in cifs6.txt (section 3.5 page, page 30). + +- NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30). + +- DOM_SID (domain SID structure) : + + UINT32 num of sub-authorities in domain SID + UINT8 SID revision number + UINT8 num of sub-authorities in domain SID + UINT8[6] 6 bytes for domain SID - Identifier Authority. + UINT16[n_subauths] domain SID sub-authorities + + Note: the domain SID is documented elsewhere. + +- STR (string) : + + char[] null-terminated string of ascii characters. + +- UNIHDR (unicode string header) : + + UINT16 length of unicode string + UINT16 max length of unicode string + UINT32 4 - undocumented. + +- UNIHDR2 (unicode string header plus buffer pointer) : + + UNIHDR unicode string header + VOID* undocumented buffer pointer + +- UNISTR (unicode string) : + + UINT16[] null-terminated string of unicode characters. + +- NAME (length-indicated unicode string) : + + UINT32 length of unicode string + UINT16[] null-terminated string of unicode characters. + +- UNISTR2 (aligned unicode string) : + + UINT8[] padding to get unicode string 4-byte aligned + with the start of the SMB header. + UINT32 max length of unicode string + UINT32 0 - undocumented + UINT32 length of unicode string + UINT16[] string of uncode characters. + +- OBJ_ATTR (object attributes) : + + UINT32 0x18 - length (in bytes) including the length field. + VOID* 0 - root directory (pointer) + VOID* 0 - object name (pointer) + UINT32 0 - attributes (undocumented) + VOID* 0 - security descriptior (pointer) + UINT32 0 - security quality of service + +- POL_HND (LSA policy handle) : + + char[20] policy handle + +- DOM_SID2 (domain SID structure, SIDS stored in unicode) : + + UINT32 5 - SID type + UINT32 0 - undocumented + UNIHDR2 domain SID unicode string header + UNISTR domain SID unicode string + + Note: there is a conflict between the unicode string header and the + unicode string itself as to which to use to indicate string + length. this will need to be resolved. + + Note: the SID type indicates, for example, an alias; a well-known group etc. + this is documented somewhere. + +- DOM_RID (domain RID structure) : + + UINT32 5 - well-known SID. 1 - user SID (see ShowACLs) + UINT32 5 - undocumented + UINT32 domain RID + UINT32 0 - domain index out of above reference domains + + +- LOG_INFO (server, account, client structure) : + + Note: logon server name starts with two '\' characters and is upper case. + + Note: account name is the logon client name from the LSA Request Challenge, + with a $ on the end of it, in upper case. + + VOID* undocumented buffer pointer + UNISTR2 logon server unicode string + UNISTR2 account name unicode string + UINT16 sec_chan - security channel type + UNISTR2 logon client machine unicode string + +- CLNT_SRV (server, client names structure) : + + Note: logon server name starts with two '\' characters and is upper case. + + VOID* undocumented buffer pointer + UNISTR2 logon server unicode string + VOID* undocumented buffer pointer + UNISTR2 logon client machine unicode string + +- CREDS (credentials + time stamp) + + char[8] credentials + UTIME time stamp + +- CLNT_INFO2 (server, client structure, client credentials) : + + Note: whenever this structure appears in a request, you must take a copy + of the client-calculated credentials received, because they will be + used in subsequent credential checks. the presumed intention is to + maintain an authenticated request/response trail. + + CLNT_SRV client and server names + UINT8[] ???? padding, for 4-byte alignment with SMB header. + VOID* pointer to client credentials. + CREDS client-calculated credentials + client time + +- CLNT_INFO (server, account, client structure, client credentials) : + + Note: whenever this structure appears in a request, you must take a copy + of the client-calculated credentials received, because they will be + used in subsequent credential checks. the presumed intention is to + maintain an authenticated request/response trail. + + LOG_INFO logon account info + CREDS client-calculated credentials + client time + +- ID_INFO_1 (id info structure, auth level 1) : + + VOID* ptr_id_info_1 + UNIHDR domain name unicode header + UINT32 param control + UINT64 logon ID + UNIHDR user name unicode header + UNIHDR workgroup name unicode header + char[16] arc4 LM OWF Password + char[16] arc4 NT OWF Password + UNISTR2 domain name unicode string + UNISTR2 user name unicode string + UNISTR2 workstation name unicode string + +- SAM_INFO (sam logon/logoff id info structure) : + + Note: presumably, the return credentials is supposedly for the server to + verify that the credential chain hasn't been compromised. + + CLNT_INFO2 client identification/authentication info + VOID* pointer to return credentials. + CRED return credentials - ignored. + UINT16 logon level + UINT16 switch value + + switch (switch_value) + case 1: + { + ID_INFO_1 id_info_1; + } + +- GID (group id info) : + + UINT32 group id + UINT32 user attributes (only used by NT 3.1 and 3.51) + +- DOM_REF (domain reference info) : + + VOID* undocumented buffer pointer. + UINT32 num referenced domains? + VOID* undocumented domain name buffer pointer. + UINT32 32 - max number of entries + UINT32 4 - num referenced domains? + + UNIHDR2 domain name unicode string header + UNIHDR2[num_ref_doms-1] referenced domain unicode string headers + + UNISTR domain name unicode string + DOM_SID[num_ref_doms] referenced domain SIDs + +- DOM_INFO (domain info, levels 3 and 5 are the same)) : + + UINT8[] ??? padding to get 4-byte alignment with start of SMB header + UINT16 domain name string length * 2 + UINT16 domain name string length * 2 + VOID* undocumented domain name string buffer pointer + VOID* undocumented domain SID string buffer pointer + UNISTR2 domain name (unicode string) + DOM_SID domain SID + +- USER_INFO (user logon info) : + + Note: it would be nice to know what the 16 byte user session key is for. + + NTTIME logon time + NTTIME logoff time + NTTIME kickoff time + NTTIME password last set time + NTTIME password can change time + NTTIME password must change time + + UNIHDR username unicode string header + UNIHDR user's full name unicode string header + UNIHDR logon script unicode string header + UNIHDR profile path unicode string header + UNIHDR home directory unicode string header + UNIHDR home directory drive unicode string header + + UINT16 logon count + UINT16 bad password count + + UINT32 User ID + UINT32 Group ID + UINT32 num groups + VOID* undocumented buffer pointer to groups. + + UINT32 user flags + char[16] user session key + + UNIHDR logon server unicode string header + UNIHDR logon domain unicode string header + VOID* undocumented logon domain id pointer + char[40] 40 undocumented padding bytes. future expansion? + + UINT32 0 - num_other_sids? + VOID* NULL - undocumented pointer to other domain SIDs. + + UNISTR2 username unicode string + UNISTR2 user's full name unicode string + UNISTR2 logon script unicode string + UNISTR2 profile path unicode string + UNISTR2 home directory unicode string + UNISTR2 home directory drive unicode string + + UINT32 num groups + GID[num_groups] group info + + UNISTR2 logon server unicode string + UNISTR2 logon domain unicode string + + DOM_SID domain SID + DOM_SID[num_sids] other domain SIDs? + +- SH_INFO_1_PTR (pointers to level 1 share info strings): + +Note: see cifsrap2.txt section5, page 10. + + 0 for shi1_type indicates a Disk. + 1 for shi1_type indicates a Print Queue. + 2 for shi1_type indicates a Device. + 3 for shi1_type indicates an IPC pipe. + 0x8000 0000 (top bit set in shi1_type) indicates a hidden share. + + VOID* shi1_netname - pointer to net name + UINT32 shi1_type - type of share. 0 - undocumented. + VOID* shi1_remark - pointer to comment. + +- SH_INFO_1_STR (level 1 share info strings) : + + UNISTR2 shi1_netname - unicode string of net name + UNISTR2 shi1_remark - unicode string of comment. + +- SHARE_INFO_1_CTR : + + share container with 0 entries: + + UINT32 0 - EntriesRead + UINT32 0 - Buffer + + share container with > 0 entries: + + UINT32 EntriesRead + UINT32 non-zero - Buffer + UINT32 EntriesRead + + SH_INFO_1_PTR[EntriesRead] share entry pointers + SH_INFO_1_STR[EntriesRead] share entry strings + + UINT8[] padding to get unicode string 4-byte + aligned with start of the SMB header. + UINT32 EntriesRead + UINT32 0 - padding + +- SERVER_INFO_101 : + +Note: see cifs6.txt section 6.4 - the fields described therein will be + of assistance here. for example, the type listed below is the + same as fServerType, which is described in 6.4.1. + + SV_TYPE_WORKSTATION 0x00000001 All workstations + SV_TYPE_SERVER 0x00000002 All servers + SV_TYPE_SQLSERVER 0x00000004 Any server running with SQL + server + SV_TYPE_DOMAIN_CTRL 0x00000008 Primary domain controller + SV_TYPE_DOMAIN_BAKCTRL 0x00000010 Backup domain controller + SV_TYPE_TIME_SOURCE 0x00000020 Server running the timesource + service + SV_TYPE_AFP 0x00000040 Apple File Protocol servers + SV_TYPE_NOVELL 0x00000080 Novell servers + SV_TYPE_DOMAIN_MEMBER 0x00000100 Domain Member + SV_TYPE_PRINTQ_SERVER 0x00000200 Server sharing print queue + SV_TYPE_DIALIN_SERVER 0x00000400 Server running dialin service. + SV_TYPE_XENIX_SERVER 0x00000800 Xenix server + SV_TYPE_NT 0x00001000 NT server + SV_TYPE_WFW 0x00002000 Server running Windows for + + SV_TYPE_SERVER_NT 0x00008000 Windows NT non DC server + SV_TYPE_POTENTIAL_BROWSER 0x00010000 Server that can run the browser + service + SV_TYPE_BACKUP_BROWSER 0x00020000 Backup browser server + SV_TYPE_MASTER_BROWSER 0x00040000 Master browser server + SV_TYPE_DOMAIN_MASTER 0x00080000 Domain Master Browser server + SV_TYPE_LOCAL_LIST_ONLY 0x40000000 Enumerate only entries marked + "local" + SV_TYPE_DOMAIN_ENUM 0x80000000 Enumerate Domains. The pszServer + and pszDomain parameters must be + NULL. + + UINT32 500 - platform_id + VOID* pointer to name + UINT32 5 - major version + UINT32 4 - minor version + UINT32 type (SV_TYPE_... bit field) + VOID* pointer to comment + + UNISTR2 sv101_name - unicode string of server name + UNISTR2 sv_101_comment - unicode string of server comment. + + UINT8[] padding to get unicode string 4-byte + aligned with start of the SMB header. + + + +3) MSRPC over Transact Named Pipe +--------------------------------- + +For details on the SMB Transact Named Pipe, see cifs6.txt + + +3.1) MSRPC Pipes +---------------- + +The MSRPC is conducted over an SMB Transact Pipe with a name of "\PIPE\". +You must first obtain a 16 bit file handle, by sending a SMBopenX with the +pipe name "\PIPE\srvsvc" for example. You can then perform an SMB Trans, +and must carry out an SMBclose on the file handle once you are finished. + +Trans Requests must be sent with two setup UINT16s, no UINT16 params (none +known about), and UINT8 data parameters sufficient to contain the MSRPC +header, and MSRPC data. The first UINT16 setup parameter must be either +0x0026 to indicate an RPC, or 0x0001 to indicate Set Named Pipe Handle +state. The second UINT16 parameter must be the file handle for the pipe, +obtained above. + +The Data section for an API Command of 0x0026 (RPC pipe) in the Trans +Request is the RPC Header, followed by the RPC Data. The Data section for +an API Command of 0x0001 (Set Named Pipe Handle state) is two bytes. The +only value seen for these two bytes is 0x00 0x43. + + +MSRPC Responses are sent as response data inside standard SMB Trans +responses, with the MSRPC Header, MSRPC Data and MSRPC tail. + + +It is suspected that the Trans Requests will need to be at least 2-byte +aligned (probably 4-byte). This is standard practice for SMBs. It is also +independent of the observed 4-byte alignments with the start of the MSRPC +header, including the 4-byte alignment between the MSRPC header and the +MSRPC data. + + +First, an SMBtconX connection is made to the IPC$ share. The connection +must be made using encrypted passwords, not clear-text. Then, an SMBopenX +is made on the pipe. Then, a Set Named Pipe Handle State must be sent, +after which the pipe is ready to accept API commands. Lastly, and SMBclose +is sent. + + +To be resolved: + + lkcl/01nov97 there appear to be two additional bytes after the null- + terminated \PIPE\ name for the RPC pipe. Values seen so far are + listed below: + + initial SMBopenX request: RPC API command 0x26 params: + + "\\PIPE\\lsarpc" 0x65 0x63; 0x72 0x70; 0x44 0x65; + "\\PIPE\\srvsvc" 0x73 0x76; 0x4E 0x00; 0x5C 0x43; + + +3.2) Header +----------- + +[section to be rewritten, following receipt of work by Duncan Stansfield] + + +Interesting note: if you set packed data representation to 0x0100 0000 +then all 4-byte and 2-byte word ordering is turned around! + +The start of each of the NTLSA and NETLOGON named pipes begins with: + +00 UINT8 5 - RPC major version +01 UINT8 0 - RPC minor version +02 UINT8 2 - RPC response packet +03 UINT8 3 - (FirstFrag bit-wise or with LastFrag) +04 UINT32 0x1000 0000 - packed data representation +08 UINT16 fragment length - data size (bytes) inc header and tail. +0A UINT16 0 - authentication length +0C UINT32 call identifier. matches 12th UINT32 of incoming RPC data. +10 UINT32 allocation hint - data size (bytes) minus header and tail. +14 UINT16 0 - presentation context identifier +16 UINT8 0 - cancel count +17 UINT8 in replies: 0 - reserved; in requests: opnum - see #defines. +18 ...... start of data (goes on for allocation_hint bytes) + + +RPC_Packet for request, response, bind and bind acknowledgement. +{ + + UINT8 versionmaj # reply same as request (0x05) + UINT8 versionmin # reply same as request (0x00) + UINT8 type # one of the MSRPC_Type enums + UINT8 flags # reply same as request (0x00 for Bind, 0x03 for Request) + UINT32 representation # reply same as request (0x00000010) + UINT16 fraglength # the length of the data section of the SMB trans packet + UINT16 authlength + UINT32 callid # call identifier. (e.g. 0x00149594) + + * stub USE TvPacket # the remainder of the packet depending on the "type" +} + + +# the interfaces are numbered. as yet I haven't seen more than one interface +# used on the same pipe name +# srvsvc +# abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003) +# transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002) +RPC_Iface RW +{ + UINT8 byte[16] # 16 bytes of number + UINT32 version # the interface number +} + + +# the remainder of the packet after the header if "type" was Bind +# in the response header, "type" should be BindAck +RPC_ReqBind RW +{ + UINT16 maxtsize # maximum transmission fragment size (0x1630) + UINT16 maxrsize # max receive fragment size (0x1630) + UINT32 assocgid # associated group id (0x0) + UINT32 numelements # the number of elements (0x1) + UINT16 contextid # presentation context identifier (0x0) + UINT8 numsyntaxes # the number of syntaxes (has always been 1?)(0x1) + UINT8[] # 4-byte alignment padding, against SMB header + + * abstractint USE RPC_Iface # num and vers. of interface client is using + * transferint USE RPC_Iface # num and vers. of interface to use for replies +} + + +RPC_Address RW +{ + UINT16 length # length of the string including null terminator + * port USE string # the string above in single byte, null terminated form +} + + +# the response to place after the header in the reply packet +RPC_ResBind RW +{ + UINT16 maxtsize # same as request + UINT16 maxrsize # same as request + UINT32 assocgid # zero + + * secondaddr USE RPC_Address # the address string, as described earlier + + UINT8[] # 4-byte alignment padding, against SMB header + + UINT8 numresults # the number of results (0x01) + + UINT8[] # 4-byte alignment padding, against SMB header + UINT16 result # result (0x00 = accept) + UINT16 reason # reason (0x00 = no reason specified) + + * transfersyntax USE RPC_Iface # the transfer syntax from the request +} + + +# the remainder of the packet after the header for every other other +# request +RPC_ReqNorm RW +{ + UINT32 allochint # the size of the stub data in bytes + UINT16 prescontext # presentation context identifier (0x0) + UINT16 opnum # operation number (0x15) + + * stub USE TvPacket # a packet dependent on the pipe name + # (probably the interface) and the op number) +} + + +# response to a request +RPC_ResNorm RW +{ + UINT32 allochint # size of the stub data in bytes + UINT16 prescontext # presentation context identifier (same as request) + UINT8 cancelcount # cancel count? (0x0) + UINT8 reserved # 0 - one byte padding + + * stub USE TvPacket # the remainder of the reply +} + + +3.3) Tail +--------- + +The end of each of the NTLSA and NETLOGON named pipes ends with: + + ...... end of data + UINT32 return code + + + +3.4 RPC Bind / Bind Ack +----------------------- + +RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc) +with a "transfer syntax" (see RPC_Iface structure). The purpose for doing +this is unknown. + +Note: The RPC_ResBind SMB Transact request is sent with two uint16 setup + parameters. The first is 0x0026; the second is the file handle + returned by the SMBopenX Transact response. + +Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the + same in the response as the same members in the RPC_ReqBind. The + RPC_ResBind member transfersyntax is the same in the response as + the + +Note: The RPC_ResBind response member secondaddr contains the name + of what is presumed to be the service behind the RPC pipe. The + mapping identified so far is: + + initial SMBopenX request: RPC_ResBind response: + + "\\PIPE\\srvsvc" "\\PIPE\\ntsvcs" + "\\PIPE\\samr" "\\PIPE\\lsass" + "\\PIPE\\lsarpc" "\\PIPE\\lsass" + "\\PIPE\\wkssvc" "\\PIPE\\wksvcs" + "\\PIPE\\NETLOGON" "\\PIPE\\NETLOGON" + +Note: The RPC_Packet fraglength member in both the Bind Request and Bind + Acknowledgment must contain the length of the entire RPC data, + including the RPC_Packet header. + +Request: + + RPC_Packet + RPC_ReqBind + +Response: + + RPC_Packet + RPC_ResBind + + + +4) NTLSA Transact Named Pipe +---------------------------- + +The sequence of actions taken on this pipe are: + +- Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords. +- Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle. +- Using the file handle, send a Set Named Pipe Handle state to 0x4300. +- Send an LSA Open Policy request. Store the Policy Handle. +- Using the Policy Handle, send LSA Query Info Policy requests, etc. +- Using the Policy Handle, send an LSA Close. +- Close the IPC$ share. + + +Defines for this pipe, identifying the query are: + +- LSA Open Policy: 0x2c +- LSA Query Info Policy: 0x07 +- LSA Enumerate Trusted Domains: 0x0d +- LSA Open Secret: 0xff +- LSA Lookup SIDs: 0xfe +- LSA Lookup Names: 0xfd +- LSA Close: 0x00 + + +4.1) LSA Open Policy +-------------------- + +Note: The policy handle can be anything you like. + +Request: + + VOID* buffer pointer + UNISTR2 server name - unicode string starting with two '\'s + OBJ_ATTR object attributes + UINT32 1 - desired access + +Response: + + POL_HND LSA policy handle + + return 0 - indicates success + + +4.2) LSA Query Info Policy +-------------------------- + +Note: The info class in response must be the same as that in the request. + +Request: + + POL_HND LSA policy handle + UINT16 info class (also a policy handle?) + +Response: + + VOID* undocumented buffer pointer + UINT16 info class (same as info class in request). + + switch (info class) + case 3: + case 5: + { + DOM_INFO domain info, levels 3 and 5 (are the same). + } + + return 0 - indicates success + + +4.3) LSA Enumerate Trusted Domains +---------------------------------- + +Request: + + no extra data + +Response: + + UINT32 0 - enumeration context + UINT32 0 - entries read + UINT32 0 - trust information + + return 0x8000 001a - "no trusted domains" success code + + +4.4) LSA Open Secret +-------------------- + +Request: + + no extra data + +Response: + + UINT32 0 - undocumented + UINT32 0 - undocumented + UINT32 0 - undocumented + UINT32 0 - undocumented + UINT32 0 - undocumented + + return 0x0C00 0034 - "no such secret" success code + + +4.5) LSA Close +-------------- + +Request: + + POL_HND policy handle to be closed + +Response: + + POL_HND 0s - closed policy handle (all zeros) + + return 0 - indicates success + + +4.6) LSA Lookup SIDS +-------------------- + +Note: num_entries in response must be same as num_entries in request. + +Request: + + POL_HND LSA policy handle + UINT32 num_entries + VOID* undocumented domain SID buffer pointer + VOID* undocumented domain name buffer pointer + VOID*[num_entries] undocumented domain SID pointers to be looked up. + DOM_SID[num_entries] domain SIDs to be looked up. + char[16] completely undocumented 16 bytes. + +Response: + + DOM_REF domain reference response + + UINT32 num_entries (listed above) + VOID* undocumented buffer pointer + + UINT32 num_entries (listed above) + DOM_SID2[num_entries] domain SIDs (from Request, listed above). + + UINT32 num_entries (listed above) + + return 0 - indicates success + + +4.7) LSA Lookup Names +--------------------- + +Note: num_entries in response must be same as num_entries in request. + +Request: + + POL_HND LSA policy handle + UINT32 num_entries + UINT32 num_entries + VOID* undocumented domain SID buffer pointer + VOID* undocumented domain name buffer pointer + NAME[num_entries] names to be looked up. + char[] undocumented bytes - falsely translated SID structure? + +Response: + + DOM_REF domain reference response + + UINT32 num_entries (listed above) + VOID* undocumented buffer pointer + + UINT32 num_entries (listed above) + DOM_RID[num_entries] domain SIDs (from Request, listed above). + + UINT32 num_entries (listed above) + + return 0 - indicates success + + + +5) NETLOGON rpc Transact Named Pipe +----------------------------------- + +The sequence of actions taken on this pipe are: + +- Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords. +- Open an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle. +- Using the file handle, send a Set Named Pipe Handle state to 0x4300. +- Create Client Challenge. Send LSA Request Challenge. Store Server Challenge. +- Calculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge. +- Calc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds. +- Calc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds. +- Calc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds. +- Close the IPC$ share. + + +Defines for this pipe, identifying the query are: + +- LSA Request Challenge: 0x04 +- LSA Server Password Set: 0x06 +- LSA SAM Logon: 0x02 +- LSA SAM Logoff: 0x03 +- LSA Auth 2: 0x0f +- LSA Logon Control: 0x0e + + +5.1) LSA Request Challenge +-------------------------- + +Note: logon server name starts with two '\' characters and is upper case. + +Note: logon client is the machine, not the user. + +Note: the initial LanManager password hash, against which the challenge + is issued, is the machine name itself (lower case). there will be + calls issued (LSA Server Password Set) which will change this, later. + refusing these calls allows you to always deal with the same password + (i.e the LM# of the machine name in lower case). + +Request: + + VOID* undocumented buffer pointer + UNISTR2 logon server unicode string + UNISTR2 logon client unicode string + char[8] client challenge + +Response: + + char[8] server challenge + + return 0 - indicates success + + + +5.2) LSA Authenticate 2 +----------------------- + +Note: in between request and response, calculate the client credentials, + and check them against the client-calculated credentials (this + process uses the previously received client credentials). + +Note: neg_flags in the response is the same as that in the request. + +Note: you must take a copy of the client-calculated credentials received + here, because they will be used in subsequent authentication packets. + +Request: + + LOG_INFO client identification info + + char[8] client-calculated credentials + UINT8[] padding to 4-byte align with start of SMB header. + UINT32 neg_flags - negotiated flags (usual value is 0x0000 01ff) + +Response: + + char[8] server credentials. + UINT32 neg_flags - same as neg_flags in request. + + return 0 - indicates success. failure value unknown. + + +5.3) LSA Server Password Set +---------------------------- + +Note: the new password is suspected to be a DES encryption using the old + password to generate the key. + +Note: in between request and response, calculate the client credentials, + and check them against the client-calculated credentials (this + process uses the previously received client credentials). + +Note: the server credentials are constructed from the client-calculated + credentials and the client time + 1 second. + +Note: you must take a copy of the client-calculated credentials received + here, because they will be used in subsequent authentication packets. + +Request: + + CLNT_INFO client identification/authentication info + char[] new password - undocumented. + +Response: + + CREDS server credentials. server time stamp appears to be ignored. + + return 0 - indicates success; 0xC000 006a indicates failure + + +5.4) LSA SAM Logon +------------------ + +Note: valid_user is True iff the username and password hash are valid for + the requested domain. + +Request: + + SAM_INFO sam_id structure + +Response: + + VOID* undocumented buffer pointer + CREDS server credentials. server time stamp appears to be ignored. + + if (valid_user) + { + UINT16 3 - switch value indicating USER_INFO structure. + VOID* non-zero - pointer to USER_INFO structure + USER_INFO user logon information + + UINT32 1 - Authoritative response; 0 - Non-Auth? + + return 0 - indicates success + } + else + { + UINT16 0 - switch value. value to indicate no user presumed. + VOID* 0x0000 0000 - indicates no USER_INFO structure. + + UINT32 1 - Authoritative response; 0 - Non-Auth? + + return 0xC000 0064 - NT_STATUS_NO_SUCH_USER. + } + + +5.5) LSA SAM Logoff +-------------------- + +Note: presumably, the SAM_INFO structure is validated, and a (currently + undocumented) error code returned if the Logoff is invalid. + +Request: + + SAM_INFO sam_id structure + +Response: + + VOID* undocumented buffer pointer + CREDS server credentials. server time stamp appears to be ignored. + + return 0 - indicates success. undocumented failure indication. + + +6) \\MAILSLOT\NET\NTLOGON +------------------------- + +Note: mailslots will contain a response mailslot, to which the response + should be sent. the target NetBIOS name is REQUEST_NAME<20>, where + REQUEST_NAME is the name of the machine that sent the request. + + +6.1) Query for PDC +------------------ + +Note: NTversion, LMNTtoken, LM20token in response are the same as those + given in the request. + +Request: + + UINT16 0x0007 - Query for PDC + STR machine name + STR response mailslot + UINT8[] padding to 2-byte align with start of mailslot. + UNISTR machine name + UINT32 NTversion + UINT16 LMNTtoken + UINT16 LM20token + +Response: + + UINT16 0x000A - Respose to Query for PDC + STR machine name (in uppercase) + UINT8[] padding to 2-byte align with start of mailslot. + UNISTR machine name + UNISTR domain name + UINT32 NTversion (same as received in request) + UINT16 LMNTtoken (same as received in request) + UINT16 LM20token (same as received in request) + + +6.2) SAM Logon +-------------- + +Note: machine name in response is preceded by two '\' characters. + +Note: NTversion, LMNTtoken, LM20token in response are the same as those + given in the request. + +Note: user name in the response is presumably the same as that in the request. + +Request: + + UINT16 0x0012 - SAM Logon + UINT16 request count + UNISTR machine name + UNISTR user name + STR response mailslot + UINT32 alloweable account + UINT32 domain SID size + char[sid_size] domain SID, of sid_size bytes. + UINT8[] ???? padding to 4? 2? -byte align with start of mailslot. + UINT32 NTversion + UINT16 LMNTtoken + UINT16 LM20token + +Response: + + UINT16 0x0013 - Response to SAM Logon + UNISTR machine name + UNISTR user name - workstation trust account + UNISTR domain name + UINT32 NTversion + UINT16 LMNTtoken + UINT16 LM20token + + + +7) SRVSVC Transact Named Pipe +----------------------------- + + +Defines for this pipe, identifying the query are: + +- Net Share Enum : 0x0f +- Net Server Get Info : 0x15 + + +7.1) Net Share Enum +------------------ + +Note: share level and switch value in the response are presumably the + same as those in the request. + +Note: cifsrap2.txt (section 5) may be of limited assistance here. + +Request: + + VOID* pointer (to server name?) + UNISTR2 server name + + UINT8[] padding to get unicode string 4-byte aligned + with the start of the SMB header. + + UINT32 share level + UINT32 switch value + + VOID* pointer to SHARE_INFO_1_CTR + SHARE_INFO_1_CTR share info with 0 entries + + UINT32 preferred maximum length (0xffff ffff) + +Response: + + UINT32 share level + UINT32 switch value + + VOID* pointer to SHARE_INFO_1_CTR + SHARE_INFO_1_CTR share info (only added if share info ptr is non-zero) + + return 0 - indicates success + + +7.2) Net Server Get Info +------------------ + +Note: level is the same value as in the request. + +Request: + + UNISTR2 server name + UINT32 switch level + +Response: + + UINT32 switch level + VOID* pointer to SERVER_INFO_101 + + SERVER_INFO_101 server info (only added if server info ptr is non-zero) + + return 0 - indicates success + + + +Appendix +-------- + +A1) Cryptographic side of NT Domain Authentication +-------------------------------------------------- + + +A1.1) Definitions +----------------- + +Add(A1,A2): Intel byte ordered addition of corresponding 4 byte words +in arrays A1 and A2 + +E(K,D): DES ECB encryption of 8 byte data D using 7 byte key K + +lmowf(): Lan man hash + +ntowf(): NT hash + +PW: md4(machine_password) == md4(lsadump $machine.acc) == +pwdump(machine$) (initially) == md4(lmowf(unicode(machine))) + +ARC4(K,Lk,D,Ld): ARC4 encryption of data D of length Ld with key K of +length Lk + +v[m..n(,l)]: subset of v from bytes m to n, optionally padded with +zeroes to length l + +Cred(K,D): E(K[7..7,7],E(K[0..6],D)) computes a credential + +Time(): 4 byte current time + +Cc,Cs: 8 byte client and server challenges Rc,Rs: 8 byte client and +server credentials + + +A1.2) Protocol +-------------- + +C->S ReqChal,Cc S->C Cs + +C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs))) + +C: Rc = Cred(Ks,Cc) C->S Authenticate,Rc S: Rs = Cred(Ks,Cs), +assert(Rc == Cred(Ks,Cc)) S->C Rs C: assert(Rs == Cred(Ks,Cs)) + +On joining the domain the client will optionally attempt to change its +password and the domain controller may refuse to update it depending +on registry settings. This will also occur weekly afterwards. + +C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S ServerPasswordSet,Rc',Tc, +arc4(Ks[0..7,16],lmowf(randompassword()) C: Rc = Cred(Ks,Rc+Tc+1) S: +assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time() S: Rs' = Cred(Ks,Rs+Tc+1) +S->C Rs',Ts C: assert(Rs' == Cred(Ks,Rs+Tc+1)) S: Rs = Rs' + +User: U with password P wishes to login to the domain (incidental data +such as workstation and domain omitted) + +C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc) C->S NetLogonSamLogon,Rc',Tc,U, +arc4(Ks[0..7,16],16,ntowf(P),16), arc4(Ks[0..7,16],16,lmowf(P),16) S: +assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM) S: +Ts = Time() + +S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc) C: +assert(Rs == Cred(Ks,Cred(Rc+Tc+1)) C: Rc = Cred(Ks,Rc+Tc+1) + + +A1.3) Comments +-------------- + +On first joining the domain the session key could be computed by +anyone listening in on the network as the machine password has a well +known value. Until the machine is rebooted it will use this session +key to encrypt NT and LM one way functions of passwords which are +password equivalents. Any user who logs in before the machine has been +rebooted a second time will have their password equivalent exposed. Of +course the new machine password is exposed at this time anyway. + +None of the returned user info such as logon script, profile path and +SIDs *appear* to be protected by anything other than the TCP checksum. + +The server time stamps appear to be ignored. + +The client sends a ReturnAuthenticator in the SamLogon request which I +can't find a use for. However its time is used as the timestamp +returned by the server. + +The password OWFs should NOT be sent over the network reversibly +encrypted. They should be sent using ARC4(Ks,md4(owf)) with the server +computing the same function using the owf values in the SAM. + + +A2) SIDs and RIDs +----------------- + +SIDs and RIDs are well documented elsewhere. + +A SID is an NT Security ID (see DOM_SID structure). They are of the form: + + S-revision-NN-SubAuth1-SubAuth2-SubAuth3... + S-revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3... + +currently, the SID revision is 1. +The Sub-Authorities are known as Relative IDs (RIDs). + + +A2.1) Well-known SIDs +--------------------- + + +A2.1.1) Universal well-known SIDs +--------------------------------- + + Null SID S-1-0-0 + World S-1-1-0 + Local S-1-2-0 + Creator Owner ID S-1-3-0 + Creator Group ID S-1-3-1 + Creator Owner Server ID S-1-3-2 + Creator Group Server ID S-1-3-3 + + (Non-unique IDs) S-1-4 + + +A2.1.2) NT well-known SIDs +-------------------------- + + NT Authority S-1-5 + Dialup S-1-5-1 + + Network S-1-5-2 + Batch S-1-5-3 + Interactive S-1-5-4 + Service S-1-5-6 + AnonymousLogon S-1-5-7 (aka null logon session) + Proxy S-1-5-8 + ServerLogon S-1-5-8 (aka domain controller account) + + (Logon IDs) S-1-5-5-X-Y + + (NT non-unique IDs) S-1-5-0x15-... + + (Built-in domain) s-1-5-0x20 + + + +A2.2) Well-known RIDS +--------------------- + +A RID is a sub-authority value, as part of either a SID, or in the case +of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1 +structure, in the LSA SAM Logon response. + + +A2.2.1) Well-known RID users +---------------------------- + + DOMAIN_USER_RID_ADMIN 0x0000 01F4 + DOMAIN_USER_RID_GUEST 0x0000 01F5 + + + +A2.2.2) Well-known RID groups +---------------------------- + + DOMAIN_GROUP_RID_ADMINS 0x0000 0200 + DOMAIN_GROUP_RID_USERS 0x0000 0201 + DOMAIN_GROUP_RID_GUESTS 0x0000 0202 + + + +A2.2.3) Well-known RID aliases +------------------------------ + + DOMAIN_ALIAS_RID_ADMINS 0x0000 0220 + DOMAIN_ALIAS_RID_USERS 0x0000 0221 + DOMAIN_ALIAS_RID_GUESTS 0x0000 0222 + DOMAIN_ALIAS_RID_POWER_USERS 0x0000 0223 + + DOMAIN_ALIAS_RID_ACCOUNT_OPS 0x0000 0224 + DOMAIN_ALIAS_RID_SYSTEM_OPS 0x0000 0225 + DOMAIN_ALIAS_RID_PRINT_OPS 0x0000 0226 + DOMAIN_ALIAS_RID_BACKUP_OPS 0x0000 0227 + + DOMAIN_ALIAS_RID_REPLICATOR 0x0000 0228 + + diff --git a/docs/textdocs/security_level.txt b/docs/textdocs/security_level.txt new file mode 100644 index 00000000000..59e91b3c5a8 --- /dev/null +++ b/docs/textdocs/security_level.txt @@ -0,0 +1,99 @@ +!== +!== security_level.txt for Samba release 2.0.0-alpha11 09 Oct 1998 +!== +Contributor: Andrew Tridgell +Updated: June 27, 1997 +Status: Current + +Subject: Description of SMB security levels. +=========================================================================== + +Samba supports the following options to the global smb.conf parameter +"security =": + share, user, server + +Of the above, "security = server" means that Samba reports to clients that +it is running in "user mode" but actually passes off all authentication +requests to another "user mode" server. This requires an additional +parameter "password server =" that points to the real authentication server. +That real authentication server can be another Samba server or can be a +Windows NT server, the later natively capable of encrypted password support. + +Below is a more complete description of security levels. +=========================================================================== + +A SMB server tells the client at startup what "security level" it is +running. There are two options "share level" and "user level". Which +of these two the client receives affects the way the client then tries +to authenticate itself. It does not directly affect (to any great +extent) the way the Samba server does security. I know this is +strange, but it fits in with the client/server approach of SMB. In SMB +everything is initiated and controlled by the client, and the server +can only tell the client what is available and whether an action is +allowed. + +I'll describe user level security first, as its simpler. In user level +security the client will send a "session setup" command directly after +the protocol negotiation. This contains a username and password. The +server can either accept or reject that username/password +combination. Note that at this stage the server has no idea what +share the client will eventually try to connect to, so it can't base +the "accept/reject" on anything other than: + +- the username/password +- the machine that the client is coming from + +If the server accepts the username/password then the client expects to +be able to mount any share (using a "tree connection") without +specifying a password. It expects that all access rights will be as +the username/password specified in the "session setup". + +It is also possible for a client to send multiple "session setup" +requests. When the server responds it gives the client a "uid" to use +as an authentication tag for that username/password. The client can +maintain multiple authentication contexts in this way (WinDD is an +example of an application that does this) + + +Ok, now for share level security. In share level security (the default +with samba) the client authenticates itself separately for each +share. It will send a password along with each "tree connection" +(share mount). It does not explicitly send a username with this +operation. The client is expecting a password to be associated with +each share, independent of the user. This means that samba has to work +out what username the client probably wants to use. It is never +explicitly sent the username. Some commercial SMB servers such as NT actually +associate passwords directly with shares in share level security, but +samba always uses the unix authentication scheme where it is a +username/password that is authenticated, not a "share/password". + +Many clients send a "session setup" even if the server is in share +level security. They normally send a valid username but no +password. Samba records this username in a list of "possible +usernames". When the client then does a "tree connection" it also adds +to this list the name of the share they try to connect to (useful for +home directories) and any users listed in the "user =" smb.conf +line. The password is then checked in turn against these "possible +usernames". If a match is found then the client is authenticated as +that user. + +Finally "server level" security. In server level security the samba +server reports to the client that it is in user level security. The +client then does a "session setup" as described earlier. The samba +server takes the username/password that the client sends and attempts +to login to the "password server" by sending exactly the same +username/password that it got from the client. If that server is in +user level security and accepts the password then samba accepts the +clients connection. This allows the samba server to use another SMB +server as the "password server". + +You should also note that at the very start of all this, where the +server tells the client what security level it is in, it also tells +the client if it supports encryption. If it does then it supplies the +client with a random "cryptkey". The client will then send all +passwords in encrypted form. You have to compile samba with encryption +enabled to support this feature, and you have to maintain a separate +smbpasswd file with SMB style encrypted passwords. It is +cryptographically impossible to translate from unix style encryption +to SMB style encryption, although there are some fairly simple management +schemes by which the two could be kept in sync. diff --git a/docs/yodldocs/make_smbcodepage.1.yo b/docs/yodldocs/make_smbcodepage.1.yo new file mode 100644 index 00000000000..1194a2909b0 --- /dev/null +++ b/docs/yodldocs/make_smbcodepage.1.yo @@ -0,0 +1,131 @@ +mailto(samba-bugs@samba.anu.edu.au) + +manpage(make_smbcodepage)(1)(23 Oct 1998)(Samba)(SAMBA) + +manpagename(make_codepage)(Construct a codepage file for Samba) + +manpagesynopsis() + +bf(make_smbcodepage) [c|d] codepage inputfile outputfile + +manpagedescription() + +This program is part of the bf(Samba) suite. + +bf(make_smbcodepage) compiles or de-compiles codepage files for use +with the internationalization features of Samba 2.0 + +manpageoptions() + +startdit() + +dit(c|d) This tells make_smbcodepage if it is compiling (c) a text +format code page file to binary, or (d) de-compiling a binary codepage +file to text. + +dit(codepage) This is the codepage we are processing (a number, eg. 850). + +dit(inputfile) This is the input file to process. In the 'c' case this +will be a text codepage definition file such as the ones found in the +Samba em(source/codepages) directory. In the 'd' case this will be the +binary format codepage definition file normally found in the +em(lib/codepages) directory in the Samba install directory path. + +dit(outputfile) This is the output file to produce. + +endit() + +manpagesection(Samba Codepage files) + +A text Samba codepage definition file is a description that tells +Samba how to map from upper to lower case for characters greater than +ascii 127 in the specified DOS code page. Note that for certain DOS +codepages (437 for example) mapping from lower to upper case may be +asynchronous. For example, in code page 437 lower case a acute maps to +a plain upper case A when going from lower to upper case, but maps +from plain upper case A to plain lower case a when lower casing a +character. + +A binary Samba codepage definition file is a binary representation of +the same information, including a value that specifies what codepage +this file is describing. + +As Samba does not yet use UNICODE (current for Samba version 2.0) you +must specify the client code page that your DOS and Windows clients +are using if you wish to have case insensitivity done correctly for +your particular language. The default codepage Samba uses is 850 +(Western European). Text codepage definition sample files are +provided in the Samba distribution for codepages 437 (USA), 737 +(Greek), 850 (Western European) 852 (MS-DOS Latin 2), 861 (Icelandic), +866 (Cyrillic), 932 (Kanji SJIS), 936 (Simplified Chinese), 949 +(Hangul) and 950 (Traditional Chinese). Users are encouraged to write +text codepage definition files for their own code pages and donate +them to email(samba-bugs@samba.anu.edu.au). All codepage files in the +Samba em(source/codepages) directory are compiled and installed when a +em('make install') command is issued there. + +manpagefiles() + +bf(codepage_def.<codepage>) + +These are the input (text) codepage files provided in the Samba +em(source/codepages) directory. + +A text codepage definition file consists of multiple lines +containing four fields. These fields are : + +startit() + +it() bf(lower): which is the (hex) lower case character mapped on this +line. + +it() bf(upper): which is the (hex) upper case character that the lower +case character will map to. + +it() bf(map upper to lower) which is a boolean value (put either True +or False here) which tells Samba if it is to map the given upper case +character to the given lower case character when lower casing a +filename. + +it() bf(map lower to upper) which is a boolean value (put either True +or False here) which tells Samba if it is to map the given lower case +character to the given upper case character when upper casing a +filename. + +endit() + +bf(codepage.<codepage>) These are the output (binary) codepage files +produced and placed in the Samba destination em(lib/codepage) +directory. + +manpagesection(INSTALLATION) + +The location of the server and its support files is a matter for +individual system administrators. The following are thus suggestions +only. + +It is recommended that the bf(make_smbcodepage) program be installed +under the em(/usr/local/samba) hierarchy, in a directory readable by +all, writeable only by root. The program itself should be executable +by all. The program should NOT be setuid or setgid! + +manpagesection(VERSION) + +This man page is correct for version 2.0 of the Samba +suite, plus some of the recent patches to it. These notes will +necessarily lag behind development of the software, so it is possible +that your version of the program has extensions or parameter semantics +that differ from or are not covered by this man page. Please notify +these to the address below for rectification. + +manpageseealso() + +bf(smb.conf)(5), bf(smbd) (8) + +manpageauthor() + +The bf(make_smbcodepage) program was written by Jeremy Allison (email +email(samba-bugs@samba.anu.edu.au)) as part of the +internationalization effort of the Samba software package. + +Please send bug reports to email(samba-bugs@samba.anu.edu.au). diff --git a/docs/yodldocs/samba.7.yo b/docs/yodldocs/samba.7.yo new file mode 100644 index 00000000000..e13caff0449 --- /dev/null +++ b/docs/yodldocs/samba.7.yo @@ -0,0 +1,116 @@ +mailto(samba-bugs@samba.anu.edu.au) +manpage(samba)(7)(23 Oct 1998)()() +manpagename(Samba)(A Windows fileserver for UNIX) +manpagesynopsis() +bf(Samba) + + +manpagedescription() + +The Samba software suite is a collection of programs that implements +the Server Message Block(commenly abbreviated as SMB) protocol for +UNIX systems. This protocol is sometimes also referred to as the +Common Internet File System (CIFS), LanManager or NetBIOS protocol. + +manpagesection(COMPONENTS) + +The Samba suite is made up of several components. Each component is +described in a separate manual page. It is strongly recommended that +you read the documentation that comes with Samba and the manual pages +of those components that you use. If the manual pages aren't clear +enough then please send a patch to email(samba-bugs@samba.anu.edu.au). + +startdit() + +dit(bf(smbd)) nl() The bf(smbd) (8) daemon provides the file and print +services to SMB clients, such as Windows 95/98, Windows NT, Windows +for Workgroups or LanManager. The configuration file for this daemon +is described in bf(smb.conf) (5). + +dit(bf(nmbd)) nl() The bf(nmbd) (8) daemon provides NetBIOS +nameserving and browsing support. The configuration file for this +daemon is described in bf(smb.conf) (5). + +dit(bf(smbclient)) nl() The bf(smbclient) (1) program implements a simple +ftp-like client. This is useful for accessing SMB shares on other +compatible servers (such as Windows NT), and can also be used to allow +a UNIX box to print to a printer attached to any SMB server (such as a +PC running Windows NT). + +dit(bf(testparm)) nl() The bf(testparm) (1) utility allows you to test your +bf(smb.conf) (5) configuration file. + +dit(bf(smbstatus)) nl() The bf(smbstatus) (1) utility allows you to tell +who is currently using the bf(smbd) (8) server. + +dit(bf(nmblookup)) nl() the bf(nmblookup) (1) utility allows NetBIOS +name queries to be made from the UNIX machine. + +enddit() + +manpagesection(AVAILABILITY) + +The Samba software suite is licensed under the GNU Public License +(GPL). A copy of that license should have come with the package in the +file COPYING. You are encouraged to distribute copies of the Samba +suite, but please keep obey the terms of this license. + +The latest version of the Samba suite can be obtained via anonymous +ftp from samba.anu.edu.au in the directory pub/samba/. It is +also available on several mirror sites worldwide. + +You may also find useful information about Samba on the newsgroup +comp.protocols.smb and the Samba mailing list. Details on how to join +the mailing list are given in the README file that comes with Samba. + +If you have access to a WWW viewer (such as Netscape or Mosaic) then +you will also find lots of useful information, including back issues +of the Samba mailing list, at +url(http://samba.anu.edu.au/samba/)(http://samba.anu.edu.au/samba/). + +manpagesection(VERSION) + +This man page is current for version 2.0 of Samba + +manpagesection(CONTRIBUTIONS) + +If you wish to contribute to the Samba project, then I suggest you +join the Samba mailing list at email(samba@samba.anu.edu.au). See the +Web page at +url(http://samba.anu.edu.au/listproc)(http://samba.anu.edu.au/listproc) +for details on how to do this. + +If you have patches to submit or bugs to report then you may mail them +directly to email(samba-bugs@samba.anu.edu.au). Note, however, that due to +the enormous popularity of this package the Samba Team may take some +time to repond to mail. We prefer patches in em(diff -u) format. + +manpagesection(AUTHOR) + +The main author of the Samba suite is Andrew Tridgell. He may be +contacted via e-mail at email(samba-bugs@samba.anu.edu.au). Samba is +now maintained by a distributed group of people around the world +collectively known as the Samba Team. + +manpagesection(CREDITS) + +Contributors to the project are now too numerous to mention here but +all deserve the thanks of all Samba users. To see a full list, look at +url(ftp://samba.anu.edu.au/pub/samba/alpha/change-log)(ftp://samba.anu.edu.au/pub/samba/alpha/change-log) +for the pre-CVS changes and at +url(ftp://samba.anu.edu.au/pub/samba/alpha/cvs.log)(ftp://samba.anu.edu.au/pub/samba/alpha/cvs.log) +for the contributors to Samba post-CVS. CVS is the Open Source source +code control system used by the Samba Team to develop Samba. The +project would have been unmanageable without it. + +In addition, several commercial organisations now help fund the Samba +Team with money and equipment. For details see the Samba Web pages at +url(http://samba.anu.edu.au/samba/samba-thanks.html)(http://samba.anu.edu.au/samba/samba-thanks.html). + +manpageauthor() + +The original Samba man pages were written by Karl Auer. The man page +sources were converted to YODL format (another excellent piece of Open +Source software) and updated for the Samba2.0 release by Jeremy +Allison. + |