From ac69ea3983b126b7dd43463e53a91774d86f2506 Mon Sep 17 00:00:00 2001 From: cvs2svn Import User Date: Wed, 14 May 2003 20:41:34 +0000 Subject: This commit was manufactured by cvs2svn to create tag 'release-3-0alpha24'. --- docs/htmldocs/compiling.html | 186 -------------- docs/htmldocs/domain-member.html | 79 ------ docs/htmldocs/editreg.1.html | 12 - docs/htmldocs/ntlm_auth.1.html | 45 ---- docs/htmldocs/passdb.html | 518 -------------------------------------- docs/htmldocs/problems.html | 134 ---------- docs/htmldocs/profiles.1.html | 12 - docs/htmldocs/securing-samba.html | 116 --------- docs/htmldocs/smbcquotas.1.html | 88 ------- docs/htmldocs/smbtree.1.html | 74 ------ docs/htmldocs/unicode.html | 60 ----- 11 files changed, 1324 deletions(-) delete mode 100644 docs/htmldocs/compiling.html delete mode 100644 docs/htmldocs/domain-member.html delete mode 100644 docs/htmldocs/editreg.1.html delete mode 100644 docs/htmldocs/ntlm_auth.1.html delete mode 100644 docs/htmldocs/passdb.html delete mode 100644 docs/htmldocs/problems.html delete mode 100644 docs/htmldocs/profiles.1.html delete mode 100644 docs/htmldocs/securing-samba.html delete mode 100644 docs/htmldocs/smbcquotas.1.html delete mode 100644 docs/htmldocs/smbtree.1.html delete mode 100644 docs/htmldocs/unicode.html (limited to 'docs/htmldocs') diff --git a/docs/htmldocs/compiling.html b/docs/htmldocs/compiling.html deleted file mode 100644 index c62fcf13f2a..00000000000 --- a/docs/htmldocs/compiling.html +++ /dev/null @@ -1,186 +0,0 @@ - -Chapter 30. How to compile SAMBA

Chapter 30. How to compile SAMBA

Samba Team

Jelmer R. Vernooij

The Samba Team

(22 May 2001)

18 March 2003

-You can obtain the samba source from the samba website. To obtain a development version, -you can download samba from CVS or using rsync. -

Access Samba source code via CVS

Introduction

-Samba is developed in an open environment. Developers use CVS -(Concurrent Versioning System) to "checkin" (also known as -"commit") new source code. Samba's various CVS branches can -be accessed via anonymous CVS using the instructions -detailed in this chapter. -

-This chapter is a modified version of the instructions found at -http://samba.org/samba/cvs.html -

CVS Access to samba.org

-The machine samba.org runs a publicly accessible CVS -repository for access to the source code of several packages, -including samba, rsync and jitterbug. There are two main ways of -accessing the CVS server on this host. -

Access via CVSweb

-You can access the source code via your -favourite WWW browser. This allows you to access the contents of -individual files in the repository and also to look at the revision -history and commit logs of individual files. You can also ask for a diff -listing between any two versions on the repository. -

-Use the URL : http://samba.org/cgi-bin/cvsweb -

Access via cvs

-You can also access the source code via a -normal cvs client. This gives you much more control over what you can -do with the repository and allows you to checkout whole source trees -and keep them up to date via normal cvs commands. This is the -preferred method of access if you are a developer and not -just a casual browser. -

-To download the latest cvs source code, point your -browser at the URL : http://www.cyclic.com/. -and click on the 'How to get cvs' link. CVS is free software under -the GNU GPL (as is Samba). Note that there are several graphical CVS clients -which provide a graphical interface to the sometimes mundane CVS commands. -Links to theses clients are also available from http://www.cyclic.com. -

-To gain access via anonymous cvs use the following steps. -For this example it is assumed that you want a copy of the -samba source code. For the other source code repositories -on this system just substitute the correct package name -

  1. - Install a recent copy of cvs. All you really need is a - copy of the cvs client binary. -

  2. - Run the command -

    - cvs -d :pserver:cvs@samba.org:/cvsroot login -

    - When it asks you for a password type cvs. -

  3. - Run the command -

    - cvs -d :pserver:cvs@samba.org:/cvsroot co samba -

    - This will create a directory called samba containing the - latest samba source code (i.e. the HEAD tagged cvs branch). This - currently corresponds to the 3.0 development tree. -

    - CVS branches other then HEAD can be obtained by using the -r - and defining a tag name. A list of branch tag names can be found on the - "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following userinput. -

    - cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba -

  4. - Whenever you want to merge in the latest code changes use - the following command from within the samba directory: -

    - cvs update -d -P -

Accessing the samba sources via rsync and ftp

- pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. I recommend using rsync rather than ftp. - See the rsync homepage for more info on rsync. -

- The disadvantage of the unpacked trees - is that they do not support automatic - merging of local changes like CVS does. - rsync access is most convenient for an - initial install. -

Verifying Samba's PGP signature

-In these days of insecurity, it's strongly recommended that you verify the PGP signature for any -source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of -all Samba downloads have had a corresponding PGP signature download (a very low percentage, which -should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP -signatures should be a standard reflex. -

-With that said, go ahead and download the following files: -

-     $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc
-     $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc
-

-The first file is the PGP signature for the Samba source file; the other is the Samba public -PGP key itself. Import the public PGP key with: -

-     $ gpg --import samba-pubkey.asc
-

-And verify the Samba source code integrity with: -

-     $ gzip -d samba-2.2.8a.tar.gz
-     $ gpg --verify samba-2.2.8a.tar.asc
-

-If you receive a message like, "Good signature from Samba Distribution Verification Key..." -then all is well. The warnings about trust relationships can be ignored. An example of what -you would not want to see would be: -

-     gpg: BAD signature from "Samba Distribution Verification Key"
-

Building the Binaries

To do this, first run the program ./configure - in the source directory. This should automatically - configure Samba for your operating system. If you have unusual - needs then you may wish to run

root# ./configure --help -

first to see what special options you can enable. - Then executing

root# make

will create the binaries. Once it's successfully - compiled you can use

root# make install

to install the binaries and manual pages. You can - separately install the binaries and/or man pages using

root# make installbin -

and

root# make installman -

Note that if you are upgrading for a previous version - of Samba you might like to know that the old versions of - the binaries will be renamed with a ".old" extension. You - can go back to the previous version with

root# make revert -

if you find this version a disaster!

Compiling samba with Active Directory support

In order to compile samba with ADS support, you need to have installed - on your system:

  • the MIT kerberos development libraries - (either install from the sources or use a package). The - heimdal libraries will not work.

  • the OpenLDAP development libraries.

If your kerberos libraries are in a non-standard location then - remember to add the configure option --with-krb5=DIR.

After you run configure make sure that include/config.h it generates contains lines like this:

-#define HAVE_KRB5 1
-#define HAVE_LDAP 1
-

If it doesn't then configure did not find your krb5 libraries or - your ldap libraries. Look in config.log to figure out why and fix - it.

Installing the required packages for Debian

On Debian you need to install the following packages:

-

  • libkrb5-dev
  • krb5-user

-

Installing the required packages for RedHat

On RedHat this means you should have at least:

-

  • krb5-workstation (for kinit)
  • krb5-libs (for linking with)
  • krb5-devel (because you are compiling from source)

-

in addition to the standard development environment.

Note that these are not standard on a RedHat install, and you may need - to get them off CD2.

Starting the smbd and nmbd

You must choose to start smbd and nmbd either - as daemons or from inetdDon't try - to do both! Either you can put them in - inetd.conf and have them started on demand - by inetd, or you can start them as - daemons either from the command line or in - /etc/rc.local. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start - Samba. In many cases you must be root.

The main advantage of starting smbd - and nmbd using the recommended daemon method - is that they will respond slightly more quickly to an initial connection - request.

Starting from inetd.conf

NOTE; The following will be different if - you use NIS, NIS+ or LDAP to distribute services maps.

Look at your /etc/services. - What is defined at port 139/tcp. If nothing is defined - then add a line like this:

netbios-ssn 139/tcp

similarly for 137/udp you should have an entry like:

netbios-ns 137/udp

Next edit your /etc/inetd.conf - and add two lines something like this:

-		netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
-		netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd 
-		

The exact syntax of /etc/inetd.conf - varies between unixes. Look at the other entries in inetd.conf - for a guide.

Note

Some unixes already have entries like netbios_ns - (note the underscore) in /etc/services. - You must either edit /etc/services or - /etc/inetd.conf to make them consistent.

Note

On many systems you may need to use the - interfaces option in smb.conf to specify the IP address - and netmask of your interfaces. Run ifconfig - as root if you don't know what the broadcast is for your - net. nmbd tries to determine it at run - time, but fails on some unixes. -

Warning

Many unixes only accept around 5 - parameters on the command line in inetd.conf. - This means you shouldn't use spaces between the options and - arguments, or you should use a script, and start the script - from inetd.

Restart inetd, perhaps just send - it a HUP. If you have installed an earlier version of - nmbd then you may need to kill nmbd as well.

Alternative: starting it as a daemon

To start the server as a daemon you should create - a script something like this one, perhaps calling - it startsmb.

-		#!/bin/sh
-		/usr/local/samba/bin/smbd -D 
-		/usr/local/samba/bin/nmbd -D 
-		

then make it executable with chmod - +x startsmb

You can then run startsmb by - hand or execute it from /etc/rc.local -

To kill it send a kill signal to the processes - nmbd and smbd.

Note

If you use the SVR4 style init system then - you may like to look at the examples/svr4-startup - script to make Samba fit into that system.
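Review bot: the PGP verification section of the removed compiling.html fetches the signing key over plain HTTP from the same host as the signature (`wget http://us1.samba.org/samba/ftp/samba-pubkey.asc` next to `wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc`) and then tells the reader that "the warnings about trust relationships can be ignored"; that warning is gpg saying the key itself is unverified, so anyone who can tamper with the tarball can also supply a matching key and signature, and if this chapter is regenerated for the tag rather than simply dropped, the text should add an out-of-band fingerprint check for the Samba key and drop the advice to ignore the warning. Two smaller points in the same hunk: the inetd example (`netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd`) starts smbd as root with no explanation beyond "in many cases you must be root", and the step "gzip -d samba-2.2.8a.tar.gz" followed by "gpg --verify samba-2.2.8a.tar.asc" should say explicitly that the signature covers the uncompressed tar, which is why the decompression comes first. Since this tag commit is deletions only (11 files, 1324 deletions), confirm that the tag is meant to ship without these rendered pages.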

diff --git a/docs/htmldocs/domain-member.html b/docs/htmldocs/domain-member.html deleted file mode 100644 index 5be675a541c..00000000000 --- a/docs/htmldocs/domain-member.html +++ /dev/null @@ -1,79 +0,0 @@ - -Chapter 8. Samba as a NT4 or Win2k domain member

Chapter 8. Samba as a NT4 or Win2k domain member

Jeremy Allison

Samba Team

Gerald (Jerry) Carter

Samba Team

16 Apr 2001

Joining an NT Domain with Samba 3.0

Assumptions: -

-		NetBIOS name: SERV1
-		Win2K/NT domain name: DOM
-		Domain's PDC NetBIOS name: DOMPDC
-		Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
-	

-

First, you must edit your smb.conf file to tell Samba it should - now use domain security.

Change (or add) your - security = line in the [global] section - of your smb.conf to read:

security = domain

Next change the - workgroup = line in the [global] section to read:

workgroup = DOM

as this is the name of the domain we are joining.

You must also have the parameter - encrypt passwords set to yes - in order for your users to authenticate to the NT PDC.

Finally, add (or modify) a - password server = line in the [global] - section to read:

password server = DOMPDC DOMBDC1 DOMBDC2

These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers.

Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be :

password server = *

This method, allows Samba to use exactly the same - mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against.

In order to actually join the domain, you must run this - command:

root# net join -S DOMPDC - -UAdministrator%password

- If the -S DOMPDC argument is not given then - the domain name will be obtained from smb.conf. -

as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:

Joined domain DOM. - or Joined 'SERV1' to realm 'MYREALM' -

in your terminal window. See the - net(8) man page for more details.

This process joins the server to the domain - without having to create the machine trust account on the PDC - beforehand.

This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :

/usr/local/samba/private/secrets.tdb

This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.

Finally, restart your Samba daemons and get ready for - clients to begin using domain security!

Why is this better than security = server?

Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - security = server, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. -

Please refer to the Winbind - paper for information on a system to automatically - assign UNIX uids and gids to Windows NT Domain users and groups. -

The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC).

In addition, with security = server every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With security = domain, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources.

And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc.

Note

Much of the text of this document - was first published in the Web magazine - LinuxWorld as the article Doing - the NIS/NT Samba.
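Review bot: the join example `net join -S DOMPDC -UAdministrator%password` puts the domain Administrator password on the command line, where it is visible to every local user in the process table and ends up in the shell history, which sits badly next to this page's own warning that secrets.tdb "should be treated as carefully as a shadow password file"; if the page is kept, the example should pass the credential interactively rather than in `-U user%password`. Minor: the sentence order around that command is broken (the note "If the -S DOMPDC argument is not given then the domain name will be obtained from smb.conf" is wedged between "you must run this command:" and "as we are joining the domain DOM"), and the success message "Joined 'SERV1' to realm 'MYREALM'" introduces a realm that the Assumptions block never defines.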

diff --git a/docs/htmldocs/editreg.1.html b/docs/htmldocs/editreg.1.html deleted file mode 100644 index c5a86ee9602..00000000000 --- a/docs/htmldocs/editreg.1.html +++ /dev/null @@ -1,12 +0,0 @@ -editreg

Name

editreg — A utility to report and change SIDs in registry files -

Synopsis

editreg [-v] [-c file] {file}

DESCRIPTION

This tool is part of the Samba(7) suite.

editreg is a utility that - can visualize windows registry files (currently only NT4) and apply - so-called commandfiles to them. -

OPTIONS

registry_file

Registry file to view or edit.

-v,--verbose

Increases verbosity of messages. -

-c commandfile

Read commands to execute on registry_file from commandfile. Currently not yet supported! -

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The editreg man page was written by Jelmer Vernooij.
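Review bot: the Name line says editreg is "A utility to report and change SIDs in registry files", but the DESCRIPTION only claims it can visualize NT4 registry files, and the `-c commandfile` option is marked "Currently not yet supported!", so the only working mode is read-only viewing; the Name and Synopsis should say that rather than advertise a write capability the option text disclaims. Also `registry_file` is listed under OPTIONS while the Synopsis calls the positional argument `{file}`; use one name for it.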

diff --git a/docs/htmldocs/ntlm_auth.1.html b/docs/htmldocs/ntlm_auth.1.html deleted file mode 100644 index 956f30641d2..00000000000 --- a/docs/htmldocs/ntlm_auth.1.html +++ /dev/null @@ -1,45 +0,0 @@ -ntlm_auth

Name

ntlm_auth — tool to allow external access to Winbind's NTLM authentication function

Synopsis

ntlm_auth [-d debuglevel] [-l logfile] [-s <smb config file>]

DESCRIPTION

This tool is part of the Samba(7) suite.

ntlm_auth is a helper utility that authenticates - users using NT/LM authentication. It returns 0 if the users is authenticated - successfully and 1 if access was denied. ntlm_auth uses winbind to access - the user and authentication data for a domain. This utility - is only to be used by other programs (currently squid). -

OPTIONS

--helper-protocol=PROTO

- Operate as a stdio-based helper -

--username=USERNAME

- Specify username of user to authenticate -

--domain=DOMAIN

- Specify domain of user to authenticate -

--workstation=WORKSTATION

- Specify the workstation the user authenticated from -

--challenge=STRING

challenge (HEX encoded)

--lm-response=RESPONSE

LM Response to the challenge (HEX encoded)

--nt-response=RESPONSE

NT or NTLMv2 Response to the challenge (HEX encoded)

--password=PASSWORD

User's plaintext password

--request-lm-key

Retreive LM session key

--request-nt-key

Request NT key

-V

Prints the version number for -smbd.

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See -smb.conf(5) for more information. -The default configuration file name is determined at -compile time.

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the log -level parameter in the -smb.conf(5) file.

-l|--logfile=logbasename

File name for log/debug files. The extension -".client" will be appended. The log file is -never removed by the client. -

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The ntlm_auth manpage was written by Jelmer Vernooij.
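Review bot: the Synopsis `ntlm_auth [-d debuglevel] [-l logfile] [-s <smb config file>]` omits every option the page then documents (`--helper-protocol`, `--username`, `--domain`, `--workstation`, `--challenge`, `--lm-response`, `--nt-response`, `--password`, `--request-lm-key`, `--request-nt-key`); list them. `--password=PASSWORD` ("User's plaintext password") needs a warning that command-line arguments are readable by other local users through the process table, with `--helper-protocol` named as the way a caller such as squid should pass credentials. The `-V` entry says it "Prints the version number for smbd"; this page is for ntlm_auth. Typos: "Retreive LM session key" should be "Retrieve", and "returns 0 if the users is authenticated" should be "if the user is authenticated".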

diff --git a/docs/htmldocs/passdb.html b/docs/htmldocs/passdb.html deleted file mode 100644 index 9f313ee1232..00000000000 --- a/docs/htmldocs/passdb.html +++ /dev/null @@ -1,518 +0,0 @@ - -Chapter 10. User information database

Chapter 10. User information database

Jelmer R. Vernooij

The Samba Team

Gerald (Jerry) Carter

Samba Team

Jeremy Allison

Samba Team

John H. Terpstra

Samba Team

Olivier (lem) Lemaire

February 2003

Introduction

Old windows clients send plain text passwords over the wire. - Samba can check these passwords by crypting them and comparing them - to the hash stored in the unix user database. -

- Newer windows clients send encrypted passwords (so-called - Lanman and NT hashes) over - the wire, instead of plain text passwords. The newest clients - will only send encrypted passwords and refuse to send plain text - passwords, unless their registry is tweaked. -

These passwords can't be converted to unix style encrypted - passwords. Because of that you can't use the standard unix - user database, and you have to store the Lanman and NT hashes - somewhere else.

Next to a differently encrypted passwords, - windows also stores certain data for each user - that is not stored in a unix user database, e.g. - workstations the user may logon from, the location where his/her - profile is stored, etc. - Samba retrieves and stores this information using a "passdb backend". - Commonly - available backends are LDAP, plain text file, MySQL and nisplus. - For more information, see the documentation about the - passdb backend = parameter. -

Important Notes About Security

The unix and SMB password encryption techniques seem similar - on the surface. This similarity is, however, only skin deep. The unix - scheme typically sends clear text passwords over the network when - logging in. This is bad. The SMB encryption scheme never sends the - cleartext password over the network but it does store the 16 byte - hashed values on disk. This is also bad. Why? Because the 16 byte hashed - values are a "password equivalent". You cannot derive the user's - password from them, but they could potentially be used in a modified - client to gain access to a server. This would require considerable - technical knowledge on behalf of the attacker but is perfectly possible. - You should thus treat the data stored in whatever - passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the - cleartext passwords of all your users. Its contents must be kept - secret, and the file should be protected accordingly.

Ideally we would like a password scheme which neither requires - plain text passwords on the net or on disk. Unfortunately this - is not available as Samba is stuck with being compatible with - other SMB systems (WinNT, WfWg, Win95 etc).

Warning

Note that Windows NT 4.0 Service pack 3 changed the - default for permissible authentication so that plaintext - passwords are never sent over the wire. - The solution to this is either to switch to encrypted passwords - with Samba or edit the Windows NT registry to re-enable plaintext - passwords. See the document WinNT.txt for details on how to do - this.

Other Microsoft operating systems which also exhibit - this behavior includes

These versions of MS Windows do not support full domain - security protocols, although they may log onto a domain environment. - Of these Only MS Windows XP Home does NOT support domain logons.

MS DOS Network client 3.0 with - the basic network redirector installed
Windows 95 with the network redirector - update installed
Windows 98 [se]
Windows Me
Windows XP Home

The following versions of MS Windows fully support domain - security protocols.

Windows NT 3.5x
Windows NT 4.0
Windows 2000 Professional
Windows 200x Server/Advanced Server
Windows XP Professional

Note

All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.

MS Windows clients will cache the encrypted password alone. - Even when plain text passwords are re-enabled, through the appropriate - registry change, the plain text password is NEVER cached. This means that - in the event that a network connections should become disconnected (broken) - only the cached (encrypted) password will be sent to the resource server - to affect a auto-reconnect. If the resource server does not support encrypted - passwords the auto-reconnect will fail. USE OF ENCRYPTED PASSWORDS - IS STRONGLY ADVISED.

Advantages of SMB Encryption

Plain text passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server.
WinNT doesn't like talking to a server - that does not support encrypted passwords. It will refuse - to browse the server if the server is also in user level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only things you can do to stop this is to use SMB encryption. -
Encrypted password support allows automatic share - (resource) reconnects.

Advantages of non-encrypted passwords

Plain text passwords are not kept - on disk, and are NOT cached in memory.
Uses same password file as other unix - services such as login and ftp
Use of other services (such as telnet and ftp) which - send plain text passwords over the net, so sending them for SMB - isn't such a big deal.

The smbpasswd Command

The smbpasswd utility is a utility similar to the - passwd or yppasswd programs. - It maintains the two 32 byte password fields in the passdb backend.

smbpasswd works in a client-server mode - where it contacts the local smbd to change the user's password on its - behalf. This has enormous benefits - as follows.

smbpasswd has the capability - to change passwords on Windows NT servers (this only works when - the request is sent to the NT Primary Domain Controller if you - are changing an NT Domain user's password).

To run smbpasswd as a normal user just type :

$ smbpasswd

Old SMB password: <type old value here - - or hit return if there was no old password>

New SMB Password: <type new value> -

Repeat New SMB Password: <re-type new value -

If the old value does not match the current value stored for - that user, or the two new values do not match each other, then the - password will not be changed.

If invoked by an ordinary user it will only allow the user - to change his or her own Samba password.

If run by the root user smbpasswd may take an optional - argument, specifying the user name whose SMB password you wish to - change. Note that when run as root smbpasswd does not prompt for - or check the old password value, thus allowing root to set passwords - for users who have forgotten their passwords.

smbpasswd is designed to work in the same way - and be familiar to UNIX users who use the passwd or - yppasswd commands.

For more details on using smbpasswd refer - to the man page which will always be the definitive reference.

Plain text

-Older versions of samba retrieved user information from the unix user database -and eventually some other fields from the file /etc/samba/smbpasswd -or /etc/smbpasswd. When password encryption is disabled, no -data is stored at all. -

TDB

Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations that -don not require LDAP. -

LDAP

Introduction

-This document describes how to use an LDAP directory for storing Samba user -account information traditionally stored in the smbpasswd(5) file. It is -assumed that the reader already has a basic understanding of LDAP concepts -and has a working directory server already installed. For more information -on LDAP architectures and Directories, please refer to the following sites. -

-Note that O'Reilly Publishing is working on -a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002. -

-Two additional Samba resources which may prove to be helpful are -

  • The Samba-PDC-LDAP-HOWTO - maintained by Ignacio Coupeau.

  • The NT migration scripts from IDEALX that are - geared to manage users and group in such a Samba-LDAP Domain Controller configuration. -

Encrypted Password Database

-Traditionally, when configuring "encrypt -passwords = yes" in Samba's smb.conf file, user account -information such as username, LM/NT password hashes, password change times, and account -flags have been stored in the smbpasswd(5) file. There are several -disadvantages to this approach for sites with very large numbers of users (counted -in the thousands). -

  • -The first is that all lookups must be performed sequentially. Given that -there are approximately two lookups per domain logon (one for a normal -session connection such as when mapping a network drive or printer), this -is a performance bottleneck for large sites. What is needed is an indexed approach -such as is used in databases. -

  • -The second problem is that administrators who desired to replicate a -smbpasswd file to more than one Samba server were left to use external -tools such as rsync(1) and ssh(1) -and wrote custom, in-house scripts. -

  • -And finally, the amount of information which is stored in an -smbpasswd entry leaves no room for additional attributes such as -a home directory, password expiration time, or even a Relative -Identified (RID). -

-As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts -is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). -

-There are a few points to stress about that the ldapsam -does not provide. The LDAP support referred to in the this documentation does not -include: -

  • A means of retrieving user account information from - an Windows 2000 Active Directory server.

  • A means of replacing /etc/passwd.

-The second item can be accomplished by using LDAP NSS and PAM modules. LGPL -versions of these libraries can be obtained from PADL Software -(http://www.padl.com/). More -information about the configuration of these packages may be found at "LDAP, -System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS". -

Supported LDAP Servers

-The LDAP samdb code in 2.2.3 (and later) has been developed and tested -using the OpenLDAP 2.0 server and client libraries. -The same code should be able to work with Netscape's Directory Server -and client SDK. However, due to lack of testing so far, there are bound -to be compile errors and bugs. These should not be hard to fix. -If you are so inclined, please be sure to forward all patches to -samba-patches@samba.org and -jerry@samba.org. -

Schema and Relationship to the RFC 2307 posixAccount

-Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -examples/LDAP/samba.schema. The sambaAccount objectclass is given here: -

-objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY
-     DESC 'Samba Account'
-     MUST ( uid $ rid )
-     MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
-            logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
-            displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
-            description $ userWorkstations $ primaryGroupID $ domain ))
-

-The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are -owned by the Samba Team and as such is legal to be openly published. -If you translate the schema to be used with Netscape DS, please -submit the modified schema file as a patch to jerry@samba.org -

-Just as the smbpasswd file is meant to store information which supplements a -user's /etc/passwd entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURAL objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design. -

-In order to store all user account information (UNIX and Samba) in the directory, -it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account -information via the standard C library calls (e.g. getpwnam(), et. al.). -This means that the Samba server must also have the LDAP NSS library installed -and functioning correctly. This division of information makes it possible to -store all Samba account information in LDAP, but still maintain UNIX account -information in NIS while the network is transitioning to a full LDAP infrastructure. -

Configuring Samba with LDAP

OpenLDAP configuration

-To include support for the sambaAccount object in an OpenLDAP directory -server, first copy the samba.schema file to slapd's configuration directory. -

-root# cp samba.schema /etc/openldap/schema/ -

-Next, include the samba.schema file in slapd.conf. -The sambaAccount object contains two attributes which depend upon other schema -files. The 'uid' attribute is defined in cosine.schema and -the 'displayName' attribute is defined in the inetorgperson.schema -file. Both of these must be included before the samba.schema file. -

-## /etc/openldap/slapd.conf
-
-## schema files (core.schema is required by default)
-include	           /etc/openldap/schema/core.schema
-
-## needed for sambaAccount
-include            /etc/openldap/schema/cosine.schema
-include            /etc/openldap/schema/inetorgperson.schema
-include            /etc/openldap/schema/samba.schema
-include            /etc/openldap/schema/nis.schema
-
-....
-

-It is recommended that you maintain some indices on some of the most usefull attributes, -like in the following example, to speed up searches made on sambaAccount objectclasses -(and possibly posixAccount and posixGroup as well). -

-# Indices to maintain
-## required by OpenLDAP 2.0
-index objectclass   eq
-
-## support pb_getsampwnam()
-index uid           pres,eq
-## support pdb_getsambapwrid()
-index rid           eq
-
-## uncomment these if you are storing posixAccount and
-## posixGroup entries in the directory as well
-##index uidNumber     eq
-##index gidNumber     eq
-##index cn            eq
-##index memberUid     eq
-
-# (both fetched via ldapsearch):
-index   primaryGroupID  eq
-index   displayName     pres,eq
-
-

Configuring Samba

-The following parameters are available in smb.conf only with --with-ldapsam -was included when compiling Samba. -

-These are described in the smb.conf(5) man -page and so will not be repeated here. However, a sample smb.conf file for -use with an LDAP directory could appear as -

-## /usr/local/samba/lib/smb.conf
-[global]
-     security = user
-     encrypt passwords = yes
-
-     netbios name = TASHTEGO
-     workgroup = NARNIA
-
-     # ldap related parameters
-
-     # define the DN to use when binding to the directory servers
-     # The password for this DN is not stored in smb.conf.  Rather it
-     # must be set by using 'smbpasswd -w secretpw' to store the
-     # passphrase in the secrets.tdb file.  If the "ldap admin dn" values
-     # change, this password will need to be reset.
-     ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
-
-     # Define the SSL option when connecting to the directory
-     # ('off', 'start tls', or 'on' (default))
-     ldap ssl = start tls
-
-     passdb backend ldapsam:ldap://ahab.samba.org
-
-     # smbpasswd -x delete the entire dn-entry
-     ldap delete dn = no
-
-     # the machine and user suffix added to the base suffix
-     # wrote WITHOUT quotes. NULL siffixes by default
-     ldap user suffix = ou=People
-     ldap machine suffix = ou=Systems
-
-     # define the port to use in the LDAP session (defaults to 636 when
-     # "ldap ssl = on")
-     ldap port = 389
-
-     # specify the base DN to use when searching the directory
-     ldap suffix = "ou=people,dc=samba,dc=org"
-
-     # generally the default ldap search filter is ok
-     # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
-

Accounts and Groups management

-As users accounts are managed thru the sambaAccount objectclass, you should -modify your existing administration tools to deal with sambaAccount attributes. -

-Machines accounts are managed with the sambaAccount objectclass, just -like users accounts. However, it's up to you to store thoses accounts -in a different tree of you LDAP namespace: you should use -"ou=Groups,dc=plainjoe,dc=org" to store groups and -"ou=People,dc=plainjoe,dc=org" to store users. Just configure your -NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration -file). -

-In Samba release 3.0, the group management system is based on posix -groups. This means that Samba makes usage of the posixGroup objectclass. -For now, there is no NT-like group system management (global and local -groups). -

Security and sambaAccount

-There are two important points to remember when discussing the security -of sambaAccount entries in the directory. -

  • Never retrieve the lmPassword or - ntPassword attribute values over an unencrypted LDAP session.

  • Never allow non-admin users to - view the lmPassword or ntPassword attribute values.

-These password hashes are clear text equivalents and can be used to impersonate -the user without deriving the original clear text strings. For more information -on the details of LM/NT password hashes, refer to the User Database of the Samba-HOWTO-Collection. -

-To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults -to require an encrypted session (ldap ssl = on) using -the default port of 636 -when contacting the directory server. When using an OpenLDAP 2.0 server, it -is possible to use the use the StartTLS LDAP extended operation in the place of -LDAPS. In either case, you are strongly discouraged to disable this security -(ldap ssl = off). -

-Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS -extended operation. However, the OpenLDAP library still provides support for -the older method of securing communication between clients and servers. -

-The second security precaution is to prevent non-administrative users from -harvesting password hashes from the directory. This can be done using the -following ACL in slapd.conf: -

-## allow the "ldap admin dn" access, but deny everyone else
-access to attrs=lmPassword,ntPassword
-     by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
-     by * none
-

LDAP specials attributes for sambaAccounts

-The sambaAccount objectclass is composed of the following attributes: -

  • lmPassword: the LANMAN password 16-byte hash stored as a character - representation of a hexidecimal string.

  • ntPassword: the NT password hash 16-byte stored as a character - representation of a hexidecimal string.

  • pwdLastSet: The integer time in seconds since 1970 when the - lmPassword and ntPassword attributes were last set. -

  • acctFlags: string of 11 characters surrounded by square brackets [] - representing account flags such as U (user), W(workstation), X(no password expiration), and - D(disabled).

  • logonTime: Integer value currently unused

  • logoffTime: Integer value currently unused

  • kickoffTime: Integer value currently unused

  • pwdCanChange: Integer value currently unused

  • pwdMustChange: Integer value currently unused

  • homeDrive: specifies the drive letter to which to map the - UNC path specified by homeDirectory. The drive letter must be specified in the form "X:" - where X is the letter of the drive to map. Refer to the "logon drive" parameter in the - smb.conf(5) man page for more information.

  • scriptPath: The scriptPath property specifies the path of - the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path - is relative to the netlogon share. Refer to the "logon script" parameter in the - smb.conf(5) man page for more information.

  • profilePath: specifies a path to the user's profile. - This value can be a null string, a local absolute path, or a UNC path. Refer to the - "logon path" parameter in the smb.conf(5) man page for more information.

  • smbHome: The homeDirectory property specifies the path of - the home directory for the user. The string can be null. If homeDrive is set and specifies - a drive letter, homeDirectory should be a UNC path. The path must be a network - UNC path of the form \\server\share\directory. This value can be a null string. - Refer to the "logon home" parameter in the smb.conf(5) man page for more information. -

  • userWorkstation: character string value currently unused. -

  • rid: the integer representation of the user's relative identifier - (RID).

  • primaryGroupID: the relative identifier (RID) of the primary group - of the user.

-The majority of these parameters are only used when Samba is acting as a PDC of -a domain (refer to the Samba-PDC-HOWTO for details on -how to configure Samba as a Primary Domain Controller). The following four attributes -are only stored with the sambaAccount entry if the values are non-default values: -

  • smbHome

  • scriptPath

  • logonPath

  • homeDrive

-These attributes are only stored with the sambaAccount entry if -the values are non-default values. For example, assume TASHTEGO has now been -configured as a PDC and that logon home = \\%L\%u was defined in -its smb.conf file. When a user named "becky" logons to the domain, -the logon home string is expanded to \\TASHTEGO\becky. -If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", -this value is used. However, if this attribute does not exist, then the value -of the logon home parameter is used in its place. Samba -will only write the attribute value to the directory entry if the value is -something other than the default (e.g. \\MOBY\becky). -

Example LDIF Entries for a sambaAccount

-The following is a working LDIF with the inclusion of the posixAccount objectclass: -

-dn: uid=guest2, ou=people,dc=plainjoe,dc=org
-ntPassword: 878D8014606CDA29677A44EFA1353FC7
-pwdMustChange: 2147483647
-primaryGroupID: 1201
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-pwdLastSet: 1010179124
-logonTime: 0
-objectClass: sambaAccount
-uid: guest2
-kickoffTime: 2147483647
-acctFlags: [UX         ]
-logoffTime: 2147483647
-rid: 19006
-pwdCanChange: 0
-

-The following is an LDIF entry for using both the sambaAccount and -posixAccount objectclasses: -

-dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
-logonTime: 0
-displayName: Gerald Carter
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-primaryGroupID: 1201
-objectClass: posixAccount
-objectClass: sambaAccount
-acctFlags: [UX         ]
-userPassword: {crypt}BpM2ej8Rkzogo
-uid: gcarter
-uidNumber: 9000
-cn: Gerald Carter
-loginShell: /bin/bash
-logoffTime: 2147483647
-gidNumber: 100
-kickoffTime: 2147483647
-pwdLastSet: 1010179230
-rid: 19000
-homeDirectory: /home/tashtego/gcarter
-pwdCanChange: 0
-pwdMustChange: 2147483647
-ntPassword: 878D8014606CDA29677A44EFA1353FC7
-

MySQL

Creating the database

-You either can set up your own table and specify the field names to pdb_mysql (see below -for the column names) or use the default table. The file examples/pdb/mysql/mysql.dump -contains the correct queries to create the required tables. Use the command : - -mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump - -

Configuring

This plugin lacks some good documentation, but here is some short info:

Add a the following to the passdb backend variable in your smb.conf: -

-passdb backend = [other-plugins] mysql:identifier [other-plugins]
-

-

The identifier can be any string you like, as long as it doesn't collide with -the identifiers of other plugins or other instances of pdb_mysql. If you -specify multiple pdb_mysql.so entries in 'passdb backend', you also need to -use different identifiers! -

-Additional options can be given thru the smb.conf file in the [global] section. -

-identifier:mysql host                     - host name, defaults to 'localhost'
-identifier:mysql password
-identifier:mysql user                     - defaults to 'samba'
-identifier:mysql database                 - defaults to 'samba'
-identifier:mysql port                     - defaults to 3306
-identifier:table                          - Name of the table containing users
-

Warning

-Since the password for the mysql user is stored in the -smb.conf file, you should make the the smb.conf file -readable only to the user that runs samba. This is considered a security -bug and will be fixed soon. -

Names of the columns in this table(I've added column types those columns should have first):

-identifier:logon time column             - int(9)
-identifier:logoff time column            - int(9)
-identifier:kickoff time column           - int(9)
-identifier:pass last set time column     - int(9)
-identifier:pass can change time column   - int(9)
-identifier:pass must change time column  - int(9)
-identifier:username column               - varchar(255) - unix username
-identifier:domain column                 - varchar(255) - NT domain user is part of
-identifier:nt username column            - varchar(255) - NT username
-identifier:fullname column               - varchar(255) - Full name of user
-identifier:home dir column               - varchar(255) - Unix homedir path
-identifier:dir drive column              - varchar(2)   - Directory drive path (eg: 'H:')
-identifier:logon script column           - varchar(255)
-					 - Batch file to run on client side when logging on
-identifier:profile path column           - varchar(255) - Path of profile
-identifier:acct desc column              - varchar(255) - Some ASCII NT user data
-identifier:workstations column           - varchar(255)
-					 - Workstations user can logon to (or NULL for all)
-identifier:unknown string column         - varchar(255) - unknown string
-identifier:munged dial column            - varchar(255) - ?
-identifier:user sid column               - varchar(255) - NT user SID
-identifier:group sid column              - varchar(255) - NT group ID
-identifier:lanman pass column            - varchar(255) - encrypted lanman password
-identifier:nt pass column                - varchar(255) - encrypted nt passwd
-identifier:plain pass column             - varchar(255) - plaintext password
-identifier:acct control column           - int(9) - nt user data
-identifier:unknown 3 column              - int(9) - unknown
-identifier:logon divs column             - int(9) - ?
-identifier:hours len column              - int(9) - ?
-identifier:unknown 5 column              - int(9) - unknown
-identifier:unknown 6 column              - int(9) - unknown
-

-Eventually, you can put a colon (:) after the name of each column, which -should specify the column to update when updating the table. You can also -specify nothing behind the colon - then the data from the field will not be -updated. -

Using plaintext passwords or encrypted password

-I strongly discourage the use of plaintext passwords, however, you can use them: -

-If you would like to use plaintext passwords, set -'identifier:lanman pass column' and 'identifier:nt pass column' to -'NULL' (without the quotes) and 'identifier:plain pass column' to the -name of the column containing the plaintext passwords. -

-If you use encrypted passwords, set the 'identifier:plain pass -column' to 'NULL' (without the quotes). This is the default. -

Getting non-column data from the table

-It is possible to have not all data in the database and making some 'constant'. -

-For example, you can set 'identifier:fullname column' to : -CONCAT(First_name,' ',Sur_name) -

-Or, set 'identifier:workstations column' to : -NULL

See the MySQL documentation for more language constructs.

XML

This module requires libxml2 to be installed.

The usage of pdb_xml is pretty straightforward. To export data, use: -

- pdbedit -e xml:filename -

-(where filename is the name of the file to put the data in) -

-To import data, use: -pdbedit -i xml:filename -e current-pdb -

-Where filename is the name to read the data from and current-pdb to put it in. -
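Review bot: the smb.conf sample and the slapd.conf ACL in this passdb.html hunk disagree on the admin DN: the sample sets `ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"` while the ACL grants `by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write`, so a reader who copies both ends up with a bind DN that falls through to `by * none` and cannot read lmPassword/ntPassword. In the same sample `passdb backend ldapsam:ldap://ahab.samba.org` is missing the `=`, and the MySQL section's `mysql -uusername -hhostname -ppassword databasename > /path/to/samba/examples/pdb/mysql/mysql.dump` redirects output into the dump file (truncating it) where `<` is needed to feed the dump to mysql. Since this commit drops the generated HTML from the tag rather than correcting it, please confirm the DocBook source these files are built from carries these fixes, and that the "Warning" about the MySQL password living in smb.conf (with its "readable only to the user that runs samba" workaround and "will be fixed soon" promise) is tracked where readers of the tag can still find it.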

diff --git a/docs/htmldocs/problems.html b/docs/htmldocs/problems.html deleted file mode 100644 index f2bc0008eb4..00000000000 --- a/docs/htmldocs/problems.html +++ /dev/null @@ -1,134 +0,0 @@ - -Chapter 28. Analysing and solving samba problems

Chapter 28. Analysing and solving samba problems

Gerald (Jerry) Carter

Samba Team

Jelmer R. Vernooij

The Samba Team

David Bannon

Samba Team

8 Apr 2003

-There are many sources of information available in the form -of mailing lists, RFC's and documentation. The docs that come -with the samba distribution contain very good explanations of -general SMB topics such as browsing.

Diagnostics tools

-One of the best diagnostic tools for debugging problems is Samba itself. -You can use the -d option for both smbd and nmbd to specify what -'debug level' at which to run. See the man pages on smbd, nmbd and -smb.conf for more information on debugging options. The debug -level can range from 1 (the default) to 10 (100 for debugging passwords). -

-Another helpful method of debugging is to compile samba using the -gcc -g flag. This will include debug -information in the binaries and allow you to attach gdb to the -running smbd / nmbd process. In order to attach gdb to an smbd -process for an NT workstation, first get the workstation to make the -connection. Pressing ctrl-alt-delete and going down to the domain box -is sufficient (at least, on the first time you join the domain) to -generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation -maintains an open connection, and therefore there will be an smbd -process running (assuming that you haven't set a really short smbd -idle timeout) So, in between pressing ctrl alt delete, and actually -typing in your password, you can attach gdb and continue. -

-Some useful samba commands worth investigating: -

  • testparam | more

  • smbclient -L //{netbios name of server}

-An SMB enabled version of tcpdump is available from -http://www.tcpdup.org/. -Ethereal, another good packet sniffer for Unix and Win32 -hosts, can be downloaded from http://www.ethereal.com. -

-For tracing things on the Microsoft Windows NT, Network Monitor -(aka. netmon) is available on the Microsoft Developer Network CD's, -the Windows NT Server install CD and the SMS CD's. The version of -netmon that ships with SMS allows for dumping packets between any two -computers (i.e. placing the network interface in promiscuous mode). -The version on the NT Server install CD will only allow monitoring -of network traffic directed to the local NT box and broadcasts on the -local subnet. Be aware that Ethereal can read and write netmon -formatted files. -

Installing 'Network Monitor' on an NT Workstation or a Windows 9x box

-Installing netmon on an NT workstation requires a couple -of steps. The following are for installing Netmon V4.00.349, which comes -with Microsoft Windows NT Server 4.0, on Microsoft Windows NT -Workstation 4.0. The process should be similar for other versions of -Windows NT / Netmon. You will need both the Microsoft Windows -NT Server 4.0 Install CD and the Workstation 4.0 Install CD. -

-Initially you will need to install 'Network Monitor Tools and Agent' -on the NT Server. To do this -

  • Goto Start - Settings - Control Panel - - Network - Services - Add

  • Select the 'Network Monitor Tools and Agent' and - click on 'OK'.

  • Click 'OK' on the Network Control Panel. -

  • Insert the Windows NT Server 4.0 install CD - when prompted.

-At this point the Netmon files should exist in -%SYSTEMROOT%\System32\netmon\*.*. -Two subdirectories exist as well, parsers\ -which contains the necessary DLL's for parsing the netmon packet -dump, and captures\. -

-In order to install the Netmon tools on an NT Workstation, you will -first need to install the 'Network Monitor Agent' from the Workstation -install CD. -

  • Goto Start - Settings - Control Panel - - Network - Services - Add

  • Select the 'Network Monitor Agent' and click - on 'OK'.

  • Click 'OK' on the Network Control Panel. -

  • Insert the Windows NT Workstation 4.0 install - CD when prompted.

-Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* -to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set -permissions as you deem appropriate for your site. You will need -administrative rights on the NT box to run netmon. -

-To install Netmon on a Windows 9x box install the network monitor agent -from the Windows 9x CD (\admin\nettools\netmon). There is a readme -file located with the netmon driver files on the CD if you need -information on how to do this. Copy the files from a working -Netmon installation. -

Useful URL's

Getting help from the mailing lists

-There are a number of Samba related mailing lists. Go to http://samba.org, click on your nearest mirror -and then click on Support and then click on -Samba related mailing lists. -

-For questions relating to Samba TNG go to -http://www.samba-tng.org/ -It has been requested that you don't post questions about Samba-TNG to the -main stream Samba lists.

-If you post a message to one of the lists please observe the following guide lines : -

  • Always remember that the developers are volunteers, they are -not paid and they never guarantee to produce a particular feature at -a particular time. Any time lines are 'best guess' and nothing more. -

  • Always mention what version of samba you are using and what -operating system its running under. You should probably list the -relevant sections of your smb.conf file, at least the options -in [global] that affect PDC support.

  • In addition to the version, if you obtained Samba via -CVS mention the date when you last checked it out.

  • Try and make your question clear and brief, lots of long, -convoluted questions get deleted before they are completely read ! -Don't post html encoded messages (if you can select colour or font -size its html).

  • If you run one of those nifty 'I'm on holidays' things when -you are away, make sure its configured to not answer mailing lists. -

  • Don't cross post. Work out which is the best list to post to -and see what happens, i.e. don't post to both samba-ntdom and samba-technical. -Many people active on the lists subscribe to more -than one list and get annoyed to see the same message two or more times. -Often someone will see a message and thinking it would be better dealt -with on another, will forward it on for you.

  • You might include partial -log files written at a debug level set to as much as 20. -Please don't send the entire log but enough to give the context of the -error messages.

  • (Possibly) If you have a complete netmon trace ( from the opening of -the pipe to the error ) you can send the *.CAP file as well.

  • Please think carefully before attaching a document to an email. -Consider pasting the relevant parts into the body of the message. The samba -mailing lists go to a huge number of people, do they all need a copy of your -smb.conf in their attach directory?

How to get off the mailinglists

To have your name removed from a samba mailing list, go to the -same place you went to to get on it. Go to http://lists.samba.org, -click on your nearest mirror and then click on Support and -then click on Samba related mailing lists. Or perhaps see -here -

-Please don't post messages to the list asking to be removed, you will just -be referred to the above address (unless that process failed in some way...) -
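Review bot: the debug-level guidance in this problems.html hunk is internally inconsistent: the Diagnostics section says the level "can range from 1 (the default) to 10 (100 for debugging passwords)", the mailing-list guidelines ask for "log files written at a debug level set to as much as 20", and the smbcquotas page removed later in this same commit says "The default value if this parameter is not specified is zero". Pick one statement of the range and the default and use it in every place. Because the text itself says level 100 exists for debugging passwords, the guideline on posting partial logs to the list should also tell readers to strip credentials and password hashes before sending anything to a public list. Smaller fixes for the source: `testparam | more` should read `testparm`, and `http://www.tcpdup.org/` is a typo for tcpdump.org.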

diff --git a/docs/htmldocs/profiles.1.html b/docs/htmldocs/profiles.1.html deleted file mode 100644 index ea9f779b576..00000000000 --- a/docs/htmldocs/profiles.1.html +++ /dev/null @@ -1,12 +0,0 @@ -profiles

Name

profiles — A utility to report and change SIDs in registry files -

Synopsis

profiles [-v] [-c SID] [-n SID] {file}

DESCRIPTION

This tool is part of the Samba(7) suite.

profiles is a utility that - reports and changes SIDs in windows registry files. It currently only - supports NT. -

OPTIONS

file

Registry file to view or edit.

-v,--verbose

Increases verbosity of messages. -

-c SID1 -n SID2

Change all occurences of SID1 in file by SID2. -

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The profiles man page was written by Jelmer Vernooij.
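Review bot: the OPTIONS text in this profiles.1.html hunk ("Registry file to view or edit", "Change all occurences of SID1 in file by SID2") never says whether `-c SID1 -n SID2` rewrites the registry file in place or writes a new one, which is the one thing a user needs to know before running it against the only copy of a hive; the source should state the behaviour and recommend working on a copy. Minor: the Synopsis `profiles [-v] [-c SID] [-n SID] {file}` omits the `-h|--help` option that OPTIONS documents, and "occurences ... by SID2" should read "occurrences ... with SID2".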

diff --git a/docs/htmldocs/securing-samba.html b/docs/htmldocs/securing-samba.html deleted file mode 100644 index ae6408ea7b0..00000000000 --- a/docs/htmldocs/securing-samba.html +++ /dev/null @@ -1,116 +0,0 @@ - -Chapter 24. Securing Samba

Chapter 24. Securing Samba

Andrew Tridgell

Samba Team

John H. Terpstra

Samba Team

17 March 2003

Introduction

-This note was attached to the Samba 2.2.8 release notes as it contained an -important security fix. The information contained here applies to Samba -installations in general. -

Using host based protection

-In many installations of Samba the greatest threat comes for outside -your immediate network. By default Samba will accept connections from -any host, which means that if you run an insecure version of Samba on -a host that is directly connected to the Internet you can be -especially vulnerable. -

-One of the simplest fixes in this case is to use the hosts allow and -hosts deny options in the Samba smb.conf configuration file to only -allow access to your server from a specific range of hosts. An example -might be: -

-	hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
-	hosts deny = 0.0.0.0/0
-

-The above will only allow SMB connections from 'localhost' (your own -computer) and from the two private networks 192.168.2 and -192.168.3. All other connections will be refused as soon -as the client sends its first packet. The refusal will be marked as a -'not listening on called name' error. -

Using interface protection

-By default Samba will accept connections on any network interface that -it finds on your system. That means if you have a ISDN line or a PPP -connection to the Internet then Samba will accept connections on those -links. This may not be what you want. -

-You can change this behaviour using options like the following: -

-	interfaces = eth* lo
-	bind interfaces only = yes
-

-This tells Samba to only listen for connections on interfaces with a -name starting with 'eth' such as eth0, eth1, plus on the loopback -interface called 'lo'. The name you will need to use depends on what -OS you are using, in the above I used the common name for Ethernet -adapters on Linux. -

-If you use the above and someone tries to make a SMB connection to -your host over a PPP interface called 'ppp0' then they will get a TCP -connection refused reply. In that case no Samba code is run at all as -the operating system has been told not to pass connections from that -interface to any samba process. -

Using a firewall

-Many people use a firewall to deny access to services that they don't -want exposed outside their network. This can be a very good idea, -although I would recommend using it in conjunction with the above -methods so that you are protected even if your firewall is not active -for some reason. -

-If you are setting up a firewall then you need to know what TCP and -UDP ports to allow and block. Samba uses the following: -

-	UDP/137    - used by nmbd
-	UDP/138    - used by nmbd
-	TCP/139    - used by smbd
-	TCP/445    - used by smbd
-

-The last one is important as many older firewall setups may not be -aware of it, given that this port was only added to the protocol in -recent years. -

Using a IPC$ share deny

-If the above methods are not suitable, then you could also place a -more specific deny on the IPC$ share that is used in the recently -discovered security hole. This allows you to offer access to other -shares while denying access to IPC$ from potentially untrustworthy -hosts. -

-To do that you could use: -

-	[ipc$]
-	     hosts allow = 192.168.115.0/24 127.0.0.1
-	     hosts deny = 0.0.0.0/0
-

-this would tell Samba that IPC$ connections are not allowed from -anywhere but the two listed places (localhost and a local -subnet). Connections to other shares would still be allowed. As the -IPC$ share is the only share that is always accessible anonymously -this provides some level of protection against attackers that do not -know a username/password for your host. -

-If you use this method then clients will be given a 'access denied' -reply when they try to access the IPC$ share. That means that those -clients will not be able to browse shares, and may also be unable to -access some other resources. -

-This is not recommended unless you cannot use one of the other -methods listed above for some reason. -

NTLMv2 Security

-To configure NTLMv2 authentication the following registry keys are worth knowing about: -

-

-	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
-	"lmcompatibilitylevel"=dword:00000003
-
-	0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication,
-	use NTLMv2 session security if the server supports it. Domain
-	controllers accept LM, NTLM and NTLMv2 authentication.
-
-	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
-	"NtlmMinClientSec"=dword:00080000
-
-	0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
-	NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
-	session security is not negotiated.
-

-

Upgrading Samba

-Please check regularly on http://www.samba.org/ for updates and -important announcements. Occasionally security releases are made and -it is highly recommended to upgrade Samba when a security vulnerability -is discovered. -
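Review bot: the NTLMv2 section in this securing-samba.html hunk shows only the `"NtlmMinClientSec"=dword:00080000` key while its explanation refers to "either NtlmMinClientSec or NtlmMinServerSec", and nothing says which key belongs on the workstation and which on the server; the source should show both keys and state where each is set. The IPC$ section refers to "the recently discovered security hole" without naming it; since the Introduction ties this chapter to the Samba 2.2.8 release notes, the source should cite that advisory explicitly so the reference survives once this HTML is gone from the tag. The "Using a firewall" port list should also say that the `hosts allow`/`hosts deny` and `bind interfaces only` settings above it are what protect the host when the firewall is down, which is the point the paragraph makes in prose but the list does not.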

diff --git a/docs/htmldocs/smbcquotas.1.html b/docs/htmldocs/smbcquotas.1.html deleted file mode 100644 index 478c03cdaab..00000000000 --- a/docs/htmldocs/smbcquotas.1.html +++ /dev/null @@ -1,88 +0,0 @@ -smbcquotas

Name

smbcquotas — Set or get QUOTAs of NTFS 5 shares

Synopsis

smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logfilebase] [-V] [-U username] [-N] [-k] [-A]

DESCRIPTION

This tool is part of the Samba(7) suite.

The smbcquotas program manipulates NT Quotas on SMB file shares.

OPTIONS

The following options are available to the smbcquotas program.

-u user

Specifies the user of whom the quotas are get or set. - By default the current user's username will be used.

-L

Lists all quota records of the share.

-F

Show the share quota status and default limits.

-S QUOTA_SET_COMMAND

This command set/modify quotas for a user or on the share, - depending on the QUOTA_SET_COMMAND parameter witch is described later

-n

This option displays all QUOTA information in numeric - format. The default is to convert SIDs to names and QUOTA limits - to a readable string format.

-t

- Don't actually do anything, only validate the correctness of - the arguments. -

-v

- Be verbose. -

-h|--help

Print a summary of command line options. -

-V

Prints the version number for -smbd.

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See -smb.conf(5) for more information. -The default configuration file name is determined at -compile time.

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the log -level parameter in the -smb.conf(5) file.

-l|--logfile=logbasename

File name for log/debug files. The extension -".client" will be appended. The log file is -never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authfile=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The -client will first check the USER environment variable, then the -LOGNAME variable and if either exists, the -string is uppercased. If these environmental variables are not -found, the username GUEST is used.

A third option is to use a credentials file which -contains the plaintext of the username and password. This -option is mainly provided for scripts where the admin does not -wish to pass the credentials on the command line or via environment -variables. If this method is used, make certain that the permissions -on the file restrict access from unwanted users. See the --A for more details.

Be cautious about including passwords in scripts. Also, on -many systems the command line of a running process may be seen -via the ps command. To be safe always allow -rpcclient to prompt for a password and type -it in directly.

QUOTA_SET_COMAND

The format of an ACL is one or more ACL entries separated by - either commas or newlines. An ACL entry is one of the following:

- for user setting quotas for the specified by -u or the current username: -

- UQLIM:<username><softlimit><hardlimit> -

- for setting the share quota defaults limits: -

- FSQLIM:<softlimit><hardlimit> -

- for changing the share quota settings: -

- FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT -

EXIT STATUS

The smbcquotas program sets the exit status - depending on the success or otherwise of the operations performed. - The exit status may be one of the following values.

If the operation succeeded, smbcquotas returns an exit - status of 0. If smbcquotas couldn't connect to the specified server, - or when there was an error getting or setting the quota(s), an exit status - of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

smbcacls was written by Stefan Metzmacher.
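Review bot: several defects in this page will travel with it if it is regenerated elsewhere. The section heading 'QUOTA_SET_COMAND' does not match the 'QUOTA_SET_COMMAND' parameter named in the Synopsis and under -S; that section opens by describing "ACL entries" although what it lists are quota records, and the entry formats 'UQLIM:<username><softlimit><hardlimit>' and 'FSQLIM:<softlimit><hardlimit>' show no separator between fields, so a reader cannot tell how to write one. The -U paragraph tells the user to let 'rpcclient' prompt for the password and the AUTHOR section credits 'smbcacls'; both should name smbcquotas. Minor wording: "the quotas are get or set" under -u, "set/modify quotas" and "witch is described later" under -S.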

diff --git a/docs/htmldocs/smbtree.1.html b/docs/htmldocs/smbtree.1.html deleted file mode 100644 index 0d9a845d708..00000000000 --- a/docs/htmldocs/smbtree.1.html +++ /dev/null @@ -1,74 +0,0 @@ -smbtree

Name

smbtree — A text based smb network browser -

Synopsis

smbtree [-b] [-D] [-S]

DESCRIPTION

This tool is part of the Samba(7) suite.

smbtree is a smb browser program - in text mode. It is similar to the "Network Neighborhood" found - on Windows computers. It prints a tree with all - the known domains, the servers in those domains and - the shares on the servers. -

OPTIONS

-b

Query network nodes by sending requests - as broadcasts instead of querying the (domain) master browser. -

-D

Only print a list of all - the domains known on broadcast or by the - master browser

-S

Only print a list of - all the domains and servers responding on broadcast or - known by the master browser. -

-V

Prints the version number for -smbd.

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See -smb.conf(5) for more information. -The default configuration file name is determined at -compile time.

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the log -level parameter in the -smb.conf(5) file.

-l|--logfile=logbasename

File name for log/debug files. The extension -".client" will be appended. The log file is -never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authfile=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The -client will first check the USER environment variable, then the -LOGNAME variable and if either exists, the -string is uppercased. If these environmental variables are not -found, the username GUEST is used.

A third option is to use a credentials file which -contains the plaintext of the username and password. This -option is mainly provided for scripts where the admin does not -wish to pass the credentials on the command line or via environment -variables. If this method is used, make certain that the permissions -on the file restrict access from unwanted users. See the --A for more details.

Be cautious about including passwords in scripts. Also, on -many systems the command line of a running process may be seen -via the ps command. To be safe always allow -rpcclient to prompt for a password and type -it in directly.

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The smbtree man page was written by Jelmer Vernooij.
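Review bot: the Synopsis 'smbtree [-b] [-D] [-S]' omits every option that the OPTIONS section then documents (-V, -s, -d, -l, -N, -k, -A, -U, -h), so the one-line usage understates what the tool accepts, including all of the credential-handling switches. As in the smbcquotas page, the -U paragraph says to let 'rpcclient' prompt for the password where it should say smbtree. Minor: "a smb browser program" should read "an SMB browser program", and the -D and -S descriptions lack a closing full stop.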

diff --git a/docs/htmldocs/unicode.html b/docs/htmldocs/unicode.html deleted file mode 100644 index 0c5bb01d136..00000000000 --- a/docs/htmldocs/unicode.html +++ /dev/null @@ -1,60 +0,0 @@ - -Chapter 25. Unicode/Charsets

Chapter 25. Unicode/Charsets

Jelmer R. Vernooij

The Samba Team

TAKAHASHI Motonobu

25 March 2003

What are charsets and unicode?

-Computers communicate in numbers. In texts, each number will be -translated to a corresponding letter. The meaning that will be assigned -to a certain number depends on the character set(charset) - that is used. -A charset can be seen as a table that is used to translate numbers to -letters. Not all computers use the same charset (there are charsets -with German umlauts, Japanese characters, etc). Usually a charset contains -256 characters, which means that storing a character with it takes -exactly one byte.

-There are also charsets that support even more characters, -but those need twice(or even more) as much storage space. These -charsets can contain 256 * 256 = 65536 characters, which -is more then all possible characters one could think of. They are called -multibyte charsets (because they use more then one byte to -store one character). -

-A standardised multibyte charset is unicode, info is available at -www.unicode.org. -A big advantage of using a multibyte charset is that you only need one; no -need to make sure two computers use the same charset when they are -communicating. -

Old windows clients used to use single-byte charsets, named -'codepages' by microsoft. However, there is no support for -negotiating the charset to be used in the smb protocol. Thus, you -have to make sure you are using the same charset when talking to an old client. -Newer clients (Windows NT, 2K, XP) talk unicode over the wire. -

Samba and charsets

-As of samba 3.0, samba can (and will) talk unicode over the wire. Internally, -samba knows of three kinds of character sets: -

unix charset

- This is the charset used internally by your operating system. - The default is ASCII, which is fine for most - systems. -

display charset

This is the charset samba will use to print messages - on your screen. It should generally be the same as the unix charset. -

dos charset

This is the charset samba uses when communicating with - DOS and Windows 9x clients. It will talk unicode to all newer clients. - The default depends on the charsets you have installed on your system. - Run testparm -v | grep "dos charset" to see - what the default is on your system. -

Conversion from old names

Because previous samba versions did not do any charset conversion, -characters in filenames are usually not correct in the unix charset but only -for the local charset used by the DOS/Windows clients.

The following script from Steve Langasek converts all -filenames from CP850 to the iso8859-15 charset.

-#find /path/to/share -type f -exec bash -c 'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \ - -t iso8859-15`; if [ "$CP" != "$ISO" ]; then mv "$CP" "$ISO"; fi' \; - -

Japanese charsets

Samba doesn't work correctly with Japanese charsets yet. Here are -points of attention when setting it up:

  • You should set mangling method = -hash

  • There are various iconv() implementations around and not -all of them work equally well. glibc2's iconv() has a critical problem -in CP932. libiconv-1.8 works with CP932 but still has some problems and -does not work with EUC-JP.

  • You should set dos charset = CP932, not -Shift_JIS, SJIS...

  • Currently only unix charset = CP932 -will work (but still has some problems...) because of iconv() issues. -unix charset = EUC-JP doesn't work well because of -iconv() issues.

  • Currently Samba 3.0 does not support unix charset -= UTF8-MAC/CAP/HEX/JIS*

More information (in Japanese) is available at: http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html.
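Review bot: the filename-conversion script in this hunk is unsafe for the data it is meant to process. find substitutes '{}' into the text of the 'bash -c' script before bash parses it, so a filename on the share containing a double quote, backquote, '$', or ';' is executed as part of the script rather than treated as data; since these are client-written filenames, that is remote code execution from file content. Pass the name as an argument instead, e.g. bash -c 'CP="$1"; ISO=`echo -n "$CP" | iconv -f cp850 -t iso8859-15`; ...' _ {} \; and refer to "$1" only inside the quoted script. Two smaller points: 'mv "$CP" "$ISO"' overwrites silently if a file with the converted name already exists (test for "$ISO" first), and '-type f' leaves directory names unconverted. Typos in the surrounding text: "more then" (twice), "twice(or even more)", "character set(charset)".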
