From 1e6e5b299c235b513095a76a4cd9fffc41e8fc9c Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Mon, 17 Jun 2002 18:36:36 +0000
Subject: beginning to sync up for 2.2.5 release....

---
 docs/htmldocs/Samba-HOWTO-Collection.html | 2679 +++++++++++++++++++----------
 docs/htmldocs/UNIX_INSTALL.html | 2 +-
 docs/htmldocs/cups.html | 588 +++++++
 docs/htmldocs/nmblookup.1.html | 23 +-
 docs/htmldocs/smb.conf.5.html | 259 ++-
 docs/htmldocs/smbcontrol.1.html | 32 +-
 docs/htmldocs/smbpasswd.5.html | 2 +-
 docs/htmldocs/smbpasswd.8.html | 79 +-
 docs/htmldocs/winbind.html | 32 +-
 9 files changed, 2691 insertions(+), 1005 deletions(-)
 create mode 100644 docs/htmldocs/cups.html
(limited to 'docs/htmldocs')

diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html
index d6c92a65cab..2e293287534 100644
--- a/docs/htmldocs/Samba-HOWTO-Collection.html
+++ b/docs/htmldocs/Samba-HOWTO-Collection.html
@@ -178,12 +178,12 @@ HREF="#AEN199" >
1.10.6. Mapping Usernames
1.10.7. Other Character Sets
2.1. Agenda
2.2. Name Resolution in a pure Unix/Linux world
2.2.1. /etc/hosts
2.2.2. /etc/resolv.conf
2.2.3. /etc/host.conf
2.2.4. /etc/nsswitch.conf
2.3. Name resolution as used within MS Windows networking
2.3.1. The NetBIOS Name Cache
2.3.2. The LMHOSTS file
2.3.3. HOSTS file
2.3.4. DNS Lookup
2.3.5. WINS Lookup
2.4. How browsing functions and how to deploy stable and dependable browsing using Samba
2.5. MS Windows security options and how to configure Samba for seemless integration
2.5.1. Use MS Windows NT as an authentication server
2.5.2. Make Samba a member of an MS Windows NT security domain
2.5.3. Configure Samba as an authentication server
2.5.3.1. Users
2.5.3.2. MS Windows NT Machine Accounts
2.6. Conclusions
3.1. Samba and PAM
3.2. Distributed Authentication
3.3. PAM Configuration in smb.conf
4.1. Instructions
4.1.1. Notes
5.1. Viewing and changing UNIX permissions using the NT security dialogs
5.2. How to view file security on a Samba share
5.3. Viewing file ownership
5.4. Viewing file or directory permissions
5.4.1. File Permissions
5.4.2. Directory Permissions
5.5. Modifying file or directory permissions
5.6. Interaction with the standard Samba create mask parameters
5.7. Interaction with the standard Samba file attribute mapping
6.1. Introduction
6.2. Configuration
6.2.1. Creating [print$]
6.2.2. Setting Drivers for Existing Printers
6.2.3. Support a large number of printersDeviceModes and New Printers
6.2.4. Adding New Printers via the Windows NT APWSupport a large number of printers
6.2.5. Adding New Printers via the Windows NT APW
6.2.6. Samba and Printer Ports
6.3. The Imprints Toolset
6.3.1. What is Imprints?
6.3.2. Creating Printer Driver Packages
6.3.3. The Imprints server
6.3.4. The Installation Client
6.4. Migration to from Samba 2.0.x to 2.2.x
6.4.1. Parameters in smb.conf(5) for Backwards Compatibility
7. Printing with CUPS in Samba 2.2.x
7.1. Printing with CUPS in Samba 2.2.x
7.2. Configuring smb.conf for CUPS
7.3. Using CUPS as a mere spooling print server -- "raw" +printing with vendor drivers download
7.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients
7.5. Windows Terminal Servers (WTS) as CUPS clients
7.6. Setting up CUPS for driver download
7.7. Sources of CUPS drivers / PPDs
7.7.1. cupsaddsmb
8. security = domain in Samba 2.x
7.1. 8.1. Joining an NT Domain with Samba 2.2
7.2. 8.2. Samba and Windows 2000 Domains
7.3. 8.3. Why is this better than security = server?
8. 9. How to Configure Samba 2.2 as a Primary Domain Controller
8.1. 9.1. Prerequisite Reading
8.2. 9.2. Background
8.3. 9.3. Configuring the Samba Domain Controller
8.4. 9.4. Creating Machine Trust Accounts and Joining Clients to the Domain
8.4.1. 9.4.1. Manual Creation of Machine Trust Accounts
8.4.2. 9.4.2. "On-the-Fly" Creation of Machine Trust Accounts
8.4.3. 9.4.3. Joining the Client to the Domain
8.5. 9.5. Common Problems and Errors
8.6. 9.6. System Policies and Profiles
8.7. 9.7. What other help can I get?
8.8. 9.8. Domain Control for Windows 9x/ME
8.8.1. 9.8.1. Configuration Instructions: Network Logons
8.8.2. 9.8.2. Configuration Instructions: Setting up Roaming User Profiles
8.8.2.1. 9.8.2.1. Windows NT Configuration
8.8.2.2. 9.8.2.2. Windows 9X Configuration
8.8.2.3. 9.8.2.3. Win9X and WinNT Configuration
8.8.2.4. 9.8.2.4. Windows 9X Profile Setup
8.8.2.5. 9.8.2.5. Windows NT Workstation 4.0
8.8.2.6. 9.8.2.6. Windows NT Server
8.8.2.7. 9.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0
8.9. 9.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba
9. 10. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain
9.1. 10.1. Prerequisite Reading
9.2. 10.2. Background
9.3. 10.3. What qualifies a Domain Controller on the network?
9.3.1. 10.3.1. How does a Workstation find its domain controller?
9.3.2. 10.3.2. When is the PDC needed?
9.4. 10.4. Can Samba be a Backup Domain Controller?
9.5. 10.5. How do I set up a Samba BDC?
9.5.1. 10.5.1. How do I replicate the smbpasswd file?
10. 11. Storing Samba's User/Machine Account information in an LDAP Directory
10.1. 11.1. Purpose
10.2. 11.2. Introduction
10.3. 11.3. Supported LDAP Servers
10.4. 11.4. Schema and Relationship to the RFC 2307 posixAccount
10.5. 11.5. Configuring Samba with LDAP
10.5.1. 11.5.1. OpenLDAP configuration
10.5.2. 11.5.2. Configuring Samba
11.5.3. Importing smbpasswd entries
10.6. 11.6. Accounts and Groups management
10.7. 11.7. Security and sambaAccount
10.8. 11.8. LDAP specials attributes for sambaAccounts
10.9. 11.9. Example LDIF Entries for a sambaAccount
10.10. 11.10. Comments
11. 12. Unified Logons between Windows NT and UNIX using Winbind
11.1. 12.1. Abstract
11.2. 12.2. Introduction
11.3. 12.3. What Winbind Provides
11.3.1. 12.3.1. Target Uses
11.4. 12.4. How Winbind Works
11.4.1. 12.4.1. Microsoft Remote Procedure Calls
11.4.2. 12.4.2. Name Service Switch
11.4.3. 12.4.3. Pluggable Authentication Modules
11.4.4. 12.4.4. User and Group ID Allocation
11.4.5. 12.4.5. Result Caching
11.5. 12.5. Installation and Configuration
11.5.1. 12.5.1. Introduction
11.5.2. 12.5.2. Requirements
11.5.3. 12.5.3. Testing Things Out
11.5.3.1. Configure and compile SAMBA12.5.3.1. Configure and Compile SAMBA
11.5.3.2. 12.5.3.2. Configure nsswitch.conf and the +> and the winbind libraries
11.5.3.3. Configure smb.conf12.5.3.3. Configure smb.conf
11.5.3.4. 12.5.3.4. Join the SAMBA server to the PDC domain
11.5.3.5. 12.5.3.5. Start up the winbindd daemon and test it!
11.5.3.6. Fix the /etc/rc.d/init.d/smb startup files
11.5.3.7. 12.5.3.6. Configure Winbind and PAM
11.6. 12.6. Limitations
11.7. 12.7. Conclusion
12. 13. OS2 Client HOWTO
12.1. 13.1. FAQs
12.1.1. 13.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
12.1.2. 13.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
12.1.3. 13.1.3. Are there any other issues when OS/2 (any version) is used as a client?
12.1.4. 13.1.4. How do I get printer driver download working for OS/2 clients?
13. 14. HOWTO Access Samba source code via CVS
13.1. 14.1. Introduction
13.2. 14.2. CVS Access to samba.org
13.2.1. 14.2.1. Access via CVSweb
13.2.2. 14.2.2. Access via cvs
Index

Your should get back a list of shares available on +>You should get back a list of shares available on your server. If you don't then something is incorrectly setup. Note that this method can also be used to see what shares are available on other LanManager clients (such as WfWg).

By default Samba uses a blank scope ID. This means all your windows boxes must also have a blank scope ID. If you really want to use a non-blank scope ID then you will - need to use the -i <scope> option to nmbd, smbd, and - smbclient. All your PCs will need to have the same setting for + need to use the 'netbios scope' smb.conf option. + All your PCs will need to have the same setting for this to work. I do not recommend scope IDs.

You can disable share modes using "share modes = no". - This may be useful on a heavily loaded server as the share - modes code is very slow. See also the FAST_SHARE_MODES - option in the Makefile for a way to do full share modes - very fast using shared memory (if your OS supports it).


1.10.6. Mapping Usernames


1.10.7. Other Character Sets

2.1. Agenda


2.2. Name Resolution in a pure Unix/Linux world


2.2.1. /etc/hosts is one such file.

When the IP address of the destination interface has been -determined a protocol called ARP/RARP isused to identify +determined a protocol called ARP/RARP is used to identify the MAC address of the target interface. ARP stands for Address Resolution Protocol, and is a broadcast oriented method that uses UDP (User Datagram Protocol) to send a request to all @@ -2070,7 +2145,7 @@ CLASS="SECT2" >


2.2.2. /etc/resolv.conf

2.2.3. /etc/host.conf

2.2.4. /etc/nsswitch.conf

2.3. Name resolution as used within MS Windows networking


2.3.1. The NetBIOS Name Cache

All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and their IP addresses for all external -machines that that the local machine has communicated with over the +stored the NetBIOS names and IP addresses for all external +machines that that machine has communicated with over the past 10-15 minutes. It is more efficient to obtain an IP address for a machine from the local cache than it is to go through all the configured name resolution mechanisms.

If a machine whose name is in the local name cache has been shut down before the name had been expired and flushed from the cache, then an attempt to exchange a message with that machine will be subject -to time-out delays. ie: It's name is in the cache, so a name resolution +to time-out delays. i.e.: Its name is in the cache, so a name resolution lookup will succeed, but the machine can not respond. This can be frustrating for users - but it is a characteristic of the protocol.


2.3.2. The LMHOSTS file


2.3.3. HOSTS file


2.3.4. DNS Lookup


2.3.5. WINS Lookup


2.4. How browsing functions and how to deploy stable and dependable browsing using Samba

As stated above, MS Windows machines register their NetBIOS names -(ie: the machine name for each service type in operation) on start +(i.e.: the machine name for each service type in operation) on start up. Also, as stated above, the exact method by which this name registration takes place is determined by whether or not the MS Windows client/server has been given a WINS server address, whether or not LMHOSTS lookup @@ -2591,7 +2666,7 @@ Instead, the domain master browser serves the role of contacting each local master browser (found by asking WINS or from LMHOSTS) and exchanging browse list contents. This way every master browser will eventually obtain a complete list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By nature of +is held to determine which machine will be the master browser. By the nature of the election criteria used, the machine with the highest uptime, or the most senior protocol version, or other criteria, will win the election as domain master browser.


2.5. MS Windows security options and how to configure Samba for seemless integration

MS Windows clients have a habit of dropping network mappings that have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped the SMB protocol -has a mechanism by which the connection can be re-established using +use the mapped drive connection that has been dropped, the client +re-establishes the connection using a cached copy of the password.

When Microsoft changed the default password mode, they dropped support for @@ -2769,7 +2844,7 @@ CLASS="SECT2" >


2.5.1. Use MS Windows NT as an authentication server


2.5.2. Make Samba a member of an MS Windows NT security domain


2.5.3. Configure Samba as an authentication server

This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as and +Unix/Linux system both a Unix style account as well as an smbpasswd entry for the user. The Unix system account can be locked if required as only the encrypted password will be used for SMB client authentication.


2.5.3.1. Users


2.5.3.2. MS Windows NT Machine Accounts


2.6. Conclusions

3.1. Samba and PAM


3.2. Distributed Authentication


3.3. PAM Configuration in smb.conf

4.1. Instructions


4.1.1. Notes

5.1. Viewing and changing UNIX permissions using the NT security dialogs


5.2. How to view file security on a Samba share


5.3. Viewing file ownership


5.4. Viewing file or directory permissions


5.4.1. File Permissions


5.4.2. Directory Permissions


5.5. Modifying file or directory permissions


5.6. Interaction with the standard Samba create mask parameters


5.7. Interaction with the standard Samba file attribute mapping

6.1. Introduction


6.2. Configuration

printer driver file parameter, are being depreciated and should not +> parameter, are being deprecated and should not be used in new installations. For more information on this change, you should refer to the

6.2.1. Creating [print$]


6.2.2. Setting Drivers for Existing Printers

Click "No" in the error dialog and you will be presented with -the printer properties window. The way assign a driver to a +>Click No in the error dialog and you will be presented with +the printer properties window. The way assign a driver to a printer is to either

  • Use the "New Driver..." button to install +>Use the "New Driver..." button to install a new printer driver, or

  • Select a driver from the popup list of +>Select a driver from the popup list of installed drivers. Initially this list will be empty.

If you wish to install printer drivers for client -operating systems other than "Windows NT x86", you will need +>If you wish to install printer drivers for client +operating systems other than "Windows NT x86", you will need to use the "Sharing" tab of the printer properties dialog.

Assuming you have connected with a root account, you -will also be able modify other printer properties such as +>Assuming you have connected with a root account, you +will also be able modify other printer properties such as ACLs and device settings using this dialog box.

A few closing comments for this section, it is possible +>A few closing comments for this section, it is possible on a Windows NT print server to have printers listed in the Printers folder which are not shared. Samba does not make this distinction. By definition, the only printers of @@ -4745,7 +4822,7 @@ CLASS="FILENAME" >.

Another interesting side note is that Windows NT clients do -not use the SMB printer share, but rather can print directly +not use the SMB printer share, but rather can print directly to any printer on another Windows NT host using MS-RPC. This of course assumes that the printing client has the necessary privileges on the remote host serving the printer. The default @@ -4758,22 +4835,66 @@ CLASS="SECT2" CLASS="SECT2" >6.2.3. Support a large number of printers6.2.3. DeviceModes and New Printers

In order for a printer to be truly usbla eby a Windows NT/2k/XP client, +it must posses:

  • a valid Device Mode generated by the driver for the printer, and

  • a complete set of PrinterDriverData generated by the driver.

If either one of these is incomplete, the clients can produce less than optimal +output at best or in the worst cases, unreadable garbage or nothing at all. +Fortunately, most driver generate the printer driver that is needed. +However, the client must be tickled to generate a valid Device Mode and set it on the +server. The easist means of doing so is to simply set the page orientation on +the server's printer using the native Windows NT/2k printer properties page from +a Window clients. Make sure to apply changes between swapping the page orientation +to cause the change to actually take place. Be aware that this can only be done +by a "printer admin" (the reason should be obvious I hope).

Samba also includes a service level parameter name default +devmode for generating a default device mode for a printer. Some driver +will function fine with this default set of properties. Others may crash the client's +spooler service. Use this parameter with caution. It is always better to have the client +generate a valid device mode for the printer and store it on the server for you.


6.2.4. Support a large number of printers
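Review bot: In the added "DeviceModes and New Printers" section, the parenthetical "the reason should be obvious I hope" leaves the reader without the reason why only a "printer admin" can do this; state it, for example that storing the Device Mode changes printer data on the server and so needs the rights that "printer admin" grants. The same section has typos that will ship in the rendered HOWTO: "usbla eby" (usable by), "posses" (possess), "easist" (easiest), "most driver generate" and "Some driver will function" (drivers), and "from a Window clients". The "default devmode" paragraph warns that the parameter may crash the client's spooler service but never says what its default value is, so say whether it is on or off when unset.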

One issue that has arisen during the development phase of Samba 2.2 is the need to support driver downloads for -100's of printers. Using the Windows NT APW is somewhat -awkward to say the list. If more than one printer are using the +100's of printers. Using the Windows NT APW is somewhat +awkward to say the list. If more than one printer are using the same driver, the rpcclient's -setdriver command can be used to set the driver +> command can be used to set the driver associated with an installed driver. The following is example of how this could be accomplished:

 
-$ rpcclient pogo -U root%secret -c "enumdrivers"
 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
- 
+
 [Windows NT x86]
 Printer Driver Info 1:
      Driver Name: [HP LaserJet 4000 Series PS]
- 
+
 Printer Driver Info 1:
      Driver Name: [HP LaserJet 2100 Series PS]
- 
+
 Printer Driver Info 1:
      Driver Name: [HP LaserJet 4Si/4SiMX PS]
-				  
+
 $ $ 

6.2.4. Adding New Printers via the Windows NT APW6.2.5. Adding New Printers via the Windows NT APW

By default, Samba offers all printer shares defined in smb.conf -in the "Printers..." folder. Also existing in this folder is the Windows NT +in the "Printers..." folder. Also existing in this folder is the Windows NT Add Printer Wizard icon. The APW will be show only if

show +>show add printer wizard = yes

In order to be able to use the APW to successfully add a printer to a Samba +>In order to be able to use the APW to successfully add a printer to a Samba server, the add +>add printer command must have a defined value. The program -hook must successfully add the printer to the system (i.e. +hook must successfully add the printer to the system (i.e. /etc/printcap or appropriate files) and +> or appropriate files) and smb.conf if necessary.

When using the APW from a client, if the named printer share does +>When using the APW from a client, if the named printer share does not exist, smbd will execute the add printer +>add printer command and reparse to the


6.2.5. Samba and Printer Ports6.2.6. Samba and Printer Ports

Windows NT/2000 print servers associate a port with each printer. These normally @@ -4975,7 +5095,7 @@ CLASS="SECT1" >


6.3. The Imprints Toolset

as well as the documentation included with the imprints source distribution. This section will only provide a brief introduction to the features of Imprints.

As of June 16, 2002 (quite a bit earlier actually), the Imprints + project is in need of a new maintainer. The most important skill + is decent perl coding and an interest in MS-RPC based printing using Samba. + If you wich to volunteer, please coordinate your efforts on the samba-technical + mailing list. +


6.4.1. Parameters in smb.conf(5) for Backwards Compatibility

The have been two new parameters add in Samba 2.2.2 to for better support of Samba 2.0.x backwards capability (). Both of these options are described in the smb.coinf(5) man page and are -disabled by default.


Chapter 7. security = domain in Samba 2.xChapter 7. Printing with CUPS in Samba 2.2.x

7.1. Joining an NT Domain with Samba 2.27.1. Printing with CUPS in Samba 2.2.x

Assume you have a Samba 2.x server with a NetBIOS name of - SERV1 and are joining an NT domain called - DOM, which has a PDC with a NetBIOS name - of DOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC2 - .

CUPS is a newcomer in +the UNIX printing scene, which has convinced many people upon first trial +already. However, it has quite a few new features, which make it different +from other, more traditional printing systems.


7.2. Configuring smb.conf for CUPS

In order to join the domain, first stop all Samba daemons - and run the command:

Printing with CUPS in the most basic smb.conf +setup in Samba 2.2.x only needs two settings: printing = cups and +printcap = cups. While CUPS itself doesn't need a printcap +anymore, the cupsd.conf configuration file knows two directives +(example: Printcap /etc/printcap and PrintcapFormat +BSD), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +man cupsd.conf and other CUPS-related documentation.

root# smbpasswd -j DOM -r DOMPDC - -UIf SAMBA is compiled against libcups, then printcap = +cups uses the CUPS API to list printers, submit jobs, etc. Otherwise it +maps to the System V commands with an additional Administrator%password-oraw

+option for printing. On a Linux system, you can use the ldd command to +find out details (ldd may not be present on other OS platforms, or its +function may be embodied by a different command):

as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary +>
transmeta:/home/kurt # ldd `which smbd`
+        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000)
+        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
+        libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
+        libdl.so.2 => /lib/libdl.so.2 (0x401e8000)
+        libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000)
+        libpam.so.0 => /lib/libpam.so.0 (0x40202000)
+        libc.so.6 => /lib/libc.so.6 (0x4020b000)
+        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and printing = cups is set, then any +otherwise manually set print command in smb.conf is ignored.
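Review bot: "Make sure it is set!" in the added section 7.2 paragraph does not say which of the two cupsd.conf directives is meant or what value Samba needs, and the next paragraph says that with libcups linked in, "printcap = cups" uses the CUPS API to list printers, so it is unclear when the printcap file matters at all. Name the case where the file is required (Samba built without libcups?) and give the directive values to use. The ldd sample also carries a personal prompt, "transmeta:/home/kurt #", where the other examples in this document use "root#".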


7.3. Using CUPS as a mere spooling print server -- "raw" +printing with vendor drivers download

You can setup Samba and your Windows clients to use the +CUPS print subsystem just as you would with any of the more traditional print +subsystems: that means the use of vendor provided, native Windows printer +drivers for each target printer. If you setup the [print$] share to +download these drivers to the clients, their GDI system (Graphical Device +Interface) will output the Wndows EMF (Enhanced MetaFile) and +convert it -- with the help of the printer driver -- locally into the format +the printer is expecting. Samba and the CUPS print subsystem will have to +treat these files as raw print files -- they are already in the +shape to be digestable for the printer. This is the same traditional setup +for Unix print servers handling Windows client jobs. It does not take much +CPU power to handle this kind of task efficiently.


7.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients

CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.

CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see man lpoptions or +try if you have lphelp on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.

CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.

This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword *cupsFilter. +This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.

CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).

This feature enables CUPS to do a few tricks no other +spooler can do:

  • act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;

  • act as a central accounting and billing server, as all files are passed + through the pstops Filter and are therefor logged in + the CUPS page_log. - NOTE: this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;

  • enable clients to consolidate on a single PostScript driver, even for + many different target printers.


7.5. Windows Terminal Servers (WTS) as CUPS clients

This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!

Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...


7.6. Setting up CUPS for driver download

The cupsadsmb utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. Prior to using it, you need the following settings in smb.conf:

[global]
+         load printers = yes
+         printing = cups
+         printcap name = cups
+
+[printers]
+         comment = All Printers
+         path = /var/spool/samba
+         browseable = no
+         public = yes
+         guest ok = yes
+         writable = no
+         printable = yes
+         printer admin = root
+
+[print$]
+         comment = Printer Drivers
+         path = /etc/samba/drivers
+         browseable = yes
+         guest ok = no
+         read only = yes
+         write list = root

For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +drivers directory in the CUPS data directory (usually +/usr/share/cups/). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:

        ADFONTS.MFM
+        ADOBEPS4.DRV
+        ADOBEPS4.HLP
+        ADOBEPS5.DLL
+        ADOBEPSU.DLL
+        ADOBEPSU.HLP
+        DEFPRTR2.PPD
+        ICONLIB.DLL

Users of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem.
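Review bot: The list of Adobe files to copy into the drivers directory in section 7.6 names eight files, but the "cupsaddsmb -v" output added in section 7.7.1 also uploads /usr/share/cups/drivers/PSMON.DLL to WIN40; add PSMON.DLL to the list or say where it comes from. In the smb.conf block, [printers] sets both "public = yes" and "guest ok = yes", which are synonyms, so keep one and tell the reader that it lets unauthenticated guests connect to the printer shares, since the text presents the whole block as required settings. The block also writes "printcap name = cups" where section 7.2 writes "printcap = cups"; pick one spelling, and fix "cupsadsmb" in the first sentence of 7.6 to "cupsaddsmb".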


7.7. Sources of CUPS drivers / PPDs

On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.

NOTE: the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. -- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). +However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way...

Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use cupsaddsmb to share the +printer via Samba. cupsaddsmb prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.


7.7.1. cupsaddsmb

The cupsaddsmb command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from /etc/cups/ppd/ to +[print$].

root#  cupsaddsmb -U root infotec_IS2027
+Password for root required to access localhost via SAMBA: [type in password 'secret']

To share all printers and drivers, use the -a +parameter instead of a printer name.

Probably you want to see what's going on. Use the +-v parameter to get a more verbose output:

root#  cupsaddsmb -v -U root infotec_IS2027
+    Password for root required to access localhost via SAMBA:
+    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLL W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP'
+    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
+    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
+    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
+    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
+    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
+    putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s)
+    putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s)
+    putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s)
+    putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s)
+
+    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
+    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
+    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
+    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
+    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
+    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
+    putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s)
+    putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s)
+    putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s)
+    putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s)
+    putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s)
+    putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s)
+    putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s)
+
+    Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"'
+    cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"
+    Printer Driver infotec_IS2027 successfully installed.
+
+    Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
+    cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"
+    Printer Driver infotec_IS2027 successfully installed.
+
+    Running command: rpcclient localhost -N -U'root%secret' -c 'setdriver infotec_IS2027 infotec_IS2027'
+    cmd = setdriver infotec_IS2027 infotec_IS2027
+    Succesfully set infotec_IS2027 to driver infotec_IS2027.
+
+    root# 

If you look closely, you'll discover your root password +was transfered unencrypted over the wire, so beware! Also, if you look +further her, you'll discover error messages like +NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because +the directories WIN40 and W32X86 already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.

Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"

NOTE: +cupsaddsmb will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions.
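Review bot: in the added 7.7.1 cupsaddsmb section, the sentence "you'll discover your root password was transfered unencrypted over the wire, so beware!" names a risk but gives the reader nothing to act on, and it does not match the transcript above it, where every smbclient and rpcclient call targets localhost. Suggest stating what the transcript actually shows: with -v the password is printed in clear on each "Running command:" line (-U'root%secret'), so it lands in terminal scrollback and any captured log. Also say under which setup the password leaves the host, since the sample run talks only to localhost. Small fixes in the same + lines: "transfered", "further her", "their should be a new printer", and the stray "i" in "will only reliably work i with CUPS version 1.1.15".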


Chapter 8. security = domain in Samba 2.x

8.1. Joining an NT Domain with Samba 2.2

Assume you have a Samba 2.x server with a NetBIOS name of + SERV1 and are joining an NT domain called + DOM, which has a PDC with a NetBIOS name + of DOMPDC and two backup domain controllers + with NetBIOS names DOMBDC1 and DOMBDC2 + .

In order to join the domain, first stop all Samba daemons + and run the command:

root# smbpasswd -j DOM -r DOMPDC + -UAdministrator%password

as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The Administrator%password is + the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message:


7.2. Samba and Windows 2000 Domains8.2. Samba and Windows 2000 Domains

Many people have asked regarding the state of Samba's ability to participate in @@ -5584,8 +6356,8 @@ CLASS="SECT1" >


7.3. Why is this better than security = server?8.3. Why is this better than security = server?

Currently, domain security in Samba doesn't free you from @@ -5671,15 +6443,15 @@ CLASS="CHAPTER" >


Chapter 8. How to Configure Samba 2.2 as a Primary Domain ControllerChapter 9. How to Configure Samba 2.2 as a Primary Domain Controller

8.1. Prerequisite Reading9.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure @@ -5706,8 +6478,8 @@ CLASS="SECT1" >


8.2. Background9.2. Background


8.3. Configuring the Samba Domain Controller9.3. Configuring the Samba Domain Controller

The first step in creating a working Samba PDC is to @@ -6059,8 +6831,8 @@ CLASS="SECT1" >


8.4. Creating Machine Trust Accounts and Joining Clients to the +NAME="AEN1324" +>9.4. Creating Machine Trust Accounts and Joining Clients to the Domain


8.4.1. Manual Creation of Machine Trust Accounts9.4.1. Manual Creation of Machine Trust Accounts

The first step in manually creating a machine trust account is to @@ -6300,8 +7072,8 @@ CLASS="SECT2" >


8.4.2. "On-the-Fly" Creation of Machine Trust Accounts9.4.2. "On-the-Fly" Creation of Machine Trust Accounts

The second (and recommended) way of creating machine trust accounts is @@ -6346,8 +7118,8 @@ CLASS="SECT2" >


8.4.3. Joining the Client to the Domain9.4.3. Joining the Client to the Domain

The procedure for joining a client to the domain varies with the @@ -6406,8 +7178,8 @@ CLASS="SECT1" >


8.5. Common Problems and Errors9.5. Common Problems and Errors


8.6. System Policies and Profiles9.6. System Policies and Profiles

Much of the information necessary to implement System Policies and @@ -6762,8 +7534,8 @@ CLASS="SECT1" >


8.7. What other help can I get?9.7. What other help can I get?

There are many sources of information available in the form @@ -7158,8 +7930,8 @@ CLASS="SECT1" >


8.8. Domain Control for Windows 9x/ME9.8. Domain Control for Windows 9x/ME


8.8.1. Configuration Instructions: Network Logons9.8.1. Configuration Instructions: Network Logons

The main difference between a PDC and a Windows 9x logon @@ -7366,8 +8138,8 @@ CLASS="SECT2" >


8.8.2. Configuration Instructions: Setting up Roaming User Profiles9.8.2. Configuration Instructions: Setting up Roaming User Profiles


8.8.2.1. Windows NT Configuration9.8.2.1. Windows NT Configuration

To support WinNT clients, in the [global] section of smb.conf set the @@ -7457,8 +8229,8 @@ CLASS="SECT3" >


8.8.2.2. Windows 9X Configuration9.8.2.2. Windows 9X Configuration

To support Win9X clients, you must use the "logon home" parameter. Samba has @@ -7497,8 +8269,8 @@ CLASS="SECT3" >


8.8.2.3. Win9X and WinNT Configuration9.8.2.3. Win9X and WinNT Configuration

You can support profiles for both Win9X and WinNT clients by setting both the @@ -7535,8 +8307,8 @@ CLASS="SECT3" >


8.8.2.4. Windows 9X Profile Setup9.8.2.4. Windows 9X Profile Setup

When a user first logs in on Windows 9X, the file user.DAT is created, @@ -7691,8 +8463,8 @@ CLASS="SECT3" >


8.8.2.5. Windows NT Workstation 4.09.8.2.5. Windows NT Workstation 4.0

When a user first logs in to a Windows NT Workstation, the profile @@ -7773,8 +8545,8 @@ CLASS="SECT3" >


8.8.2.6. Windows NT Server9.8.2.6. Windows NT Server

There is nothing to stop you specifying any path that you like for the @@ -7787,8 +8559,8 @@ CLASS="SECT3" >


8.8.2.7. Sharing Profiles between W95 and NT Workstation 4.09.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0


8.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba9.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba


Chapter 9. How to Act as a Backup Domain Controller in a Purely Samba Controlled DomainChapter 10. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain

9.1. Prerequisite Reading10.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure @@ -7998,8 +8770,8 @@ CLASS="SECT1" >


9.2. Background10.2. Background

What is a Domain Controller? It is a machine that is able to answer @@ -8035,9 +8807,13 @@ WIDTH="100%" >

workgroup = SAMBA
-domain master = yes
-domain logons = yes
[global] + workgroup = SAMBA + domain master = yes + domain logons = yes + encrypt passwords = yes + security = user + ....

9.3. What qualifies a Domain Controller on the network?10.3. What qualifies a Domain Controller on the network?

Every machine that is a Domain Controller for the domain SAMBA has to @@ -8069,8 +8845,8 @@ CLASS="SECT2" >


9.3.1. How does a Workstation find its domain controller?10.3.1. How does a Workstation find its domain controller?

A NT workstation in the domain SAMBA that wants a local user to be @@ -8088,8 +8864,8 @@ CLASS="SECT2" >


9.3.2. When is the PDC needed?10.3.2. When is the PDC needed?

Whenever a user wants to change his password, this has to be done on @@ -8104,8 +8880,8 @@ CLASS="SECT1" >


9.4. Can Samba be a Backup Domain Controller?10.4. Can Samba be a Backup Domain Controller?

With version 2.2, no. The native NT SAM replication protocols have @@ -8123,8 +8899,8 @@ CLASS="SECT1" >


9.5. How do I set up a Samba BDC?10.5. How do I set up a Samba BDC?

Several things have to be done:

  • The file private/MACHINE.SID identifies the domain. When a samba -server is first started, it is created on the fly and must never be -changed again. This file has to be the same on the PDC and the BDC, -so the MACHINE.SID has to be copied from the PDC to the BDC.

    The file private/MACHINE.SID identifies the domain. When a samba + server is first started, it is created on the fly and must never be + changed again. This file has to be the same on the PDC and the BDC, + so the MACHINE.SID has to be copied from the PDC to the BDC. Note that in the + latest Samba 2.2.x releases, the machine SID (and therefore domain SID) is stored + in the private/secrets.tdb database. This file cannot just + be copied because Samba looks under the key SECRETS/SID/DOMAIN. + where DOMAIN is the machine's netbios name. Since this name has + to be unique for each SAMBA server, this lookup will fail.

    A new option has been added to the smbpasswd(8) + command to help ease this problem. When running smbpasswd -S as the root user, + the domain SID will be retrieved from a domain controller matching the value of the + workgroup parameter in smb.conf and stored as the + new Samba server's machine SID. See the smbpasswd(8) + man page for more details on this functionality. +

  • The Unix user database has to be synchronized from the PDC to the -BDC. This means that both the /etc/passwd and /etc/group have to be -replicated from the PDC to the BDC. This can be done manually -whenever changes are made, or the PDC is set up as a NIS master -server and the BDC as a NIS slave server. To set up the BDC as a -mere NIS client would not be enough, as the BDC would not be able to -access its user database in case of a PDC failure.

    The Unix user database has to be synchronized from the PDC to the + BDC. This means that both the /etc/passwd and /etc/group have to be + replicated from the PDC to the BDC. This can be done manually + whenever changes are made, or the PDC is set up as a NIS master + server and the BDC as a NIS slave server. To set up the BDC as a + mere NIS client would not be enough, as the BDC would not be able to + access its user database in case of a PDC failure. LDAP is also a + potential vehicle for sharing this information. +

  • The Samba password database in the file private/smbpasswd has to be -replicated from the PDC to the BDC. This is a bit tricky, see the -next section.

    The Samba password database in the file private/smbpasswd + has to be replicated from the PDC to the BDC. This is a bit tricky, see the + next section. +

  • Any netlogon share has to be replicated from the PDC to the -BDC. This can be done manually whenever login scripts are changed, -or it can be done automatically together with the smbpasswd -synchronization.

    Any netlogon share has to be replicated from the PDC to the + BDC. This can be done manually whenever login scripts are changed, + or it can be done automatically together with the smbpasswd + synchronization. +

workgroup = samba
-domain master = no
-domain logons = yes
[global] + workgroup = SAMBA + domain master = yes + domain logons = yes + encrypt passwords = yes + security = user + ....

9.5.1. How do I replicate the smbpasswd file?10.5.1. How do I replicate the smbpasswd file?

Replication of the smbpasswd file is sensitive. It has to be done -whenever changes to the SAM are made. Every user's password change is -done in the smbpasswd file and has to be replicated to the BDC. So +whenever changes to the SAM are made. Every user's password change +(including machine trust account password changes) is done in the +smbpasswd file and has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.

As the smbpasswd file contains plain text password equivalents, it must not be sent unencrypted over the wire. The best way to set up smbpasswd replication from the PDC to the BDC is to use the utility -rsync. rsync can use ssh as a transport. ssh itself can be set up to -accept *only* rsync transfer without requiring the user to type a -password.

rsync(1). rsync can use +ssh(1) as a transport. ssh itself +can be set up to accept only rsync transfer without requiring the user to +type a password. Refer to the man pages for these two tools for more details.

Another solution with high potential is to use Samba's --with-ldapsam +for sharing and/or replicating the list of sambaAccount entries. +This can all be done over SSL to ensure security. See the Samba-LDAP-HOWTO +for more details.
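Review bot: in 10.5 "How do I set up a Samba BDC?", the replacement smb.conf example sets "domain master = yes" where the removed lines had "domain master = no". The new block is word for word the PDC example added in 10.2 (workgroup = SAMBA, domain logons = yes, encrypt passwords = yes, security = user), so this looks like a copy-paste. If the BDC is still meant to differ from the PDC here, keep "domain master = no" in the new [global] block. In the same section, the first bullet now says both that MACHINE.SID "has to be copied from the PDC to the BDC" and that secrets.tdb "cannot just be copied". Scoping the older sentence to releases that still use private/MACHINE.SID would remove the contradiction, and the stray period in "SECRETS/SID/DOMAIN. where DOMAIN" can go.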


Chapter 10. Storing Samba's User/Machine Account information in an LDAP DirectoryChapter 11. Storing Samba's User/Machine Account information in an LDAP Directory

10.1. Purpose11.1. Purpose

This document describes how to use an LDAP directory for storing Samba user @@ -8259,7 +9135,7 @@ TARGET="_top" >O'Reilly Publishing is working on a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002.

Two additional Samba resources which may prove to be helpful are

IDEALX that are - geared to manage users and group in such a Samba-LDAP Domain Controller configuration. + geared to manage users and group in such a Samba-LDAP Domain Controller configuration. These scripts can + be found in the Samba 2.2.5 release in the examples/LDAP/smbldap-tools/ directory.


10.2. Introduction11.2. Introduction

Traditionally, when configuring The first is that all lookups must be performed sequentially. Given that there are approximately two lookups per domain logon (one for a normal session connection such as when mapping a network drive or printer), this -is a performance bottleneck for lareg sites. What is needed is an indexed approach +is a performance bottleneck for large sites. What is needed is an indexed approach such as is used in databases.

  • As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts +used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support for a samdb backend (e.g. --with-ldapsam autoconf -option, smbd (and associated tools) will store and lookup user accounts in +option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.


    10.3. Supported LDAP Servers11.3. Supported LDAP Servers

    The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP @@ -8433,8 +9319,8 @@ CLASS="SECT1" >


    10.4. Schema and Relationship to the RFC 2307 posixAccount11.4. Schema and Relationship to the RFC 2307 posixAccount

    Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in @@ -8453,7 +9339,7 @@ WIDTH="100%" >

    objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
    +>objectclass ( 1.3.1.5.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILARY
          DESC 'Samba Account'
          MUST ( uid $ rid )
          MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
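Review bot: the new objectclass line spells the class kind "AUXILARY" ("NAME 'sambaAccount' SUP top AUXILARY"), and the prose added further down this section uses both "AUXILARY" and "AUXILIARY". The keyword is AUXILIARY, and a reader who copies this listing into a schema file gets a token the schema parser will not recognise. The OID on the same line also changes from ...7165.2.2.2 to ...7165.2.2.3 without any mention in the surrounding text. A sentence saying that the auxiliary class carries a new OID, and what that means for a directory already loaded with the old schema, would help.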
    @@ -8465,7 +9351,10 @@ CLASS="PROGRAMLISTING"
     >

    The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are +>The samba.schema file has been formatted for OpenLDAP 2.0 & 2.1. The OID's are owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to jerry@samba.org

    Since the original release, schema files for

    • IBM's SecureWay Server

    • Netscape Directory Server version 4.x and 5.x

    have been submitted and included in the Samba source distribution. I cannot +personally comment on the integration of these commercial directory servers since +I have not had the oppotinuity to work with them.

    Just as the smbpasswd file is mean to store information which supplements a user's /etc/passwd entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a +meant to supplement the UNIX user account information. A sambaAccount is now an STRUCTURAL objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design.

    AUXILARY
    objectclass so it can be stored alongside +a posixAccount or person objectclass in the directory. Note that there are +several fields (e.g. uid) which overlap with the posixAccount objectclass +outlined in RFC2307. This is by design. The move from a STRUCTURAL objectclass +to an AUXILIARY one was compliance with the LDAP data model which states that +an entry can contain only one STRUCTURAL objectclass per entry. This is now +enforced by the OpenLDAP 2.1 server.

    In order to store all user account information (UNIX and Samba) in the directory, it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account +combination. However, smbd will still obtain the user's UNIX account information via the standard C library calls (e.g. getpwnam(), et. al.). This means that the Samba server must also have the LDAP NSS library installed and functioning correctly. This division of information makes it possible to @@ -8501,16 +9415,16 @@ CLASS="SECT1" >


    10.5. Configuring Samba with LDAP11.5. Configuring Samba with LDAP

    10.5.1. OpenLDAP configuration11.5.1. OpenLDAP configuration

    To include support for the sambaAccount object in an OpenLDAP directory @@ -8588,9 +9502,9 @@ CLASS="PROGRAMLISTING" ## required by OpenLDAP 2.0 index objectclass eq -## support pb_getsampwnam() +## support pbb_getsampwnam() index uid pres,eq -## support pdb_getsambapwrid() +## support pdb_getsampwrid() index rid eq ## uncomment these if you are storing posixAccount and @@ -8609,8 +9523,8 @@ CLASS="SECT2" >
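Review bot: in the OpenLDAP index listing of 11.5.1, the + line "## support pbb_getsampwnam()" trades one typo for another. The removed comment read pb_getsampwnam() and the new one reads pbb_getsampwnam(), while the neighbouring corrected comment uses the pdb_ prefix (pdb_getsampwrid()). Suggest "## support pdb_getsampwnam()" so both comments name their functions consistently.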


    10.5.2. Configuring Samba11.5.2. Configuring Samba

    The following parameters are available in smb.conf only with


    11.5.3. Importing smbpasswd entries

    Import existing user entries from an smbpasswd can be trivially done using +a Perl script named import_smbpasswd.pl included in the +examples/LDAP/ directory of the Samba source distribution. There are +two main requirements of this script:

    • All users to be imported to the directory must have a valid uid on the + local system. This can be a problem if using a machinej different from the Samba server + to import the file.

    • The local system must have a working installation of the Net::LDAP perl + module which can be obtained from with http://search.cpan.org/ + by searching for perl-ldap or directly from http://perl-ldap.sf.net/. +

    Please refer to the documentation in the same directory as the script for more details.
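Review bot: the new 11.5.3 "Importing smbpasswd entries" section describes moving smbpasswd entries into the directory without saying how those entries should be protected on the way in, although 10.5.1 in this same document states that the smbpasswd file "contains plain text password equivalents" and "must not be sent unencrypted over the wire". Suggest a sentence pointing to 11.7 "Security and sambaAccount" before the reader runs import_smbpasswd.pl. Typos in the + lines: "machinej different", "obtained from with http://search.cpan.org/", and "Import existing user entries ... can be trivially done", which should begin "Importing".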


  • 10.6. Accounts and Groups management11.6. Accounts and Groups management

    As users accounts are managed thru the sambaAccount objectclass, you should @@ -8763,8 +9733,8 @@ CLASS="SECT1" >


    10.7. Security and sambaAccount11.7. Security and sambaAccount

    There are two important points to remember when discussing the security @@ -8843,8 +9813,8 @@ CLASS="SECT1" >


    10.8. LDAP specials attributes for sambaAccounts11.8. LDAP specials attributes for sambaAccounts

    The sambaAccount objectclass is composed of the following attributes:


    10.9. Example LDIF Entries for a sambaAccount11.9. Example LDIF Entries for a sambaAccount

    The following is a working LDIF with the inclusion of the posixAccount objectclass:


    10.10. Comments11.10. Comments

    Please mail all comments regarding this HOWTO to jerry@samba.org. This documents was -last updated to reflect the Samba 2.2.3 release.


    Chapter 11. Unified Logons between Windows NT and UNIX using WinbindChapter 12. Unified Logons between Windows NT and UNIX using Winbind

    11.1. Abstract12.1. Abstract

    Integration of UNIX and Microsoft Windows NT through @@ -9177,8 +10147,8 @@ CLASS="SECT1" >


    11.2. Introduction12.2. Introduction

    It is well known that UNIX and Microsoft Windows NT have @@ -9231,8 +10201,8 @@ CLASS="SECT1" >


    11.3. What Winbind Provides12.3. What Winbind Provides

    Winbind unifies UNIX and Windows NT account management by @@ -9273,8 +10243,8 @@ CLASS="SECT2" >


    11.3.1. Target Uses12.3.1. Target Uses

    Winbind is targeted at organizations that have an @@ -9286,7 +10256,7 @@ NAME="AEN1971" workstations into a NT based organization.

    Another interesting way in which we expect Winbind to - be used is as a central part of UNIX based appliances. Appliances + be used is as a central part of UNIX based appliances. Appliances that provide file and print services to Microsoft based networks will be able to use Winbind to provide seamless integration of the appliance into the domain.


    11.4. How Winbind Works12.4. How Winbind Works

    The winbind system is designed around a client/server @@ -9317,8 +10287,8 @@ CLASS="SECT2" >


    11.4.1. Microsoft Remote Procedure Calls12.4.1. Microsoft Remote Procedure Calls

    Over the last two years, efforts have been underway @@ -9343,8 +10313,8 @@ CLASS="SECT2" >


    11.4.2. Name Service Switch12.4.2. Name Service Switch

    The Name Service Switch, or NSS, is a feature that is @@ -9423,8 +10393,8 @@ CLASS="SECT2" >


    11.4.3. Pluggable Authentication Modules12.4.3. Pluggable Authentication Modules

    Pluggable Authentication Modules, also known as PAM, @@ -9472,8 +10442,8 @@ CLASS="SECT2" >


    11.4.4. User and Group ID Allocation12.4.4. User and Group ID Allocation

    When a user or group is created under Windows NT @@ -9498,8 +10468,8 @@ CLASS="SECT2" >


    11.4.5. Result Caching12.4.5. Result Caching

    An active system can generate a lot of user and group @@ -9521,8 +10491,8 @@ CLASS="SECT1" >


    11.5. Installation and Configuration12.5. Installation and Configuration

    Many thanks to John Trostel jtrostel@snapserver.com -for providing the HOWTO for this section.

    This HOWTO describes how to get winbind services up and running +for providing the original Linux version of this HOWTO which +describes how to get winbind services up and running to control access and authenticate users on your Linux box using -the winbind services which come with SAMBA 2.2.2.

    There is also some Solaris specific information in -docs/textdocs/Solaris-Winbind-HOWTO.txt. -Future revisions of this document will incorporate that -information.


    11.5.1. Introduction12.5.1. Introduction

    This HOWTO describes the procedures used to get winbind up and -running on my RedHat 7.1 system. Winbind is capable of providing access -and authentication control for Windows Domain users through an NT -or Win2K PDC for 'regular' services, such as telnet a nd ftp, as -well for SAMBA services.

    This HOWTO has been written from a 'RedHat-centric' perspective, so if -you are using another distribution, you may have to modify the instructions -somewhat to fit the way your distribution works.

    This HOWTO has been written from a 'RedHat-centric' perspective, so if +you are using another distribution (or operating system), you may have +to modify the instructions somewhat to fit the way your distribution works.

      This allows the SAMBA administrator to rely on the - authentication mechanisms on the NT/Win2K PDC for the authentication - of domain members. NT/Win2K users no longer need to have separate +>This allows the SAMBA administrator to rely on the + authentication mechanisms on the NT/Win2K PDC for the authentication + of domain members. NT/Win2K users no longer need to have separate accounts on the SAMBA server.

      This HOWTO is designed for system administrators. If you are - implementing SAMBA on a file server and wish to (fairly easily) +> This HOWTO is designed for system administrators. If you are + implementing SAMBA on a file server and wish to (fairly easily) integrate existing NT/Win2K users from your PDC onto the - SAMBA server, this HOWTO is for you. That said, I am no NT or PAM - expert, so you may find a better or easier way to accomplish - these tasks. + SAMBA server, this HOWTO is for you.


    11.5.2. Requirements12.5.2. Requirements

    If you have a samba configuration file that you are currently +>If you have a samba configuration file that you are currently using... BACK IT UP! If your system already uses PAM, +> If your system already uses PAM, back up the /etc/pam.d directory -contents! If you haven't already made a boot disk, +> (or /etc/pam.conf) +directory contents! If you haven't already made a boot disk, MAKE ONE NOW!

    Messing with the pam configuration files can make it nearly impossible -to log in to yourmachine. That's why you want to be able to boot back -into your machine in single user mode and restore your +>Messing with the pam configuration files can make it nearly impossible +to log in to your machine. That's why you want to be able to boot back +into your machine in single user mode and restore your /etc/pam.d back to the original state they were in if -you get frustrated with the way things are going. ;-)

    (or pam.conmf) back to +the original state they were in if +you get frustrated with the way things are going.

    The latest version of SAMBA (version 2.2.2 as of this writing), now -includes a functioning winbindd daemon. Please refer to the +>The first SAMBA release to inclue a stable winbindd daemon was 2.2.2. Please refer to the main SAMBA web page or, -better yet, your closest SAMBA mirror site for instructions on -downloading the source code.

    or, +better yet, your closest SAMBA mirror site for instructions on +downloading the source code. it is generally advised to obtain the lates +Samba release as bugs are constantly being fixed.

    To allow Domain users the ability to access SAMBA shares and -files, as well as potentially other services provided by your +>To allow Domain users the ability to access SAMBA shares and +files, as well as potentially other services provided by your SAMBA machine, PAM (pluggable authentication modules) must -be setup properly on your machine. In order to compile the -winbind modules, you should have at least the pam libraries resident -on your system. For recent RedHat systems (7.1, for instance), that -means pam-0.74-22. For best results, it is helpful to also -install the development packages in pam and pam-devel-0.74-22.

    pam-devel
    RPM. +The former is installed by default on all Linux systems of which the author is aware.


    11.5.3. Testing Things Out12.5.3. Testing Things Out

    Before starting, it is probably best to kill off all the SAMBA -related daemons running on your server. Kill off all Before starting, kill off all the SAMBA related daemons running on your server. Kill off +all smbd, -, nmbd, and winbindd processes that may -be running. To use PAM, you will want to make sure that you have the -standard PAM package (for RedHat) which supplies the processes that may +be running (winbindd will only be running if you have ao previous Winbind +installation...but why would you be reading tis if that were the case?). To use PAM, you will +want to make sure that you have the standard PAM package (for RedHat) which supplies the /etc/pam.d -directory structure, including the pam modules are used by pam-aware +> +directory structure, including the pam modules are used by pam-aware services, several pam libraries, and the /usr/doc +> and /usr/man entries for pam. Winbind built better -in SAMBA if the pam-devel package was also installed. This package includes -the header files needed to compile pam-aware applications. For instance, -my RedHat system has both pam-0.74-22 and - entries for pam. Samba will require +the pam-devel package if you plan to build the pam-devel-0.74-22 RPMs installed.

    pam_winbind.so library or +include the --with-pam option to the configure script. +This package includes the header files needed to compile pam-aware applications.

    [I have no idea which Solaris packages are quired for PAM libraries and +development files. If you know, please mail me the information and I will include +it in the next revision of this HOWTO. --jerry@samba.org]


    11.5.3.1. Configure and compile SAMBA12.5.3.1. Configure and Compile SAMBA

    The configuration and compilation of SAMBA is pretty straightforward. -The first three steps may not be necessary depending upon -whether or not you have previously built the Samba binaries.

    The configuration and compilation of SAMBA is straightforward.

    root#autoconf -root#make clean -root#rm config.cache -root#./configure --with-winbind/usr/local/samba. See the main SAMBA documentation if you want to install SAMBA somewhere else. -It will also build the winbindd executable and libraries.


    11.5.3.2. Configure 12.5.3.2. Configure nsswitch.conf and the +> and the winbind libraries

    The libraries needed to run the winbindd daemon -through nsswitch need to be copied to their proper locations, so

    daemon +through nsswitch need to be copied to their proper locations.

    root# cp ../samba/source/nsswitch/libnss_winbind.so /libcp nsswitch/libnss_winbind.so /lib +root# chmod 755 /lib/libnss_winbind.so

    I also found it necessary to make the following symbolic link:

    It necessary to make the following symbolic link:

    ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

    Now, as root you need to edit The .2 extension is due to the version of glibc used on your Linux host. +for most modern systems, the file extension is correct. However, some other operating systems, +Solaris 7/8 being the most common, the destination filename should be replaced with +/lib/nss_winbind.so.1

    Now, as root edit /etc/nsswitch.conf to +> to allow user and group entries to be visible from the winbindd -daemon. My /etc/nsswitch.conf file look like -this after editing:

    +daemon. After editing, the file look appear:

    	passwd:     files winbind
    -	shadow:     files 
    +	shadow:     files
     	group:      files winbind

    -The libraries needed by the winbind daemon will be automatically -entered into the ldconfig cache the next time -your system reboots, but it -is faster (and you don't need to reboot) if you do it manually:

    root# /sbin/ldconfig -v | grep winbind

    This makes libnss_winbind available to winbindd -and echos back a check to you.
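Review bot: Three of the added sentences in this section do not parse. "It necessary to make the following symbolic link" is missing "is", "After editing, the file look appear:" should read something like "After editing, the file should look like this:", and the glibc paragraph starts lower-case ("for most modern systems") and drops the "on" in "However, some other operating systems ... the destination filename should be replaced". The Solaris sentence also leaves open whether /lib/nss_winbind.so.1 is the copy destination or the symlink name; say which, since the cp and ln commands above both use libnss_winbind.so names.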


    11.5.3.3. Configure smb.conf12.5.3.3. Configure smb.conf

    Several parameters are needed in the smb.conf file to control +>Several parameters are needed in the smb.conf file to control the behavior of winbindd. Configure +>. Configure smb.conf These are described in more detail in +> These are described in more detail in the winbindd(8) man page. My +> man page. My smb.confwinbind gid = 10000-20000 # allow enumeration of winbind users and groups + # might need to disable these next two for performance + # reasons on the winbindd host winbind enum groups = yes - # give winbind users a real shell (only needed if they have telnet access) + # give winbind users a real shell (only needed if they have telnet/sshd/etc... access)


    11.5.3.4. Join the SAMBA server to the PDC domain12.5.3.4. Join the SAMBA server to the PDC domain

    Enter the following command to make the SAMBA server join the +>Enter the following command to make the SAMBA server join the PDC domain, where DOMAIN is the name of +> is the name of your Windows domain and Administrator is +> is a domain user who has administrative privileges in the domain.

    /usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator

    The proper response to the command should be: "Joined the domain +>The proper response to the command should be: "Joined the domain DOMAIN +> is your DOMAIN name.


    11.5.3.5. Start up the winbindd daemon and test it!12.5.3.5. Start up the winbindd daemon and test it!

    Eventually, you will want to modify your smb startup script to -automatically invoke the winbindd daemon when the other parts of +>Eventually, you will want to modify your smb startup script to +automatically invoke the winbindd daemon when the other parts of SAMBA start, but it is possible to test out just the winbind -portion first. To start up winbind services, enter the following +portion first. To start up winbind services, enter the following command as root:

    root# /usr/local/samba/bin/winbinddexport PATH=$PATH:/usr/local/samba/bin +root# winbindd

    I'm always paranoid and like to make sure the daemon +>I'm always paranoid and like to make sure the daemon is really running...

    3025 ? 00:00:00 winbindd

    Now... for the real test, try to get some information about the +>Note that a sample RedHat init script for starting winbindd is included in +the SAMBA sourse distribution as packaging/RedHat/winbind.init.

    Now... for the real test, try to get some information about the users on your PDC

    root# /usr/local/samba/bin/wbinfo -uwbinfo -u

    -This should echo back a list of users on your Windows users on +>This should echo back a list of users on your Windows users on your PDC. For example, I get the following response:

    is '+'.

    You can do the same sort of thing to get group information from +>You can do the same sort of thing to get group information from the PDC:

    The function 'getent' can now be used to get unified +>The function 'getent' can now be used to get unified lists of both local and PDC users and groups. Try the following command:

    You should get a list that looks like your /etc/passwd -list followed by the domain users with their new uids, gids, home -directories and default shells.

    +list followed by the domain users with their new uids, gids, home +directories and default shells. If you do not, verify that the permissions on the +libnss_winbind.so library are rwxr-xr-x.

    The same thing can be done for groups with the command
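Review bot: The one-line pointer to packaging/RedHat/winbind.init (added after the ps check, with "sourse" for "source") stands in for the removed startup-script section, but that section's opening statement that winbindd needs to start up after smbd and nmbd are running is dropped with it. Readers on systems without the RedHat script still need that ordering; suggest keeping the sentence next to the pointer.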


    11.5.3.6. Fix the /etc/rc.d/init.d/smb startup files12.5.3.6. Configure Winbind and PAM

    The At this point we are assured that winbindd daemon needs to start up after the -smbd and nmbd daemons are running. -To accomplish this task, you need to modify the /etc/init.d/smbsmbd -script to add commands to invoke this daemon in the proper sequence. My +are working together. If you want to use winbind to provide authentication for other +services, keep reading. The pam configuration files need to be altered in +this step. (Did you remember to make backups of your original /etc/init.d/smb file starts up smbd, -nmbd, and winbindd from the -/etc/pam.d (or /usr/local/samba/bin directory directly. The 'start' -function in the script looks like this:

    start() {
    -        KIND="SMB"
    -        echo -n $"Starting $KIND services: "
    -        daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
    -        RETVAL=$?
    -        echo
    -        KIND="NMB"
    -        echo -n $"Starting $KIND services: "
    -        daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
    -        RETVAL2=$?
    -        echo
    -        KIND="Winbind"
    -        echo -n $"Starting $KIND services: "
    -        daemon /usr/local/samba/bin/winbindd
    -        RETVAL3=$?
    -        echo
    -        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
    -           RETVAL=1
    -        return $RETVAL
    -}

    The 'stop' function has a corresponding entry to shut down the -services and look s like this:

    stop() {
    -        KIND="SMB"
    -        echo -n $"Shutting down $KIND services: "
    -        killproc smbd
    -        RETVAL=$?
    -        echo
    -        KIND="NMB"
    -        echo -n $"Shutting down $KIND services: "
    -        killproc nmbd
    -        RETVAL2=$?
    -        echo
    -        KIND="Winbind"
    -        echo -n $"Shutting down $KIND services: "
    -        killproc winbindd
    -        RETVAL3=$?
    -        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
    -        echo ""
    -        return $RETVAL
    -}

    /etc/pam.conf
    ) file[s]? If not, do it now.)

    If you restart the smbd, nmbd, -and You will need a PAM module to use winbindd daemons at this point, you -should be able to connect to the samba server as a domain member just as -if you were a local user.


    11.5.3.7. Configure Winbind and PAM

    If you have made it this far, you know that winbindd and samba are working -together. If you want to use winbind to provide authentication for other -services, keep reading. The pam configuration files need to be altered in -this step. (Did you remember to make backups of your original -/etc/pam.d files? If not, do it now.)

    You will need a pam module to use winbindd with these other services. This +> with these other services. This module will be compiled in the ../source/nsswitchpam_winbind.so file should be copied to the location of -your other pam security modules. On my RedHat system, this was the +your other pam security modules. On Linux and Solaris systems, this is the /lib/securityroot# cp ../samba/source/nsswitch/pam_winbind.so /lib/security

    The /etc/pam.d/samba file does not need to be changed. I -just left this fileas it was:

    auth    required        /lib/security/pam_stack.so service=system-auth
    -account required        /lib/security/pam_stack.so service=system-auth
    cp nsswitch/pam_winbind.so /lib/security +root# chmod 755 /lib/security/pam_winbind.so

    The other services that I modified to allow the use of winbind -as an authentication service were the normal login on the console (or a terminal -session), telnet logins, and ftp service. In order to enable these -services, you may first need to change the entries in +>Other services, such as the normal login on the console (or a terminal +session), telnet logins, and ftp service, can be modified to allow the use of winbind +as an authentication service. In order to enable these +services, you may first need to change the entries in /etc/xinetd.d (or /etc/inetd.conf). -RedHat 7.1 uses the new xinetd.d structure, in this case you need +>). +RedHat 7.1 uses the new xinetd.d structure, in this case you need to change the lines in /etc/xinetd.d/telnet +> and /etc/xinetd.d/wu-ftp from

    from

    -For ftp services to work properly, you will also need to either -have individual directories for the domain users already present on +>For ftp services to work properly, you will also need to either +have individual directories for the domain users already present on the server, or change the home directory template to a general -directory for all domain users. These can be easily set using +directory for all domain users. These can be easily set using the smb.conf global entry +> global entry template homedirThe /etc/pam.d/ftp file can be changed +> file can be changed to allow winbind ftp access in a manner similar to the samba file. My /etc/pam.d/ftp file was +> file was changed to look like this:

    The /etc/pam.d/login file can be changed nearly the +> file can be changed nearly the same way. It now looks like this:

    In this case, I added the auth sufficient /lib/security/pam_winbind.so +> lines as before, but also added the required pam_securetty.so -above it, to disallow root logins over the network. I also added a +> +above it, to disallow root logins over the network. I also added a sufficient /lib/security/pam_unix.so use_first_passwinbind.so line to get rid of annoying +> line to get rid of annoying double prompts for passwords.

    Note that a Solaris /etc/pam.conf confiruation file looks +very similar to this except thaty the service name is included as the first entry +per line. An example for the login service is given here.

    ## excerpt from /etc/pam.conf on a Solaris 8 system
    +login   auth required   /lib/security/pam_winbind.so
    +login   auth required   /lib/security/$ISA/pam_unix.so.1 try_first_pass
    +login   auth required   /lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
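Review bot: The Solaris excerpt stacks pam_winbind.so and pam_unix.so.1 both as "auth required", while the Linux login example described just above adds "auth sufficient /lib/security/pam_winbind.so". With two required entries a login has to pass both modules, so an account that exists only in the domain or only in the local files is rejected by the module that does not know it. If the intent matches the Linux setup, the first line should be "login auth sufficient /lib/security/pam_winbind.so"; if "required" is deliberate, the text should say why. The lead-in sentence also has "confiruation" and "thaty".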


    11.6. Limitations12.6. Limitations

    Winbind has a number of limitations in its current - released version that we hope to overcome in future +>Winbind has a number of limitations in its current + released version that we hope to overcome in future releases:

    • Winbind is currently only available for - the Linux operating system, although ports to other operating - systems are certainly possible. For such ports to be feasible, - we require the C library of the target operating system to - support the Name Service Switch and Pluggable Authentication - Modules systems. This is becoming more common as NSS and - PAM gain support among UNIX vendors.

    • The mappings of Windows NT RIDs to UNIX ids - is not made algorithmically and depends on the order in which - unmapped users or groups are seen by winbind. It may be difficult - to recover the mappings of rid to UNIX id mapping if the file +>The mappings of Windows NT RIDs to UNIX ids + is not made algorithmically and depends on the order in which + unmapped users or groups are seen by winbind. It may be difficult + to recover the mappings of rid to UNIX id mapping if the file containing this information is corrupted or destroyed.

    • Currently the winbind PAM module does not take - into account possible workstation and logon time restrictions +>Currently the winbind PAM module does not take + into account possible workstation and logon time restrictions that may be been set for Windows NT users.


    11.7. Conclusion12.7. Conclusion

    The winbind system, through the use of the Name Service @@ -10548,23 +11391,23 @@ CLASS="CHAPTER" >


    Chapter 12. OS2 Client HOWTOChapter 13. OS2 Client HOWTO

    12.1. FAQs13.1. FAQs

    12.1.1. How can I configure OS/2 Warp Connect or +NAME="AEN2435" +>13.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?


    12.1.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN2450" +>13.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?


    12.1.3. Are there any other issues when OS/2 (any version) +NAME="AEN2459" +>13.1.3. Are there any other issues when OS/2 (any version) is used as a client?


    12.1.4. How do I get printer driver download working +NAME="AEN2463" +>13.1.4. How do I get printer driver download working for OS/2 clients?


    Chapter 13. HOWTO Access Samba source code via CVSChapter 14. HOWTO Access Samba source code via CVS

    13.1. Introduction14.1. Introduction

    Samba is developed in an open environment. Developers use CVS @@ -10775,8 +11618,8 @@ CLASS="SECT1" >


    13.2. CVS Access to samba.org14.2. CVS Access to samba.org

    The machine samba.org runs a publicly accessible CVS @@ -10788,8 +11631,8 @@ CLASS="SECT2" >


    13.2.1. Access via CVSweb14.2.1. Access via CVSweb

    You can access the source code via your @@ -10809,8 +11652,8 @@ CLASS="SECT2" >


    13.2.2. Access via cvs14.2.2. Access via cvs

    You can also access the source code via a @@ -10915,14 +11758,14 @@ CLASS="COMMAND" >


    Index

    Primary Domain Controller, Background

    Your should get back a list of shares available on +>You should get back a list of shares available on your server. If you don't then something is incorrectly setup. Note that this method can also be used to see what shares are available on other LanManager clients (such as WfWg).

    Printing with CUPS in Samba 2.2.x

    Printing with CUPS in Samba 2.2.x

    CUPS is a newcomer in +the UNIX printing scene, which has convinced many people upon first trial +already. However, it has quite a few new features, which make it different +from other, more traditional printing systems.


    Configuring smb.conf for CUPS

    Printing with CUPS in the most basic smb.conf +setup in Samba 2.2.x only needs two settings: printing = cups and +printcap = cups. While CUPS itself doesn't need a printcap +anymore, the cupsd.conf configuration file knows two directives +(example: Printcap /etc/printcap and PrintcapFormat +BSD), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! For details see +man cupsd.conf and other CUPS-related documentation.

    If SAMBA is compiled against libcups, then printcap = +cups uses the CUPS API to list printers, submit jobs, etc. Otherwise it +maps to the System V commands with an additional -oraw +option for printing. You can use the ldd command to +find out details:

    transmeta:/home/kurt # ldd `which smbd`
    +        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000)
    +        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
    +        libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
    +        libdl.so.2 => /lib/libdl.so.2 (0x401e8000)
    +        libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000)
    +        libpam.so.0 => /lib/libpam.so.0 (0x40202000)
    +        libc.so.6 => /lib/libc.so.6 (0x4020b000)
    +        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

    The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and printing = cups is set, then any +otherwise manually set print command in smb.conf is ignored.


    Using CUPS as a mere spooling print server -- "raw" +printing with vendor drivers download

    You can setup Samba and your Windows clients to use the +CUPS print subsystem just as you would with any of the more traditional print +subsystems: that means the use of vendor provided, native Windows printer +drivers for each target printer. If you setup the [print$] share to +download these drivers to the clients, their GDI system (Graphical Device +Interface) will output the Wndows EMF (Enhanced MetaFile) and +convert it -- with the help of the printer driver -- locally into the format +the printer is expecting. Samba and the CUPS print subsystem will have to +treat these files as raw print files -- they are already in the +shape to be digestable for the printer. This is the same traditional setup +for Unix print servers handling Windows client jobs. It does not take much +CPU power to handle this kind of task efficiently.


    CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients

    CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.

    CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see man lpoptions or +try if you have lphelp on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD optons are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.

    CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.

    This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword *cupsFilter +this line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.

    CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).

    This feature enables CUPS to do a few tricks no other +spooler can do:

    • act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;

    • act as a central accounting and billing server, as all files are passed + through the pstops Filter and are therefor logged in + the CUPS page_log NOTE: this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;

    • enable clients to consolidate on a single PostScript driver, even for + many different target printers.


    Windows Terminal Servers (WTS) as CUPS clients

    This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' multitude of +different printer models. This often imposes the price of much increased +instability. In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!

    Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...


    Setting up CUPS for driver download

    The cupsadsmb utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. Prior to using it, you need the following settings in smb.conf:

    [global]
    +         load printers = yes
    +         printing = cups
    +         printcap name = cups
    +
    +[printers]
    +         comment = All Printers
    +         path = /var/spool/samba
    +         browseable = no
    +         public = yes
    +         guest ok = yes
    +         writable = no
    +         printable = yes
    +         printer admin = root
    +
    +[print$]
    +         comment = Printer Drivers
    +         path = /etc/samba/drivers
    +         browseable = yes
    +         guest ok = no
    +         read only = yes
    +         write list = root

    For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +drivers directory in the CUPS data directory (usually +/usr/share/cups/). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:

            ADFONTS.MFM
    +        ADOBEPS4.DRV
    +        ADOBEPS4.HLP
    +        ADOBEPS5.DLL
    +        ADOBEPSU.DLL
    +        ADOBEPSU.HLP
    +        DEFPRTR2.PPD
    +        ICONLIB.DLL

    Users of the ESP Print Pro software are able to isntall +their "Samba Drivers" package for this purpose with no problem.
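Review bot: The list of Adobe files to copy into the drivers directory omits PSMON.DLL, yet the verbose cupsaddsmb transcript later in the chapter uploads /usr/share/cups/drivers/PSMON.DLL to WIN40 and the "Windows 4.0" adddriver call names it. Add PSMON.DLL to the list, or say where it comes from. The first paragraph also spells the tool "cupsadsmb" (it is "cupsaddsmb" everywhere else), and "isntall" should be "install".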


    Sources of CUPS drivers / PPDs

    On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.

    NOTE: the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidmaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished.

    Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use cupsaddsmb to share the +printer via Samba. cupsaddsmb prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.


    cupsaddsmb

    The cupsaddsmb command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from /etc/cups/ppd/ to +[print$].

    root#  cupsaddsmb -U root infotec_IS2027
    +Password for root required to access localhost via SAMBA: [type in password 'secret']

    To share all printers and drivers, use the -a +parameter instead of a printer name.

    Probably you want to see what's going on. Use the +-v parameter to get a more verbose output:

    root#  cupsaddsmb -v -U root infotec_IS2027
    +    Password for root required to access localhost via SAMBA:
    +    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLL W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP'
    +    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
    +    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
    +    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
    +    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
    +    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
    +    putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s)
    +    putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s)
    +    putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s)
    +    putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s)
    +
    +    Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
    +    added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0
    +    added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0
    +    added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0
    +    Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs]
    +    NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
    +    putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s)
    +    putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s)
    +    putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s)
    +    putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s)
    +    putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s)
    +    putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s)
    +    putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s)
    +
    +    Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"'
    +    cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"
    +    Printer Driver infotec_IS2027 successfully installed.
    +
    +    Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
    +    cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"
    +    Printer Driver infotec_IS2027 successfully installed.
    +
    +    Running command: rpcclient localhost -N -U'root%secret' -c 'setdriver infotec_IS2027 infotec_IS2027'
    +    cmd = setdriver infotec_IS2027 infotec_IS2027
    +    Succesfully set infotec_IS2027 to driver infotec_IS2027.
    +
    +    root# 

    If you look closely, you'll discover your root password +was transfered unencrypted over the wire, so beware! Also, if you look +further her, you'll discover error messages like +NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because +the directories WIN40 and W32X86 already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.

    Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"
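Review bot: The warning about the root password comes only after the transcript and mentions only the wire, but the "Running command" lines show it passed as -U'root%secret' in the smbclient and rpcclient arguments, where it is also readable in the local process list while those commands run. Suggest moving the warning ahead of the first cupsaddsmb invocation and stating both exposures. Since "printer admin = root" and "write list = root" in the smb.conf excerpt are what make the root password necessary here, the example would be safer written around a dedicated printer admin account. Smaller points: "look further her", "transfered" and "Now their should be" need fixing, and the prompt line "[type in password 'secret']" would read better with a neutral placeholder.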

    \ No newline at end of file diff --git a/docs/htmldocs/nmblookup.1.html b/docs/htmldocs/nmblookup.1.html index c87d7d35db9..22cc35526cc 100644 --- a/docs/htmldocs/nmblookup.1.html +++ b/docs/htmldocs/nmblookup.1.html @@ -37,12 +37,12 @@ NAME="AEN8" >nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}

    [-f] [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}

    DESCRIPTION

    OPTIONS

    -f

    Causes nmblookup to print out the flags + in the NMB packet headers. These flags will print out as + strings like Authoritative, Recursion_Desired, Recursion_available, etc. +

    -M

    EXAMPLES

    VERSION

    SEE ALSO

    AUTHOR

    the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a "dual personality".

    Note that this paramater is not available when Samba listens + on port 445, as clients no longer send this information
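Review bot: "paramater" should be "parameter", and the added sentence has no closing period. It would also help to say what the variable expands to when the connection arrives on port 445, since the text says only that it is "not available".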

    %M

    NAME MANGLING

    mangling method

    controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered + a better algorithm (generates less collisions) in the names. + However, many Win32 applications store the + mangled names and so changing to the new algorithm must not be done + lightly as these applications may break unless reinstalled. + New installations of Samba may set the default to hash2. + Default hash.

    mangle case = yes/no

    NOTE ABOUT USERNAME/PASSWORD VALIDATION

    COMPLETE LIST OF GLOBAL PARAMETERS

  • mangling method

  • COMPLETE LIST OF SERVICE PARAMETERS

  • force unknown acl user

  • EXPLANATION OF EACH PARAMETER

    This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default - is 4.2. Do not change this parameter unless you have a specific + is 4.5. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

    Default:

    See the discussion in the section NAME MANGLING.

    See the section on NAME MANGLING. Also note the

    force unknown acl user (S)

    If this parameter is set, a Windows NT ACL that contains + an unknown SID (security descriptor, or representation of a user or group id) + as the owner or group owner of the file will be silently mapped into the + current UNIX uid or gid of the currently connected user.

    This is designed to allow Windows NT clients to copy files and + folders containing ACLs that were created locally on the client machine + and contain users local to that machine only (no domain users) to be + copied to a Samba server (usually with XCOPY /O) and have the unknown + userid and groupid of the file owner map to the current connected user. + This can only be fixed correctly when winbindd allows arbitrary mapping + from any Windows NT SID to a UNIX uid or gid.

    Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. +

    See also force group +

    Default: False

    Example: force unknown acl user = yes

    force user (S)
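Review bot: the added description glosses SID as "security descriptor"; a SID is a security identifier, and the security descriptor is the structure that carries the owner SID, group SID and ACLs, so the parenthesis should be corrected. Because the option silently maps the file owner and group owner to the connected user, the entry should also state that the owner recorded on the client is not preserved on the copied files, so that an administrator enables it on a share knowing that trade-off.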

    Default : ldap port = 636ldap port = 636 ; if ldap ssl = on

    Default : ldap port = 389 ; if ldap ssl = off

  • See the section on NAME MANGLING

    See the section on NAME MANGLING for details on how to control the mangling process.

    If mangling is used then the mangling algorithm is as follows:

    If mangling algorithm "hash" is used then the mangling algorithm is as follows:

      If mangling algorithm "hash2" is used then the mangling algorithm is as follows:

      • The first alphanumeric character + before the rightmost dot of the filename is preserved, forced + to upper case, and appears as the first character of the mangled name. +

      • A base63 hash of 5 characters is generated and the + first 4 characters of that hash are appended to the first character. +

      • A tilde "~" is appended to the first part of the mangled + name, followed by the final character of the base36 hash of the name. +

        Note that the character to use may be specified using + the mangling char + option, if you don't like '~'.

      • The first three alphanumeric characters of the final + extension are preserved, forced to upper case and appear as the + extension of the mangled name. The final extension is defined as that + part of the original filename after the rightmost dot. If there are no + dots in the filename, the mangled name will have no extension (except + in the case of "hidden files" - see below).

      • Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).
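Review bot: the hash2 steps name two different encodings, "A base63 hash of 5 characters" in the second item and "the final character of the base36 hash" in the third; one of them looks like a typo and both should match what the code produces. The lead-in sentences "If mangling algorithm "hash" is used..." and "If mangling algorithm "hash2" is used..." sit back to back before a single step list, so check the rendered page to confirm that each algorithm keeps its own list of steps.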

      The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension @@ -11497,7 +11643,7 @@ NAME="MANGLINGCHAR" the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set @@ -11515,6 +11661,33 @@ CLASS="COMMAND" >

    mangling mathod(G)

    controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered + a better algorithm (generates less collisions) in the names. + However, many Win32 applications store the mangled names and so + changing to the new algorithm must not be done + lightly as these applications may break unless reinstalled. + New installations of Samba may set the default to hash2.

    Default: mangling method = hash

    Example: mangling method = hash2

    map archive (S)
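Review bot: the new entry heading reads "mangling mathod(G)"; it should be "mangling method (G)" to match the "Default: mangling method = hash" line under it and neighbouring headings such as "map archive (S)". The description repeats the paragraph added to the NAME MANGLING section almost word for word; keeping the full text here and a cross-reference there would stop the two copies drifting apart.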

    See the section on NAME MANGLING for a fuller discussion.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    parameter for details on doing this.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

    See the section on NAME MANGLING.

    strip dot (G)

    This is a boolean that controls whether to - strip trailing dots off UNIX filenames. This helps with some - CDROMs that have filenames ending in a single dot.

    This parameter is now unused in Samba (2.2.5 and above). + It used strip trailing dots off UNIX filenames but was not correctly implmented. + In Samba 2.2.5 and above UNIX filenames ending in a dot are invalid Windows long + filenames (as they are in Windows NT and above) and are mangled to 8.3 before + being returned to a client.

    Default:
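Review bot: the replacement text for "strip dot" has two slips, "It used strip trailing dots" (missing "to") and "implmented". Since the parameter is now unused, the entry should say plainly that setting it has no effect. The behaviour change deserves its own sentence as well: from 2.2.5 a UNIX filename ending in a dot is returned to the client as a mangled 8.3 name, which differs from what the removed text promised for CDROMs with such filenames.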

    See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how @@ -19019,24 +19194,32 @@ CLASS="COMMAND" >

    winbind use default domain, winbind use default domain (G)
    winbind use default domain

    This option controls whether or not smbd - should lookup 'username' as 'DOMAIN\username' when winbindd is - running on a system. This is most useful when used in conjunction - with pam_winbind.so to prevent a Windows user from having to enter - commands like "ssh 'DOMAIN\username@hostname'". This option is disabled - by default, thus requiring that the DOMAIN\username format be used.

    This parameter specifies whether the winbindd(8) + daemon should operate on users without domain component in their username. + Users without a domain component are treated as is part of the winbindd server's + own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail + function in a way much closer to the way they would in a native unix system.

    Default: winbind use default domain = no -

    winbind use default domain = <falseg> +

    Example: winbind use default domain = true
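Review bot: the default line changes from "winbind use default domain = no" to "winbind use default domain = <falseg>", which is not a valid value and looks like a mangled tag; it should read "Default: winbind use default domain = false" to pair with the "= true" example. In the new description, "treated as is part of" should be "treated as part of" and "benifit" should be "benefit", and the parameter name is repeated three times at the head of the entry. Since unqualified usernames are now treated as members of the winbindd server's own domain for SSH, FTP and e-mail, the text should also say how a name that exists as a local UNIX account is resolved.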

    WARNINGS

    VERSION

    SEE ALSO

    AUTHOR

    smbcontrol [-i]

    [-d <debug level>] [-s <smb config file>] {-i}

    smbcontrol [destination] [message-type] [parameter]

    [-d <debug level>] [-s <smb config file>] {destination} {message-type} [parameter]

    DESCRIPTION

    OPTIONS

    -d <debuglevel>

    debuglevel is an integer from 0 to 10.

    -s <smb.conf>

    This parameter specifies the pathname to + the Samba configuration file, smb.conf(5). This file controls all aspects of + the Samba setup on the machine.

    -i
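Review bot: the new synopsis and the OPTIONS list use different placeholders, "-d <debug level>" and "-s <smb config file>" in the synopsis against "-d <debuglevel>" and "-s <smb.conf>" in the option entries; pick one spelling for each. The synopsis also writes the interactive flag as "{-i}" while the line before it writes "[-i]", so the brace and bracket notation should be reconciled.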

    VERSION

    SEE ALSO

    AUTHOR

    passwd(5) file. It is an ASCII file containing one line for each user. Each field - ithin each line is separated from the next by a colon. Any entry + within each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:

    .

    -s

    This option causes smbpasswd to be silent (i.e. - not issue prompts) and to read its old and new passwords from - standard input, rather than from /dev/tty - (like the passwd(1) program does). This option - is to aid people writing scripts to drive smbpasswd

    -c smb.conf file

    -s

    This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read its old and new passwords from + standard input, rather than from /dev/tty + (like the passwd(1) program does). This option + is to aid people writing scripts to drive smbpasswd

    -S

    This option causes smbpasswd + to query a domain controller of the domain specified + by the workgroup + parameter in smb.conf and store the + domain SID in the secrets.tdb file + as its own machine SID. This is only useful when configuring + a Samba PDC and Samba BDC, or when migrating from a Windows PDC + to a Samba PDC.

    The -r options can be used + as well to indicate a specific domain controller which should + be contacted. In this case, the domain SID obtained is the + one for the domain to which the remote machine belongs. +

    -U username[%pass]
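Review bot: the new -S text says the fetched domain SID is stored in secrets.tdb "as its own machine SID" but does not say that this replaces the SID already held there; add that, and recommend keeping a copy of secrets.tdb before running it, since the option is aimed at PDC/BDC setup and migration. "The -r options can be used" should be "The -r option can be used", and the moved -s paragraph still ends at "drive smbpasswd" without a full stop.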

    ldap admin dn ever changes, the password will beed to be +> ever changes, the password will need to be manually updated as well.

    NOTES

    VERSION

    SEE ALSO

    AUTHOR

    This HOWTO describes how to get winbind services up and running to control access and authenticate users on your Linux box using the winbind services which come with SAMBA 2.2.2.

    There is also some Solaris specific information in +docs/textdocs/Solaris-Winbind-HOWTO.txt. +Future revisions of this document will incorporate that +information.