From 1e6e5b299c235b513095a76a4cd9fffc41e8fc9c Mon Sep 17 00:00:00 2001
From: Gerald Carter
Your should get back a list of shares available on +>You should get back a list of shares available on your server. If you don't then something is incorrectly setup. Note that this method can also be used to see what shares are available on other LanManager clients (such as WfWg).
By default Samba uses a blank scope ID. This means all your windows boxes must also have a blank scope ID. If you really want to use a non-blank scope ID then you will - need to use the -i <scope> option to nmbd, smbd, and - smbclient. All your PCs will need to have the same setting for + need to use the 'netbios scope' smb.conf option. + All your PCs will need to have the same setting for this to work. I do not recommend scope IDs.You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).
When the IP address of the destination interface has been -determined a protocol called ARP/RARP isused to identify +determined a protocol called ARP/RARP is used to identify the MAC address of the target interface. ARP stands for Address Resolution Protocol, and is a broadcast oriented method that uses UDP (User Datagram Protocol) to send a request to all @@ -2070,7 +2145,7 @@ CLASS="SECT2" >
All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and their IP addresses for all external -machines that that the local machine has communicated with over the +stored the NetBIOS names and IP addresses for all external +machines that that machine has communicated with over the past 10-15 minutes. It is more efficient to obtain an IP address for a machine from the local cache than it is to go through all the configured name resolution mechanisms.
If a machine whose name is in the local name cache has been shut down before the name had been expired and flushed from the cache, then an attempt to exchange a message with that machine will be subject -to time-out delays. ie: It's name is in the cache, so a name resolution +to time-out delays. i.e.: Its name is in the cache, so a name resolution lookup will succeed, but the machine can not respond. This can be frustrating for users - but it is a characteristic of the protocol.As stated above, MS Windows machines register their NetBIOS names -(ie: the machine name for each service type in operation) on start +(i.e.: the machine name for each service type in operation) on start up. Also, as stated above, the exact method by which this name registration takes place is determined by whether or not the MS Windows client/server has been given a WINS server address, whether or not LMHOSTS lookup @@ -2591,7 +2666,7 @@ Instead, the domain master browser serves the role of contacting each local master browser (found by asking WINS or from LMHOSTS) and exchanging browse list contents. This way every master browser will eventually obtain a complete list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By nature of +is held to determine which machine will be the master browser. By the nature of the election criteria used, the machine with the highest uptime, or the most senior protocol version, or other criteria, will win the election as domain master browser.
MS Windows clients have a habit of dropping network mappings that have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped the SMB protocol -has a mechanism by which the connection can be re-established using +use the mapped drive connection that has been dropped, the client +re-establishes the connection using a cached copy of the password.
When Microsoft changed the default password mode, they dropped support for @@ -2769,7 +2844,7 @@ CLASS="SECT2" >
This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as and +Unix/Linux system both a Unix style account as well as an smbpasswd entry for the user. The Unix system account can be locked if required as only the encrypted password will be used for SMB client authentication.
Click "No" in the error dialog and you will be presented with -the printer properties window. The way assign a driver to a +>Click No in the error dialog and you will be presented with +the printer properties window. The way assign a driver to a printer is to either
Use the "New Driver..." button to install +>Use the "New Driver..." button to install a new printer driver, or
Select a driver from the popup list of +>Select a driver from the popup list of installed drivers. Initially this list will be empty.
If you wish to install printer drivers for client -operating systems other than "Windows NT x86", you will need +>If you wish to install printer drivers for client +operating systems other than "Windows NT x86", you will need to use the "Sharing" tab of the printer properties dialog.
Assuming you have connected with a root account, you -will also be able modify other printer properties such as +>Assuming you have connected with a root account, you +will also be able modify other printer properties such as ACLs and device settings using this dialog box.
A few closing comments for this section, it is possible +>A few closing comments for this section, it is possible on a Windows NT print server to have printers listed in the Printers folder which are not shared. Samba does not make this distinction. By definition, the only printers of @@ -4745,7 +4822,7 @@ CLASS="FILENAME" >.
Another interesting side note is that Windows NT clients do -not use the SMB printer share, but rather can print directly +not use the SMB printer share, but rather can print directly to any printer on another Windows NT host using MS-RPC. This of course assumes that the printing client has the necessary privileges on the remote host serving the printer. The default @@ -4758,22 +4835,66 @@ CLASS="SECT2" CLASS="SECT2" >6.2.3. Support a large number of printers6.2.3. DeviceModes and New Printers
In order for a printer to be truly usbla eby a Windows NT/2k/XP client, +it must posses:
a valid Device Mode generated by the driver for the printer, and
a complete set of PrinterDriverData generated by the driver.
If either one of these is incomplete, the clients can produce less than optimal +output at best or in the worst cases, unreadable garbage or nothing at all. +Fortunately, most driver generate the printer driver that is needed. +However, the client must be tickled to generate a valid Device Mode and set it on the +server. The easist means of doing so is to simply set the page orientation on +the server's printer using the native Windows NT/2k printer properties page from +a Window clients. Make sure to apply changes between swapping the page orientation +to cause the change to actually take place. Be aware that this can only be done +by a "printer admin" (the reason should be obvious I hope).
Samba also includes a service level parameter name default +devmode for generating a default device mode for a printer. Some driver +will function fine with this default set of properties. Others may crash the client's +spooler service. Use this parameter with caution. It is always better to have the client +generate a valid device mode for the printer and store it on the server for you.
One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for -100's of printers. Using the Windows NT APW is somewhat -awkward to say the list. If more than one printer are using the +100's of printers. Using the Windows NT APW is somewhat +awkward to say the list. If more than one printer are using the same driver, the rpcclient's -setdriver command can be used to set the driver +> command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished:
-$ rpcclient pogo -U root%secret -c "enumdrivers" Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] - + [Windows NT x86] Printer Driver Info 1: Driver Name: [HP LaserJet 4000 Series PS] - + Printer Driver Info 1: Driver Name: [HP LaserJet 2100 Series PS] - + Printer Driver Info 1: Driver Name: [HP LaserJet 4Si/4SiMX PS] - + $ $6.2.4. Adding New Printers via the Windows NT APW6.2.5. Adding New Printers via the Windows NT APW
By default, Samba offers all printer shares defined in smb.conf -in the "Printers..." folder. Also existing in this folder is the Windows NT +in the "Printers..." folder. Also existing in this folder is the Windows NT Add Printer Wizard icon. The APW will be show only if
show +>show add printer wizard = yesIn order to be able to use the APW to successfully add a printer to a Samba +>In order to be able to use the APW to successfully add a printer to a Samba server, the add +>add printer command must have a defined value. The program -hook must successfully add the printer to the system (i.e. +hook must successfully add the printer to the system (i.e. /etc/printcap or appropriate files) and +> or appropriate files) and smb.conf if necessary.
When using the APW from a client, if the named printer share does +>When using the APW from a client, if the named printer share does not exist, smbd will execute the add printer +>add printer command and reparse to the
6.2.5. Samba and Printer Ports6.2.6. Samba and Printer Ports
Windows NT/2000 print servers associate a port with each printer. These normally @@ -4975,7 +5095,7 @@ CLASS="SECT1" >
6.3. The Imprints Toolset
as well as the documentation included with the imprints source distribution. This section will only provide a brief introduction to the features of Imprints.
As of June 16, 2002 (quite a bit earlier actually), the Imprints + project is in need of a new maintainer. The most important skill + is decent perl coding and an interest in MS-RPC based printing using Samba. + If you wich to volunteer, please coordinate your efforts on the samba-technical + mailing list. +
6.3.1. What is Imprints?
6.3.2. Creating Printer Driver Packages
6.3.3. The Imprints server
6.3.4. The Installation Client
6.4.
6.4.1. Parameters in smb.conf(5) for Backwards Compatibility
The have been two new parameters add in Samba 2.2.2 to for better support of Samba 2.0.x backwards capability (). Both of these options are described in the smb.coinf(5) man page and are -disabled by default.
Chapter 7. security = domain in Samba 2.xChapter 7. Printing with CUPS in Samba 2.2.x
7.1. Joining an NT Domain with Samba 2.27.1. Printing with CUPS in Samba 2.2.x
Assume you have a Samba 2.x server with a NetBIOS name of - SERV1 and are joining an NT domain called - DOM, which has a PDC with a NetBIOS name - of DOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC2 - .
CUPS is a newcomer in +the UNIX printing scene, which has convinced many people upon first trial +already. However, it has quite a few new features, which make it different +from other, more traditional printing systems.7.2. Configuring smb.conf for CUPS
In order to join the domain, first stop all Samba daemons - and run the command:
Printing with CUPS in the most basic smb.conf +setup in Samba 2.2.x only needs two settings: printing = cups and +printcap = cups. While CUPS itself doesn't need a printcap +anymore, the cupsd.conf configuration file knows two directives +(example: Printcap /etc/printcap and PrintcapFormat +BSD), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +man cupsd.conf and other CUPS-related documentation.root# smbpasswd -j DOM -r DOMPDC - -UIf SAMBA is compiled against libcups, then printcap = +cups uses the CUPS API to list printers, submit jobs, etc. Otherwise it +maps to the System V commands with an additional Administrator%password-oraw
+option for printing. On a Linux system, you can use the ldd command to +find out details (ldd may not be present on other OS platforms, or its +function may be embodied by a different command):as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary +>
transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + libdl.so.2 => /lib/libdl.so.2 (0x401e8000) + libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000) + libpam.so.0 => /lib/libpam.so.0 (0x40202000) + libc.so.6 => /lib/libc.so.6 (0x4020b000) + /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and printing = cups is set, then any +otherwise manually set print command in smb.conf is ignored.
7.3. Using CUPS as a mere spooling print server -- "raw" +printing with vendor drivers download
You can setup Samba and your Windows clients to use the +CUPS print subsystem just as you would with any of the more traditional print +subsystems: that means the use of vendor provided, native Windows printer +drivers for each target printer. If you setup the [print$] share to +download these drivers to the clients, their GDI system (Graphical Device +Interface) will output the Wndows EMF (Enhanced MetaFile) and +convert it -- with the help of the printer driver -- locally into the format +the printer is expecting. Samba and the CUPS print subsystem will have to +treat these files as raw print files -- they are already in the +shape to be digestable for the printer. This is the same traditional setup +for Unix print servers handling Windows client jobs. It does not take much +CPU power to handle this kind of task efficiently.
7.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients
CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.
CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see man lpoptions or +try if you have lphelp on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.
CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.
This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword *cupsFilter. +This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.
CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).
This feature enables CUPS to do a few tricks no other +spooler can do:
act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;
act as a central accounting and billing server, as all files are passed + through the pstops Filter and are therefor logged in + the CUPS page_log. - NOTE: this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;
enable clients to consolidate on a single PostScript driver, even for + many different target printers.
7.5. Windows Terminal Servers (WTS) as CUPS clients
This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!
Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...
7.6. Setting up CUPS for driver download
The cupsadsmb utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. Prior to using it, you need the following settings in smb.conf:
[global] + load printers = yes + printing = cups + printcap name = cups + +[printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root + +[print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = rootFor licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +drivers directory in the CUPS data directory (usually +/usr/share/cups/). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:
ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + DEFPRTR2.PPD + ICONLIB.DLLUsers of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem.
7.7. Sources of CUPS drivers / PPDs
On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.
ESP PrintPro + (http://wwwl.easysw.com/printpro/) + (commercial, non-Free) is packaged with more than 3.000 PPDs, ready for + successful usage "out of the box" on Linux, IBM-AIX, HP-UX, Sun-Solaris, + SGI-IRIX, Compaq Tru64, Digital Unix and some more commercial Unices (it + is written by the CUPS developers themselves and its sales help finance + the further development of CUPS, as they feed their creators)
the Gimp-Print-Project + (http://gimp-print.sourceforge.net/) + (GPL, Free Software) provides around 120 PPDs (supporting nearly 300 + printers, many driven to photo quality output), to be used alongside the + Gimp-Print CUPS filters;
TurboPrint + (http://www.turboprint.com/) + (Shareware, non-Freee) supports roughly the same amount of printers in + excellent quality;
OMNI + (http://www-124.ibm.com/developerworks/oss/linux/projects/omni/) + (LPGL, Free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow + ported over to Linux (CUPS support is in a Beta-stage at present);
HPIJS + (http://hpinkjet.sourceforge.net/) + (BSD-style licnes, Free) supports around 120 of HP's own printers and is + also providing excellent print quality now;
Foomatic/cupsomatic (http://www.linuxprinting.org/) + (LPGL, Free) from Linuxprinting.org are providing PPDs for practically every + Ghostscript filter known to the world, now usable with CUPS.
NOTE: the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. -- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). +However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way...
Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use cupsaddsmb to share the +printer via Samba. cupsaddsmb prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.
7.7.1. cupsaddsmb
The cupsaddsmb command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from /etc/cups/ppd/ to +[print$].
root# cupsaddsmb -U root infotec_IS2027 +Password for root required to access localhost via SAMBA: [type in password 'secret']To share all printers and drivers, use the -a +parameter instead of a printer name.
Probably you want to see what's going on. Use the +-v parameter to get a more verbose output:
root# cupsaddsmb -v -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLL W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s) + + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] 
OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'setdriver infotec_IS2027 infotec_IS2027' + cmd = setdriver infotec_IS2027 infotec_IS2027 + Succesfully set infotec_IS2027 to driver infotec_IS2027. + + root#If you look closely, you'll discover your root password +was transfered unencrypted over the wire, so beware! 
Also, if you look +further her, you'll discover error messages like +NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because +the directories WIN40 and W32X86 already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.
Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"
NOTE: +cupsaddsmb will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions.
Chapter 8. security = domain in Samba 2.x
8.1. Joining an NT Domain with Samba 2.2
Assume you have a Samba 2.x server with a NetBIOS name of + SERV1 and are joining an NT domain called + DOM, which has a PDC with a NetBIOS name + of DOMPDC and two backup domain controllers + with NetBIOS names DOMBDC1 and DOMBDC2 + .
In order to join the domain, first stop all Samba daemons + and run the command:
root# smbpasswd -j DOM -r DOMPDC + -UAdministrator%password
as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The Administrator%password is + the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message:
7.2. Samba and Windows 2000 Domains8.2. Samba and Windows 2000 Domains
Many people have asked regarding the state of Samba's ability to participate in @@ -5584,8 +6356,8 @@ CLASS="SECT1" >
7.3. Why is this better than security = server?8.3. Why is this better than security = server?
Currently, domain security in Samba doesn't free you from @@ -5671,15 +6443,15 @@ CLASS="CHAPTER" >
Chapter 8. How to Configure Samba 2.2 as a Primary Domain ControllerChapter 9. How to Configure Samba 2.2 as a Primary Domain Controller
8.1. Prerequisite Reading9.1. Prerequisite Reading
Before you continue reading in this chapter, please make sure @@ -5706,8 +6478,8 @@ CLASS="SECT1" >
8.2. Background9.2. Background
8.3. Configuring the Samba Domain Controller9.3. Configuring the Samba Domain Controller
The first step in creating a working Samba PDC is to @@ -6059,8 +6831,8 @@ CLASS="SECT1" >
8.4. Creating Machine Trust Accounts and Joining Clients to the +NAME="AEN1324" +>9.4. Creating Machine Trust Accounts and Joining Clients to the Domain
8.4.1. Manual Creation of Machine Trust Accounts9.4.1. Manual Creation of Machine Trust Accounts
The first step in manually creating a machine trust account is to @@ -6300,8 +7072,8 @@ CLASS="SECT2" >
8.4.2. "On-the-Fly" Creation of Machine Trust Accounts9.4.2. "On-the-Fly" Creation of Machine Trust Accounts
The second (and recommended) way of creating machine trust accounts is @@ -6346,8 +7118,8 @@ CLASS="SECT2" >
8.4.3. Joining the Client to the Domain9.4.3. Joining the Client to the Domain
The procedure for joining a client to the domain varies with the @@ -6406,8 +7178,8 @@ CLASS="SECT1" >
8.5. Common Problems and Errors9.5. Common Problems and Errors
8.6. System Policies and Profiles9.6. System Policies and Profiles
Much of the information necessary to implement System Policies and @@ -6762,8 +7534,8 @@ CLASS="SECT1" >
8.7. What other help can I get?9.7. What other help can I get?
There are many sources of information available in the form @@ -7158,8 +7930,8 @@ CLASS="SECT1" >
8.8. Domain Control for Windows 9x/ME9.8. Domain Control for Windows 9x/ME
8.8.1. Configuration Instructions: Network Logons9.8.1. Configuration Instructions: Network Logons
The main difference between a PDC and a Windows 9x logon @@ -7366,8 +8138,8 @@ CLASS="SECT2" >
8.8.2. Configuration Instructions: Setting up Roaming User Profiles9.8.2. Configuration Instructions: Setting up Roaming User Profiles
8.8.2.1. Windows NT Configuration9.8.2.1. Windows NT Configuration
To support WinNT clients, in the [global] section of smb.conf set the @@ -7457,8 +8229,8 @@ CLASS="SECT3" >
8.8.2.2. Windows 9X Configuration9.8.2.2. Windows 9X Configuration
To support Win9X clients, you must use the "logon home" parameter. Samba has @@ -7497,8 +8269,8 @@ CLASS="SECT3" >
8.8.2.3. Win9X and WinNT Configuration9.8.2.3. Win9X and WinNT Configuration
You can support profiles for both Win9X and WinNT clients by setting both the @@ -7535,8 +8307,8 @@ CLASS="SECT3" >
8.8.2.4. Windows 9X Profile Setup9.8.2.4. Windows 9X Profile Setup
When a user first logs in on Windows 9X, the file user.DAT is created, @@ -7691,8 +8463,8 @@ CLASS="SECT3" >
8.8.2.5. Windows NT Workstation 4.09.8.2.5. Windows NT Workstation 4.0
When a user first logs in to a Windows NT Workstation, the profile @@ -7773,8 +8545,8 @@ CLASS="SECT3" >
8.8.2.6. Windows NT Server9.8.2.6. Windows NT Server
There is nothing to stop you specifying any path that you like for the @@ -7787,8 +8559,8 @@ CLASS="SECT3" >
8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.09.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0
8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba9.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
Chapter 9. How to Act as a Backup Domain Controller in a Purely Samba Controlled DomainChapter 10. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain
9.1. Prerequisite Reading10.1. Prerequisite Reading
Before you continue reading in this chapter, please make sure @@ -7998,8 +8770,8 @@ CLASS="SECT1" >
9.2. Background10.2. Background
What is a Domain Controller? It is a machine that is able to answer @@ -8035,9 +8807,13 @@ WIDTH="100%" >
workgroup = SAMBA -domain master = yes -domain logons = yes[global] + workgroup = SAMBA + domain master = yes + domain logons = yes + encrypt passwords = yes + security = user + ....9.3. What qualifies a Domain Controller on the network?10.3. What qualifies a Domain Controller on the network?
Every machine that is a Domain Controller for the domain SAMBA has to @@ -8069,8 +8845,8 @@ CLASS="SECT2" >
9.3.1. How does a Workstation find its domain controller?10.3.1. How does a Workstation find its domain controller?
A NT workstation in the domain SAMBA that wants a local user to be @@ -8088,8 +8864,8 @@ CLASS="SECT2" >
9.3.2. When is the PDC needed?10.3.2. When is the PDC needed?
Whenever a user wants to change his password, this has to be done on @@ -8104,8 +8880,8 @@ CLASS="SECT1" >
9.4. Can Samba be a Backup Domain Controller?10.4. Can Samba be a Backup Domain Controller?
With version 2.2, no. The native NT SAM replication protocols have @@ -8123,8 +8899,8 @@ CLASS="SECT1" >
9.5. How do I set up a Samba BDC?10.5. How do I set up a Samba BDC?
Several things have to be done:
The file private/MACHINE.SID identifies the domain. When a samba -server is first started, it is created on the fly and must never be -changed again. This file has to be the same on the PDC and the BDC, -so the MACHINE.SID has to be copied from the PDC to the BDC.
The file private/MACHINE.SID identifies the domain. When a samba + server is first started, it is created on the fly and must never be + changed again. This file has to be the same on the PDC and the BDC, + so the MACHINE.SID has to be copied from the PDC to the BDC. Note that in the + latest Samba 2.2.x releases, the machine SID (and therefore domain SID) is stored + in the private/secrets.tdb database. This file cannot just + be copied because Samba looks under the key SECRETS/SID/DOMAIN. + where DOMAIN is the machine's netbios name. Since this name has + to be unique for each SAMBA server, this lookup will fail.A new option has been added to the smbpasswd(8) + command to help ease this problem. When running smbpasswd -S as the root user, + the domain SID will be retrieved from a domain controller matching the value of the + workgroup parameter in smb.conf and stored as the + new Samba server's machine SID. See the smbpasswd(8) + man page for more details on this functionality. +
The Unix user database has to be synchronized from the PDC to the -BDC. This means that both the /etc/passwd and /etc/group have to be -replicated from the PDC to the BDC. This can be done manually -whenever changes are made, or the PDC is set up as a NIS master -server and the BDC as a NIS slave server. To set up the BDC as a -mere NIS client would not be enough, as the BDC would not be able to -access its user database in case of a PDC failure.
The Unix user database has to be synchronized from the PDC to the + BDC. This means that both the /etc/passwd and /etc/group have to be + replicated from the PDC to the BDC. This can be done manually + whenever changes are made, or the PDC is set up as a NIS master + server and the BDC as a NIS slave server. To set up the BDC as a + mere NIS client would not be enough, as the BDC would not be able to + access its user database in case of a PDC failure. LDAP is also a + potential vehicle for sharing this information. +The Samba password database in the file private/smbpasswd has to be -replicated from the PDC to the BDC. This is a bit tricky, see the -next section.
The Samba password database in the file private/smbpasswd + has to be replicated from the PDC to the BDC. This is a bit tricky, see the + next section. +Any netlogon share has to be replicated from the PDC to the -BDC. This can be done manually whenever login scripts are changed, -or it can be done automatically together with the smbpasswd -synchronization.
Any netlogon share has to be replicated from the PDC to the + BDC. This can be done manually whenever login scripts are changed, + or it can be done automatically together with the smbpasswd + synchronization. + workgroup = samba -domain master = no -domain logons = yes[global] + workgroup = SAMBA + domain master = yes + domain logons = yes + encrypt passwords = yes + security = user + ....9.5.1. How do I replicate the smbpasswd file?10.5.1. How do I replicate the smbpasswd file?
Replication of the smbpasswd file is sensitive. It has to be done -whenever changes to the SAM are made. Every user's password change is -done in the smbpasswd file and has to be replicated to the BDC. So +whenever changes to the SAM are made. Every user's password change +(including machine trust account password changes) is done in the +smbpasswd file and has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
As the smbpasswd file contains plain text password equivalents, it must not be sent unencrypted over the wire. The best way to set up smbpasswd replication from the PDC to the BDC is to use the utility -rsync. rsync can use ssh as a transport. ssh itself can be set up to -accept *only* rsync transfer without requiring the user to type a -password.
rsync(1). rsync can use +ssh(1) as a transport. ssh itself +can be set up to accept only rsync transfer without requiring the user to +type a password. Refer to the man pages for these two tools for more details.Another solution with high potential is to use Samba's --with-ldapsam +for sharing and/or replicating the list of sambaAccount entries. +This can all be done over SSL to ensure security. See the Samba-LDAP-HOWTO +for more details.
Chapter 10. Storing Samba's User/Machine Account information in an LDAP DirectoryChapter 11. Storing Samba's User/Machine Account information in an LDAP Directory
10.1. Purpose11.1. Purpose
This document describes how to use an LDAP directory for storing Samba user @@ -8259,7 +9135,7 @@ TARGET="_top" >O'Reilly Publishing is working on a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002.
Two additional Samba resources which may prove to be helpful are
IDEALX that are - geared to manage users and group in such a Samba-LDAP Domain Controller configuration. + geared to manage users and group in such a Samba-LDAP Domain Controller configuration. These scripts can + be found in the Samba 2.2.5 release in the examples/LDAP/smbldap-tools/ directory.
10.2. Introduction11.2. Introduction
As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts +used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support for a samdb backend (e.g. --with-ldapsam autoconf -option, smbd (and associated tools) will store and lookup user accounts in +option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.
10.3. Supported LDAP Servers11.3. Supported LDAP Servers
The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP @@ -8433,8 +9319,8 @@ CLASS="SECT1" >
10.4. Schema and Relationship to the RFC 2307 posixAccount11.4. Schema and Relationship to the RFC 2307 posixAccount
Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in @@ -8453,7 +9339,7 @@ WIDTH="100%" >
objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +>objectclass ( 1.3.1.5.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILARY DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ @@ -8465,7 +9351,10 @@ CLASS="PROGRAMLISTING" >The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are +>The samba.schema file has been formatted for OpenLDAP 2.0 & 2.1. The OID's are owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to jerry@samba.org
Since the original release, schema files for
IBM's SecureWay Server
Netscape Directory Server version 4.x and 5.x
have been submitted and included in the Samba source distribution. I cannot +personally comment on the integration of these commercial directory servers since +I have not had the oppotinuity to work with them.
Just as the smbpasswd file is mean to store information which supplements a user's /etc/passwd entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a +meant to supplement the UNIX user account information. A sambaAccount is now an STRUCTURAL objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design.
AUXILARY objectclass so it can be stored alongside +a posixAccount or person objectclass in the directory. Note that there are +several fields (e.g. uid) which overlap with the posixAccount objectclass +outlined in RFC2307. This is by design. The move from a STRUCTURAL objectclass +to an AUXILIARY one was compliance with the LDAP data model which states that +an entry can contain only one STRUCTURAL objectclass per entry. This is now +enforced by the OpenLDAP 2.1 server.In order to store all user account information (UNIX and Samba) in the directory, it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account +combination. However, smbd will still obtain the user's UNIX account information via the standard C library calls (e.g. getpwnam(), et. al.). This means that the Samba server must also have the LDAP NSS library installed and functioning correctly. This division of information makes it possible to @@ -8501,16 +9415,16 @@ CLASS="SECT1" >
10.5. Configuring Samba with LDAP11.5. Configuring Samba with LDAP
10.5.1. OpenLDAP configuration11.5.1. OpenLDAP configuration
To include support for the sambaAccount object in an OpenLDAP directory @@ -8588,9 +9502,9 @@ CLASS="PROGRAMLISTING" ## required by OpenLDAP 2.0 index objectclass eq -## support pb_getsampwnam() +## support pbb_getsampwnam() index uid pres,eq -## support pdb_getsambapwrid() +## support pdb_getsampwrid() index rid eq ## uncomment these if you are storing posixAccount and @@ -8609,8 +9523,8 @@ CLASS="SECT2" >
10.5.2. Configuring Samba11.5.2. Configuring Samba
The following parameters are available in smb.conf only with
11.5.3. Importing smbpasswd entries
Import existing user entries from an smbpasswd can be trivially done using +a Perl script named import_smbpasswd.pl included in the +examples/LDAP/ directory of the Samba source distribution. There are +two main requirements of this script:
All users to be imported to the directory must have a valid uid on the + local system. This can be a problem if using a machinej different from the Samba server + to import the file.
The local system must have a working installation of the Net::LDAP perl + module which can be obtained from with http://search.cpan.org/ + by searching for perl-ldap or directly from http://perl-ldap.sf.net/. +
Please refer to the documentation in the same directory as the script for more details.
10.6. Accounts and Groups management11.6. Accounts and Groups management
As users accounts are managed thru the sambaAccount objectclass, you should @@ -8763,8 +9733,8 @@ CLASS="SECT1" >
10.7. Security and sambaAccount11.7. Security and sambaAccount
There are two important points to remember when discussing the security @@ -8843,8 +9813,8 @@ CLASS="SECT1" >
10.8. LDAP specials attributes for sambaAccounts11.8. LDAP specials attributes for sambaAccounts
The sambaAccount objectclass is composed of the following attributes:
10.9. Example LDIF Entries for a sambaAccount11.9. Example LDIF Entries for a sambaAccount
The following is a working LDIF with the inclusion of the posixAccount objectclass:
10.10. Comments11.10. Comments
Please mail all comments regarding this HOWTO to jerry@samba.org. This documents was -last updated to reflect the Samba 2.2.3 release.
Chapter 11. Unified Logons between Windows NT and UNIX using WinbindChapter 12. Unified Logons between Windows NT and UNIX using Winbind
11.1. Abstract12.1. Abstract
Integration of UNIX and Microsoft Windows NT through @@ -9177,8 +10147,8 @@ CLASS="SECT1" >
11.2. Introduction12.2. Introduction
It is well known that UNIX and Microsoft Windows NT have @@ -9231,8 +10201,8 @@ CLASS="SECT1" >
11.3. What Winbind Provides12.3. What Winbind Provides
Winbind unifies UNIX and Windows NT account management by @@ -9273,8 +10243,8 @@ CLASS="SECT2" >
11.3.1. Target Uses12.3.1. Target Uses
Winbind is targeted at organizations that have an @@ -9286,7 +10256,7 @@ NAME="AEN1971" workstations into a NT based organization.
Another interesting way in which we expect Winbind to - be used is as a central part of UNIX based appliances. Appliances + be used is as a central part of UNIX based appliances. Appliances that provide file and print services to Microsoft based networks will be able to use Winbind to provide seamless integration of the appliance into the domain.
11.4. How Winbind Works12.4. How Winbind Works
The winbind system is designed around a client/server @@ -9317,8 +10287,8 @@ CLASS="SECT2" >
11.4.1. Microsoft Remote Procedure Calls12.4.1. Microsoft Remote Procedure Calls
Over the last two years, efforts have been underway @@ -9343,8 +10313,8 @@ CLASS="SECT2" >
11.4.2. Name Service Switch12.4.2. Name Service Switch
The Name Service Switch, or NSS, is a feature that is @@ -9423,8 +10393,8 @@ CLASS="SECT2" >
11.4.3. Pluggable Authentication Modules12.4.3. Pluggable Authentication Modules
Pluggable Authentication Modules, also known as PAM, @@ -9472,8 +10442,8 @@ CLASS="SECT2" >
11.4.4. User and Group ID Allocation12.4.4. User and Group ID Allocation
When a user or group is created under Windows NT @@ -9498,8 +10468,8 @@ CLASS="SECT2" >
11.4.5. Result Caching12.4.5. Result Caching
An active system can generate a lot of user and group @@ -9521,8 +10491,8 @@ CLASS="SECT1" >
11.5. Installation and Configuration12.5. Installation and Configuration
Many thanks to John Trostel jtrostel@snapserver.com -for providing the HOWTO for this section.
This HOWTO describes how to get winbind services up and running +for providing the original Linux version of this HOWTO which +describes how to get winbind services up and running to control access and authenticate users on your Linux box using -the winbind services which come with SAMBA 2.2.2.
There is also some Solaris specific information in -docs/textdocs/Solaris-Winbind-HOWTO.txt. -Future revisions of this document will incorporate that -information.
11.5.1. Introduction12.5.1. Introduction
This HOWTO describes the procedures used to get winbind up and -running on my RedHat 7.1 system. Winbind is capable of providing access -and authentication control for Windows Domain users through an NT -or Win2K PDC for 'regular' services, such as telnet a nd ftp, as -well for SAMBA services.
This HOWTO has been written from a 'RedHat-centric' perspective, so if -you are using another distribution, you may have to modify the instructions -somewhat to fit the way your distribution works.
This HOWTO has been written from a 'RedHat-centric' perspective, so if +you are using another distribution (or operating system), you may have +to modify the instructions somewhat to fit the way your distribution works.
This allows the SAMBA administrator to rely on the - authentication mechanisms on the NT/Win2K PDC for the authentication - of domain members. NT/Win2K users no longer need to have separate +>This allows the SAMBA administrator to rely on the + authentication mechanisms on the NT/Win2K PDC for the authentication + of domain members. NT/Win2K users no longer need to have separate accounts on the SAMBA server.
This HOWTO is designed for system administrators. If you are - implementing SAMBA on a file server and wish to (fairly easily) +> This HOWTO is designed for system administrators. If you are + implementing SAMBA on a file server and wish to (fairly easily) integrate existing NT/Win2K users from your PDC onto the - SAMBA server, this HOWTO is for you. That said, I am no NT or PAM - expert, so you may find a better or easier way to accomplish - these tasks. + SAMBA server, this HOWTO is for you.
11.5.2. Requirements12.5.2. Requirements
If you have a samba configuration file that you are currently +>If you have a samba configuration file that you are currently using... BACK IT UP! If your system already uses PAM, +> If your system already uses PAM, back up the /etc/pam.d directory -contents! If you haven't already made a boot disk, +> (or /etc/pam.conf) +directory contents! If you haven't already made a boot disk, MAKE ONE NOW!
Messing with the pam configuration files can make it nearly impossible -to log in to yourmachine. That's why you want to be able to boot back -into your machine in single user mode and restore your +>Messing with the pam configuration files can make it nearly impossible +to log in to your machine. That's why you want to be able to boot back +into your machine in single user mode and restore your /etc/pam.d back to the original state they were in if -you get frustrated with the way things are going. ;-)
(or pam.conmf) back to +the original state they were in if +you get frustrated with the way things are going.The latest version of SAMBA (version 2.2.2 as of this writing), now -includes a functioning winbindd daemon. Please refer to the +>The first SAMBA release to inclue a stable winbindd daemon was 2.2.2. Please refer to the main SAMBA web page or, -better yet, your closest SAMBA mirror site for instructions on -downloading the source code.
or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code. it is generally advised to obtain the lates +Samba release as bugs are constantly being fixed.To allow Domain users the ability to access SAMBA shares and -files, as well as potentially other services provided by your +>To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your SAMBA machine, PAM (pluggable authentication modules) must -be setup properly on your machine. In order to compile the -winbind modules, you should have at least the pam libraries resident -on your system. For recent RedHat systems (7.1, for instance), that -means pam-0.74-22. For best results, it is helpful to also -install the development packages in pam and pam-devel-0.74-22.
pam-devel RPM. +The former is installed by default on all Linux systems of which the author is aware.11.5.3. Testing Things Out12.5.3. Testing Things Out
Before starting, it is probably best to kill off all the SAMBA -related daemons running on your server. Kill off all Before starting, kill off all the SAMBA related daemons running on your server. Kill off +all smbd, -, nmbd, and winbindd processes that may -be running. To use PAM, you will want to make sure that you have the -standard PAM package (for RedHat) which supplies the processes that may +be running (winbindd will only be running if you have ao previous Winbind +installation...but why would you be reading tis if that were the case?). To use PAM, you will +want to make sure that you have the standard PAM package (for RedHat) which supplies the /etc/pam.d -directory structure, including the pam modules are used by pam-aware +> +directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the /usr/doc +> and /usr/man entries for pam. Winbind built better -in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, -my RedHat system has both pam-0.74-22 and - entries for pam. Samba will require +the pam-devel package if you plan to build the pam-devel-0.74-22 RPMs installed.
pam_winbind.so library or +include the --with-pam option to the configure script. +This package includes the header files needed to compile pam-aware applications.[I have no idea which Solaris packages are quired for PAM libraries and +development files. If you know, please mail me the information and I will include +it in the next revision of this HOWTO. --jerry@samba.org]
11.5.3.1. Configure and compile SAMBA12.5.3.1. Configure and Compile SAMBA
The configuration and compilation of SAMBA is pretty straightforward. -The first three steps may not be necessary depending upon -whether or not you have previously built the Samba binaries.
The configuration and compilation of SAMBA is straightforward.root# autoconf -root# make clean -root# rm config.cache -root# ./configure --with-winbind /usr/local/samba. See the main SAMBA documentation if you want to install SAMBA somewhere else. -It will also build the winbindd executable and libraries.
11.5.3.2. Configure 12.5.3.2. Configure nsswitch.conf and the +> and the winbind libraries
The libraries needed to run the winbindd daemon -through nsswitch need to be copied to their proper locations, so
daemon +through nsswitch need to be copied to their proper locations.root# cp ../samba/source/nsswitch/libnss_winbind.so /libcp nsswitch/libnss_winbind.so /lib +root# chmod 755 /lib/libnss_winbind.so
I also found it necessary to make the following symbolic link:
It necessary to make the following symbolic link:ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
Now, as root you need to edit The .2 extension is due to the version of glibc used on your Linux host. +for most modern systems, the file extension is correct. However, some other operating systems, +Solaris 7/8 being the most common, the destination filename should be replaced with +/lib/nss_winbind.so.1
Now, as root edit /etc/nsswitch.conf to +> to allow user and group entries to be visible from the winbindd -daemon. My /etc/nsswitch.conf file look like -this after editing:
+daemon. After editing, the file look appear:
passwd: files winbind - shadow: files + shadow: files group: files winbind-The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time -your system reboots, but it -is faster (and you don't need to reboot) if you do it manually:
root# /sbin/ldconfig -v | grep winbind
This makes libnss_winbind available to winbindd -and echos back a check to you.
11.5.3.3. Configure smb.conf12.5.3.3. Configure smb.conf
Several parameters are needed in the smb.conf file to control +>Several parameters are needed in the smb.conf file to control the behavior of winbindd. Configure +>. Configure smb.conf These are described in more detail in +> These are described in more detail in the winbindd(8) man page. My +> man page. My smb.confwinbind gid = 10000-20000 # allow enumeration of winbind users and groups + # might need to disable these next two for performance + # reasons on the winbindd host winbind enum groups = yes - # give winbind users a real shell (only needed if they have telnet access) + # give winbind users a real shell (only needed if they have telnet/sshd/etc... access)
11.5.3.4. Join the SAMBA server to the PDC domain12.5.3.4. Join the SAMBA server to the PDC domain
Enter the following command to make the SAMBA server join the +>Enter the following command to make the SAMBA server join the PDC domain, where DOMAIN is the name of +> is the name of your Windows domain and Administrator is +> is a domain user who has administrative privileges in the domain.
/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator
The proper response to the command should be: "Joined the domain +>The proper response to the command should be: "Joined the domain DOMAIN +> is your DOMAIN name.
11.5.3.5. Start up the winbindd daemon and test it!12.5.3.5. Start up the winbindd daemon and test it!
Eventually, you will want to modify your smb startup script to -automatically invoke the winbindd daemon when the other parts of +>Eventually, you will want to modify your smb startup script to +automatically invoke the winbindd daemon when the other parts of SAMBA start, but it is possible to test out just the winbind -portion first. To start up winbind services, enter the following +portion first. To start up winbind services, enter the following command as root:
root# /usr/local/samba/bin/winbinddexport PATH=$PATH:/usr/local/samba/bin +root# winbindd
I'm always paranoid and like to make sure the daemon +>I'm always paranoid and like to make sure the daemon is really running...
3025 ? 00:00:00 winbindd
Now... for the real test, try to get some information about the +>Note that a sample RedHat init script for starting winbindd is included in +the SAMBA sourse distribution as packaging/RedHat/winbind.init.
Now... for the real test, try to get some information about the users on your PDC
root# /usr/local/samba/bin/wbinfo -uwbinfo -u
-This should echo back a list of users on your Windows users on +>This should echo back a list of users on your Windows users on your PDC. For example, I get the following response:
is '+'.
You can do the same sort of thing to get group information from +>You can do the same sort of thing to get group information from the PDC:
The function 'getent' can now be used to get unified +>The function 'getent' can now be used to get unified lists of both local and PDC users and groups. Try the following command:
You should get a list that looks like your /etc/passwd -list followed by the domain users with their new uids, gids, home -directories and default shells.
+list followed by the domain users with their new uids, gids, home +directories and default shells. If you do not, verify that the permissions on the +libnss_winbind.so library are rwxr-xr-x.The same thing can be done for groups with the command
11.5.3.6. Fix the /etc/rc.d/init.d/smb startup files12.5.3.6. Configure Winbind and PAM
The At this point we are assured that winbindd daemon needs to start up after the -smbd and nmbd daemons are running. -To accomplish this task, you need to modify the /etc/init.d/smbsmbd -script to add commands to invoke this daemon in the proper sequence. My +are working together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in +this step. (Did you remember to make backups of your original /etc/init.d/smb file starts up smbd, -nmbd, and winbindd from the -/etc/pam.d (or /usr/local/samba/bin directory directly. The 'start' -function in the script looks like this:
start() { - KIND="SMB" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/smbd $SMBDOPTIONS - RETVAL=$? - echo - KIND="NMB" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS - RETVAL2=$? - echo - KIND="Winbind" - echo -n $"Starting $KIND services: " - daemon /usr/local/samba/bin/winbindd - RETVAL3=$? - echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ - RETVAL=1 - return $RETVAL -}The 'stop' function has a corresponding entry to shut down the -services and look s like this:
/etc/pam.conf) file[s]? If not, do it now.)
stop() { - KIND="SMB" - echo -n $"Shutting down $KIND services: " - killproc smbd - RETVAL=$? - echo - KIND="NMB" - echo -n $"Shutting down $KIND services: " - killproc nmbd - RETVAL2=$? - echo - KIND="Winbind" - echo -n $"Shutting down $KIND services: " - killproc winbindd - RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb - echo "" - return $RETVAL -}If you restart the smbd, nmbd, -and You will need a PAM module to use winbindd daemons at this point, you -should be able to connect to the samba server as a domain member just as -if you were a local user.
11.5.3.7. Configure Winbind and PAM
If you have made it this far, you know that winbindd and samba are working -together. If you want to use winbind to provide authentication for other -services, keep reading. The pam configuration files need to be altered in -this step. (Did you remember to make backups of your original -/etc/pam.d files? If not, do it now.)
You will need a pam module to use winbindd with these other services. This +> with these other services. This module will be compiled in the ../source/nsswitchpam_winbind.so file should be copied to the location of -your other pam security modules. On my RedHat system, this was the +your other pam security modules. On Linux and Solaris systems, this is the /lib/securityroot# cp ../samba/source/nsswitch/pam_winbind.so /lib/security
The /etc/pam.d/samba file does not need to be changed. I -just left this fileas it was:
cp nsswitch/pam_winbind.so /lib/security +root# chmod 755 /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-authThe other services that I modified to allow the use of winbind -as an authentication service were the normal login on the console (or a terminal -session), telnet logins, and ftp service. In order to enable these -services, you may first need to change the entries in +>Other services, such as the normal login on the console (or a terminal +session), telnet logins, and ftp service, can be modified to allow the use of winbind +as an authentication service. In order to enable these +services, you may first need to change the entries in /etc/xinetd.d (or /etc/inetd.conf). -RedHat 7.1 uses the new xinetd.d structure, in this case you need +>). +RedHat 7.1 uses the new xinetd.d structure, in this case you need to change the lines in /etc/xinetd.d/telnet +> and /etc/xinetd.d/wu-ftp from
from-For ftp services to work properly, you will also need to either -have individual directories for the domain users already present on +>For ftp services to work properly, you will also need to either +have individual directories for the domain users already present on the server, or change the home directory template to a general -directory for all domain users. These can be easily set using +directory for all domain users. These can be easily set using the smb.conf global entry +> global entry template homedirThe /etc/pam.d/ftp file can be changed +> file can be changed to allow winbind ftp access in a manner similar to the samba file. My /etc/pam.d/ftp file was +> file was changed to look like this:
The /etc/pam.d/login file can be changed nearly the +> file can be changed nearly the same way. It now looks like this:
In this case, I added the auth sufficient /lib/security/pam_winbind.so +> lines as before, but also added the required pam_securetty.so -above it, to disallow root logins over the network. I also added a +> +above it, to disallow root logins over the network. I also added a sufficient /lib/security/pam_unix.so use_first_passwinbind.so line to get rid of annoying +> line to get rid of annoying double prompts for passwords.
Note that a Solaris /etc/pam.conf confiruation file looks +very similar to this except thaty the service name is included as the first entry +per line. An example for the login service is given here.
## excerpt from /etc/pam.conf on a Solaris 8 system +login auth required /lib/security/pam_winbind.so +login auth required /lib/security/$ISA/pam_unix.so.1 try_first_pass +login auth required /lib/security/$ISA/pam_dial_auth.so.1 try_first_pass11.6. Limitations12.6. Limitations
Winbind has a number of limitations in its current - released version that we hope to overcome in future +>Winbind has a number of limitations in its current + released version that we hope to overcome in future releases:
Winbind is currently only available for - the Linux operating system, although ports to other operating - systems are certainly possible. For such ports to be feasible, - we require the C library of the target operating system to - support the Name Service Switch and Pluggable Authentication - Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.
The mappings of Windows NT RIDs to UNIX ids - is not made algorithmically and depends on the order in which - unmapped users or groups are seen by winbind. It may be difficult - to recover the mappings of rid to UNIX id mapping if the file +>The mappings of Windows NT RIDs to UNIX ids + is not made algorithmically and depends on the order in which + unmapped users or groups are seen by winbind. It may be difficult + to recover the mappings of rid to UNIX id mapping if the file containing this information is corrupted or destroyed.
Currently the winbind PAM module does not take - into account possible workstation and logon time restrictions +>Currently the winbind PAM module does not take + into account possible workstation and logon time restrictions that may be been set for Windows NT users.
11.7. Conclusion12.7. Conclusion
The winbind system, through the use of the Name Service @@ -10548,23 +11391,23 @@ CLASS="CHAPTER" >
Chapter 12. OS2 Client HOWTOChapter 13. OS2 Client HOWTO
12.1. FAQs13.1. FAQs
12.1.1. How can I configure OS/2 Warp Connect or +NAME="AEN2435" +>13.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
12.1.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN2450" +>13.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
12.1.3. Are there any other issues when OS/2 (any version) +NAME="AEN2459" +>13.1.3. Are there any other issues when OS/2 (any version) is used as a client?
12.1.4. How do I get printer driver download working +NAME="AEN2463" +>13.1.4. How do I get printer driver download working for OS/2 clients?
Chapter 13. HOWTO Access Samba source code via CVSChapter 14. HOWTO Access Samba source code via CVS
13.1. Introduction14.1. Introduction
Samba is developed in an open environment. Developers use CVS @@ -10775,8 +11618,8 @@ CLASS="SECT1" >
13.2. CVS Access to samba.org14.2. CVS Access to samba.org
The machine samba.org runs a publicly accessible CVS @@ -10788,8 +11631,8 @@ CLASS="SECT2" >
13.2.1. Access via CVSweb14.2.1. Access via CVSweb
You can access the source code via your @@ -10809,8 +11652,8 @@ CLASS="SECT2" >
13.2.2. Access via cvs14.2.2. Access via cvs
You can also access the source code via a @@ -10915,14 +11758,14 @@ CLASS="COMMAND" >
Index
- Primary Domain Controller, Background
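Review bot: the install hunk ("root# cp ../samba/source/nsswitch/pam_winbind.so /lib/security" and the added "root# chmod 755 /lib/security/pam_winbind.so") sets the mode but says nothing about ownership; since this module is loaded into login, telnetd and ftpd, the doc should state that it must be owned by root and not writable by anyone else, and that /lib/security itself should not be group or world writable. The same hunk changes "On my RedHat system, this was the" to "On Linux and Solaris systems, this is the /lib/security", yet the Solaris excerpt later in the patch references the other modules as /lib/security/$ISA/pam_unix.so.1 while pam_winbind.so sits directly in /lib/security; a sentence explaining why the paths differ would avoid a confusing mismatch for Solaris readers.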
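Review bot: in the added Solaris /etc/pam.conf excerpt, "login auth required /lib/security/pam_winbind.so" followed by "login auth required /lib/security/$ISA/pam_unix.so.1 try_first_pass" makes both modules required, so pam_unix must also succeed for the same user; that contradicts the Linux /etc/pam.d examples in the same patch, where pam_winbind.so is "sufficient" and pam_unix.so follows as the fallback, and it defeats the purpose of authenticating domain users against the domain. Suggest "login auth sufficient /lib/security/pam_winbind.so" (or whichever control flag matches the intended policy) and a sentence stating which accounts are expected to pass which module. The sentence introducing the excerpt also has two typos: "confiruation" should be "configuration" and "thaty" should be "that".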
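Review bot: the rewritten paragraph "Other services, such as the normal login on the console (or a terminal session), telnet logins, and ftp service, can be modified to allow the use of winbind as an authentication service" drops the first-person framing but should add the caveat that enabling domain authentication for telnet and ftp means domain account passwords are then accepted over protocols that carry them unencrypted, so this is only appropriate on a trusted network. The /etc/pam.d/login description in the same region gets the ordering right for root ("required pam_securetty.so" is placed above the "sufficient /lib/security/pam_winbind.so" line, so the securetty check cannot be bypassed by an earlier sufficient success); the ftp and telnet instructions should spell out the same ordering rule where they tell the reader to add the winbind line.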
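Review bot: the Limitations text keeps "It may be difficult to recover the mappings of rid to UNIX id mapping if the file containing this information is corrupted or destroyed" without naming that file or telling the administrator to back it up; since the same hunk states that RID to UNIX id assignment depends on the order in which winbind first sees each user or group, a mapping rebuilt after loss would not match the UNIX ids already recorded as owners of existing files, so a sentence naming the file and recommending regular backups (restored before winbind is restarted) belongs here. Wording in the same hunk: "The mappings ... is not made algorithmically" should be "are not made", "mappings of rid to UNIX id mapping" repeats itself, and "that may be been set" should be "that may have been set". Removing "Winbind is currently only available for the Linux operating system" is consistent with the Solaris additions earlier in the patch, but the remaining list should then say which platforms are supported.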
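Review bot: the chapter and section renumbering (11.6 to 12.6, Chapter 12 to 13, 13.x to 14.x) and the regenerated anchors (NAME="AEN2435", NAME="AEN2450", NAME="AEN2459", NAME="AEN2463") are consistent with each other in the visible hunks, but these are tool-generated values rather than hand edits; the commit message should say the HTML was regenerated from the source document so that reviewers check the source change instead of the mechanical diff, and note that any external links to the old anchor names will break.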