diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/index.html samba-3.0.21/docs/htmldocs/index.html --- samba-3.0.20b/docs/htmldocs/index.html 2005-08-19 13:13:01.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/index.html 2005-12-19 10:29:12.000000000 -0600 @@ -11,7 +11,7 @@
- + @@ -31,11 +31,11 @@ - + - +
SAMBA Developers GuideSAMBA Developers Guide This book is a collection of documents that might be useful for people developing samba or those interested in doing so. It's nothing more than a collection of documents written by samba developers about the internals of various parts of samba and the SMB protocol. It's still (and will always be) incomplete.
The Samba man pages in HTML.
WHATSNEWWHATSNEW Samba Release Notes.
README.VENDORREADME.VENDOR VENDOR specific information.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/editreg.1.html samba-3.0.21/docs/htmldocs/manpages/editreg.1.html --- samba-3.0.20b/docs/htmldocs/manpages/editreg.1.html 2005-08-19 12:55:08.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/editreg.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,12 +0,0 @@ -editreg

Name

editreg — A utility for printing and editing NT4 registry files -

Synopsis

editreg [-v] [-c file] {file}

DESCRIPTION

This tool is part of the samba(7) suite.

editreg is a utility that - can visualize windows registry files (currently only NT4) and apply - so-called commandfiles to them. -

OPTIONS

registry_file

Registry file to view or edit.

-v,--verbose

Increases verbosity of messages. -

-c commandfile

Read commands to execute on registry_file from commandfile. Currently not yet supported! -

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The editreg man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/findsmb.1.html samba-3.0.21/docs/htmldocs/manpages/findsmb.1.html --- samba-3.0.20b/docs/htmldocs/manpages/findsmb.1.html 2005-08-19 12:55:12.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/findsmb.1.html 2005-12-19 10:16:21.000000000 -0600 @@ -1,12 +1,12 @@ findsmb

Name

findsmb — list info about machines that respond to SMB - name queries on a subnet

Synopsis

findsmb [subnet broadcast address]

DESCRIPTION

This perl script is part of the samba(7) + name queries on a subnet

Synopsis

findsmb [subnet broadcast address]

DESCRIPTION

This perl script is part of the samba(7) suite.

findsmb is a perl script that prints out several pieces of information about machines on a subnet that respond to SMB name query requests. It uses nmblookup(1) and smbclient(1) to obtain this information. -

OPTIONS

-r

Controls whether findsmb takes +

OPTIONS

-r

Controls whether findsmb takes bugs in Windows95 into account when trying to find a Netbios name registered of the remote machine. This option is disabled by default because it is specific to Windows 95 and Windows 95 machines only. @@ -16,7 +16,7 @@ findsmb(1) is run. This value is passed to nmblookup(1) - as part of the -B option.

EXAMPLES

The output of findsmb lists the following + as part of the -B option.

EXAMPLES

The output of findsmb lists the following information for all machines that respond to the initial nmblookup for any name: IP address, NetBIOS name, Workgroup name, operating system, and SMB server version.

There will be a '+' in front of the workgroup name for @@ -35,7 +35,7 @@ the command must be run as root and with -r option on a machine without nmbd running.

For example, running findsmb without -r option set would yield output similar - to the following

+	to the following
 IP ADDR         NETBIOS NAME   WORKGROUP/OS/VERSION 
 --------------------------------------------------------------------- 
 192.168.35.10   MINESET-TEST1  [DMVENGR]
@@ -48,10 +48,10 @@
 192.168.35.88   SCNT2         +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0]
 192.168.35.93   FROGSTAR-PC    [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager]
 192.168.35.97   HERBNT1       *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0]
-

VERSION

This man page is correct for version 3.0 of - the Samba suite.

SEE ALSO

nmbd(8), +

VERSION

This man page is correct for version 3.0 of + the Samba suite.

SEE ALSO

nmbd(8), smbclient(1), and nmblookup(1) -

AUTHOR

The original Samba software and related utilities +

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/index.html samba-3.0.21/docs/htmldocs/manpages/index.html --- samba-3.0.20b/docs/htmldocs/manpages/index.html 2005-08-19 12:58:05.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/index.html 2005-12-19 10:18:07.000000000 -0600 @@ -1,6 +1,4 @@ -

editreg(1)

A utility for printing and editing NT4 registry files - -

findsmb(1)

list info about machines that respond to SMB +

findsmb(1)

list info about machines that respond to SMB name queries on a subnet

libsmbclient(8)

An extension library for browsers and that can be used as a generic browsing API.

lmhosts(5)

The Samba NetBIOS hosts file @@ -48,7 +46,6 @@

tdbdump(8)

tool for printing the contents of a TDB file

testparm(1)

check an smb.conf configuration file for internal correctness -

testprns(1)

check printer name for validity with smbd

umount.cifs(8)

for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts

vfstest(1)

tool for testing samba VFS modules

wbinfo(1)

Query information from winbind daemon diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/libsmbclient.8.html samba-3.0.21/docs/htmldocs/manpages/libsmbclient.8.html --- samba-3.0.20b/docs/htmldocs/manpages/libsmbclient.8.html 2005-08-19 12:55:15.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/libsmbclient.8.html 2005-12-19 10:16:24.000000000 -0600 @@ -1,6 +1,6 @@ libsmbclient

Name

libsmbclient — An extension library for browsers and that can be used as a generic browsing API.

Synopsis

Browser URL:

smb://[[[domain:]user[:password@]]server[/share[/path[/file]]]] [?options] -

DESCRIPTION

+

DESCRIPTION

This tool is part of the samba(8) suite.

libsmbclient is a library toolset that permits applications @@ -14,7 +14,7 @@ it provides an extension of the capabilities of tools such as file managers and browsers. This man page describes the configuration options for this tool so that the user may obtain greatest utility of use. -

OPTIONS

+

OPTIONS

What the URLs mean:

smb://

Shows all workgroups or domains that are visible in the network. The behavior matches @@ -46,11 +46,11 @@ libsmbclient will check the users shell environment for the USER parameter and will use its value when if the user parameter was not included in the URL. -

PROGRAMMERS GUIDE

+

PROGRAMMERS GUIDE

Watch this space for future updates. -

VERSION

+

VERSION

This man page is correct for version 3.0 of the Samba suite. -

AUTHOR

+

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/lmhosts.5.html samba-3.0.21/docs/htmldocs/manpages/lmhosts.5.html --- samba-3.0.20b/docs/htmldocs/manpages/lmhosts.5.html 2005-08-19 12:55:19.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/lmhosts.5.html 2005-12-19 10:16:26.000000000 -0600 @@ -1,8 +1,8 @@ -lmhosts

Name

lmhosts — The Samba NetBIOS hosts file

Synopsis

lmhosts is the samba(7) NetBIOS name to IP address mapping file.

DESCRIPTION

This file is part of the samba(7) suite.

lmhosts is the Samba +lmhosts

Name

lmhosts — The Samba NetBIOS hosts file

Synopsis

lmhosts is the samba(7) NetBIOS name to IP address mapping file.

DESCRIPTION

This file is part of the samba(7) suite.

lmhosts is the Samba NetBIOS name to IP address mapping file. It is very similar to the /etc/hosts file format, except that the hostname component must correspond - to the NetBIOS naming format.

FILE FORMAT

It is an ASCII file containing one line for NetBIOS name. + to the NetBIOS naming format.

FILE FORMAT

It is an ASCII file containing one line for NetBIOS name. The two fields on each line are separated from each other by white space. Any entry beginning with '#' is ignored. Each line in the lmhosts file contains the following information:

  • IP Address - in dotted decimal format.

  • NetBIOS Name - This name format is a @@ -10,23 +10,25 @@ trailing '#' character followed by the NetBIOS name type as two hexadecimal digits.

    If the trailing '#' is omitted then the given IP address will be returned for all names that match the given - name, whatever the NetBIOS name type in the lookup.

An example follows:

+		name, whatever the NetBIOS name type in the lookup.

An example follows: +

 #
 # Sample Samba lmhosts file.
 #
 192.9.200.1	TESTPC
 192.9.200.20	NTSERVER#20
 192.9.200.21	SAMBASERVER
-

Contains three IP to NetBIOS name mappings. The first +

+

Contains three IP to NetBIOS name mappings. The first and third will be returned for any queries for the names "TESTPC" and "SAMBASERVER" respectively, whatever the type component of the NetBIOS name requested.

The second mapping will be returned only when the "0x20" name type for a name "NTSERVER" is queried. Any other name type will not be resolved.

The default location of the lmhosts file - is in the same directory as the smb.conf(5) file.

FILES

lmhosts is loaded from the configuration directory. This is + is in the same directory as the smb.conf(5) file.

FILES

lmhosts is loaded from the configuration directory. This is usually /etc/samba or /usr/local/samba/lib. -

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

smbclient(1), smb.conf(5), and smbpasswd(8) -

AUTHOR

The original Samba software and related utilities +

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

smbclient(1), smb.conf(5), and smbpasswd(8) +

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/log2pcap.1.html samba-3.0.21/docs/htmldocs/manpages/log2pcap.1.html --- samba-3.0.20b/docs/htmldocs/manpages/log2pcap.1.html 2005-08-19 12:55:23.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/log2pcap.1.html 2005-12-19 10:16:28.000000000 -0600 @@ -1,11 +1,11 @@ -log2pcap

Name

log2pcap — Extract network traces from Samba log files

Synopsis

log2pcap [-h] [-q] [logfile] [pcap_file]

DESCRIPTION

This tool is part of the samba(7) suite.

log2pcap reads in a +log2pcap

Name

log2pcap — Extract network traces from Samba log files

Synopsis

log2pcap [-h] [-q] [logfile] [pcap_file]

DESCRIPTION

This tool is part of the samba(7) suite.

log2pcap reads in a samba log file and generates a pcap file (readable by most sniffers, such as ethereal or tcpdump) based on the packet dumps in the log file.

The log file must have a log level of at least 5 to get the SMB header/parameters right, 10 to get the first 512 data bytes of the packet and 50 to get the whole packet. -

OPTIONS

-h

If this parameter is +

OPTIONS

-h

If this parameter is specified the output file will be a hex dump, in a format that is readable by the text2pcap utility.

-q

Be quiet. No warning messages about missing @@ -17,13 +17,13 @@ If this argument is not specified, output data will be written to stdout.

-h|--help

Print a summary of command line options. -

EXAMPLES

Extract all network traffic from all samba log files:

+

EXAMPLES

Extract all network traffic from all samba log files:

 			$ log2pcap < /var/log/* > trace.pcap
-

Convert to pcap using text2pcap:

+

Convert to pcap using text2pcap:

 	$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
-

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

Only SMB data is extracted from the samba logs, no LDAP, +

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

Only SMB data is extracted from the samba logs, no LDAP, NetBIOS lookup or other data.

The generated TCP and IP headers don't contain a valid - checksum.

SEE ALSO

text2pcap(1), ethereal(1)

AUTHOR

The original Samba software and related utilities + checksum.

SEE ALSO

text2pcap(1), ethereal(1)

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

This manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/mount.cifs.8.html samba-3.0.21/docs/htmldocs/manpages/mount.cifs.8.html --- samba-3.0.20b/docs/htmldocs/manpages/mount.cifs.8.html 2005-08-19 12:55:26.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/mount.cifs.8.html 2005-12-19 10:16:31.000000000 -0600 @@ -1,4 +1,4 @@ -mount.cifs

Name

mount.cifs — mount using the Common Internet File System (CIFS)

Synopsis

mount.cifs {service} {mount-point} [-o options]

DESCRIPTION

This tool is part of the samba(7) suite.

mount.cifs mounts a Linux CIFS filesystem. It +mount.cifs

Name

mount.cifs — mount using the Common Internet File System (CIFS)

Synopsis

mount.cifs {service} {mount-point} [-o options]

DESCRIPTION

This tool is part of the samba(7) suite.

mount.cifs mounts a Linux CIFS filesystem. It is usually invoked indirectly by the mount(8) command when using the "-t cifs" option. This command only works in Linux, and the kernel must @@ -20,7 +20,7 @@

mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until the mounted resource is unmounted (usually via the umount utility). -

OPTIONS

user=arg

specifies the username to connect as. If +

OPTIONS

user=arg

specifies the username to connect as. If this is not given, then the environment variable USER is used. This option can also take the form "user%password" or "workgroup/user" or "workgroup/user%password" to allow the password and workgroup @@ -74,14 +74,20 @@ unused.

ro

mount read-only

rw

mount read-write

setuids

If the CIFS Unix extensions are negotiated with the server the client will attempt to set the effective uid and gid of the local process on newly created files, directories, and - devices (create, mkdir, mknod).

nosetuids

The client will not attempt to set the uid and gid on + devices (create, mkdir, mknod). If the CIFS Unix Extensions + are not negotiated, for newly created files and directories + instead of using the default uid and gid specified on the + the mount, cache the new file's uid and gid locally which means + that the uid for the file can change when the inode is + reloaded (or the user remounts the share).

nosetuids

The client will not attempt to set the uid and gid on on newly created files, directories, and devices (create, mkdir, mknod) which will result in the server setting the uid and gid to the default (usually the server uid of the user who mounted the share). Letting the server (rather than - the client) set the uid and gid is the default. This - parameter has no effect if the CIFS Unix Extensions are not - negotiated.

perm

Client does permission checks (vfs_permission check of uid + the client) set the uid and gid is the default.If the CIFS + Unix Extensions are not negotiated then the uid and gid for + new files will appear to be the uid (gid) of the mounter or the + uid (gid) parameter specified on the mount.

perm

Client does permission checks (vfs_permission check of uid and gid of the file against the mode and desired operation), Note that this is in addition to the normal ACL check on the target machine done by the server software. @@ -113,12 +119,33 @@ whose names contain any of these seven characters). This has no effect if the server does not support Unicode on the wire.

nomapchars

Do not translate any of these seven characters (default)

intr

currently unimplemented

nointr

(default) currently unimplemented

hard

The program accessing a file on the cifs mounted file system will hang when the - server crashes.

soft

(default) The program accessing a file on the cifs mounted file system will not hang when the server crashes and will return errors to the user application.

--verbose

Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example:

mount -t cifs //server/share /mnt --verbose -o user=username

noacl

Do not allow POSIX ACL operations even if server would support them.

+ server crashes.

soft

(default) The program accessing a file on the cifs mounted file system will not hang when the server crashes and will return errors to the user application.

noacl

Do not allow POSIX ACL operations even if server would support them.

The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and then POSIX support in the CIFS configuration options when building the cifs module. POSIX ACL support can be disabled on a per mount basic by specifying - "noacl" on mount.

serverino

Use inode numbers (unique persistent file identifiers) + "noacl" on mount.

nocase

Request case insensitive path name matching (case + sensitive is the default if the server suports it). +

sec=

Security mode. Allowed values are:

  • none attempt to connection as a null user (no name)

  • krb5 Use Kerberos version 5 authentication

  • krb5i Use Kerberos authentication and packet signing

  • ntlm Use NTLM password hashing (default)

  • ntlmi Use NTLM password hashing with signing (if + /proc/fs/cifs/PacketSigningEnabled on or if + server requires signing also can be the default)

  • ntlmv2 Use NTLMv2 password hashing

  • ntlmv2i Use NTLMv2 password hashing with packet signing

[NB This [sec parameter] is under development and expected to be available in cifs kernel module 1.40 and later] +

nobrl

Do not send byte range lock requests to the server. + This is necessary for certain applications that break + with cifs style mandatory byte range locks (and most + cifs servers do not yet support requesting advisory + byte range locks). +

sfu

+ When the CIFS Unix Extensions are not negotiated, attempt to + create device files and fifos in a format compatible with + Services for Unix (SFU). In addition retrieve bits 10-12 + of the mode via the SETFILEBITS extended attribute (as + SFU does). In the future the bottom 9 bits of the mode + mode also will be emulated using queries of the security + descriptor (ACL). [NB: requires version 1.39 or later + of the CIFS VFS. To recognize symlinks and be able + to create symlinks in an SFU interoperable form + requires version 1.40 or later of the CIFS VFS kernel module. +

serverino

Use inode numbers (unique persistent file identifiers) returned by the server instead of automatically generating temporary inode numbers on the client. Although server inode numbers make it easier to spot hardlinked files (as they will have @@ -136,7 +163,7 @@ the server lacks support for returning inode numbers or equivalent.

noserverino

client generates inode numbers (rather than using the actual one from the server) by default. -

nouser_xattr

(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise.

rsize=arg

default network read size

wsize=arg

default network write size

ENVIRONMENT VARIABLES

+

nouser_xattr

(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise.

rsize=arg

default network read size

wsize=arg

default network write size

--verbose

Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example:

mount -t cifs //server/share /mnt --verbose -o user=username

ENVIRONMENT VARIABLES

The variable USER may contain the username of the person to be used to authenticate to the server. The variable can be used to set both username and @@ -148,13 +175,18 @@ The variable PASSWD_FILE may contain the pathname of a file to read the password from. A single line of input is read and used as the password. -

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

+

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

The primary mechanism for making configuration changes and for reading debug information for the cifs vfs is via the Linux /proc filesystem. In the directory /proc/fs/cifs are various configuration files and pseudo files which can display debug information. +There are additional startup options such as maximum buffer size and number +of buffers which only may be set when the kernel cifs vfs (cifs.ko module) is +loaded. These can be seen by running the modinfo utility against the file +cifs.ko which will list the options that may be passed to cifs during module +installation (device driver load). For more information see the kernel file fs/cifs/README. -

BUGS

Mounting using the CIFS URL specification is currently not supported. +

BUGS

Mounting using the CIFS URL specification is currently not supported.

The credentials file does not handle usernames or passwords with leading space.

Note that the typical response to a bug report is a suggestion @@ -162,11 +194,11 @@ and always include which versions you use of relevant software when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and server type you are trying to contact. -

VERSION

This man page is correct for version 1.34 of - the cifs vfs filesystem (roughly Linux kernel 2.6.12).

SEE ALSO

+

VERSION

This man page is correct for version 1.39 of + the cifs vfs filesystem (roughly Linux kernel 2.6.15).

SEE ALSO

Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel source tree may contain additional options and information. -

umount.cifs(8)

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It +

umount.cifs(8)

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It was converted to Docbook/XML by Jelmer Vernooij.

The maintainer of the Linux cifs vfs and the userspace tool mount.cifs is Steve French. The Linux CIFS Mailing list diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/net.8.html samba-3.0.21/docs/htmldocs/manpages/net.8.html --- samba-3.0.20b/docs/htmldocs/manpages/net.8.html 2005-08-19 12:55:30.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/net.8.html 2005-12-19 10:16:33.000000000 -0600 @@ -1,13 +1,13 @@ net

Name

net — Tool for administration of Samba and remote CIFS servers. -

Synopsis

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel]

DESCRIPTION

This tool is part of the samba(7) suite.

The samba net utility is meant to work just like the net utility +

Synopsis

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel]

DESCRIPTION

This tool is part of the samba(7) suite.

The samba net utility is meant to work just like the net utility available for windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols. -

OPTIONS

-h|--help

Print a summary of command line options. +

OPTIONS

-h|--help

Print a summary of command line options.

-w target-workgroup

Sets target workgroup or domain. You have to specify either this option or the IP address or the name of a server. @@ -24,7 +24,7 @@ Defaults to trying 445 first, then 139.

-n <primary NetBIOS name>

This option allows you to override the NetBIOS name that Samba uses for itself. This is identical -to setting the parameter in the smb.conf file. +to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

-s <configuration file>

The file specified contains the @@ -41,7 +41,7 @@ When listing data, give more information on each item.

-P

Make queries to the external server using the machine account of the local server. -

-d|--debug=debuglevel

debuglevel is an integer +

-d|--debuglevel=level

level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the @@ -53,19 +53,19 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

COMMANDS

CHANGESECRETPW

This command allows the Samba machine account password to be set from an external application +override the parameter +in the smb.conf file.

COMMANDS

CHANGESECRETPW

This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory. DO NOT USE this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) be used also. There will be NO command prompt. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning. YOU HAVE BEEN WARNED. -

TIME

The NET TIME command allows you to view the time on a remote server - or synchronise the time on the local server with the time on the remote server.

TIME

Without any options, the NET TIME command +

TIME

The NET TIME command allows you to view the time on a remote server + or synchronise the time on the local server with the time on the remote server.

TIME

Without any options, the NET TIME command displays the time on the remote server. -

TIME SYSTEM

Displays the time on the remote server in a format ready for /bin/date

TIME SET

Tries to set the date and time of the local server to that on -the remote server using /bin/date.

TIME ZONE

Displays the timezone in hours from GMT on the remote computer.

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]

+

TIME SYSTEM

Displays the time on the remote server in a format ready for /bin/date

TIME SET

Tries to set the date and time of the local server to that on +the remote server using /bin/date.

TIME ZONE

Displays the timezone in hours from GMT on the remote computer.

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]

Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) @@ -73,71 +73,71 @@ be created.

[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain. -

[RPC] OLDJOIN [options]

Join a domain. Use the OLDJOIN option to join the domain +

[RPC] OLDJOIN [options]

Join a domain. Use the OLDJOIN option to join the domain using the old style of domain joining - you need to create a trust -account in server manager first.

[RPC|ADS] USER

[RPC|ADS] USER

List all users

[RPC|ADS] USER DELETE target

Delete specified user

[RPC|ADS] USER INFO target

List the domain groups of a the specified user.

[RPC|ADS] USER RENAME oldname newname

Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]

Add specified user.

[RPC|ADS] GROUP

[RPC|ADS] GROUP [misc options] [targets]

List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]

Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]

Create specified group.

[RAP|RPC] SHARE

[RAP|RPC] SHARE [misc. options] [targets]

Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]

Adds a share from a server (makes the export active). Maxusers +account in server manager first.

[RPC|ADS] USER

[RPC|ADS] USER

List all users

[RPC|ADS] USER DELETE target

Delete specified user

[RPC|ADS] USER INFO target

List the domain groups of a the specified user.

[RPC|ADS] USER RENAME oldname newname

Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]

Add specified user.

[RPC|ADS] GROUP

[RPC|ADS] GROUP [misc options] [targets]

List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]

Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]

Create specified group.

[RAP|RPC] SHARE

[RAP|RPC] SHARE [misc. options] [targets]

Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]

Adds a share from a server (makes the export active). Maxusers specifies the number of users that can be connected to the -share simultaneously.

SHARE DELETE sharenam

Delete specified share.

[RPC|RAP] FILE

[RPC|RAP] FILE

List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid

Close file with specified fileid on -remote server.

[RPC|RAP] FILE INFO fileid

+share simultaneously.

SHARE DELETE sharenam

Delete specified share.

[RPC|RAP] FILE

[RPC|RAP] FILE

List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid

Close file with specified fileid on +remote server.

[RPC|RAP] FILE INFO fileid

Print information on specified fileid. Currently listed are: file-id, username, locks, path, permissions. -

[RAP|RPC] FILE USER

Note

Currently NOT implemented.

SESSION

RAP SESSION

Without any other options, SESSION enumerates all active SMB/CIFS -sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME

Close the specified sessions.

RAP SESSION INFO CLIENT_NAME

Give a list with all the open files in specified session.

RAP SERVER DOMAIN

List all servers in specified domain or workgroup. Defaults -to local domain.

RAP DOMAIN

Lists all domains and workgroups visible on the -current network.

RAP PRINTQ

RAP PRINTQ LIST QUEUE_NAME

Lists the specified print queue and print jobs on the server. +

[RAP|RPC] FILE USER

Note

Currently NOT implemented.

SESSION

RAP SESSION

Without any other options, SESSION enumerates all active SMB/CIFS +sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME

Close the specified sessions.

RAP SESSION INFO CLIENT_NAME

Give a list with all the open files in specified session.

RAP SERVER DOMAIN

List all servers in specified domain or workgroup. Defaults +to local domain.

RAP DOMAIN

Lists all domains and workgroups visible on the +current network.

RAP PRINTQ

RAP PRINTQ LIST QUEUE_NAME

Lists the specified print queue and print jobs on the server. If the QUEUE_NAME is omitted, all -queues are listed.

RAP PRINTQ DELETE JOBID

Delete job with specified id.

RAP VALIDATE user [password]

+queues are listed.

RAP PRINTQ DELETE JOBID

Delete job with specified id.

RAP VALIDATE user [password]

Validate whether the specified user can log in to the remote server. If the password is not specified on the commandline, it will be prompted. -

Note

Currently NOT implemented.

RAP GROUPMEMBER

RAP GROUPMEMBER LIST GROUP

List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER

Delete member from group.

RAP GROUPMEMBER ADD GROUP USER

Add member to group.

RAP ADMIN command

Execute the specified command on +

Note

Currently NOT implemented.

RAP GROUPMEMBER

RAP GROUPMEMBER LIST GROUP

List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER

Delete member from group.

RAP GROUPMEMBER ADD GROUP USER

Add member to group.

RAP ADMIN command

Execute the specified command on the remote server. Only works with OS/2 servers. -

Note

Currently NOT implemented.

RAP SERVICE

RAP SERVICE START NAME [arguments...]

Start the specified service on the remote server. Not implemented yet.

Note

Currently NOT implemented.

RAP SERVICE STOP

Stop the specified service on the remote server.

Note

Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS

+

Note

Currently NOT implemented.

RAP SERVICE

RAP SERVICE START NAME [arguments...]

Start the specified service on the remote server. Not implemented yet.

Note

Currently NOT implemented.

RAP SERVICE STOP

Stop the specified service on the remote server.

Note

Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS

Change password of USER from OLDPASS to NEWPASS. -

LOOKUP

LOOKUP HOST HOSTNAME [TYPE]

+

LOOKUP

LOOKUP HOST HOSTNAME [TYPE]

Lookup the IP address of the given host with the specified type (netbios suffix). The type defaults to 0x20 (workstation). -

LOOKUP LDAP [DOMAIN

Give IP address of LDAP server of specified DOMAIN. Defaults to local domain.

LOOKUP KDC [REALM]

Give IP address of KDC for the specified REALM. -Defaults to local realm.

LOOKUP DC [DOMAIN]

Give IP's of Domain Controllers for specified -DOMAIN. Defaults to local domain.

LOOKUP MASTER DOMAIN

Give IP of master browser for specified DOMAIN -or workgroup. Defaults to local domain.

CACHE

Samba uses a general caching interface called 'gencache'. It +

LOOKUP LDAP [DOMAIN

Give IP address of LDAP server of specified DOMAIN. Defaults to local domain.

LOOKUP KDC [REALM]

Give IP address of KDC for the specified REALM. +Defaults to local realm.

LOOKUP DC [DOMAIN]

Give IP's of Domain Controllers for specified +DOMAIN. Defaults to local domain.

LOOKUP MASTER DOMAIN

Give IP of master browser for specified DOMAIN +or workgroup. Defaults to local domain.

CACHE

Samba uses a general caching interface called 'gencache'. It can be controlled using 'NET CACHE'.

All the timeout parameters support the suffixes:

s - Seconds
m - Minutes
h - Hours
d - Days
w - Weeks

-

CACHE ADD key data time-out

Add specified key+data to the cache with the given timeout.

CACHE DEL key

Delete key from the cache.

CACHE SET key data time-out

Update data of existing cache entry.

CACHE SEARCH PATTERN

Search for the specified pattern in the cache data.

CACHE LIST

+

CACHE ADD key data time-out

Add specified key+data to the cache with the given timeout.

CACHE DEL key

Delete key from the cache.

CACHE SET key data time-out

Update data of existing cache entry.

CACHE SEARCH PATTERN

Search for the specified pattern in the cache data.

CACHE LIST

List all current items in the cache. -

CACHE FLUSH

Remove all the current items from the cache.

GETLOCALSID [DOMAIN]

Print the SID of the specified domain, or if the parameter is -omitted, the SID of the domain the local server is in.

SETLOCALSID S-1-5-21-x-y-z

Sets domain sid for the local server to the specified SID.

GROUPMAP

Manage the mappings between Windows group SIDs and UNIX groups. +

CACHE FLUSH

Remove all the current items from the cache.

GETLOCALSID [DOMAIN]

Print the SID of the specified domain, or if the parameter is +omitted, the SID of the domain the local server is in.

SETLOCALSID S-1-5-21-x-y-z

Sets domain sid for the local server to the specified SID.

GROUPMAP

Manage the mappings between Windows group SIDs and UNIX groups. Parameters take the for "parameter=value". Common options include:

  • unixgroup - Name of the UNIX group

  • ntgroup - Name of the Windows NT group (must be resolvable to a SID

  • rid - Unsigned 32-bit integer

  • sid - Full SID in the form of "S-1-..."

  • type - Type of the group; either 'domain', 'local', - or 'builtin'

  • comment - Freeform text description of the group

GROUPMAP ADD

+ or 'builtin'

  • comment - Freeform text description of the group

    • GROUPMAP ADD

    Add a new group mapping entry: -

    +
     net groupmap add {rid=int|sid=string} unixgroup=string \
       [type={domain|local}] [ntgroup=string] [comment=string]
 
    
-

    GROUPMAP DELETE

    Delete a group mapping entry. If more then one group name matches, the first entry found is deleted.

    net groupmap delete {ntgroup=string|sid=SID}

    GROUPMAP MODIFY

    Update en existing group entry

    -

    +

    GROUPMAP DELETE

    Delete a group mapping entry. If more then one group name matches, the first entry found is deleted.

    net groupmap delete {ntgroup=string|sid=SID}

    GROUPMAP MODIFY

    Update en existing group entry

    +

     net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
        [comment=string] [type={domain|local}]

    -

    GROUPMAP LIST

    List existing group mapping entries

    net groupmap list [verbose] [ntgroup=string] [sid=SID]

    MAXRID

    Prints out the highest RID currently in use on the local +

    GROUPMAP LIST

    List existing group mapping entries

    net groupmap list [verbose] [ntgroup=string] [sid=SID]

    MAXRID

    Prints out the highest RID currently in use on the local server (by the active 'passdb backend'). -

    RPC INFO

    Print information about the domain of the remote server, +

    RPC INFO

    Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups. -

    [RPC|ADS] TESTJOIN

    Check whether participation in a domain is still valid.

    [RPC|ADS] CHANGETRUSTPW

    Force change of domain trust password.

    RPC TRUSTDOM

    RPC TRUSTDOM ADD DOMAIN

    Add a interdomain trust account for +

    [RPC|ADS] TESTJOIN

    Check whether participation in a domain is still valid.

    [RPC|ADS] CHANGETRUSTPW

    Force change of domain trust password.

    RPC TRUSTDOM

    RPC TRUSTDOM ADD DOMAIN

    Add a interdomain trust account for DOMAIN to the remote server. -

    RPC TRUSTDOM DEL DOMAIM

    Remove interdomain trust account for +

    RPC TRUSTDOM DEL DOMAIM

    Remove interdomain trust account for DOMAIN from the remote server. -

    Note

    Currently NOT implemented.

    RPC TRUSTDOM ESTABLISH DOMAIN

    +

    Note

    Currently NOT implemented.

    RPC TRUSTDOM ESTABLISH DOMAIN

    Establish a trust relationship to a trusting domain. Interdomain account must already be created on the remote PDC. -

    RPC TRUSTDOM REVOKE DOMAIN

    Abandon relationship to trusted domain

    RPC TRUSTDOM LIST

    List all current interdomain trust relationships.

    RPC RIGHTS

    This subcommand is used to view and manage Samba's rights assignments (also +

    RPC TRUSTDOM REVOKE DOMAIN

    Abandon relationship to trusted domain

    RPC TRUSTDOM LIST

    List all current interdomain trust relationships.

    RPC RIGHTS

    This subcommand is used to view and manage Samba's rights assignments (also referred to as privileges). There are three options current available: list, grant, and revoke. More details on Samba's privilege model and its use -can be found in the Samba-HOWTO-Collection.

    RPC ABORTSHUTDOWN

    Abort the shutdown of a remote server.

    SHUTDOWN [-t timeout] [-r] [-f] [-C message]

    Shut down the remote server.

    -r

    +can be found in the Samba-HOWTO-Collection.

    RPC ABORTSHUTDOWN

    Abort the shutdown of a remote server.

    SHUTDOWN [-t timeout] [-r] [-f] [-C message]

    Shut down the remote server.

    -r

    Reboot after shutdown.

    -f

    Force shutting down all applications. @@ -145,22 +145,22 @@ Timeout before system will be shut down. An interactive user of the system can use this time to cancel the shutdown.

    -C message

    Display the specified message on the screen to -announce the shutdown.

    SAMDUMP

    Print out sam database of remote server. You need -to run this on either a BDC.

    VAMPIRE

    Export users, aliases and groups from remote server to +announce the shutdown.

    SAMDUMP

    Print out sam database of remote server. You need +to run this on either a BDC.

    VAMPIRE

    Export users, aliases and groups from remote server to local server. Can only be run an a BDC. -

    GETSID

    Fetch domain SID and store it in the local secrets.tdb.

    ADS LEAVE

    Make the remote host leave the domain it is part of.

    ADS STATUS

    Print out status of machine account of the local machine in ADS. +

    GETSID

    Fetch domain SID and store it in the local secrets.tdb.

    ADS LEAVE

    Make the remote host leave the domain it is part of.

    ADS STATUS

    Print out status of machine account of the local machine in ADS. Prints out quite some debug info. Aimed at developers, regular -users should use NET ADS TESTJOIN.

    ADS PRINTER

    ADS PRINTER INFO [PRINTER] [SERVER]

    +users should use NET ADS TESTJOIN.

    ADS PRINTER

    ADS PRINTER INFO [PRINTER] [SERVER]

    Lookup info for PRINTER on SERVER. The printer name defaults to "*", the -server name defaults to the local host.

    ADS PRINTER PUBLISH PRINTER

    Publish specified printer using ADS.

    ADS PRINTER REMOVE PRINTER

    Remove specified printer from ADS directory.

    ADS SEARCH EXPRESSION ATTRIBUTES...

    Perform a raw LDAP search on a ADS server and dump the results. The +server name defaults to the local host.

    ADS PRINTER PUBLISH PRINTER

    Publish specified printer using ADS.

    ADS PRINTER REMOVE PRINTER

    Remove specified printer from ADS directory.

    ADS SEARCH EXPRESSION ATTRIBUTES...

    Perform a raw LDAP search on a ADS server and dump the results. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results.

    Example: net ads search '(objectCategory=group)' sAMAccountName -

    ADS DN DN (attributes)

    +

    ADS DN DN (attributes)

    Perform a raw LDAP search on a ADS server and dump the results. The DN standard LDAP DN, and the attributes are a list of LDAP fields to show in the result. -

    Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

    WORKGROUP

    Print out workgroup name for specified kerberos realm.

    HELP [COMMAND]

    Gives usage information for the specified command.

    VERSION

    This man page is complete for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities +

    Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

    WORKGROUP

    Print out workgroup name for specified kerberos realm.

    HELP [COMMAND]

    Gives usage information for the specified command.

    VERSION

    This man page is complete for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The net manpage was written by Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/nmbd.8.html samba-3.0.21/docs/htmldocs/manpages/nmbd.8.html --- samba-3.0.20b/docs/htmldocs/manpages/nmbd.8.html 2005-08-19 12:55:33.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/nmbd.8.html 2005-12-19 10:16:35.000000000 -0600 @@ -1,5 +1,5 @@ nmbd

    Name

    nmbd — NetBIOS name server to provide NetBIOS - over IP naming services to clients

    Synopsis

    nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]

    DESCRIPTION

    This program is part of the samba(7) suite.

    nmbd is a server that understands + over IP naming services to clients

    Synopsis

    nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]

    DESCRIPTION

    This program is part of the samba(7) suite.

    nmbd is a server that understands and can reply to NetBIOS over IP name service requests, like those produced by SMB/CIFS clients such as Windows 95/98/ME, Windows NT, Windows 2000, Windows XP and LanManager clients. It also @@ -11,7 +11,7 @@ specified it will respond with the IP number of the host it is running on. Its "own NetBIOS name" is by default the primary DNS name of the host it is running on, - but this can be overridden by the netbios name + but this can be overridden by the netbios name in smb.conf. Thus nmbd will reply to broadcast queries for its own name(s). Additional names for nmbd to respond on can be set @@ -22,7 +22,7 @@ replying to queries from clients for these names.

    In addition, nmbd can act as a WINS proxy, relaying broadcast queries from clients that do not understand how to talk the WINS protocol to a WINS - server.

    OPTIONS

    -D

    If specified, this parameter causes + server.

    OPTIONS

    -D

    If specified, this parameter causes nmbd to operate as a daemon. That is, it detaches itself and runs in the background, fielding requests on the appropriate port. By default, nmbd @@ -51,7 +51,7 @@

    -H <filename>

    NetBIOS lmhosts file. The lmhosts file is a list of NetBIOS names to IP addresses that is loaded by the nmbd server and used via the name - resolution mechanism name resolve order described in smb.conf(5) to resolve any + resolution mechanism name resolve order described in smb.conf(5) to resolve any NetBIOS name queries needed by the server. Note that the contents of this file are NOT used by nmbd to answer any name queries. @@ -68,7 +68,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -80,7 +80,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -88,7 +88,7 @@ This option changes the default UDP port number (normally 137) that nmbd responds to name queries on. Don't use this option unless you are an expert, in which case you - won't need help!

    FILES

    /etc/inetd.conf

    If the server is to be run by the + won't need help!

    FILES

    /etc/inetd.conf

    If the server is to be run by the inetd meta-daemon, this file must contain suitable startup information for the meta-daemon. @@ -104,18 +104,18 @@ configuration file. Other common places that systems install this file are /usr/samba/lib/smb.conf and /etc/samba/smb.conf.

    When run as a WINS server (see the - wins support + wins support parameter in the smb.conf(5) man page), nmbd will store the WINS database in the file wins.dat in the var/locks directory configured under wherever Samba was configured to install itself.

    If nmbd is acting as a - browse master (see the local master + browse master (see the local master parameter in the smb.conf(5) man page, nmbd will store the browsing database in the file browse.dat in the var/locks directory configured under wherever Samba was configured to install itself. -

    SIGNALS

    To shut down an nmbd process it is recommended +

    SIGNALS

    To shut down an nmbd process it is recommended that SIGKILL (-9) NOT be used, except as a last resort, as this may leave the name database in an inconsistent state. The correct way to terminate nmbd is to send it @@ -129,13 +129,13 @@ using smbcontrol(1) (SIGUSR[1|2] signals are no longer used since Samba 2.2). This is to allow transient problems to be diagnosed, whilst still running - at a normally low log level.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    + at a normally low log level.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    inetd(8), smbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the Internet RFC's rfc1001.txt, rfc1002.txt. In addition the CIFS (formerly SMB) specification is available as a link from the Web page - http://samba.org/cifs/.

    AUTHOR

    The original Samba software and related utilities + http://samba.org/cifs/.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/nmblookup.1.html samba-3.0.21/docs/htmldocs/manpages/nmblookup.1.html --- samba-3.0.20b/docs/htmldocs/manpages/nmblookup.1.html 2005-08-19 12:55:38.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/nmblookup.1.html 2005-12-19 10:16:38.000000000 -0600 @@ -1,9 +1,9 @@ nmblookup

    Name

    nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS - names

    Synopsis

    nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    nmblookup is used to query NetBIOS names + names

    Synopsis

    nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries - are done over UDP.

    OPTIONS

    -M

    Searches for a master browser by looking + are done over UDP.

    OPTIONS

    -M

    Searches for a master browser by looking up the NetBIOS name name with a type of 0x1d. If name is "-" then it does a lookup on the special name @@ -28,7 +28,7 @@

    -A

    Interpret name as an IP Address and do a node status query on this address.

    -n <primary NetBIOS name>

    This option allows you to override the NetBIOS name that Samba uses for itself. This is identical -to setting the parameter in the smb.conf file. +to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

    -i <scope>

    This specifies a NetBIOS scope that @@ -61,7 +61,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -73,7 +73,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -88,12 +88,12 @@ If a NetBIOS name then the different name types may be specified by appending '#<type>' to the name. This name may also be '*', which will return all registered names within a broadcast - area.

    EXAMPLES

    nmblookup can be used to query + area.

    EXAMPLES

    nmblookup can be used to query a WINS server (in the same way nslookup is used to query DNS servers). To query a WINS server, nmblookup must be called like this:

    nmblookup -U server -R 'name'

    For example, running :

    nmblookup -U samba.org -R 'IRIX#1B'

    would query the WINS server samba.org for the domain - master browser (1B name type) for the IRIX workgroup.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    nmbd(8), samba(7), and smb.conf(5).

    AUTHOR

    The original Samba software and related utilities + master browser (1B name type) for the IRIX workgroup.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    nmbd(8), samba(7), and smb.conf(5).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/ntlm_auth.1.html samba-3.0.21/docs/htmldocs/manpages/ntlm_auth.1.html --- samba-3.0.20b/docs/htmldocs/manpages/ntlm_auth.1.html 2005-08-19 12:55:42.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/ntlm_auth.1.html 2005-12-19 10:16:40.000000000 -0600 @@ -1,18 +1,18 @@ -ntlm_auth

    Name

    ntlm_auth — tool to allow external access to Winbind's NTLM authentication function

    Synopsis

    ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    ntlm_auth is a helper utility that authenticates +ntlm_auth

    Name

    ntlm_auth — tool to allow external access to Winbind's NTLM authentication function

    Synopsis

    ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    ntlm_auth is a helper utility that authenticates users using NT/LM authentication. It returns 0 if the users is authenticated successfully and 1 if access was denied. ntlm_auth uses winbind to access the user and authentication data for a domain. This utility is only indended to be used by other programs (currently Squid and mod_ntlm_winbind) -

    OPERATIONAL REQUIREMENTS

    +

    OPERATIONAL REQUIREMENTS

    The winbindd(8) daemon must be operational for many of these commands to function.

    Some of these commands also require access to the directory winbindd_privileged in $LOCKDIR. This should be done either by running this command as root or providing group access to the winbindd_privileged directory. For - security reasons, this directory should not be world-accessable.

    OPTIONS

    --helper-protocol=PROTO

    + security reasons, this directory should not be world-accessable.

    OPTIONS

    --helper-protocol=PROTO

    Operate as a stdio-based helper. Valid helper protocols are:

    squid-2.4-basic

    Server-side helper for use with Squid 2.4's basic (plaintext) @@ -64,33 +64,33 @@ any data (such as usernames/passwords) that may contain malicous user data, such as a newline. They may also need to decode strings from the helper, which likewise may have been base64 encoded.

    Username

    The username, expected to be in - Samba's unix charset. -

    Example 1. 

    Username: bob

    Example 2. 

    Username:: Ym9i
    Username

    The user's domain, expected to be in - Samba's unix charset. -

    Example 3. 

    Domain: WORKGROUP

    Example 4. 

    Domain:: V09SS0dST1VQ
    Full-Username

    The fully qualified username, expected to be in - Samba's and qualified with the - winbind separator. -

    Example 5. 

    Full-Username: WORKGROUP\bob

    Example 6. 

    Full-Username:: V09SS0dST1VQYm9i
    LANMAN-Challenge

    The 8 byte LANMAN Challenge value, + Samba's unix charset. +

    Example 1. 

    Username: bob

    Example 2. 

    Username:: Ym9i
    Username

    The user's domain, expected to be in + Samba's unix charset. +

    Example 3. 

    Domain: WORKGROUP

    Example 4. 

    Domain:: V09SS0dST1VQ
    Full-Username

    The fully qualified username, expected to be in + Samba's and qualified with the + winbind separator. +

    Example 5. 

    Full-Username: WORKGROUP\bob

    Example 6. 

    Full-Username:: V09SS0dST1VQYm9i
    LANMAN-Challenge

    The 8 byte LANMAN Challenge value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client. -

    Example 7. 

    LANMAN-Challege: 0102030405060708
    LANMAN-Response

    The 24 byte LANMAN Response value, +

    Example 7. 

    LANMAN-Challege: 0102030405060708
    LANMAN-Response

    The 24 byte LANMAN Response value, calculated from the user's password and the supplied LANMAN Challenge. Typically, this is provided over the network by a client wishing to authenticate. -

    Example 8. 

    LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
    NT-Response

    The >= 24 byte NT Response +

    Example 8. 

    LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
    NT-Response

    The >= 24 byte NT Response calculated from the user's password and the supplied LANMAN Challenge. Typically, this is provided over the network by a client wishing to authenticate. -

    Example 9. 

    NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
    Password

    The user's password. This would be +

    Example 9. 

    NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
    Password

    The user's password. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way. -

    Example 10. 

    Password: samba2

    Example 11. 

    Password:: c2FtYmEy
    Request-User-Session-Key

    Apon sucessful authenticaiton, return +

    Example 10. 

    Password: samba2

    Example 11. 

    Password:: c2FtYmEy
    Request-User-Session-Key

    Apon sucessful authenticaiton, return the user session key associated with the login. -

    Example 12. 

    Request-User-Session-Key: Yes
    Request-LanMan-Session-Key

    Apon sucessful authenticaiton, return +

    Example 12. 

    Request-User-Session-Key: Yes
    Request-LanMan-Session-Key

    Apon sucessful authenticaiton, return the LANMAN session key associated with the login. -

    Example 13. 

    Request-LanMan-Session-Key: Yes
    --username=USERNAME

    +

    Example 13. 

    Request-LanMan-Session-Key: Yes
    --username=USERNAME

    Specify username of user to authenticate

    --domain=DOMAIN

    Specify domain of user to authenticate @@ -111,7 +111,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -123,12 +123,12 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

    -h|--help

    Print a summary of command line options. -

    EXAMPLE SETUP

    To setup ntlm_auth for use by squid 2.5, with both basic and +

    EXAMPLE SETUP

    To setup ntlm_auth for use by squid 2.5, with both basic and NTLMSSP authentication, the following should be placed in the squid.conf file. 

    @@ -144,13 +144,13 @@
 
     auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-

    TROUBLESHOOTING

    If you're experiencing problems with authenticating Internet Explorer running +

    TROUBLESHOOTING

    If you're experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication helper (--helper-protocol=squid-2.5-ntlmssp), then please read the Microsoft Knowledge Base article #239869 and follow instructions described there. -

    VERSION

    This man page is correct for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities +

    VERSION

    This man page is correct for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The ntlm_auth manpage was written by Jelmer Vernooij and diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/pam_winbind.8.html samba-3.0.21/docs/htmldocs/manpages/pam_winbind.8.html --- samba-3.0.20b/docs/htmldocs/manpages/pam_winbind.8.html 2005-08-19 12:55:46.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/pam_winbind.8.html 2005-12-19 10:16:43.000000000 -0600 @@ -1,5 +1,5 @@ -pam_winbind

    Name

    pam_winbind — PAM module for Winbind

    DESCRIPTION

    This tool is part of the samba(7) suite.

    pam_winbind is a PAM module that can authenticate users against the local domain - by talking to the Winbind daemon.

    OPTIONS

    +pam_winbind

    Name

    pam_winbind — PAM module for Winbind

    DESCRIPTION

    This tool is part of the samba(7) suite.

    pam_winbind is a PAM module that can authenticate users against the local domain + by talking to the Winbind daemon.

    OPTIONS

    pam_winbind supports several options:

    debug

    Gives debugging output to syslog.

    require_membership_of=[SID or NAME]

    If this option is set, pam_winbind will only succeed if the @@ -22,7 +22,7 @@

    -

    SEE ALSO

    wbinfo(1), winbindd(8)

    VERSION

    This man page is correct for version 3.0 of Samba.

    AUTHOR

    The original Samba software and related utilities +

    SEE ALSO

    wbinfo(1), winbindd(8)

    VERSION

    This man page is correct for version 3.0 of Samba.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    This manpage was written by Jelmer Vernooij and Guenther Deschner.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/pdbedit.8.html samba-3.0.21/docs/htmldocs/manpages/pdbedit.8.html --- samba-3.0.20b/docs/htmldocs/manpages/pdbedit.8.html 2005-08-19 12:55:50.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/pdbedit.8.html 2005-12-19 10:16:46.000000000 -0600 @@ -1,18 +1,18 @@ -pdbedit

    Name

    pdbedit — manage the SAM database (Database of Samba Users)

    Synopsis

    pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The pdbedit program is used to manage the users accounts +pdbedit

    Name

    pdbedit — manage the SAM database (Database of Samba Users)

    Synopsis

    pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.

    The pdbedit tool uses the passdb modular interface and is independent from the kind of users database used (currently there are smbpasswd, ldap, nis+ and tdb based and more can be added without changing the tool).

    There are five main ways to use pdbedit: adding a user account, removing a user account, modifing a user account, listing user - accounts, importing users accounts.

    OPTIONS

    -L

    This option lists all the user accounts + accounts, importing users accounts.

    OPTIONS

    -L

    This option lists all the user accounts present in the users database. This option prints a list of user/uid pairs separated by - the ':' character.

    Example: pdbedit -L

    +		the ':' character.
    Example: pdbedit -L
     sorce:500:Simo Sorce
 samba:45:Test User
    -v

    This option enables the verbose listing format. It causes pdbedit to list the users in the database, printing - out the account fields in a descriptive format.

    Example: pdbedit -L -v

    +		out the account fields in a descriptive format.
    Example: pdbedit -L -v
     ---------------
 username:       sorce
 user ID/Group:  500/500
@@ -35,7 +35,7 @@
 		It will make pdbedit list the users in the database, printing
 		out the account fields in a format compatible with the
 		smbpasswd file format. (see the
-		smbpasswd(5) for details)
    Example: pdbedit -L -w
    +		smbpasswd(5) for details)
    Example: pdbedit -L -w
     sorce:500:508818B733CE64BEAAD3B435B51404EE:
           D2A2418EFC466A8A0F6B1DBB5C3DB80C:
           [UX         ]:LCT-00000000:
@@ -78,7 +78,7 @@
 retype new password
 
    
 
    Note
    pdbedit does not call the unix password syncronisation 
-				script if unix password sync
+				script if unix password sync
 				has been set. It only updates the data in the Samba 
 				user database. 
 			
    If you wish to add a user and synchronise the password
@@ -122,7 +122,7 @@
 as descriptions of all the services that the server is 
 to provide. See smb.conf for more information.
 The default configuration file name is determined at 
-compile time.
    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -134,12 +134,12 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. -

    NOTES

    This command may be used only by root.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smbpasswd(5), samba(7)

    AUTHOR

    The original Samba software and related utilities +

    NOTES

    This command may be used only by root.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smbpasswd(5), samba(7)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/profiles.1.html samba-3.0.21/docs/htmldocs/manpages/profiles.1.html --- samba-3.0.20b/docs/htmldocs/manpages/profiles.1.html 2005-08-19 12:55:53.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/profiles.1.html 2005-12-19 10:16:48.000000000 -0600 @@ -1,12 +1,12 @@ profiles

    Name

    profiles — A utility to report and change SIDs in registry files -

    Synopsis

    profiles [-v] [-c SID] [-n SID] {file}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    profiles is a utility that +

    Synopsis

    profiles [-v] [-c SID] [-n SID] {file}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    profiles is a utility that reports and changes SIDs in windows registry files. It currently only supports NT. -

    OPTIONS

    file

    Registry file to view or edit.

    -v,--verbose

    Increases verbosity of messages. +

    OPTIONS

    file

    Registry file to view or edit.

    -v,--verbose

    Increases verbosity of messages.

    -c SID1 -n SID2

    Change all occurences of SID1 in file by SID2.

    -h|--help

    Print a summary of command line options. -

    VERSION

    This man page is correct for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities +

    VERSION

    This man page is correct for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The profiles man page was written by Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/rpcclient.1.html samba-3.0.21/docs/htmldocs/manpages/rpcclient.1.html --- samba-3.0.20b/docs/htmldocs/manpages/rpcclient.1.html 2005-08-19 12:55:58.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/rpcclient.1.html 2005-12-19 10:16:50.000000000 -0600 @@ -1,11 +1,11 @@ rpcclient

    Name

    rpcclient — tool for executing client side - MS-RPC functions

    Synopsis

    rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    rpcclient is a utility initially developed + MS-RPC functions

    Synopsis

    rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from - their UNIX workstation.

    OPTIONS

    server

    NetBIOS name of Server to which to connect. + their UNIX workstation.

    OPTIONS

    server

    NetBIOS name of Server to which to connect. The server can be any SMB/CIFS server. The name is - resolved using the name resolve order line from smb.conf(5).

    -c|--command='command string'

    execute semicolon separated commands (listed + resolved using the name resolve order line from smb.conf(5).

    -c|--command='command string'

    execute semicolon separated commands (listed below))

    -I IP-address

    IP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.

    Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution @@ -23,7 +23,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -35,7 +35,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -70,7 +70,7 @@ rpcclient to prompt for a password and type it in directly.

    -n <primary NetBIOS name>

    This option allows you to override the NetBIOS name that Samba uses for itself. This is identical -to setting the parameter in the smb.conf file. +to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

    -i <scope>

    This specifies a NetBIOS scope that @@ -87,11 +87,11 @@ socket. See the socket options parameter in the smb.conf manual page for the list of valid options.

    -h|--help

    Print a summary of command line options. -

    COMMANDS

    LSARPC

    lsaquery

    Query info policy

    lookupsids

    Resolve a list +

    COMMANDS

    LSARPC

    lsaquery

    Query info policy

    lookupsids

    Resolve a list of SIDs to usernames.

    lookupnames

    Resolve a list of usernames to SIDs. -

    enumtrusts

    Enumerate trusted domains

    enumprivs

    Enumerate privileges

    getdispname

    Get the privilege name

    lsaenumsid

    Enumerate the LSA SIDS

    lsaenumprivsaccount

    Enumerate the privileges of an SID

    lsaenumacctrights

    Enumerate the rights of an SID

    lsaenumacctwithright

    Enumerate accounts with a right

    lsaaddacctrights

    Add rights to an account

    lsaremoveacctrights

    Remove rights from an account

    lsalookupprivvalue

    Get a privilege value given its name

    lsaquerysecobj

    Query LSA security object

    LSARPC-DS

    dsroledominfo

    Get Primary Domain Information

    DFS

    dfsexist

    Query DFS support

    dfsadd

    Add a DFS share

    dfsremove

    Remove a DFS share

    dfsgetinfo

    Query DFS share info

    dfsenum

    Enumerate dfs shares

    REG

    shutdown

    Remote Shutdown

    abortshutdown

    Abort Shutdown

    SRVSVC

    srvinfo

    Server query info

    netshareenum

    Enumerate shares

    netfileenum

    Enumerate open files

    netremotetod

    Fetch remote time of day

    SAMR

    queryuser

    Query user info

    querygroup

    Query group info

    queryusergroups

    Query user groups

    querygroupmem

    Query group membership

    queryaliasmem

    Query alias membership

    querydispinfo

    Query display info

    querydominfo

    Query domain info

    enumdomusers

    Enumerate domain users

    enumdomgroups

    Enumerate domain groups

    enumalsgroups

    Enumerate alias groups

    createdomuser

    Create domain user

    samlookupnames

    Look up names

    samlookuprids

    Look up names

    deletedomuser

    Delete domain user

    samquerysecobj

    Query SAMR security object

    getdompwinfo

    Retrieve domain password info

    lookupdomain

    Look up domain

    SPOOLSS

    adddriver <arch> <config> [<version>]

    +

    enumtrusts

    Enumerate trusted domains

    enumprivs

    Enumerate privileges

    getdispname

    Get the privilege name

    lsaenumsid

    Enumerate the LSA SIDS

    lsaenumprivsaccount

    Enumerate the privileges of an SID

    lsaenumacctrights

    Enumerate the rights of an SID

    lsaenumacctwithright

    Enumerate accounts with a right

    lsaaddacctrights

    Add rights to an account

    lsaremoveacctrights

    Remove rights from an account

    lsalookupprivvalue

    Get a privilege value given its name

    lsaquerysecobj

    Query LSA security object

    LSARPC-DS

    dsroledominfo

    Get Primary Domain Information

    DFS

    dfsexist

    Query DFS support

    dfsadd

    Add a DFS share

    dfsremove

    Remove a DFS share

    dfsgetinfo

    Query DFS share info

    dfsenum

    Enumerate dfs shares

    REG

    shutdown

    Remote Shutdown

    abortshutdown

    Abort Shutdown

    SRVSVC

    srvinfo

    Server query info

    netshareenum

    Enumerate shares

    netfileenum

    Enumerate open files

    netremotetod

    Fetch remote time of day

    SAMR

    queryuser

    Query user info

    querygroup

    Query group info

    queryusergroups

    Query user groups

    querygroupmem

    Query group membership

    queryaliasmem

    Query alias membership

    querydispinfo

    Query display info

    querydominfo

    Query domain info

    enumdomusers

    Enumerate domain users

    enumdomgroups

    Enumerate domain groups

    enumalsgroups

    Enumerate alias groups

    createdomuser

    Create domain user

    samlookupnames

    Look up names

    samlookuprids

    Look up names

    deletedomuser

    Delete domain user

    samquerysecobj

    Query SAMR security object

    getdompwinfo

    Retrieve domain password info

    lookupdomain

    Look up domain

    SPOOLSS

    adddriver <arch> <config> [<version>]

    Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should already exist in the directory returned by @@ -176,11 +176,11 @@ already be correctly installed on the print server.

    See also the enumprinters and enumdrivers commands for obtaining a list of of installed printers and drivers.

    addform

    Add form

    setform

    Set form

    getform

    Get form

    deleteform

    Delete form

    enumforms

    Enumerate form

    setprinter

    Set printer comment

    setprinterdata

    Set REG_SZ printer data

    setprintername <printername> - <newprintername>

    Set printer name

    rffpcnex

    Rffpcnex test

    NETLOGON

    logonctrl2

    Logon Control 2

    logonctrl

    Logon Control

    samsync

    Sam Synchronisation

    samdeltas

    Query Sam Deltas

    samlogon

    Sam Logon

    GENERAL COMMANDS

    debuglevel

    Set the current + <newprintername>

    Set printer name

    rffpcnex

    Rffpcnex test

    NETLOGON

    logonctrl2

    Logon Control 2

    logonctrl

    Logon Control

    samsync

    Sam Synchronisation

    samdeltas

    Query Sam Deltas

    samlogon

    Sam Logon

    GENERAL COMMANDS

    debuglevel

    Set the current debug level used to log information.

    help (?)

    Print a listing of all known commands or extended help on a particular command.

    quit (exit)

    Exit rpcclient - .

    BUGS

    rpcclient is designed as a developer testing tool + .

    BUGS

    rpcclient is designed as a developer testing tool and may not be robust in certain areas (such as command line parsing). It has been known to generate a core dump upon failures when invalid parameters where passed to the interpreter.

    From Luke Leighton's original rpcclient man page:

    WARNING! The MSRPC over SMB code has @@ -193,8 +193,8 @@ versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may - result in incompatibilities.

    VERSION

    This man page is correct for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities + result in incompatibilities.

    VERSION

    This man page is correct for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original rpcclient man page was written by Matthew diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/samba.7.html samba-3.0.21/docs/htmldocs/manpages/samba.7.html --- samba-3.0.20b/docs/htmldocs/manpages/samba.7.html 2005-08-19 12:56:03.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/samba.7.html 2005-12-19 10:16:53.000000000 -0600 @@ -1,4 +1,4 @@ -samba

    Name

    samba — A Windows SMB/CIFS fileserver for UNIX

    Synopsis

    samba

    DESCRIPTION

    The Samba software suite is a collection of programs +samba

    Name

    samba — A Windows SMB/CIFS fileserver for UNIX

    Synopsis

    samba

    DESCRIPTION

    The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS). For a @@ -49,8 +49,6 @@ that is used for integrating authentication and the user database into unix.

    wbinfo(1)

    wbinfo is a utility that retrieves and stores information related to winbind. -

    editreg(1)

    editreg is a command-line - utility that can edit windows registry files.

    profiles(1)

    profiles is a command-line utility that can be used to replace all occurences of a certain SID with another SID. @@ -65,7 +63,7 @@ smbmnt(8)

    smbmount,smbumount and smbmnt are commands that can be used to mount CIFS/SMB shares on Linux.

    smbcquotas(1)

    smbcquotas is a tool that - can set remote QUOTA's on server with NTFS 5.

    COMPONENTS

    The Samba suite is made up of several components. Each + can set remote QUOTA's on server with NTFS 5.

    COMPONENTS

    The Samba suite is made up of several components. Each component is described in a separate manual page. It is strongly recommended that you read the documentation that comes with Samba and the manual pages of those components that you use. If the @@ -74,7 +72,7 @@ for information on how to file a bug report or submit a patch.

    If you require help, visit the Samba webpage at http://www.samba.org/ and explore the many option available to you. -

    AVAILABILITY

    The Samba software suite is licensed under the +

    AVAILABILITY

    The Samba software suite is licensed under the GNU Public License(GPL). A copy of that license should have come with the package in the file COPYING. You are encouraged to distribute copies of the Samba suite, but @@ -88,14 +86,14 @@ the README file that comes with Samba.

    If you have access to a WWW viewer (such as Mozilla or Konqueror) then you will also find lots of useful information, including back issues of the Samba mailing list, at - http://lists.samba.org.

    VERSION

    This man page is correct for version 3.0 of the - Samba suite.

    CONTRIBUTIONS

    If you wish to contribute to the Samba project, + http://lists.samba.org.

    VERSION

    This man page is correct for version 3.0 of the + Samba suite.

    CONTRIBUTIONS

    If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list at http://lists.samba.org.

    If you have patches to submit, visit http://devel.samba.org/ for information on how to do it properly. We prefer patches - in diff -u format.

    CONTRIBUTORS

    Contributors to the project are now too numerous + in diff -u format.

    CONTRIBUTORS

    Contributors to the project are now too numerous to mention here but all deserve the thanks of all Samba users. To see a full list, look at the change-log in the source package @@ -103,7 +101,7 @@ http://cvs.samba.org/ for the contributors to Samba post-CVS. CVS is the Open Source source code control system used by the Samba Team to develop - Samba. The project would have been unmanageable without it.

    AUTHOR

    The original Samba software and related utilities + Samba. The project would have been unmanageable without it.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbcacls.1.html samba-3.0.21/docs/htmldocs/manpages/smbcacls.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbcacls.1.html 2005-08-19 12:56:15.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbcacls.1.html 2005-12-19 10:17:00.000000000 -0600 @@ -1,5 +1,5 @@ -smbcacls

    Name

    smbcacls — Set or get ACLs on an NT file or directory names

    Synopsis

    smbcacls {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbcacls program manipulates NT Access Control - Lists (ACLs) on SMB file shares.

    OPTIONS

    The following options are available to the smbcacls program. +smbcacls

    Name

    smbcacls — Set or get ACLs on an NT file or directory names

    Synopsis

    smbcacls {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbcacls program manipulates NT Access Control + Lists (ACLs) on SMB file shares.

    OPTIONS

    The following options are available to the smbcacls program. The format of ACLs is described in the section ACL FORMAT

    -a acls

    Add the ACLs specified to the ACL list. Existing access control entries are unchanged.

    -M acls

    Modify the mask value (permissions) for the ACLs specified on the command line. An error will be printed for each @@ -36,7 +36,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -48,11 +48,11 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. -

    ACL FORMAT

    The format of an ACL is one or more ACL entries separated by +

    ACL FORMAT

    The format of an ACL is one or more ACL entries separated by either commas or newlines. An ACL entry is one of the following: 

     
 REVISION:<revision number>
 OWNER:<sid or name>
@@ -78,13 +78,13 @@
 	file permissions of the same name. 
    • R - Allow read access 
    • W - Allow write access
    • X - Execute permission on the object
    • D - Delete the object
    • P - Change permissions
    • O - Take ownership
    The following combined permissions can be specified:
    • READ -  Equivalent to 'RX'
 		permissions
    • CHANGE - Equivalent to 'RXWD' permissions
 		
    • FULL - Equivalent to 'RWXDPO' 
-		permissions

    EXIT STATUS

    The smbcacls program sets the exit status + permissions

    EXIT STATUS

    The smbcacls program sets the exit status depending on the success or otherwise of the operations performed. The exit status may be one of the following values.

    If the operation succeeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities + arguments, an exit status of 2 is returned.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    smbcacls was written by Andrew Tridgell diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbclient.1.html samba-3.0.21/docs/htmldocs/manpages/smbclient.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbclient.1.html 2005-08-19 12:56:18.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbclient.1.html 2005-12-19 10:17:03.000000000 -0600 @@ -1,11 +1,11 @@ smbclient

    Name

    smbclient — ftp-like client to access SMB/CIFS resources - on servers

    Synopsis

    smbclient [-b <buffer size>] [-d debuglevel] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k]

    smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logdir] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbclient is a client that can + on servers

    Synopsis

    smbclient [-b <buffer size>] [-d debuglevel] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k] [-P]

    smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logdir] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program (see ftp(1)). Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server - and so on.

    OPTIONS

    servicename

    servicename is the name of the service + and so on.

    OPTIONS

    servicename

    servicename is the name of the service you want to use on the server. A service name takes the form //server/service where server is the NetBIOS name of the SMB/CIFS server @@ -72,11 +72,13 @@ WinPopup the message will be lost, and no error message will occur.

    The message is also automatically truncated if the message is over 1600 bytes, as this is the limit of the protocol. -

    One useful trick is to cat the message through - smbclient. For example: - cat mymessage.txt | smbclient -M FRED will - send the message in the file mymessage.txt - to the machine FRED.

    You may also find the -U and +

    + One useful trick is to cat the message through smbclient. For example: +

    +cat mymessage.txt | smbclient -M FRED 
+

    + will send the message in the file mymessage.txt to the machine FRED. +

    You may also find the -U and -I options useful, as they allow you to control the FROM and TO parts of the message.

    See the message command parameter in the smb.conf(5) for a description of how to handle incoming WinPopup messages in Samba.

    Note: Copy WinPopup into the startup group @@ -84,7 +86,9 @@ messages.

    -p port

    This number is the TCP port number that will be used when making connections to the server. The standard (well-known) TCP port number for an SMB/CIFS server is 139, which is the - default.

    -h|--help

    Print a summary of command line options. + default.

    -P

    + Make queries to the external server using the machine account of the local server. +

    -h|--help

    Print a summary of command line options.

    -I IP-address

    IP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.

    Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution @@ -123,7 +127,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -135,7 +139,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -170,7 +174,7 @@ rpcclient to prompt for a password and type it in directly.

    -n <primary NetBIOS name>

    This option allows you to override the NetBIOS name that Samba uses for itself. This is identical -to setting the parameter in the smb.conf file. +to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

    -i <scope>

    This specifies a NetBIOS scope that @@ -248,7 +252,7 @@ only of any use with the tar -T option.

    -c command string

    command string is a semicolon-separated list of commands to be executed instead of prompting from stdin. -N is implied by -c.

    This is particularly useful in scripts and for printing stdin - to the server, e.g. -c 'print -'.

    OPERATIONS

    Once the client is running, the user is presented with + to the server, e.g. -c 'print -'.

    OPERATIONS

    Once the client is running, the user is presented with a prompt :

    smb:\>

    The backslash ("\\") indicates the current working directory on the server, and will change if the current working directory is changed.

    The prompt indicates that the client is ready and waiting to @@ -338,9 +342,7 @@ operation and non-recursive operation - refer to the recurse and mask commands for more information. Note that all transfers in smbclient are binary.

    print <file name>

    Print the specified file from the local machine - through a printable service on the server.

    See also the printmode command.

    printmode <graphics or text>

    Set the print mode to suit either binary data - (such as graphical information) or text. Subsequent print - commands will use the currently set print mode.

    prompt

    Toggle prompting for filenames during operation + through a printable service on the server.

    prompt

    Toggle prompting for filenames during operation of the mget and mput commands.

    When toggled ON, the user will be prompted to confirm the transfer of each file during these commands. When toggled OFF, all specified files will be transferred without prompting. @@ -385,14 +387,14 @@ archive bit setting (this is the default mode). In incremental mode, tar will only back up files with the archive bit set. In reset mode, tar will reset the archive bit on all files it backs up (implies - read/write share).

    NOTES

    Some servers are fussy about the case of supplied usernames, + read/write share).

    NOTES

    Some servers are fussy about the case of supplied usernames, passwords, share names (AKA service names) and machine names. If you fail to connect try giving all parameters in uppercase.

    It is often necessary to use the -n option when connecting to some types of servers. For example OS/2 LanManager insists on a valid NetBIOS name being used, so you need to supply a valid name that would be known to the server.

    smbclient supports long file names where the server - supports the LANMAN2 protocol or above.

    ENVIRONMENT VARIABLES

    The variable USER may contain the + supports the LANMAN2 protocol or above.

    ENVIRONMENT VARIABLES

    The variable USER may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords.

    The variable PASSWD may contain @@ -402,7 +404,7 @@ the path, executed with system(), which the client should connect to instead of connecting to a server. This functionality is primarily intended as a development aid, and works best when using a LMHOSTS - file

    INSTALLATION

    The location of the client program is a matter for + file

    INSTALLATION

    The location of the client program is a matter for individual system administrators. The following are thus suggestions only.

    It is recommended that the smbclient software be installed in the /usr/local/samba/bin/ or @@ -413,11 +415,11 @@ and writeable only by the user.

    To test the client, you will need to know the name of a running SMB/CIFS server. It is possible to run smbd(8) as an ordinary user - running that server as a daemon on a user-accessible port (typically any port number over 1024) - would provide a suitable test server.

    DIAGNOSTICS

    Most diagnostics issued by the client are logged in a + would provide a suitable test server.

    DIAGNOSTICS

    Most diagnostics issued by the client are logged in a specified log file. The log file name is specified at compile time, but may be overridden on the command line.

    The number and nature of diagnostics available depends on the debug level used by the client. If you have problems, - set the debug level to 3 and peruse the log files.

    VERSION

    This man page is correct for version 2.2 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities + set the debug level to 3 and peruse the log files.

    VERSION

    This man page is correct for version 3 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smb.conf.5.html samba-3.0.21/docs/htmldocs/manpages/smb.conf.5.html --- samba-3.0.20b/docs/htmldocs/manpages/smb.conf.5.html 2005-08-19 12:56:11.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smb.conf.5.html 2005-12-19 10:16:58.000000000 -0600 @@ -1,4 +1,4 @@ -smb.conf

    Name

    smb.conf — The configuration file for the Samba suite

    SYNOPSIS

    +smb.conf

    Name

    smb.conf — The configuration file for the Samba suite

    SYNOPSIS

    The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The smb.conf file is designed to be configured and administered by the swat(8) program. The @@ -6,7 +6,7 @@

    FILE FORMAT

    The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form: -

    +
     name = value 
 
    
 	
    
@@ -26,7 +26,7 @@
 	The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean,
 	which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
 	in string values. Some items such as create masks are numeric.
-

    SECTION DESCRIPTIONS

    +

    SECTION DESCRIPTIONS

    Each section in the configuration file (except for the [global] section) describes a shared resource (known as a “share”). The section name is the name of the shared resource and the parameters within the section define the shares attributes. @@ -53,11 +53,23 @@ UNIX user by the host system. The server does not grant more access than the host system grants.

    The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo: -

    [foo]
    path = /home/bar
    read only = read only = no

    +

    +	[foo]
+	path = /home/bar
+	read only = no
+

    +

    The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere): -

    [aprinter]
    path = /usr/spool/public
    read only = yes
    printable = yes
    guest ok = yes

    SPECIAL SECTIONS

    The [global] section

    +

    +	[aprinter]
+	path = /usr/spool/public
+	read only = yes
+	printable = yes
+	guest ok = yes
+

    +

    SPECIAL SECTIONS

    The [global] section

    Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

    The [homes] section

    @@ -77,7 +89,7 @@

    If you decide to use a path = line in your [homes] section, it may be useful to use the %S macro. For example: -

    +
     path = /data/pchome/%S
 
    
 		is useful if you have different home directories for your PCs than for UNIX access.
@@ -91,7 +103,11 @@
 		
    
 		The [homes] section can specify all the parameters a normal service section can specify, though some make more sense 
 		than others. The following is a typical and suitable [homes] section:
-		
     
    [homes]
    read only = no
    
+
    +[homes]
+read only = no
+
    
+		
    
 		An important point is that if guest access is specified in the [homes] section, all home directories will be 
 		visible to all clients without a password.  In the very unlikely event that this is actually
 		desirable, it is wise to also specify read only access.
@@ -119,14 +135,20 @@
 		
    
 		Typically the path specified is that of a world-writeable spool directory with the sticky bit set on 
 		it. A typical [printers] entry looks like this:
-		
     
    [printers]
    path = /usr/spool/public
    guest ok = yes
    printable = yes
    
+
    +[printers]
+path = /usr/spool/public
+guest ok = yes
+printable = yes
+
    
+		
    
 		All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. 
 		If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file
 		consisting of one or more lines like this:
-
    +
     alias|alias|alias|alias...    
 
    
-
    
+		
    
 		Each alias should be an acceptable printer name for your printing subsystem. In the [global] section,
 		specify the new file as your printcap.  The server will only recognize names found in your pseudo-printcap,
 		which of course can contain whatever aliases you like. The same technique could be used simply to limit access
@@ -138,7 +160,7 @@
 		On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
 		printcap name = lpstat to automatically obtain a list of printers. See the
 		printcap name option for more details.
-

    PARAMETERS

    Parameters define the specific attributes of sections.

    +

    PARAMETERS

    Parameters define the specific attributes of sections.

    Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be @@ -150,7 +172,7 @@ Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym. -

    VARIABLE SUBSTITUTIONS

    +

    VARIABLE SUBSTITUTIONS

    Many of the strings that are settable in the config file can take substitutions. For example the option “path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the username john. @@ -205,17 +227,26 @@ DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them. Default auto.

    default case = upper/lower

    - controls what the default case is for new filenames. Default lower. + controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). + Default lower. IMPORTANT NOTE: This option will be used to modify the case of + all incoming client filenames, not just new filenames if the options case sensitive = yes, preserve case = No, + short preserve case = No are set. This change is needed as part of the + optimisations for directories containing large numbers of files.

    preserve case = yes/no

    - controls whether new files are created with the case that the client passes, or if they are forced to be the - default case. Default yes. + controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case + that the client passes, or if they are forced to be the default case. Default + yes.

    short preserve case = yes/no

    - controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, - are created upper case, or if they are forced to be the default case. This option can be - used with preserve case = yes to permit long filenames to retain their case, while short - names are lowercased. Default yes. + controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created upper case, or if they are forced to be the + default case. This option can be used with preserve case = yes to permit + long filenames to retain their case, while short names are lowercased. Default yes.

    - By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. + By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive + but case preserving. As a special case for directories with large numbers of files, if the case + options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" + then the "default case" option will be applied and will modify all filenames sent from the client + when accessing this share.

    NOTE ABOUT USERNAME/PASSWORD VALIDATION

    There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection @@ -245,12 +276,32 @@

  • If the service is a guest service, a connection is made as the username given in the guest account = for the service, irrespective of the supplied password. -

    • EXPLANATION OF EACH PARAMETER

    abort shutdown script (G)

    This a full path name to a script called by smbd(8) that - should stop a shutdown procedure issued by the shutdown script.

    If the connected user posseses the SeRemoteShutdownPrivilege, +

    EXPLANATION OF EACH PARAMETER

    abort shutdown script (G)

    This a full path name to a script called by smbd(8) that + should stop a shutdown procedure issued by the shutdown script.

    If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as user.

    Default: abort shutdown script =

    Example: abort shutdown script = /sbin/shutdown -c +

    acl check permissions (S)

    This boolean parameter controls what smbd(8)does on receiving a protocol request of "open for delete" + from a Windows client. If a Windows client doesn't have permissions to delete a file then they + expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by + actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a + delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately + on "open for delete" request as we cannot restore such a deleted file. With this parameter set to + true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the + request without actually deleting the file if the file system permissions would seem to deny it. + This is not perfect, as it's possible a user could have deleted a file without Samba being able to + check the permissions correctly, but it is close enough to Windows semantics for mostly correct + behaviour. Samba will correctly check POSIX ACL semantics in this case. +

    If this parameter is set to "false" Samba doesn't check permissions on "open for delete" + and allows the open. If the user doesn't have permission to delete the file this will only be + discovered at close time, which is too late for the Windows user tools to display an error message + to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing + on a Windows explorer refersh. This is an extremely advanced protocol option which should not + need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version + with slightly different semantics was introduced in 3.0.20. That older version is not documented here. +

    Default: acl check permissions = True +

    acl compatibility (S)

    This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. @@ -276,7 +327,7 @@ directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on.

    - This parameter is best used with the inherit owner option and also + This parameter is best used with the inherit owner option and also on on a share containing directories with the UNIX setgid bit bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory. @@ -288,6 +339,13 @@ the user owner or superuser able to reset permissions.

    Default: acl group control = no +

    acl map full control (S)

    This boolean parameter controls whether smbd(8)maps a POSIX ACE entry of "rwx" (read/write/execute), + the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this + parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as + "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be + returned as the specific Windows ACL bits representing read, write and execute. +

    Default: acl map full control = True +

    add group script (G)

    This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This @@ -304,7 +362,7 @@

    Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u -

    addprinter command (G)

    With the introduction of MS-RPC based printing +

    add printer command (G)

    With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed a share listing. The APW @@ -329,9 +387,9 @@ The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares. -

    Default: addprinter command = +

    Default: add printer command = -

    Example: addprinter command = /usr/bin/addprinter +

    Example: add printer command = /usr/bin/addprinter

    add share command (G)

    Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The @@ -354,46 +412,55 @@ with the new share.

    This parameter is only used for add file shares. To add printer shares, - see the addprinter command. + see the addprinter command.

    Default: add share command =

    Example: add share command = /usr/local/bin/addshare -

    add user script (G)

    This is the full pathname to a script that will - be run AS ROOT by smbd(8) under special circumstances described below.

    Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server.

    In order to use this option, smbd(8) must NOT be set to security = share - and add user script - must be set to a full pathname for a script that will create a UNIX - user given one argument of %u, which expands into - the UNIX user name to create.

    When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and - attempts to authenticate the given user with the given password. If the - authentication succeeds then smbd - attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbd will - call the specified script AS ROOT, expanding - any %u argument to be the user name to create.

    If this script successfully creates the user then smbd - will continue on as though the UNIX user - already existed. In this way, UNIX users are dynamically created to - match existing Windows NT accounts.

    - See also security, password server, - delete user script. +

    add user script (G)

    + This is the full pathname to a script that will be run AS ROOT by + smbd(8) + under special circumstances described below. +

    + Normally, a Samba server requires that UNIX users are created for all users accessing + files on this server. For sites that use Windows NT account databases as their primary + user database creating these users and keeping the user list in sync with the Windows + NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server. +

    + In order to use this option, smbd(8) must NOT be set to + security = share and add user script + must be set to a full pathname for a script that will create a UNIX user given one argument of + %u, which expands into the UNIX user name to create. +

    + When the Windows user attempts to access the Samba server, at login (session setup in + the SMB protocol) time, smbd(8) contacts the password server + and attempts to authenticate the given user with the given password. If the authentication + succeeds then smbd attempts to find a UNIX user in the UNIX + password database to map the Windows user into. If this lookup fails, and + add user script is set then smbd will + call the specified script AS ROOT, expanding any + %u argument to be the user name to create. +

    + If this script successfully creates the user then smbd will + continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. +

    + See also security, password server, + delete user script.

    Default: add user script =

    Example: add user script = /usr/local/samba/bin/add_user %u -

    add user to group script (G)

    Full path to the script that will be called when - a user is added to a group using the Windows NT domain administration - tools. It will be run by smbd(8) AS ROOT. - Any %g will be replaced with the group name and +

    add user to group script (G)

    + Full path to the script that will be called when a user is added to a group using the Windows NT domain administration + tools. It will be run by smbd(8) + AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name. -

    Note that the adduser command used in the example below does - not support the used syntax on all systems.

    Default: add user to group script = +

    + Note that the adduser command used in the example below does + not support the used syntax on all systems. +

    Default: add user to group script =

    Example: add user to group script = /usr/sbin/adduser %u %g @@ -401,7 +468,7 @@ administrative privileges on the share. This means that they will do all file operations as the super-user (root).

    You should use this option very carefully, as any user in this list will be able to do anything they like on the share, - irrespective of file permissions.

    This parameter will not work with the security = share in + irrespective of file permissions.

    This parameter will not work with the security = share in Samba 3.0. This is by design.

    Default: admin users =

    Example: admin users = jason @@ -411,7 +478,7 @@ the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure. -

    Default: afs share = no +

    Default: afs share = no

    afs username map (G)

    If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. @@ -451,7 +518,7 @@ # (to disable roundups)

    allow trusted domains (G)

    - This option only takes effect when the security option is set to + This option only takes effect when the security option is set to server,domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running @@ -485,19 +552,23 @@

    Example: announce version = 2.0

    auth methods (G)

    - This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values - based on security. This should be considered a developer option and used only in rare - circumstances. In the majority (if not all) of production servers, the default setting should be adequate. -

    Each entry in the list attempts to authenticate the user in turn, until + This option allows the administrator to chose what authentication methods smbd + will use when authenticating a user. This option defaults to sensible values based on security. + This should be considered a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. +

    + Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. -

    Possible options include guest (anonymous access), +

    + Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the - remote DC directly from smbd; deprecated in favour of winbind method).

    Default: auth methods = + remote DC directly from smbd; deprecated in favour of winbind method). +

    Default: auth methods =

    Example: auth methods = guest sam winbind @@ -510,33 +581,33 @@ to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

    For name service it causes nmbd to bind to ports 137 and 138 on the - interfaces listed in the interfaces parameter. nmbd + interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will - service name requests on all of these sockets. If bind interfaces only is set then + service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the - interfaces parameter list. As unicast packets are received on the other sockets it + interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that - arrive through any interfaces not listed in the interfaces list. IP Source address + arrive through any interfaces not listed in the interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.

    - For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will + For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.

    - If bind interfaces only is set then unless the network address - 127.0.0.1 is added to the interfaces parameter list + If bind interfaces only is set then unless the network address + 127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below.

    To change a users SMB password, the smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If - bind interfaces only is set then unless the network address - 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using + bind interfaces only is set then unless the network address + 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

    @@ -576,7 +647,7 @@ set to yes. You should never need to change this.

    Default: browse list = yes -

    casesignames

    This parameter is a synonym for case sensitive.

    case sensitive (S)

    See the discussion in the section name mangling.

    Default: case sensitive = no +

    casesignames

    This parameter is a synonym for case sensitive.

    case sensitive (S)

    See the discussion in the section name mangling.

    Default: case sensitive = no

    change notify timeout (G)

    This SMB allows a client to tell a server to "watch" a particular directory for any changes and only reply to @@ -651,14 +722,13 @@

    client plaintext auth (G)

    Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

    Default: client plaintext auth = yes -

    client schannel (G)

    This controls whether the client offers or even - demands the use of the netlogon schannel. - client schannel = no does not - offer the schannel, client schannel = - auto offers the schannel but does not - enforce it, and client schannel = - yes denies access if the server is not - able to speak netlogon schannel.

    Default: client schannel = auto +

    client schannel (G)

    + This controls whether the client offers or even demands the use of the netlogon schannel. + client schannel = no does not offer the schannel, + client schannel = auto offers the schannel but does not + enforce it, and client schannel = yes denies access + if the server is not able to speak netlogon schannel. +

    Default: client schannel = auto

    Example: client schannel = yes @@ -680,7 +750,7 @@ when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

    If you want to set the string that is displayed next to the - machine name then see the server string parameter.

    Default: comment = + machine name then see the server string parameter.

    Default: comment = # No comment

    Example: comment = Fred's Files @@ -715,33 +785,40 @@ write and execute bits from the UNIX modes.

    Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the - force create mode parameter which is set to 000 by default. + force create mode parameter which is set to 000 by default.

    - This parameter does not affect directory masks. See the parameter directory mask + This parameter does not affect directory masks. See the parameter directory mask for details.

    Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the security mask. + administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

    Default: create mask = 0744

    Example: create mask = 0775 -

    csc policy (S)

    This stands for client-side caching - policy, and specifies how clients capable of offline - caching will cache the files in the share. The valid values - are: manual, documents, programs, disable.

    These values correspond to those used on Windows servers.

    For example, shares containing roaming profiles can have - offline caching disabled using csc policy = disable.

    Default: csc policy = manual +

    csc policy (S)

    + This stands for client-side caching policy, and specifies how clients capable of offline + caching will cache the files in the share. The valid values are: manual, documents, programs, disable. +

    + These values correspond to those used on Windows servers. +

    + For example, shares containing roaming profiles can have offline caching disabled using + csc policy = disable. +

    Default: csc policy = manual

    Example: csc policy = programs

    cups options (S)

    - This parameter is only applicable if printing is + This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library. -

    You can pass any generic print option known to CUPS (as listed +

    + You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") - valid for the target queue.

    You should set this parameter to raw if your CUPS server + valid for the target queue. +

    + You should set this parameter to raw if your CUPS server error_log file contains messages such as "Unsupported format 'application/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable @@ -750,10 +827,12 @@

    Example: cups options = "raw,media=a4,job-sheets=secret,secret" -

    cups server (G)

    This parameter is only applicable if printing is set to cups. -

    If set, this option overrides the ServerName option in the CUPS - client.conf. This is necessary if you have virtual - samba servers that connect to different CUPS daemons.

    Default: cups server = "" +

    cups server (G)

    + This parameter is only applicable if printing is set to cups. +

    + If set, this option overrides the ServerName option in the CUPS client.conf. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. +

    Default: cups server = ""

    Example: cups server = MYCUPSSERVER @@ -769,35 +848,38 @@

    Example: deadtime = 15 -

    debug hires timestamp (G)

    Sometimes the timestamps in the log messages - are needed with a resolution of higher that seconds, this - boolean parameter adds microsecond resolution to the timestamp - message header when turned on.

    - Note that the parameter debug timestamp must be on for this to have an - effect.

    Default: debug hires timestamp = no - -

    debug pid (G)

    When using only one log file for more then one forked - smbd(8)-process there may be hard to - follow which process outputs which message. This boolean parameter - is adds the process-id to the timestamp message headers in the - logfile when turned on.

    Note that the parameter debug timestamp must be on for this to have an - effect.

    Default: debug pid = no - -

    timestamp logs

    This parameter is a synonym for debug timestamp.

    debug timestamp (G)

    Samba debug log messages are timestamped - by default. If you are running at a high debug level these timestamps - can be distracting. This boolean parameter allows timestamping - to be turned off.

    Default: debug timestamp = yes - -

    debug uid (G)

    Samba is sometimes run as root and sometime - run as the connected user, this boolean parameter inserts the - current euid, egid, uid and gid to the timestamp message headers - in the log file if turned on.

    Note that the parameter debug timestamp must be on for this to have an - effect.

    Default: debug uid = no +

    debug hires timestamp (G)

    + Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp message header when turned on. +

    + Note that the parameter debug timestamp must be on for this to have an effect. +

    Default: debug hires timestamp = no -

    default case (S)

    See the section on name mangling - . Also note the short preserve case parameter.

    Default: default case = lower +

    debug pid (G)

    + When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which + message. This boolean parameter is adds the process-id to the timestamp message headers in the + logfile when turned on. +

    + Note that the parameter debug timestamp must be on for this to have an effect. +

    Default: debug pid = no + +

    timestamp logs

    This parameter is a synonym for debug timestamp.

    debug timestamp (G)

    + Samba debug log messages are timestamped by default. If you are running at a high + debug level these timestamps can be distracting. This + boolean parameter allows timestamping to be turned off. +

    Default: debug timestamp = yes + +

    debug uid (G)

    + Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. +

    + Note that the parameter debug timestamp must be on for this to have an effect. +

    Default: debug uid = no -

    default devmode (S)

    This parameter is only applicable to printable services. +

    default case (S)

    See the section on name mangling + . Also note the short preserve case parameter.

    Default: default case = lower + +

    default devmode (S)

    This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be @@ -826,7 +908,7 @@ given in the parameter value (see example below).

    There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

    - Typically the default service would be a guest ok, read-only service.

    Also note that the apparent service name will be changed to equal + Typically the default service would be a guest ok, read-only service.

    Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service.

    Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for @@ -842,7 +924,7 @@ smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime. -

    Unix by default does not have this behaviour.

    +

    UNIX by default does not have this behaviour.

    There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.

    Default: defer sharing violations = True @@ -858,16 +940,16 @@ possible to delete printer at run time by issuing the DeletePrinter() RPC call.

    For a Samba host this means that the printer must be physically deleted from underlying printing system. The - deleteprinter command defines a script to be run which + deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf. -

    The deleteprinter command is - automatically called with only one parameter: printer name. -

    Once the deleteprinter command has +

    The deleteprinter command is + automatically called with only one parameter: printer name. +

    Once the deleteprinter command has been executed, smbd will reparse the smb.conf to associated printer no longer exists. If the sharename is still valid, then smbd - will return an ACCESS_DENIED error to the client.

    Default: deleteprinter command = + will return an ACCESS_DENIED error to the client.

    Default: deleteprinter command =

    Example: deleteprinter command = /usr/bin/removeprinter @@ -893,7 +975,7 @@ the existing service.

    This parameter is only used to remove file shares. To delete printer shares, - see the deleteprinter command. + see the deleteprinter command.

    Default: delete share command =

    Example: delete share command = /usr/local/bin/delshare @@ -918,7 +1000,7 @@

    delete veto files (S)

    This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories - (see the veto files + (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

    If this option is set to yes, then Samba @@ -926,36 +1008,60 @@ the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might normally veto DOS/Windows users from seeing - (e.g. .AppleDouble)

    Setting delete veto files = yes allows these + (e.g. .AppleDouble)

    Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

    Default: delete veto files = no -

    dfree command (G)

    The dfree command setting - should only be used on systems where a problem occurs with the - internal disk space calculations. This has been known to happen - with Ultrix, but may occur with other operating systems. The - symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing.

    This setting allows the replacement of the internal routines to - calculate the total disk space and amount available with an external - routine. The example below gives a possible script that might fulfill - this function.

    The external program will be passed a single parameter indicating - a directory in the filesystem being queried. This will typically consist - of the string ./. The script should return two - integers in ASCII. The first should be the total disk space in blocks, - and the second should be the number of available blocks. An optional - third return value can give the block size in bytes. The default - blocksize is 1024 bytes.

    Note: Your script should NOT be setuid or - setgid and should be owned by (and writeable only by) root!

    Where the script dfree (which must be made executable) could be:

     
+
    dfree cache time (S)

    + The dfree cache time should only be used on systems where a problem + occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur + with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the + end of each directory listing. +

    + This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will + cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily + loaded server to prevent rapid spawning of dfree command scripts increasing the load. +

    + By default this parameter is zero, meaning no caching will be done. +

    No default

    Example: dfree cache time = dfree cache time = 60 + +

    dfree command (S)

    + The dfree command setting should only be used on systems where a + problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may + occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" + at the end of each directory listing. +

    + This setting allows the replacement of the internal routines to calculate the total disk space and amount + available with an external routine. The example below gives a possible script that might fulfill this + function. +

    + In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the + parameter dfree cache time was added to allow the output of this script to be cached + for systems under heavy load. +

    + The external program will be passed a single parameter indicating a directory in the filesystem being queried. + This will typically consist of the string ./. The script should return + two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number + of available blocks. An optional third return value can give the block size in bytes. The default blocksize is + 1024 bytes. +

    + Note: Your script should NOT be setuid or setgid and should be owned by (and writeable + only by) root! +

    + Where the script dfree (which must be made executable) could be: +

     
 #!/bin/sh
 df $1 | tail -1 | awk '{print $2" "$4}'
-

    or perhaps (on Sys V based systems):

     
+

    + or perhaps (on Sys V based systems): +

     
 #!/bin/sh
 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-

    Note that you may have to replace the command names with full path names on some systems.

    Default: dfree command = -# By default internal routines for - determining the disk capacity and remaining space will be used. - -

    Example: dfree command = /usr/local/samba/bin/dfree +

    + Note that you may have to replace the command names with full path names on some systems. +

    + By default internal routines for determining the disk capacity and remaining space will be used. +

    No default

    Example: dfree command = /usr/local/samba/bin/dfree

    directory mode

    This parameter is a synonym for directory mask.

    directory mask (S)

    This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX @@ -968,10 +1074,10 @@ created.

    The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

    Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the force directory mode parameter. + created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

    Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the directory security mask.

    Default: directory mask = 0755 + a mask on access control lists also, they need to set the directory security mask.

    Default: directory mask = 0755

    Example: directory mask = 0775 @@ -980,7 +1086,7 @@ permission on a directory using the native NT security dialog box.

    This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not - in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND. + in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

    If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world @@ -1012,7 +1118,7 @@

    display charset (G)

    Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use. - Should generally be the same as the unix charset. + Should generally be the same as the unix charset.

    Default: display charset = ASCII

    Example: display charset = UTF8 @@ -1029,34 +1135,38 @@

    domain logons (G)

    If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the - workgroup it is in. + workgroup it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection.

    Default: domain logons = no -

    domain master (G)

    Tell smbd(8) to enable WAN-wide browse list - collation. Setting this option causes nmbd to - claim a special domain specific NetBIOS name that identifies - it as a domain master browser for its given - workgroup. Local master browsers - in the same workgroup on broadcast-isolated - subnets will give this nmbd their local browse lists, - and then ask smbd(8) for a complete copy of the browse - list for the whole wide area network. Browser clients will then contact - their local master browser, and will receive the domain-wide browse list, - instead of just the list for their broadcast-isolated subnet.

    Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroup specific special - NetBIOS name that identifies them as domain master browsers for - that workgroup by default (i.e. there is no - way to prevent a Windows NT PDC from attempting to do this). This - means that if this parameter is set and nmbd claims - the special name for a workgroup before a Windows - NT PDC is able to do so then cross subnet browsing will behave - strangely and may fail.

    If domain logons = yes - , then the default behavior is to enable the domain master parameter. If domain logons is - not enabled (the default setting), then neither will domain master be enabled by default.

    Default: domain master = auto +

    domain master (G)

    + Tell smbd(8) to enable + WAN-wide browse list collation. Setting this option causes nmbd to claim a + special domain specific NetBIOS name that identifies it as a domain master browser for its given + workgroup. Local master browsers in the same workgroup on + broadcast-isolated subnets will give this nmbd their local browse lists, + and then ask smbd(8) for a + complete copy of the browse list for the whole wide area network. Browser clients will then contact their + local master browser, and will receive the domain-wide browse list, instead of just the list for their + broadcast-isolated subnet. +

    + Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that + workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting + to do this). This means that if this parameter is set and nmbd claims the + special name for a workgroup before a Windows NT PDC is able to do so then cross + subnet browsing will behave strangely and may fail. +

    + If domain logons = yes, then the default behavior is to enable the + domain master parameter. If domain logons is not enabled (the + default setting), then neither will domain master be enabled by default. +

    + When domain logons = Yes the default setting for this parameter is + Yes, with the result that Samba will be a PDC. If domain master = No, + Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC. +

    Default: domain master = auto

    dont descend (S)

    There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not @@ -1168,7 +1278,7 @@

    In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which + and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.

    Default: encrypt passwords = yes @@ -1198,10 +1308,23 @@ can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response - to the level 1 and 2 EnumPorts() RPC.

    Default: enumports command = + to the level 1 and 2 EnumPorts() RPC.

    Default: enumports command =

    Example: enumports command = /usr/bin/listports +

    eventlog list (G)

    This option defines a list of log names that Samba will + report to the Microsoft EventViewer utility. The listed + eventlogs will be associated with tdb file on disk in the + $(libdir)/eventlog. +

    + The administrator must use an external process to parse the normal + Unix logs such as /var/log/messages + and write then entries to the eventlog tdb files. Refer to the + eventlogadm(8) utility for how to write eventlog entries. +

    Default: eventlog list = + +

    Example: eventlog list = Security Application Syslog Apache +

    fake directory create times (S)

    NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default @@ -1231,7 +1354,7 @@ cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

    When you set fake oplocks = yes, smbd(8) will - always grant oplock requests no matter how many clients are using the file.

    It is generally much better to use the real oplocks support rather + always grant oplock requests no matter how many clients are using the file.

    It is generally much better to use the real oplocks support rather than this parameter.

    If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see @@ -1240,16 +1363,15 @@ files read-write at the same time you can get data corruption. Use this option carefully!

    Default: fake oplocks = no -

    follow symlinks (S)

    This parameter allows the Samba administrator - to stop smbd(8) from following symbolic - links in a particular share. Setting this - parameter to no prevents any file or directory - that is a symbolic link from being followed (the user will get an - error). This option is very useful to stop users from adding a - symbolic link to /etc/passwd in their home - directory for instance. However it will slow filename lookups - down slightly.

    This option is enabled (i.e. smbd will - follow symbolic links) by default.

    Default: follow symlinks = yes +

    follow symlinks (S)

    + This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this + parameter to no prevents any file or directory that is a symbolic link from being + followed (the user will get an error). This option is very useful to stop users from adding a symbolic + link to /etc/passwd in their home directory for instance. However + it will slow filename lookups down slightly. +

    + This option is enabled (i.e. smbd will follow symbolic links) by default. +

    Default: follow symlinks = yes

    force create mode (S)

    This parameter specifies a set of UNIX mode bit permissions that will always be set on a @@ -1282,7 +1404,7 @@ the UNIX permission on a directory using the native NT security dialog box.

    This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead + mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead of an OR.

    Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, @@ -1316,7 +1438,7 @@ that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

    - If the force user parameter is also set the group specified in + If the force user parameter is also set the group specified in force group will override the primary group set in force user.

    Default: force group = @@ -1350,7 +1472,7 @@ the UNIX permission on a file using the native NT security dialog box.

    This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR. + mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR.

    Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on. @@ -1365,19 +1487,19 @@

    Example: force security mode = 700 -

    force unknown acl user (S)

    If this parameter is set, a Windows NT ACL that contains an unknown - SID (security descriptor, or representation of a user or group - id) as the owner or group owner of the file will be silently - mapped into the current UNIX uid or gid of the currently - connected user.

    This is designed to allow Windows NT clients to copy files and - folders containing ACLs that were created locally on the client - machine and contain users local to that machine only (no domain - users) to be copied to a Samba server (usually with XCOPY /O) - and have the unknown userid and groupid of the file owner map to - the current connected user. This can only be fixed correctly - when winbindd allows arbitrary mapping from any Windows NT SID - to a UNIX uid or gid.

    Try using this parameter when XCOPY /O gives an ACCESS_DENIED - error.

    Default: force unknown acl user = no +

    force unknown acl user (S)

    + If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or + representation of a user or group id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently connected user. +

    + This is designed to allow Windows NT clients to copy files and folders containing ACLs that were + created locally on the client machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and + groupid of the file owner map to the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid. +

    + Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. +

    Default: force unknown acl user = no

    force user (S)

    This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. @@ -1393,13 +1515,13 @@

    Example: force user = auser -

    fstype (S)

    This parameter allows the administrator to - configure the string that specifies the type of filesystem a share - is using that is reported by smbd(8) when a client queries the filesystem type - for a share. The default type is NTFS for - compatibility with Windows NT but this can be changed to other - strings such as Samba or FAT - if required.

    Default: fstype = NTFS +

    fstype (S)

    + This parameter allows the administrator to configure the string that specifies the type of filesystem a share + is using that is reported by smbd(8) + when a client queries the filesystem type for a share. The default type is NTFS for compatibility + with Windows NT but this can be changed to other strings such as Samba or FAT + if required. +

    Default: fstype = NTFS

    Example: fstype = Samba @@ -1418,10 +1540,10 @@

    getwd cache (G)

    This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially - when the wide smbconfoptions parameter is set to no.

    Default: getwd cache = yes + when the wide smbconfoptions parameter is set to no.

    Default: getwd cache = yes

    guest account (G)

    This is a username which will be used for access - to services which are specified as guest ok (see below). Whatever privileges this + to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice @@ -1440,14 +1562,14 @@

    public

    This parameter is a synonym for guest ok.

    guest ok (S)

    If this parameter is yes for a service, then no password is required to connect to the service. - Privileges will be those of the guest account.

    This paramater nullifies the benifits of setting - restrict anonymous = 2 -

    See the section below on security for more information about this option. + Privileges will be those of the guest account.

    This paramater nullifies the benifits of setting + restrict anonymous = 2 +

    See the section below on security for more information about this option.

    Default: guest ok = no

    only guest

    This parameter is a synonym for guest only.

    guest only (S)

    If this parameter is yes for a service, then only guest connections to the service are permitted. - This parameter will have no effect if guest ok is not set for the service.

    See the section below on security for more information about this option. + This parameter will have no effect if guest ok is not set for the service.

    See the section below on security for more information about this option.

    Default: guest only = no

    hide dot files (S)

    This is a boolean parameter that controls whether @@ -1469,43 +1591,46 @@ all files beginning with a dot.

    An example of us of this parameter is: -

    +
     hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
 
    
 	
    Default: hide files = 
 # no file are hidden
 
-
    hide special files (S)

    This parameter prevents clients from seeing - special files such as sockets, devices and fifo's in directory - listings. -

    Default: hide special files = no +

    hide special files (S)

    + This parameter prevents clients from seeing special files such as sockets, devices and + fifo's in directory listings. +

    Default: hide special files = no

    hide unreadable (S)

    This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.

    Default: hide unreadable = no -

    hide unwriteable files (S)

    This parameter prevents clients from seeing - the existance of files that cannot be written to. Defaults to off. - Note that unwriteable directories are shown as usual. -

    Default: hide unwriteable files = no - -

    homedir map (G)

    If nis homedir is yes, - and smbd(8) is also acting - as a Win95/98 logon server then this parameter - specifies the NIS (or YP) map from which the server for the user's - home directory should be extracted. At present, only the Sun - auto.home map format is understood. The form of the map is:

    username server:/some/file/system

    and the program will extract the servername from before - the first ':'. There should probably be a better parsing system - that copes with different map formats and also Amd (another - automounter) maps.

    Note

    A working NIS client is required on - the system for this option to work.

    Default: homedir map = +

    hide unwriteable files (S)

    + This parameter prevents clients from seeing the existance of files that cannot be written to. + Defaults to off. Note that unwriteable directories are shown as usual. +

    Default: hide unwriteable files = no + +

    homedir map (G)

    + If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server + then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. + At present, only the Sun auto.home map format is understood. The form of the map is: +

    +username server:/some/file/system
+

    + and the program will extract the servername from before the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another automounter) maps. +

    Note

    + A working NIS client is required on the system for this option to work. +

    Default: homedir map =

    Example: homedir map = amd.homedir -

    host msdfs (G)

    If set to yes, Samba will act as a Dfs - server, and allow Dfs-aware clients to browse Dfs trees hosted - on the server.

    See also the msdfs root share level parameter. For - more information on setting up a Dfs tree on Samba, - refer to the MSFDS chapter in the book Samba3-HOWTO. +

    host msdfs (G)

    + If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse + Dfs trees hosted on the server. +

    + See also the msdfs root share level parameter. For more information on + setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.

    Default: host msdfs = no

    hostname lookups (G)

    Specifies whether samba should use (expensive) @@ -1516,18 +1641,17 @@

    Example: hostname lookups = yes -

    allow hosts

    This parameter is a synonym for hosts allow.

    hosts allow (S)

    A synonym for this parameter is allow - hosts.

    This parameter is a comma, space, or tab delimited +

    allow hosts

    This parameter is a synonym for hosts allow.

    hosts allow (S)

    A synonym for this parameter is allow hosts.

    This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

    If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

    You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man + Class C subnet with something like allow hosts = 150.203.5.. + The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

    Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a hosts deny option.

    You can also specify hosts by network/netmask pairs and + be allowed access unless specifically denied by a hosts deny option.

    You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

    Example 1: allow all IPs in 150.203.*.*; except one

    hosts allow = 150.203. EXCEPT 150.203.6.66

    Example 2: allow hosts that match the given network/netmask

    hosts allow = 150.203.15.0/255.255.255.0

    Example 3: allow a couple of hosts

    hosts allow = lapland, arvidsjaur

    Example 4: allow only hosts in NIS netgroup "foonet", but @@ -1541,7 +1665,12 @@ - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow - list takes precedence.

    Default: hosts deny = + list takes precedence.

    + In the event that it is necessary to deny all by default, use the keyword + ALL (or the netmask 0.0.0.0/0) and then explicitly specify + to the hosts allow = hosts allow parameter those hosts + that should be permitted access. +

    Default: hosts deny = # none (i.e., no hosts specifically excluded)

    Example: hosts deny = 150.203.4. badhost.mynet.edu.au @@ -1549,7 +1678,7 @@

    hosts equiv (G)

    If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password. -

    This is not be confused with hosts allow which is about hosts +

    This is not be confused with hosts allow which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to Samba.

    Note

    The use of hosts equiv @@ -1577,11 +1706,18 @@ “allow trusted domains = No” must be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must also be specified. +

    + Finally, using the idmap_ad module, the UID and GID can directly + be retrieved from an Active Directory LDAP Server that supports an + RFC2307 compliant LDAP schema. idmap_ad supports "Services for Unix" + (SFU) version 2.x and 3.0.

    Default: idmap backend =

    Example: idmap backend = ldap:ldap://ldapslave.example.com -

    Example: idmap backend = idmap_rid:DOMNAME=1000-100000000 +

    Example: idmap backend = idmap_rid:BUILTIN=1000-1999,DOMNAME=2000-100000000 + +

    Example: idmap backend = idmap_ad

    winbind gid

    This parameter is a synonym for idmap gid.

    idmap gid (G)

    The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no @@ -1596,11 +1732,13 @@

    Example: idmap uid = 10000-20000 -

    include (G)

    This allows you to include one config file - inside another. The file is included literally, as though typed - in place.

    It takes the standard substitutions, except %u - , %P and %S. -

    Default: include = +

    include (G)

    + This allows you to include one config file inside another. The file is included literally, as though typed + in place. +

    + It takes the standard substitutions, except %u, + %P and %S. +

    Default: include =

    Example: include = /usr/local/samba/lib/admin_smb.conf @@ -1621,12 +1759,12 @@ roaming profile directory are actually owner by the user.

    Default: inherit owner = no

    inherit permissions (S)

    - The permissions on new files and directories are normally governed by create mask, - directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this. + The permissions on new files and directories are normally governed by create mask, + directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

    New directories inherit the mode of the parent directory, including bits such as setgid.

    New files inherit their read/write bits from the parent directory. Their execute bits continue to be - determined by map archive, map hidden and map system as usual. + determined by map archive, map hidden and map system as usual.

    Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

    This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] @@ -1645,16 +1783,16 @@ as 24 for a C class network) or a full netmask in dotted decimal form.

    The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via - the OS's normal hostname resolution mechanisms.

    Default: interfaces = -# all active interfaces except 127.0.0.1 that are broadcast capable - -

    Example: interfaces = - -# This would configure three network interfaces corresponding + the OS's normal hostname resolution mechanisms.

    + By default Samba enables all active interfaces that are broadcast capable + except the loopback adaptor (IP address 127.0.0.1). +

    + The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0. - eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 - +

    Default: interfaces = + +

    Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

    invalid users (S)

    This is a list of users that should not be allowed to login to this service. This is really a paranoid @@ -1676,12 +1814,21 @@

    Example: invalid users = root fred admin @wheel +

    iprint server (G)

    + This parameter is only applicable if printing is set to iprint. +

    + If set, this option overrides the ServerName option in the CUPS client.conf. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. +

    Default: iprint server = "" + +

    Example: iprint server = MYCUPSSERVER +

    keepalive (G)

    The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.

    Keepalives should, in general, not be needed if the socket - has the SO_KEEPALIVE attribute set on it by default. (see socket options). + has the SO_KEEPALIVE attribute set on it by default. (see socket options). Basically you should only use this option if you strike difficulties.

    Default: keepalive = 300

    Example: keepalive = 600 @@ -1693,7 +1840,7 @@ change notification to user programs, using the F_NOTIFY fcntl.

    Default: kernel change notify = yes -

    kernel oplocks (G)

    For UNIXes that support kernel based oplocks +

    kernel oplocks (G)

    For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

    Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation @@ -1730,36 +1877,38 @@ tested as some other Samba code paths.

    Default: large readwrite = yes

    ldap admin dn (G)

    - The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact - the ldap server when retreiving user account information. The ldap admin dn is used + The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact + the ldap server when retreiving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd(8) man page for more information on how to accomplish this.

    - The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn. + The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn.

    No default

    ldap delete dn (G)

    This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba. -

    Default: ldap delete dn = no +

    Default: ldap delete dn = no

    ldap group suffix (G)

    This parameters specifies the suffix that is used for groups when these are added to the LDAP directory. - If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN.

    Default: ldap group suffix = + If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.

    Default: ldap group suffix =

    Example: ldap group suffix = ou=Groups -

    ldap idmap suffix (G)

    This parameters specifies the suffix that is - used when storing idmap mappings. If this parameter - is unset, the value of ldap suffix - will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN.

    Default: ldap idmap suffix = +

    ldap idmap suffix (G)

    + This parameters specifies the suffix that is used when storing idmap mappings. If this parameter + is unset, the value of ldap suffix will be used instead. The suffix + string is pre-pended to the ldap suffix string so use a partial DN. +

    Default: ldap idmap suffix =

    Example: ldap idmap suffix = ou=Idmap -

    ldap machine suffix (G)

    It specifies where machines should be added to the ldap tree. - If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN.

    Default: ldap machine suffix = +

    ldap machine suffix (G)

    + It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of + ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN. +

    Default: ldap machine suffix =

    Example: ldap machine suffix = ou=Computers @@ -1767,33 +1916,37 @@ This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA. -

    The ldap passwd sync can be set to one of three values:

    • Yes = Try +

      + The ldap passwd sync can be set to one of three values: +

      • Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

      • No = Update NT and LM passwords and update the pwdLastSet time.

      • Only = Only update the LDAP password and let the LDAP server do the rest.

      Default: ldap passwd sync = no -

    ldap port (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time.

    This option is used to control the tcp port number used to contact - the ldap server. - The default is to use the stand LDAPS port 636.

    Default: ldap port = 636 +

    ldap port (G)

    + This parameter is only available if Samba has been configure to include the + --with-ldapsam option at compile time. +

    + This option is used to control the tcp port number used to contact the + ldap server. The default is to use the stand LDAPS port 636. +

    Default: ldap port = 636 # if ldap ssl = on

    Default: ldap port = 389 # if ldap ssl = off -

    ldap replication sleep (G)

    When Samba is asked to write to a read-only LDAP -replica, we are redirected to talk to the read-write master server. -This server then replicates our changes back to the 'local' server, -however the replication might take some seconds, especially over slow -links. Certain client activities, particularly domain joins, can become -confused by the 'success' that does not immediately change the LDAP -back-end's data.

    This option simply causes Samba to wait a short time, to -allow the LDAP server to catch up. If you have a particularly -high-latency network, you may wish to time the LDAP replication with a -network sniffer, and increase this value accordingly. Be aware that no -checking is performed that the data has actually replicated.

    The value is specified in milliseconds, the maximum -value is 5000 (5 seconds).

    Default: ldap replication sleep = 1000 +

    ldap replication sleep (G)

    + When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. + This server then replicates our changes back to the 'local' server, however the replication might take some seconds, + especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' + that does not immediately change the LDAP back-end's data. +

    + This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly + high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. + Be aware that no checking is performed that the data has actually replicated. +

    + The value is specified in milliseconds, the maximum value is 5000 (5 seconds). +

    Default: ldap replication sleep = 1000

    ldapsam:trusted (G)

    By default, Samba as a Domain Controller with an LDAP backend needs to use the @@ -1824,33 +1977,34 @@ This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure - script.

    The ldap ssl can be set to one of three values:

    • Off = Never + script.

      The ldap ssl can be set to one of three values:

      • Off = Never use SSL when querying the directory.

      • Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.

      • On = Use SSL on the ldaps port when contacting the ldap server. Only available when the backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend

      Default: ldap ssl = start_tls + to configure. See passdb backend

    Default: ldap ssl = start_tls

    ldap suffix (G)

    Specifies the base for all ldap suffixes and for storing the sambaDomain object.

    - The ldap suffix will be appended to the values specified for the ldap user suffix, - ldap group suffix, ldap machine suffix, and the - ldap idmap suffix. Each of these should be given only a DN relative to the - ldap suffix. + The ldap suffix will be appended to the values specified for the ldap user suffix, + ldap group suffix, ldap machine suffix, and the + ldap idmap suffix. Each of these should be given only a DN relative to the + ldap suffix.

    Default: ldap suffix =

    Example: ldap suffix = dc=samba,dc=org -

    ldap timeout (G)

    When Samba connects to an ldap server that server -may be down or unreachable. To prevent Samba from hanging whilst -waiting for the connection this parameter specifies in seconds how -long Samba should wait before failing the connect. The default is -to only wait fifteen seconds for the ldap server to respond to the -connect request.

    Default: ldap timeout = 15 - -

    ldap user suffix (G)

    This parameter specifies where users are added to the tree. - If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the - ldap suffix string so use a partial DN.

    Default: ldap user suffix = +

    ldap timeout (G)

    + When Samba connects to an ldap server that servermay be down or unreachable. To prevent Samba from hanging whilst + waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the + connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request. +

    Default: ldap timeout = 15 + +

    ldap user suffix (G)

    + This parameter specifies where users are added to the tree. If this parameter is unset, + the value of ldap suffix will be used instead. The suffix + string is pre-pended to the ldap suffix string so use a partial DN. +

    Default: ldap user suffix =

    Example: ldap user suffix = ou=people @@ -1868,9 +2022,9 @@ or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

    It is recommended that this parameter be turned on to speed access to shared executables.

    For more discussions on level2 oplocks see the CIFS spec.

    - Currently, if kernel oplocks are supported then + Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to - yes). Note also, the oplocks + yes). Note also, the oplocks parameter must be set to yes on this share in order for this parameter to have any effect.

    Default: level2 oplocks = yes @@ -1882,28 +2036,28 @@ If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to auto + lm interval. If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter - lm interval.

    Default: lm announce = auto + lm interval.

    Default: lm announce = auto

    Example: lm announce = yes

    lm interval (G)

    If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the - lm announce parameter) then this + lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announce + made despite the setting of the lm announce parameter.

    Default: lm interval = 60

    Example: lm interval = 120

    load printers (G)

    A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the printers section for - more details.

    Default: load printers = yes + See the printers section for + more details.

    Default: load printers = yes

    local master (G)

    This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then @@ -1917,7 +2071,7 @@

    lock dir

    This parameter is a synonym for lock directory.

    lock directory (G)

    This option specifies the directory where lock files will be placed. The lock files are used to implement the - max connections option. + max connections option.

    Default: lock directory = ${prefix}/var/locks

    Example: lock directory = /var/run/samba/locks @@ -1940,27 +2094,30 @@ in case the lock could later be acquired. This behavior is used to support PC database formats such as MS Access and FoxPro. -

    Default: lock spin count = 3 +

    Default: lock spin count = 3

    lock spin time (G)

    The time in microseconds that smbd should pause before attempting to gain a failed lock. See - lock spin count for more details.

    Default: lock spin time = 10 + lock spin count for more details.

    Default: lock spin time = 10 -

    log file (G)

    This option allows you to override the name - of the Samba log file (also known as the debug file).

    This option takes the standard substitutions, allowing - you to have separate log files for each user or machine.

    No default

    Example: log file = /usr/local/samba/var/log.%m - -

    debuglevel

    This parameter is a synonym for log level.

    log level (G)

    The value of the parameter (a astring) allows - the debug level (logging level) to be specified in the - smb.conf file. This parameter has been - extended since the 2.2.x series, now it allow to specify the debug - level for multiple debug classes. This is to give greater - flexibility in the configuration of the system.

    The default will be the log level specified on - the command line or level zero if none was specified.

    No default

    Example: log level = 3 passdb:5 auth:10 winbind:2 +

    log file (G)

    + This option allows you to override the name of the Samba log file (also known as the debug file). +

    + This option takes the standard substitutions, allowing you to have separate log files for each user or machine. +

    No default

    Example: log file = /usr/local/samba/var/log.%m + +

    debuglevel

    This parameter is a synonym for log level.

    log level (G)

    + The value of the parameter (a astring) allows the debug level (logging level) to be specified in the + smb.conf file. This parameter has been extended since the 2.2.x + series, now it allow to specify the debug level for multiple debug classes. This is to give greater + flexibility in the configuration of the system. +

    + The default will be the log level specified on the command line or level zero if none was specified. +

    No default

    Example: log level = 3 passdb:5 auth:10 winbind:2

    logon drive (G)

    This parameter specifies the local path to which the home directory will be - connected (see logon home) and is only used by NT + connected (see logon home) and is only used by NT Workstations.

    Note that this option is only useful if Samba is set up as a logon server. @@ -1987,12 +2144,12 @@ in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.

    - Note that in prior versions of Samba, the logon path was returned rather than + Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

    - Disable this feature by setting logon home = "" - using the empty string. + Disable this feature by setting logon home = "" - using the empty string.

    This option is only useful if Samba is set up as a logon server.

    Default: logon home = \\%N\%U @@ -2003,7 +2160,7 @@ This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the - logon home parameter. + logon home parameter.

    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", (desktop, start menu, network neighborhood, programs and other @@ -2022,23 +2179,23 @@

    This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

    Warning

    - Do not quote the value. Setting this as “\\%N\profile\%U” - will break profile handling. Where the tdbsam or ldapsam passdb backend - is used, at the time the user account is created the value configured - for this parameter is written to the passdb backend and that value will - over-ride the parameter value present in the smb.conf file. Any error - present in the passdb backend account record must be editted using the - appropriate tool (pdbedit on the command-line, or any other locally - provided system tool. -

    Note that this option is only useful if Samba is set up as a domain controller.

    + Do not quote the value. Setting this as “\\%N\profile\%U” + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be editted using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool. +

    Note that this option is only useful if Samba is set up as a domain controller.

    Disable the use of roaming profiles by setting the value of this parameter to the empty string. For - example, logon path = "". Take note that even if the default setting + example, logon path = "". Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use requires that the user account settings must also be blank.

    An example of use is: -

    +
     logon path = \\PROFILESERVER\PROFILE\%U
 
    
 	
    Default: logon path = \\%N\%U\profile
@@ -2049,15 +2206,18 @@
 	must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
 	
    
 	The script must be a relative path to the [netlogon] service.  If the [netlogon]
-	service specifies a path of /usr/local/samba/netlogon, and logon  script = STARTUP.BAT, then the file that will be downloaded is:
-	
    +	service specifies a path of /usr/local/samba/netlogon, and logon  script = STARTUP.BAT, then the file that will be downloaded is:
+
     	/usr/local/samba/netlogon/STARTUP.BAT
-	
    
+
    
 	
    
 	The contents of the batch file are entirely your choice.  A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the
 	same time server.  Another use would be to add NET USE U: \\SERVER\UTILS
-	for commonly used utilities, or 
     NET USE Q: \\SERVER\ISO9001_QA
     for
-	example.
+	for commonly used utilities, or 
+
    +NET USE Q: \\SERVER\ISO9001_QA
+
     
+	for example.
 	
    
 	Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
 	write permission on the batch files in a secure environment, as this would allow the batch files to be
@@ -2086,8 +2246,12 @@
     will have the SPOOLED or PRINTING status.
    Note that it is good practice to include the absolute path 
     in the lppause command as the PATH may not be available to the server.
    Default: lppause command = 
 # Currently no default value is given to 
-    this string, unless the value of the printing 
-	parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h. 
+    this string, unless the value of the printing 
+    parameter is SYSV, in which case the default is : 
+    lp -i %p-%j -H hold or if the value of the 
+    printing parameter is 
+    SOFTQ, then the default is: 
+    qstat -s -j%j -h. 
 
 
    Example: lppause command = /usr/bin/lpalt %p-%j -p0
 
@@ -2130,14 +2294,14 @@
     executed on the server host in order to restart or continue 
     printing or spooling a specific print job.
    This command should be a program or script which takes 
     a printer name and job number to resume the print job. See 
-    also the lppause command parameter.
    If a %p is given then the printer name 
+    also the lppause command parameter.
    If a %p is given then the printer name 
     is put in its place. A %j is replaced with 
     the job number (an integer).
    Note that it is good practice to include the absolute path 
     in the lpresume command as the PATH may not 
-    be available to the server.
    See also the printing parameter.
    Default: Currently no default value is given 
+    be available to the server.
    See also the printing parameter.
    Default: Currently no default value is given 
     to this string, unless the value of the printing 
     parameter is SYSV, in which case the default is :
    lp -i %p-%j -H resume
    or if the value of the printing parameter 
-		is SOFTQ, then the default is:
    qstat -s -j%j -r
    Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2
+    is SOFTQ, then the default is:
    qstat -s -j%j -r
    Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2
 
 
    lprm command (S)
    This parameter specifies the command to be 
     executed on the server host in order to delete a print job.
    This command should be a program or script which takes 
@@ -2147,7 +2311,7 @@
     path in the lprm command as the PATH may not be 
     available to the server.
    
 	Examples of use are:
-
    +
     lprm command = /usr/bin/lprm -P%p %j
 
 or
@@ -2156,22 +2320,22 @@
 
    
 	
    Default: lprm command =  determined by printing parameter
 
-
    machine password timeout (G)
    If a Samba server is a member of a Windows 
-		NT Domain (see the security = domain
-	parameter) then periodically a running smbd
-	 process will try and change the MACHINE ACCOUNT 
-	PASSWORD stored in the TDB called private/secrets.tdb
-	.  This parameter specifies how often this password 
-	will be changed, in seconds. The default is one week (expressed in 
-	seconds), the same as a Windows NT Domain member server.
    See also smbpasswd(8), and the security = domain parameter.
    Default: machine password timeout = 604800
+
    machine password timeout (G)
    
+	If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
+	the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb
+	.  This parameter specifies how often this password will be changed, in seconds. The default is one
+	week (expressed in seconds), the same as a Windows NT Domain member server.
+	
    
+	See also smbpasswd(8),
+	and the security = domain parameter.
+	
    Default: machine password timeout = 604800
 
 
    magic output (S)
    
-	This parameter specifies the name of a file 
-	which will contain output created by a magic script (see the 
-	magic script parameter below).
+	This parameter specifies the name of a file which will contain output created by a magic script (see the 
+	magic script parameter below).
 	
    Warning
    If two clients use the same magic script
-	 in the same directory the output file content
-	is undefined.
    Default: magic output = <magic script name>.out
+	 in the same directory the output file content is undefined.
+

    Default: magic output = <magic script name>.out

    Example: magic output = myfile.txt @@ -2181,7 +2345,7 @@ executed on behalf of the connected user.

    Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.

    If the script generates output, output will be sent to - the file specified by the magic output + the file specified by the magic output parameter (see above).

    Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable @@ -2191,23 +2355,30 @@

    Example: magic script = user.csh -

    mangled map (S)

    This is for those who want to directly map UNIX - file names which cannot be represented on Windows/DOS. The mangling - of names is not always what is needed. In particular you may have +

    mangled map (S)

    + This is for those who want to directly map UNIX file names which cannot be represented on + Windows/DOS. The mangling of names is not always what is needed. In particular you may have documents with file extensions that differ between DOS and UNIX. For example, under UNIX it is common to use .html for HTML files, whereas under Windows/DOS .htm - is more commonly used.

    So to map html to htm - you would use:

    mangled map = (*.html *.htm).

    One very useful case is to remove the annoying ;1 - off the ends of filenames on some CDROMs (only visible - under some UNIXes). To do this use a map of (*;1 *;).

    Default: mangled map = + is more commonly used. +

    + So to map html to htm + you would use: +

    + mangled map = (*.html *.htm). +

    + One very useful case is to remove the annoying ;1 off + the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of + (*;1 *;). +

    Default: mangled map = # no mangled map

    Example: mangled map = (*;1 *;)

    mangled names (S)

    This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, - or whether non-DOS names should simply be ignored.

    See the section on name mangling for + or whether non-DOS names should simply be ignored.

    See the section on name mangling for details on how to control the mangling process.

    If mangling is used then the mangling algorithm is as follows:

    • The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters @@ -2217,7 +2388,7 @@ extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.

      Note that the character to use may be specified using - the mangling char + the mangling char option, if you don't like '~'.

    • Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as @@ -2241,7 +2412,7 @@

      Example: mangle prefix = 4

    mangling char (S)

    This controls what character is used as - the magic character in name mangling. The + the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

    Default: mangling char = ~ @@ -2266,37 +2437,67 @@ POSIX ACL mapping code.

    Default: map acl inherit = no -

    map archive (S)

    This controls whether the DOS archive attribute +

    map archive (S)

    + This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can - be quite annoying for shared source code, documents, etc...

    Note that this requires the create mask - parameter to be set such that owner execute bit is not masked out - (i.e. it must include 100). See the parameter create mask for details.

    Default: map archive = yes - -

    map hidden (S)

    This controls whether DOS style hidden files - should be mapped to the UNIX world execute bit.

    Note that this requires the create mask - to be set such that the world execute bit is not masked out (i.e. - it must include 001). See the parameter create mask for details.

    No default

    map system (S)

    This controls whether DOS style system files - should be mapped to the UNIX group execute bit.

    Note that this requires the create mask - to be set such that the group execute bit is not masked out (i.e. - it must include 010). See the parameter create mask - for details.

    Default: map system = no + be quite annoying for shared source code, documents, etc... +

    + Note that this requires the create mask parameter to be set such that owner + execute bit is not masked out (i.e. it must include 100). See the parameter + create mask for details. +

    Default: map archive = yes -

    map to guest (G)

    This parameter is only useful in SECURITY = +

    map hidden (S)

    + This controls whether DOS style hidden files should be mapped to the UNIX world execute bit. +

    + Note that this requires the create mask to be set such that the world execute + bit is not masked out (i.e. it must include 001). See the parameter create mask + for details. +

    No default

    map read only (S)

    + This controls how the DOS read only attribute should be mapped from a UNIX filesystem. +

    + This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either + store dos attributes is set to No, or no extended attribute is + present. If store dos attributes is set to yes then this + parameter is ignored. This is a new parameter introduced in Samba version 3.0.21. +

    The three settings are :

    • + Yes - The read only DOS attribute is mapped to the inverse of the user + or owner write bit in the unix permission mode set. If the owner write bit is not set, the + read only attribute is reported as being set on the file. +

    • + Permissions - The read only DOS attribute is mapped to the effective permissions of + the connecting user, as evaluated by smbd(8) by reading the unix permissions and POSIX ACL (if present). + If the connecting user does not have permission to modify the file, the read only attribute + is reported as being set on the file. +

    • + No - The read only DOS attribute is unaffected by permissions, and can only be set by + the store dos attributes method. This may be useful for exporting mounted CDs. +

    Default: map read only = yes + +

    map system (S)

    + This controls whether DOS style system files should be mapped to the UNIX group execute bit. +

    + Note that this requires the create mask to be set such that the group + execute bit is not masked out (i.e. it must include 010). See the parameter + create mask for details. +

    Default: map system = no + +

    map to guest (G)

    This parameter is only useful in SECURITY = security modes other than security = share - i.e. user, server, and domain.

    This parameter can take four different values, which tell smbd(8) what to do with user - login requests that don't match a valid UNIX user in some way.

    The three settings are :

    • Never - Means user login + login requests that don't match a valid UNIX user in some way.

      The four settings are :

      • Never - Means user login requests with an invalid password are rejected. This is the default.

      • Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and - mapped into the guest account.

      • Bad Password - Means user logins + mapped into the guest account.

      • Bad Password - Means user logins with an invalid password are treated as a guest login and mapped - into the guest account. Note that + into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think @@ -2326,7 +2527,7 @@ If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.

        Record lock files are used to implement this feature. The lock files will be stored in - the directory specified by the lock directory option.

        Default: max connections = 0 + the directory specified by the lock directory option.

        Default: max connections = 0

        Example: max connections = 10 @@ -2344,10 +2545,12 @@

        Example: max disk size = 1000 -

    max log size (G)

    This option (an integer in kilobytes) specifies - the max size the log file should grow to. Samba periodically checks - the size and if it is exceeded it will rename the file, adding - a .old extension.

    A size of 0 means no limit.

    Default: max log size = 5000 +

    max log size (G)

    + This option (an integer in kilobytes) specifies the max size the log file should grow to. + Samba periodically checks the size and if it is exceeded it will rename the file, adding + a .old extension. +

    A size of 0 means no limit. +

    Default: max log size = 5000

    Default: max log size = 1000 @@ -2382,11 +2585,12 @@

    Example: max protocol = LANMAN1 -

    max reported print jobs (S)

    This parameter limits the maximum number of - jobs displayed in a port monitor for Samba printer queue at any given - moment. If this number is exceeded, the excess jobs will not be shown. - A value of zero means there is no limit on the number of print - jobs reported.

    Default: max reported print jobs = 0 +

    max reported print jobs (S)

    + This parameter limits the maximum number of jobs displayed in a port monitor for + Samba printer queue at any given moment. If this number is exceeded, the excess + jobs will not be shown. A value of zero means there is no limit on the number of + print jobs reported. +

    Default: max reported print jobs = 0

    Example: max reported print jobs = 1000 @@ -2413,7 +2617,7 @@ never need to change this parameter. The default is 3 days.

    Default: max ttl = 259200

    max wins ttl (G)

    This option tells smbd(8) when acting as a WINS server - (wins support = yes) what the maximum + (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

    Default: max wins ttl = 518400 @@ -2429,7 +2633,10 @@

    message command (G)

    This specifies what command to run when the server receives a WinPopup style message.

    This would normally be a command that would deliver the message somehow. How this is to be done is - up to your imagination.

    An example is:

    message command = csh -c 'xedit %s;rm %s' & + up to your imagination.

    An example is: +

    +message command = csh -c 'xedit %s;rm %s' &
+

    This delivers the message using xedit, then removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I @@ -2444,12 +2651,21 @@ the message was sent to (probably the server name).

  • %f = who the message is from.

    • You could make this command send mail, or whatever else takes your fancy. Please let us know of any really interesting - ideas you have.

    Here's a way of sending the messages as mail to root:

    message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s

    If you don't have a message command then the message + ideas you have.

    + Here's a way of sending the messages as mail to root: +

    +message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
+

    +

    If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered. -

    If you want to silently delete it then try:

    message command = rm %s

    Default: message command = +

    + If you want to silently delete it then try: +

    +message command = rm %s
+

    +

    Default: message command =

    Example: message command = csh -c 'xedit %s; rm %s' & @@ -2462,18 +2678,18 @@

    min protocol (G)

    The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol + to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients.

    If you are viewing this parameter as a security measure, you should - also refer to the lanman auth parameter. Otherwise, you should never need + also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter.

    Default: min protocol = CORE

    Example: min protocol = NT1

    min wins ttl (G)

    This option tells nmbd(8) - when acting as a WINS server (wins support = yes) what the minimum 'time to live' + when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).

    Default: min wins ttl = 21600 @@ -2483,7 +2699,7 @@ the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.

    Only Dfs roots can act as proxy shares. Take a look at the - msdfs root and host msdfs + msdfs root and host msdfs options to find out how to set up a Dfs root share.

    No default

    Example: msdfs proxy = \otherserver\someshare

    msdfs root (S)

    If set to yes, Samba treats the @@ -2492,7 +2708,7 @@ Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB and so on. For more information on setting up a Dfs tree on - Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

    Default: msdfs root = no + Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

    Default: msdfs root = no

    name cache timeout (G)

    Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If @@ -2507,21 +2723,21 @@ control how netbios name resolution is performed. The option takes a space separated string of name resolution options.

    The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be - resolved as follows:

    • lmhosts : Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the <usmbconfoption>lmhosts(5)</usmbconfoption> for details) then - any name type matches for lookup.

    • host : Do a standard host - name to IP address resolution, using the system /etc/hosts - , NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file. Note that this method is used only if the NetBIOS name - type being queried is the 0x20 (server) name type or 0x1c (domain controllers). - The latter case is only useful for active directory domains and results in a DNS - query for the SRV RR entry matching _ldap._tcp.domain.

    • wins : Query a name with - the IP address listed in the WINSSERVER parameter. If no WINS server has + resolved as follows:

      • + lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then + any name type matches for lookup. +

      • + host : Do a standard host name to IP address resolution, using the system + /etc/hosts , NIS, or DNS lookups. This method of name resolution is + operating system depended for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only + useful for active directory domains and results in a DNS query for the SRV RR entry matching + _ldap._tcp.domain. +

      • wins : Query a name with + the IP address listed in the WINSSERVER parameter. If no WINS server has been specified this method will be ignored.

      • bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces + each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.

      The example below will cause the local lmhosts file to be examined @@ -2542,12 +2758,15 @@

      Example: netbios aliases = TEST TEST1 TEST2 -

    netbios name (G)

    This sets the NetBIOS name by which a Samba - server is known. By default it is the same as the first component - of the host's DNS name. If a machine is a browse server or - logon server this name (or the first component - of the hosts DNS name) will be the name that these services are - advertised under.

    Default: netbios name = +

    netbios name (G)

    + This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of + the hosts DNS name) will be the name that these services are advertised under. +

    + There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name + is set to the literal name PIPE. To avoid this problem, do not name your Samba-3 + server PIPE. +

    Default: netbios name = # machine DNS name

    Example: netbios name = MYNAME @@ -2570,7 +2789,7 @@ it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in - homedir map and return the server + homedir map and return the server listed there.

    Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.

    Default: nis homedir = no @@ -2607,7 +2826,7 @@ should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of encrypt passwords = yes. The reason + always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

    Default: obey pam restrictions = no @@ -2618,65 +2837,73 @@ client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the user list and is only really - useful in security = share level security.

    Note that this also means Samba won't try to deduce + useful in security = share level security.

    Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use user = %S which means your user list will be just the service name, which for home directories is the name of the user.

    Default: only user = no -

    oplock break wait time (G)

    This is a tuning parameter added due to bugs in - both Windows 9x and WinNT. If Samba responds to a client too - quickly when that client issues an SMB that can cause an oplock - break request, then the network client can fail and not respond - to the break request. This tuning parameter (which is set in milliseconds) - is the amount of time Samba will wait before sending an oplock break - request to such (broken) clients.

    Warning

    DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND - UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default: oplock break wait time = 0 - -

    oplock contention limit (S)

    This is a very advanced - smbd(8) tuning option to - improve the efficiency of the granting of oplocks under multiple - client contention for the same file.

    In brief it specifies a number, which causes smbd(8)not to grant an oplock even when requested - if the approximate number of clients contending for an oplock on the same file goes over this +

    oplock break wait time (G)

    + This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock break request, then the network client can + fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount + of time Samba will wait before sending an oplock break request to such (broken) clients. +

    Warning

    + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. +

    Default: oplock break wait time = 0 + +

    oplock contention limit (S)

    + This is a very advanced smbd(8) tuning option to improve the efficiency of the + granting of oplocks under multiple client contention for the same file. +

    + In brief it specifies a number, which causes smbd(8)not to grant an oplock even when requested if the + approximate number of clients contending for an oplock on the same file goes over this limit. This causes smbd to behave in a similar - way to Windows NT.

    Warning

    DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default: oplock contention limit = 2 + way to Windows NT. +

    Warning

    + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. +

    Default: oplock contention limit = 2 -

    oplocks (S)

    This boolean option tells smbd whether to +

    oplocks (S)

    + This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file - Speed.txt in the Samba docs/ - directory.

    Oplocks may be selectively turned off on certain files with a - share. See the veto oplock files parameter. On some systems + Speed.txt in the Samba + docs/ directory. +

    + Oplocks may be selectively turned off on certain files with a share. See + the veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the - kernel oplocks parameter for details.

    Default: oplocks = yes + kernel oplocks parameter for details. +

    Default: oplocks = yes

    os2 driver map (G)

    The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

    <nt driver name> = <os2 driver name>.<device name>

    For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.

    - The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the book Samba3-HOWTO. For more - details on OS/2 clients, please refer to ???. -

    Default: os2 driver map = + The need for the file is due to the printer driver namespace problem described in + the chapter on Classical Printing in the Samba3-HOWTO book. For more + details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book. +

    Default: os2 driver map =

    os level (G)

    This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) -has a chance of becoming a local master browser for the workgroup in the local broadcast area.

    Note :By default, Samba will win - a local master browsing election over all Microsoft operating - systems except a Windows NT 4.0/2000 Domain Controller. This - means that a misconfigured Samba host can effectively isolate - a subnet for browsing purposes. See BROWSING.txt - in the Samba docs/ directory - for details.

    Default: os level = 20 +has a chance of becoming a local master browser for the workgroup in the local broadcast area.

    + Note :By default, Samba will win a local master browsing election over all Microsoft operating + systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can + effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 + release series and it is seldom necessary to manually over-ride the default setting. Please refer to + chapter 9 of the Samba-3 HOWTO document for further information regarding the use of this parameter. +

    Default: os level = 20

    Example: os level = 65 @@ -2684,13 +2911,14 @@ this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in - passwd program. + passwd program. It should be possible to enable this without changing your - passwd chat parameter for most setups.

    Default: pam password change = no + passwd chat parameter for most setups.

    Default: pam password change = no

    panic action (G)

    This is a Samba developer option that allows a system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to -draw attention to the fact that a problem occurred.

    Default: panic action = + draw attention to the fact that a problem occurred. +

    Default: panic action =

    Example: panic action = "/bin/sleep 90000" @@ -2714,10 +2942,10 @@ backend. Takes a path to the smbpasswd file as an optional argument.

  • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the private dir directory.

  • ldapsam - The LDAP based passdb + in the private dir directory.

  • ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

    LDAP connections should be secured where possible. This may be done using either - Start-TLS (see ldap ssl) or by + Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

    Multiple servers may also be specified in double-quotes, if your LDAP libraries supports the LDAP URL notation. @@ -2733,7 +2961,7 @@

    Examples of use are: -
    +
     passdb backend = tdbsam:/etc/samba/private/passdb.tdb \
     smbpasswd:/etc/samba/smbpasswd
 
@@ -2751,19 +2979,27 @@
 passdb backend = mysql:my_plugin_args tdbsam
 
    Default: passdb backend = smbpasswd
 
+
    • passdb expand explicit (G)

    + This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We + used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable + %G_osver% in which %G would have been substituted by the user's primary group. +

    + This parameter is set to "yes" by default, but this is about to change in the future. +

    Default: passdb expand explicit = yes +

    passwd chat (G)

    This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the - passwd program and what to expect back. If the expected output is not + passwd program and what to expect back. If the expected output is not received then the password is not changed.

    This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS - etc).

    Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is + etc).

    Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of - NIS/YP, this means that the passwd program must + NIS/YP, this means that the passwd program must be executed on the NIS master.

    The string can contain the macro %n which is substituted for the new password. The chat sequence can also contain the standard @@ -2772,7 +3008,7 @@ a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.

    If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the - expect string is a full stop then no string is expected.

    If the pam password change parameter is set to yes, the + expect string is a full stop then no string is expected.

    If the pam password change parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.

    Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed* @@ -2783,13 +3019,13 @@ parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a - debug level + debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins debug their passwd chat scripts when calling the passwd program and should be turned off after this has been done. This option has no effect if the - pam password change + pam password change paramter is set. This parameter is off by default.

    Default: passwd chat debug = no

    passwd chat timeout (G)

    This integer specifies the number of seconds smbd will wait for an initial @@ -2836,7 +3072,7 @@ process a new connection.

    A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.

    This parameter is used only when using plain-text passwords. It is not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when encrypt passwords = No.

    Default: password level = 0 + since samba-3.0.0). Use this only when encrypt passwords = No.

    Default: password level = 0

    Example: password level = 4 @@ -2852,7 +3088,7 @@ Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.

    If parameter is a name, it is looked up using the - parameter name resolve order and so may resolved + parameter name resolve order and so may resolved by any method and order described in that parameter.

    The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

    Note

    Using a password server means your UNIX box (running @@ -2914,23 +3150,24 @@ on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting - up pseudo home directories for users.

    Note that this path will be based on root dir + up pseudo home directories for users.

    Note that this path will be based on root dir if one was specified.

    Default: path =

    Example: path = /home/fred -

    pid directory (G)

    This option specifies the directory where pid - files will be placed.

    Default: pid directory = ${prefix}/var/locks +

    pid directory (G)

    + This option specifies the directory where pid files will be placed. +

    Default: pid directory = ${prefix}/var/locks

    Example: pid directory = pid directory = /var/run/ -

    posix locking (S)

    The smbd(8) - daemon maintains an database of file locks obtained by SMB clients. - The default behavior is to map this internal database to POSIX - locks. This means that file locks obtained by SMB clients are - consistent with those seen by POSIX compliant applications accessing - the files via a non-SMB method (e.g. NFS or local file access). - You should never need to disable this parameter.

    Default: posix locking = yes +

    posix locking (S)

    + The smbd(8) + daemon maintains an database of file locks obtained by SMB clients. The default behavior is + to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are + consistent with those seen by POSIX compliant applications accessing the files via a non-SMB + method (e.g. NFS or local file access). You should never need to disable this parameter. +

    Default: posix locking = yes

    postexec (S)

    This option specifies a command to be run whenever the service is disconnected. It takes the usual @@ -2947,34 +3184,36 @@ preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

    Of course, this could get annoying after a while :-)

    - See also preexec close and postexec. + See also preexec close and postexec.

    Default: preexec =

    Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log -

    preexec close (S)

    This boolean option controls whether a non-zero - return code from preexec should close the service being connected to.

    Default: preexec close = no - -

    prefered master

    This parameter is a synonym for preferred master.

    preferred master (G)

    This boolean parameter controls if - nmbd(8) is a preferred master - browser for its workgroup.

    If this is set to yes, on startup, nmbd - will force an election, and it will have a slight advantage in - winning the election. It is recommended that this parameter is - used in conjunction with - domain master = yes, so - that nmbd can guarantee becoming a domain master.

    Use this option with caution, because if there are several - hosts (whether Samba servers, Windows 95 or NT) that are - preferred master browsers on the same subnet, they will each - periodically and continuously attempt to become the local - master browser. This will result in unnecessary broadcast - traffic and reduced browsing capabilities.

    Default: preferred master = auto +

    preexec close (S)

    + This boolean option controls whether a non-zero return code from preexec + should close the service being connected to. +

    Default: preexec close = no + +

    prefered master

    This parameter is a synonym for preferred master.

    preferred master (G)

    + This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup. +

    + If this is set to yes, on startup, nmbd will force + an election, and it will have a slight advantage in winning the election. It is recommended that this + parameter is used in conjunction with domain master = yes, so that + nmbd can guarantee becoming a domain master. +

    + Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) + that are preferred master browsers on the same subnet, they will each periodically and continuously attempt + to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing + capabilities. +

    Default: preferred master = auto

    auto services

    This parameter is a synonym for preload.

    preload (G)

    This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

    Note that if you just want all printers in your - printcap file loaded then the load printers + printcap file loaded then the load printers option is easier.

    Default: preload = @@ -2986,15 +3225,18 @@

    Example: preload modules = /usr/lib/samba/passdb/mysql.so -

    preserve case (S)

    This controls if new filenames are created - with the case that the client passes, or if they are forced to - be the default case.

    See the section on NAME MANGLING for a fuller discussion.

    Default: preserve case = yes +

    preserve case (S)

    + This controls if new filenames are created with the case that the client passes, or if + they are forced to be the default case. +

    + See the section on NAME MANGLING for a fuller discussion. +

    Default: preserve case = yes

    print ok

    This parameter is a synonym for printable.

    printable (S)

    If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

    Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling - of print data. The read only parameter controls only non-printing access to + of print data. The read only parameter controls only non-printing access to the resource.

    Default: printable = no

    printcap cache time (G)

    This option specifies the number of seconds before the printing @@ -3007,34 +3249,38 @@

    Example: printcap cache time = 600 -

    printcap

    This parameter is a synonym for printcap name.

    printcap name (S)

    This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this.

    To use the CUPS printing interface set printcap name = cups - . This should be supplemented by an addtional setting - printing = cups in the [global] - section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS - configuration file. -

    On System V systems that use lpstat to +

    printcap

    This parameter is a synonym for printcap name.

    printcap name (S)

    + This parameter may be used to override the compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this. +

    + To use the CUPS printing interface set printcap name = cups . This should + be supplemented by an addtional setting printing = cups in the [global] + section. printcap name = cups will use the "dummy" printcap + created by CUPS, as specified in your CUPS configuration file. +

    + On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name is set to lpstat on these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list.

    A minimal printcap file would look something like this:

    +    attempt to parse the output to obtain a printer list.
+	
    
+	A minimal printcap file would look something like this:
+
     print1|My Printer 1
 print2|My Printer 2
 print3|My Printer 3
 print4|My Printer 4
 print5|My Printer 5
-
    where the '|' separates aliases of a printer. The fact 
-    that the second alias has a space in it gives a hint to Samba 
-    that it's a comment.
    Note
    Under AIX the default printcap 
-    name is /etc/qconfig. Samba will assume the 
-    file is in AIX qconfig format if the string
-	qconfig appears in the printcap filename.
    Default: printcap name = /etc/printcap
+

    + where the '|' separates aliases of a printer. The fact that the second alias has a space in + it gives a hint to Samba that it's a comment. +

    Note

    + Under AIX the default printcap name is /etc/qconfig. Samba will + assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename. +

    Default: printcap name = /etc/printcap

    Example: printcap name = /etc/myprintcap @@ -3061,17 +3307,17 @@ printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.

    Note that printing may fail on some UNIXes from the nobody account. If this happens then create - an alternative guest account that can print and set the guest account + an alternative guest account that can print and set the guest account in the [global] section.

    You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for command in shell scripts.

    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    You may have to vary this command considerably depending on how you normally print files on your system. The default for - the parameter varies depending on the setting of the printing + the parameter varies depending on the setting of the printing parameter.

    Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

    print command = lpr -r -P%p %s

    For printing = SYSV or HPUX :

    print command = lp -c -d%p %s; rm %s

    For printing = SOFTQ :

    print command = lp -d%p -s %s; rm %s

    For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups + libcups, then printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it @@ -3088,6 +3334,10 @@ Note: The root user always has admin rights. Use caution with use in the global stanza as this can cause side effects. +

    + This parameter has been marked deprecated in favor + of using the SePrintOperatorPrivilege and individual + print security descriptors. It will be removed in a future release.

    Default: printer admin =

    Example: printer admin = admin, @staff @@ -3099,7 +3349,7 @@ If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

    - The default value of the printer name may be lp on many + The default value of the printer name may be lp on many systems.

    Default: printer name = none @@ -3131,7 +3381,8 @@ packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share. -

    When not in domain mode with winbindd then the security info copied +

    + When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the @@ -3140,14 +3391,16 @@ BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile.

    Note that if you have multiple users logging + user to access the profile. +

    + Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user. -

    Default: profile acls = no +

    Default: profile acls = no

    queuepause command (S)

    This parameter specifies the command to be executed on the server host in order to pause the printer queue.

    This command should be a program or script which takes @@ -3163,7 +3416,7 @@

    queueresume command (S)

    This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the - previous parameter (queuepause command).

    This command should be a program or script which takes + previous parameter (queuepause command).

    This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are resubmitted to the printer.

    This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 @@ -3183,15 +3436,15 @@

    read list (S)

    This is a list of users that are given read-only access to a service. If the connecting user is in this list - then they will not be given write access, no matter what the read only option is set - to. The list can include group names using the syntax described in the invalid users + then they will not be given write access, no matter what the read only option is set + to. The list can include group names using the syntax described in the invalid users parameter. -

    This parameter will not work with the security = share in +

    This parameter will not work with the security = share in Samba 3.0. This is by design.

    Default: read list =

    Example: read list = mary, @students -

    read only (S)

    An inverted synonym is writeable.

    If this parameter is yes, then users +

    read only (S)

    An inverted synonym is writeable.

    If this parameter is yes, then users of a service may not create or modify files in the service's directory.

    Note that a printable service (printable = yes) will ALWAYS allow writing to the directory @@ -3213,38 +3466,103 @@

    Example: realm = mysambabox.mycompany.com -

    remote announce (G)

    This option allows you to setup nmbd(8)to periodically announce itself - to arbitrary IP addresses with an arbitrary workgroup name.

    This is useful if you want your Samba server to appear - in a remote workgroup for which the normal browse propagation - rules don't work. The remote workgroup can be anywhere that you - can send IP packets to.

    For example:

    remote announce = 192.168.2.255/SERVERS - 192.168.4.255/STAFF

    the above line would cause nmbd to announce itself - to the two given IP addresses using the given workgroup names. - If you leave out the workgroup name then the one given in - the workgroup parameter is used instead.

    The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable.

    See NetworkBrowsing.

    Default: remote announce = +

    remote announce (G)

    + This option allows you to setup nmbd(8)to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. +

    + This is useful if you want your Samba server to appear in a remote workgroup for + which the normal browse propagation rules don't work. The remote workgroup can be + anywhere that you can send IP packets to. +

    + For example: +

    +remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
+

    + the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. If you leave out the + workgroup name then the one given in the workgroup parameter + is used instead. +

    + The IP addresses you choose would normally be the broadcast addresses of the remote + networks, but can also be the IP addresses of known browse masters if your network + config is that stable. +

    + See the chapter on Network Browsing in the Samba-HOWTO book. +

    Default: remote announce = -

    remote browse sync (G)

    This option allows you to setup nmbd(8) to periodically request +

    remote browse sync (G)

    + This option allows you to setup nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This - is done in a manner that does not work with any non-Samba servers.

    This is useful if you want your Samba server and all local + is done in a manner that does not work with any non-Samba servers. +

    + This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere - that you can send IP packets to.

    For example:

    remote browse sync = 192.168.2.255 192.168.4.255

    the above line would cause nmbd to request - the master browser on the specified subnets or addresses to - synchronize their browse lists with the local server.

    The IP addresses you choose would normally be the broadcast + that you can send IP packets to. +

    + For example: +

    +remote browse sync = 192.168.2.255 192.168.4.255
+

    + the above line would cause nmbd to request the master browser on the + specified subnets or addresses to synchronize their browse lists with + the local server. +

    + The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. If a machine IP address is given Samba makes NO attempt to validate that the remote machine is available, is listening, nor that it - is in fact the browse master on its segment.

    Default: remote browse sync = + is in fact the browse master on its segment. +

    + The remote browse sync may be used on networks + where there is no WINS server, and may be used on disjoint networks where + each network has its own WINS server. +

    Default: remote browse sync = + +

    rename user script (G)

    + This is the full pathname to a script that will be run as root by smbd(8) under special circumstances described below. +

    + When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager + for Domains), this script will be run to rename the POSIX user. Two variables, %uold and + %unew, will be substituted with the old and new usernames, respectively. The script should + return 0 upon successful completion, and nonzero otherwise. +

    Note

    + The script has all responsibility to rename all the necessary data that is accessible in this posix method. + This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care + of the contents of their respective files, so the script is responsible only for changing the POSIX username, and + other data that may required for your circumstances, such as home directory. Please also consider whether or + not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, + because of the potential issues with renaming the LDAP naming attribute. In this case the script is + responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that + needs to change for other applications using the same directory. +

    Default: rename user script = no + +

    reset on zero vc (S)

    + This boolean option controls whether an incoming session setup + should kill other connections coming from the same IP. This matches + the default Windows 2003 behaviour. + + Setting this parameter to yes becomes necessary when you have a flaky + network and windows decides to reconnect while the old connection + still has files with share modes open. These files become inaccessible + over the new connection. + + The client sends a zero VC on the new connection, and Windows 2003 + kills all other connections coming from the same IP. This way the + locked files are accessible again. + + Please be aware that enabling this option will kill connections behind + a masquerading router. + +

    Default: reset on zero vc = no

    restrict anonymous (G)

    The setting of this parameter determines whether user and group list information is returned for an anonymous connection. and mirrors the effects of the -

    +
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
            Control\LSA\RestrictAnonymous
 
    
@@ -3261,7 +3579,7 @@
 	means.
 	
    Note
    
     The security advantage of using restrict anonymous = 2 is removed
-    by setting guest ok = yes on any share.
+    by setting guest ok = yes on any share.
 	
    Default: restrict anonymous = 0
    root

    This parameter is a synonym for root directory.

    root dir

    This parameter is a synonym for root directory.

    root directory (G)

    The server will chroot() (i.e. @@ -3271,7 +3589,7 @@ It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the - wide smbconfoptions parameter). + wide smbconfoptions parameter).

    Adding a root directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the @@ -3287,15 +3605,17 @@

    Example: root directory = /homes/smb -

    root postexec (S)

    This is the same as the postexec - parameter except that the command is run as root. This - is useful for unmounting filesystems - (such as CDROMs) after a connection is closed.

    Default: root postexec = - -

    root preexec (S)

    This is the same as the preexec - parameter except that the command is run as root. This - is useful for mounting filesystems (such as CDROMs) when a - connection is opened.

    Default: root preexec = +

    root postexec (S)

    + This is the same as the postexec + parameter except that the command is run as root. This is useful for + unmounting filesystems (such as CDROMs) after a connection is closed. +

    Default: root postexec = + +

    root preexec (S)

    + This is the same as the preexec + parameter except that the command is run as root. This is useful for + mounting filesystems (such as CDROMs) when a connection is opened. +

    Default: root preexec =

    root preexec close (S)

    This is the same as the preexec close parameter except that the command is run as root.

    Default: root preexec close = no @@ -3324,9 +3644,9 @@ want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with security = user, see - the map to guestparameter for details.

    It is possible to use smbd in a + the map to guestparameter for details.

    It is possible to use smbd in a hybrid mode where it is offers both user and share - level security under different NetBIOS aliases.

    The different settings will now be explained.

    SECURITY = SHARE

    When clients connect to a share level security server they + level security under different NetBIOS aliases.

    The different settings will now be explained.

    SECURITY = SHARE

    When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with @@ -3339,10 +3659,10 @@ in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.

    A list of possible UNIX usernames to match with the given - client password is constructed using the following methods :

    • If the guest only parameter is set, then all the other - stages are missed and only the guest account username is checked. + client password is constructed using the following methods :

      • If the guest only parameter is set, then all the other + stages are missed and only the guest account username is checked.

      • Is a username is sent with the share connection - request, then this username (after mapping - see username map), + request, then this username (after mapping - see username map), is added as a potential username.

      • If the client did a previous logon request (the SessionSetup SMB call) then the @@ -3351,7 +3671,7 @@ added as a potential username.

      • The NetBIOS name of the client is added to the list as a potential username. -

      • Any users on the user list are added as potential usernames. +

      • Any users on the user list are added as potential usernames.

      If the guest only parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the @@ -3363,17 +3683,17 @@ be used in granting access.

      See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      SECURITY = USER

      This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the encrypted passwords parameter) can also - be used in this security mode. Parameters such as user and guest only if set are then applied and + valid username and password (which can be mapped using the username map + parameter). Encrypted passwords (see the encrypted passwords parameter) can also + be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

      Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.

      See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      SECURITY = DOMAIN

      This mode will only work correctly if net(8) has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.

      See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      SECURITY = DOMAIN

      This mode will only work correctly if net(8) has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly @@ -3387,13 +3707,13 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.

      See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      See also the password server parameter and - the encrypted passwords parameter.

      SECURITY = SERVER

      + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.

      See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      See also the password server parameter and + the encrypted passwords parameter.

      SECURITY = SERVER

      In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the - encrypted passwords parameter to be set to yes, unless the remote + encrypted passwords parameter to be set to yes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. @@ -3413,10 +3733,10 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.

      See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      See also the password server parameter and the - encrypted passwords parameter.

      SECURITY = ADS

      In this mode, Samba will act as a domain member in an ADS realm. To operate + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.

      See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.

      See also the password server parameter and the + encrypted passwords parameter.

      SECURITY = ADS

      In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.

      Note that this mode does NOT make Samba operate as a Active Directory Domain @@ -3429,7 +3749,7 @@ UNIX permission on a file using the native NT security dialog box.

      This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not - in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. + in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.

      Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

      @@ -3444,7 +3764,7 @@

    server schannel (G)

    This controls whether the server offers or even demands the use of the netlogon schannel. - server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. + server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4.

    Please note that with this set to no you will have to apply the WindowsXP @@ -3470,11 +3790,14 @@

    Example: server string = University of GNUs Samba Server -

    set directory (S)

    If set directory = no, then - users of the service may not use the setdir command to change - directory.

    The setdir command is only implemented +

    set directory (S)

    + If set directory = no, then users of the + service may not use the setdir command to change directory. +

    + The setdir command is only implemented in the Digital Pathworks client. See the Pathworks documentation - for details.

    Default: set directory = no + for details. +

    Default: set directory = no

    set primary group script (G)

    Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script @@ -3515,8 +3838,8 @@

    short preserve case (S)

    This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced - to be the default case - . This option can be use with preserve case = yes + to be the default case + . This option can be use with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

    See the section on NAME MANGLING.

    Default: short preserve case = yes @@ -3558,18 +3881,18 @@ /sbin/shutdown $3 $4 +$time $1 &

    -Shutdown does not return so we need to launch it in background. -

    Default: shutdown script = + Shutdown does not return so we need to launch it in background. +

    Default: shutdown script =

    Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

    smb passwd file (G)

    This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

    - An example of use is: -

    +    An example of use is:
+
     smb passwd file = /etc/samba/smbpasswd
 
    
-	
    Default: smb passwd file = ${prefix}/private/smbpasswd
+    
    Default: smb passwd file = ${prefix}/private/smbpasswd
    smb ports (G)

    Specifies which ports the server should listen on for SMB traffic.

    Default: smb ports = 445 139 @@ -3613,18 +3936,17 @@ speed up case insensitive name mappings. You should never need to change this parameter.

    Default: stat cache = yes -

    store dos attributes (S)

    If this parameter is set Samba no longer attempts to - map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY - to UNIX permission bits (such as the map hidden. Instead, DOS attributes will be stored onto an extended - attribute in the UNIX filesystem, associated with the file or directory. - For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. - This parameter writes the DOS attributes as a string into the - extended attribute named "user.DOSATTRIB". This extended attribute - is explicitly hidden from smbd clients requesting an EA list. - On Linux the filesystem must have been mounted with the mount - option user_xattr in order for extended attributes to work, also - extended attributes must be compiled into the Linux kernel. -

    Default: store dos attributes = no +

    store dos attributes (S)

    + If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or + READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such + as occurs with map hidden and map readonly). When set, DOS + attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or + directory. For no other mapping to occur as a fall-back, the parameters map hidden, + map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended + attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an + EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for + extended attributes to work, also extended attributes must be compiled into the Linux kernel. +

    Default: store dos attributes = yes

    strict allocate (S)

    This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes @@ -3638,13 +3960,16 @@ out of quota messages on systems that are restricting the disk quota of users.

    Default: strict allocate = no -

    strict locking (S)

    This is a boolean that controls the handling of - file locking in the server. When this is set to yes, - the server will check every read and write access for file locks, and - deny access if locks exist. This can be slow on some systems.

    When strict locking is disabled, the server performs file - lock checks only when the client explicitly asks for them.

    Well-behaved clients always ask for lock checks when it - is important. So in the vast majority of cases, strict - locking = no is acceptable.

    Default: strict locking = yes +

    strict locking (S)

    + This is a boolean that controls the handling of file locking in the server. When this is set to yes, + the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on + some systems. +

    + When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them. +

    + Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, + strict locking = no is acceptable. +

    Default: strict locking = yes

    strict sync (S)

    Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing @@ -3660,6 +3985,19 @@ addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.

    Default: strict sync = no +

    svcctl list (G)

    This option defines a list of init scripts that smbd + will use for starting and stopping Unix services via the Win32 + ServiceControl API. This allows Windows administrators to + utilize the MS Management Console plug-ins to manage a + Unix server running Samba.

    The administrator must create a directory + name svcctl in Samba's $(libdir) + and create symbolic links to the init scripts in + /etc/init.d/. The name of the links + must match the names given as part of the svcctl list. +

    Default: svcctl list = + +

    Example: svcctl list = cups postfix portmap httpd +

    sync always (S)

    This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be @@ -3671,19 +4009,20 @@ yes in order for this parameter to have any affect.

    Default: sync always = no -

    syslog (G)

    This parameter maps how Samba debug messages - are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERR, debug - level one maps onto LOG_WARNING, debug level - two maps onto LOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to - LOG_DEBUG.

    This parameter sets the threshold for sending messages - to syslog. Only messages with debug level less than this value - will be sent to syslog.

    Default: syslog = 1 - -

    syslog only (G)

    If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files.

    Default: syslog only = no +

    syslog (G)

    + This parameter maps how Samba debug messages are logged onto the system syslog logging levels. + Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto + LOG_WARNING, debug level two maps onto LOG_NOTICE, + debug level three maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG. +

    + This parameter sets the threshold for sending messages to syslog. Only messages with debug + level less than this value will be sent to syslog. +

    Default: syslog = 1 + +

    syslog only (G)

    + If this parameter is set then Samba debug messages are logged into the system + syslog only, and not to the debug log files. +

    Default: syslog only = no

    template homedir (G)

    When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this @@ -3740,8 +4079,8 @@ passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to no.

    - In order for this parameter to be operative the encrypt passwords parameter must - be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work. + In order for this parameter to be operative the encrypt passwords parameter must + be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work.

    Note that even when this parameter is set a user authenticating to smbd must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) @@ -3774,13 +4113,16 @@ server.

    Default: use client driver = no

    use kerberos keytab (G)

    -Specifies whether Samba should attempt to maintain service principals in the systems -keytab file for host/FQDN and cifs/FQDN. -

    When you are using the heimdal Kerberos libraries, you must also -specify the following in /etc/krb5.conf:

    +	Specifies whether Samba should attempt to maintain service principals in the systems
+	keytab file for host/FQDN and cifs/FQDN.
+	
    
+	When you are using the heimdal Kerberos libraries, you must also specify the following in
+	/etc/krb5.conf:
+
     [libdefaults]
-  default_keytab_name = FILE:/etc/krb5.keytab
-
    Default: use kerberos keytab = False
+default_keytab_name = FILE:/etc/krb5.keytab
+

    +

    Default: use kerberos keytab = False

    use mmap (G)

    This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent @@ -3810,7 +4152,7 @@ they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.

    To restrict a service to a particular set of users you - can use the valid users parameter.

    If any of the usernames begin with a '@' then the name + can use the valid users parameter.

    If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users @@ -3844,82 +4186,91 @@

    Example: username level = 5 -

    username map (G)

    This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files.

    Please note that for user or share mode security, the - username map is applied prior to validating the user credentials. - Domain member servers (domain or ads) apply the username map - after the user has been successfully authenticated by the domain - controller and require fully qualified enties in the map table - (e.g. biddle = DOMAIN\foo).

    The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long.

    The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line.

    If any line begins with a '#' or a ';' then it is ignored

    If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file.

    For example to map from the name admin - or administrator to the UNIX name - root you would use:

    root = admin administrator

    Or to map anyone in the UNIX group system - to the UNIX name sys you would use:

    sys = @system

    You can have as many mappings as you like in a username map file.

    If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups.

    You can map Windows usernames that have spaces in them - by using double quotes around the name. For example:

    tridge = "Andrew Tridgell"

    would map the windows username "Andrew Tridgell" to the - unix username "tridge".

    The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line.

    +
    username map (G)

    + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. +

    + Please note that for user or share mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. + biddle = DOMAIN\foo). +

    + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. +

    + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. +

    + If any line begins with a '#' or a ';' then it is ignored. +

    + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. +

    + For example to map from the name admin or administrator to the UNIX + name root you would use: +

    +root = admin administrator
+

    + Or to map anyone in the UNIX group system to the UNIX name sys you would use: +

    +sys = @system
+

    +

    + You can have as many mappings as you like in a username map file. +

    + If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups. +

    + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: +

    +tridge = "Andrew Tridgell"
+

    + would map the windows username "Andrew Tridgell" to the unix username "tridge". +

    + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: +

     !sys = mary fred
 guest = *
-

    Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the password server (if you have one). The password - server will receive whatever username the client supplies without - modification.

    Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job.

    - Samba versions prior to 3.0.8 would only support reading the fully qualified - username (e.g.: DOMAIN\user) from the username map when performing a - kerberos login from a client. However, when looking up a map - entry for a user authenticated by NTLM[SSP], only the login name would be - used for matches. This resulted in inconsistent behavior sometimes - even on the same server. +

    +

    + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you will actually be connecting to + \\server\mary and will need to supply a password suitable for mary not + fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client + supplies without modification. +

    + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. +

    + Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server.

    The following functionality is obeyed in version 3.0.8 and later:

    - When performing local authentication, the username map is - applied to the login name before attempting to authenticate + When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection.

    - When relying upon a external domain controller for validating - authentication requests, smbd will apply the username map - to the fully qualified username (i.e. DOMAIN\user) only - after the user has been successfully authenticated. + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.

    - An example of use is: -

    +    An example of use is:
+
     username map = /usr/local/samba/lib/users.map
 
    
-	
    Default: username map = 
+    
    Default: username map = 
 # no username map
    username map script (G)

    This script is a mutually exclusive alternative to the - username map parameter. This parameter + username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which @@ -3929,13 +4280,14 @@

    Example: username map script = /etc/samba/scripts/mapusers.sh -

    use sendfile (S)

    If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX - and ReadRaw) will use the more efficient sendfile system call for files that +

    use sendfile (S)

    If this parameter is yes, and the sendfile() + system call is supported by the underlying operating system, then some SMB read calls + (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's and cause Samba to be faster. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail). -

    Default: use sendfile = yes +

    Default: use sendfile = false

    use spnego (G)

    This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with @@ -3945,16 +4297,17 @@ implementation, there is no reason this should ever be disabled.

    Default: use spnego = yes -

    utmp (G)

    This boolean parameter is only available if - Samba has been configured and compiled with the option - --with-utmp. If set to yes then Samba will attempt - to add utmp or utmpx records (depending on the UNIX system) whenever a - connection is made to a Samba server. Sites may use this to record the - user connecting to a Samba share.

    Due to the requirements of the utmp record, we - are required to create a unique identifier for the - incoming user. Enabling this option creates an n^2 - algorithm to find this number. This may impede - performance on large installations.

    Default: utmp = no +

    utmp (G)

    + This boolean parameter is only available if Samba has been configured and compiled + with the option --with-utmp. If set to + yes then Samba will attempt to add utmp or utmpx records + (depending on the UNIX system) whenever a connection is made to a Samba server. + Sites may use this to record the user connecting to a Samba share. +

    + Due to the requirements of the utmp record, we are required to create a unique + identifier for the incoming user. Enabling this option creates an n^2 algorithm + to find this number. This may impede performance on large installations. +

    Default: utmp = no

    utmp directory (G)

    This parameter is only available if Samba has been configured and compiled with the option @@ -3977,35 +4330,42 @@ Samba uses this option internally to mark shares as deleted.

    Default: -valid = yes -

    valid users (S)

    This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter.

    If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user.

    The current servicename is substituted for %S - . This is useful in the [homes] section.

    Default: valid users = +

    valid users (S)

    + This is a list of users that should be allowed to login to this service. Names starting with + '@', '+' and '&' are interpreted using the same rules as described in the + invalid users parameter. +

    + If this is empty (the default) then any user can login. If a username is in both this list + and the invalid users list then access is denied + for that user. +

    + The current servicename is substituted for %S. + This is useful in the [homes] section. +

    Default: valid users = # No valid users list (anyone can login)

    Example: valid users = greg, @pcusers -

    veto files (S)

    This is a list of files and directories that - are neither visible nor accessible. Each entry in the list must - be separated by a '/', which allows spaces to be included - in the entry. '*' and '?' can be used to specify multiple files - or directories as in DOS wildcards.

    Each entry must be a unix path, not a DOS path and - must not include the unix directory - separator '/'.

    Note that the case sensitive option - is applicable in vetoing files.

    One feature of the veto files parameter that it - is important to be aware of is Samba's behaviour when - trying to delete a directory. If a directory that is - to be deleted contains nothing but veto files this - deletion will fail unless you also set - the delete veto files parameter to - yes.

    Setting this parameter will affect the performance - of Samba, as it will be forced to check all files and directories - for a match as they are scanned.

    +

    veto files (S)

    + This is a list of files and directories that are neither visible nor accessible. Each entry in + the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' + can be used to specify multiple files or directories as in DOS wildcards. +

    + Each entry must be a unix path, not a DOS path and must not include the + unix directory separator '/'. +

    + Note that the case sensitive option is applicable in vetoing files. +

    + One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this + deletion will fail unless you also set the delete veto files + parameter to yes. +

    + Setting this parameter will affect the performance of Samba, as it will be forced to check all files + and directories for a match as they are scanned. +

    Examples of use include: -

    +
     ; Veto any files containing the word Security,
 ; any ending in .tmp, and any directory containing the
 ; word root.
@@ -4017,21 +4377,22 @@
 
    
 	
    Default: veto files = No files or directories are vetoed.
 
-
    veto oplock files (S)

    This parameter is only valid when the - oplocks +

    veto oplock files (S)

    + This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the - veto files - parameter.

    You might want to do this on files that you know will - be heavily contended for by clients. A good example of this - is in the NetBench SMB benchmark program, which causes heavy - client contention for files ending in .SEM. - To cause Samba not to grant oplocks on these files you would use - the line (either in the [global] section or in the section for - the particular NetBench share :

    + veto files parameter. +

    + You might want to do this on files that you know will be heavily contended + for by clients. A good example of this is in the NetBench SMB benchmark + program, which causes heavy client contention for files ending in + .SEM. To cause Samba not to grant + oplocks on these files you would use the line (either in the [global] + section or in the section for the particular NetBench share. +

    An example of use is: -

    +
     veto oplock files = /.*SEM/
 
    
 	
    Default: veto oplock files = 
@@ -4092,6 +4453,26 @@
                  groups, you need to run nss_winbind.
    Please note that per 3.0.3 this is a new feature, so 
 		 handle with care.
    Default: winbind nested groups = no
 
+
    winbind nss info (G)

    This parameter is designed to control how Winbind retrieves Name + Service Information to construct a user's home directory and login shell. + Currently the following settings are available: + +

    • template + - The default, using the parameters of template + shell and template homedir) +

    • sfu + - When Samba is running in security = ads and your Active Directory + Domain Controller does support the Microsoft "Services for Unix" (SFU) + LDAP schema, winbind can retrieve the login shell and the home + directory attributes directly from your Directory Server. Note that + retrieving UID and GID from your ADS-Server requires to use + idmap backend = idmap_ad as well. +

    + +

    Default: winbind nss info = template + +

    Example: winbind nss info = template sfu +

    winbind separator (G)

    This parameter allows an admin to define the character used when listing a username of the form of DOMAIN \user. This parameter @@ -4103,13 +4484,12 @@

    Example: winbind separator = + -

    winbind trusted domains only (G)

    This parameter is designed to allow Samba servers that - are members of a Samba controlled domain to use UNIX accounts - distributed via NIS, rsync, or LDAP as the uid's for winbindd users - in the hosts primary domain. Therefore, the user DOMAIN\user1 would - be mapped to the account user1 in /etc/passwd instead of allocating - a new uid for him or her. -

    Default: winbind trusted domains only = no +

    winbind trusted domains only (G)

    + This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use + UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. + Therefore, the user DOMAIN\user1 would be mapped to the account user1 in /etc/passwd + instead of allocating a new uid for him or her. +

    Default: winbind trusted domains only = no

    winbind use default domain (G)

    This parameter specifies whether the winbindd(8) daemon should operate on users @@ -4155,7 +4535,7 @@ separated from the ip address by a colon.

    Note

    You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly.

    See the ???.

    Default: wins server = + browsing to work correctly.

    See the chapter in the Samba3-HOWTO on Network Browsing.

    Default: wins server =

    Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 @@ -4174,12 +4554,12 @@

    workgroup (G)

    This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with - the security = domain + the security = domain setting.

    Default: workgroup = WORKGROUP

    Example: workgroup = MYGROUP -

    writable

    This parameter is a synonym for writeable.

    writeable (S)

    Inverted synonym for read only.

    No default

    write cache size (S)

    If this integer parameter is set to non-zero value, +

    writable

    This parameter is a synonym for writeable.

    writeable (S)

    Inverted synonym for read only.

    No default

    write cache size (S)

    If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request @@ -4197,13 +4577,18 @@

    Example: write cache size = 262144 # for a 256k cache size per file -

    write list (S)

    This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the read only - option is set to. The list can include group names using the - @group syntax.

    Note that if a user is in both the read list and the - write list then they will be given write access.

    This parameter will not work with the security = share in - Samba 3.0. This is by design.

    Default: write list = +

    write list (S)

    + This is a list of users that are given read-write access to a service. If the + connecting user is in this list then they will be given write access, no matter + what the read only option is set to. The list can + include group names using the @group syntax. +

    + Note that if a user is in both the read list and the write list then they will be + given write access. +

    + By design, this parameter will not work with the + security = share in Samba 3.0. +

    Default: write list =

    Example: write list = admin, root, @staff @@ -4211,21 +4596,19 @@ will support raw write SMB's when transferring data from clients. You should never need to change this parameter.

    Default: write raw = yes -

    wtmp directory (G)

    This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the wtmp or wtmpx files (depending on the UNIX system) that - record user connections to a Samba server. The difference with - the utmp directory is the fact that user info is kept after a user - has logged out.

    - By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/wtmp on Linux).

    Default: wtmp directory = +

    wtmp directory (G)

    + This parameter is only available if Samba has been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on + the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact + that user info is kept after a user has logged out. +

    + By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually + /var/run/wtmp on Linux). +

    Default: wtmp directory =

    Example: wtmp directory = /var/log/wtmp -

    WARNINGS

    +

    WARNINGS

    Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

    @@ -4238,8 +4621,8 @@ for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. -

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    - samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

    AUTHOR

    +

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    + samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbcontrol.1.html samba-3.0.21/docs/htmldocs/manpages/smbcontrol.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbcontrol.1.html 2005-08-19 12:56:22.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbcontrol.1.html 2005-12-19 10:17:05.000000000 -0600 @@ -1,5 +1,5 @@ -smbcontrol

    Name

    smbcontrol — send messages to smbd, nmbd or winbindd processes

    Synopsis

    smbcontrol [-i] [-s]

    smbcontrol [destination] [message-type] [parameter]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbcontrol is a very small program, which - sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system.

    OPTIONS

    -h|--help

    Print a summary of command line options. +smbcontrol

    Name

    smbcontrol — send messages to smbd, nmbd or winbindd processes

    Synopsis

    smbcontrol [-i] [-s]

    smbcontrol [destination] [message-type] [parameter]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbcontrol is a very small program, which + sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system.

    OPTIONS

    -h|--help

    Print a summary of command line options.

    -s <configuration file>

    The file specified contains the configuration details required by the server. The information in this file includes server-specific @@ -16,7 +16,7 @@ nmbd.pid file.

    If a single process ID is given, the message is sent to only that process.

    message-type

    Type of message to send. See the section MESSAGE-TYPES for details. -

    parameters

    any parameters required for the message-type

    MESSAGE-TYPES

    Available message types are:

    close-share

    Order smbd to close the client +

    parameters

    any parameters required for the message-type

    MESSAGE-TYPES

    Available message types are:

    close-share

    Order smbd to close the client connections to the named share. Note that this doesn't affect client connections to any other shares. This message-type takes an argument of the share name for which client connections will be closed, or the @@ -59,8 +59,8 @@ to update their local version of the driver. Can only be sent to smbd.

    reload-config

    Force daemon to reload smb.conf configuration file. Can be sent to smbd, nmbd, or winbindd. -

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    nmbd(8) and smbd(8).

    AUTHOR

    The original Samba software and related utilities +

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    nmbd(8) and smbd(8).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbcquotas.1.html samba-3.0.21/docs/htmldocs/manpages/smbcquotas.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbcquotas.1.html 2005-08-19 12:56:26.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbcquotas.1.html 2005-12-19 10:17:07.000000000 -0600 @@ -1,4 +1,4 @@ -smbcquotas

    Name

    smbcquotas — Set or get QUOTAs of NTFS 5 shares

    Synopsis

    smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbcquotas program manipulates NT Quotas on SMB file shares.

    OPTIONS

    The following options are available to the smbcquotas program.

    -u user

    Specifies the user of whom the quotas are get or set. +smbcquotas

    Name

    smbcquotas — Set or get QUOTAs of NTFS 5 shares

    Synopsis

    smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbcquotas program manipulates NT Quotas on SMB file shares.

    OPTIONS

    The following options are available to the smbcquotas program.

    -u user

    Specifies the user of whom the quotas are get or set. By default the current user's username will be used.

    -L

    Lists all quota records of the share.

    -F

    Show the share quota status and default limits.

    -S QUOTA_SET_COMMAND

    This command sets/modifies quotas for a user or on the share, depending on the QUOTA_SET_COMMAND parameter which is described later.

    -n

    This option displays all QUOTA information in numeric format. The default is to convert SIDs to names and QUOTA limits @@ -15,7 +15,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -27,7 +27,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -60,7 +60,7 @@ many systems the command line of a running process may be seen via the ps command. To be safe always allow rpcclient to prompt for a password and type -it in directly.

    QUOTA_SET_COMAND

    The format of an ACL is one or more ACL entries separated by +it in directly.

    QUOTA_SET_COMAND

    The format of an ACL is one or more ACL entries separated by either commas or newlines. An ACL entry is one of the following:

    for setting user quotas for the user specified by -u or the current username:

    @@ -73,13 +73,13 @@ for changing the share quota settings:

    FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT -

    EXIT STATUS

    The smbcquotas program sets the exit status +

    EXIT STATUS

    The smbcquotas program sets the exit status depending on the success or otherwise of the operations performed. The exit status may be one of the following values.

    If the operation succeeded, smbcquotas returns an exit status of 0. If smbcquotas couldn't connect to the specified server, or when there was an error getting or setting the quota(s), an exit status of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities + arguments, an exit status of 2 is returned.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    smbcquotas was written by Stefan Metzmacher.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbd.8.html samba-3.0.21/docs/htmldocs/manpages/smbd.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbd.8.html 2005-08-19 12:56:29.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbd.8.html 2005-12-19 10:17:10.000000000 -0600 @@ -1,4 +1,4 @@ -smbd

    Name

    smbd — server to provide SMB/CIFS services to clients

    Synopsis

    smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]

    DESCRIPTION

    This program is part of the samba(7) suite.

    smbd is the server daemon that +smbd

    Name

    smbd — server to provide SMB/CIFS services to clients

    Synopsis

    smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]

    DESCRIPTION

    This program is part of the samba(7) suite.

    smbd is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol. This is compatible @@ -21,7 +21,7 @@ can force a reload by sending a SIGHUP to the server. Reloading the configuration file will not affect connections to any service that is already established. Either the user will have to - disconnect from the service, or smbd killed and restarted.

    OPTIONS

    -D

    If specified, this parameter causes + disconnect from the service, or smbd killed and restarted.

    OPTIONS

    -D

    If specified, this parameter causes the server to operate as a daemon. That is, it detaches itself and runs in the background, fielding requests on the appropriate port. Operating the server as a @@ -56,7 +56,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -68,7 +68,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -76,9 +76,9 @@

    -b

    Prints information about how Samba was built.

    -p <port number(s)>

    port number(s) is a space or comma-separated list of TCP ports smbd should listen on. - The default value is taken from the ports parameter in smb.conf

    The default ports are 139 (used for SMB over NetBIOS over TCP) + The default value is taken from the ports parameter in smb.conf

    The default ports are 139 (used for SMB over NetBIOS over TCP) and port 445 (used for plain SMB over TCP). -

    FILES

    /etc/inetd.conf

    If the server is to be run by the +

    FILES

    /etc/inetd.conf

    If the server is to be run by the inetd meta-daemon, this file must contain suitable startup information for the meta-daemon. @@ -92,20 +92,20 @@

    /usr/local/samba/lib/smb.conf

    This is the default location of the smb.conf(5) server configuration file. Other common places that systems install this file are /usr/samba/lib/smb.conf and /etc/samba/smb.conf.

    This file describes all the services the server - is to make available to clients. See smb.conf(5) for more information.

    LIMITATIONS

    On some systems smbd cannot change uid back + is to make available to clients. See smb.conf(5) for more information.

    LIMITATIONS

    On some systems smbd cannot change uid back to root after a setuid() call. Such systems are called trapdoor uid systems. If you have such a system, you will be unable to connect from a client (such as a PC) as two different users at once. Attempts to connect the second user will result in access denied or - similar.

    ENVIRONMENT VARIABLES

    PRINTER

    If no printer name is specified to + similar.

    ENVIRONMENT VARIABLES

    PRINTER

    If no printer name is specified to printable services, most systems will use the value of this variable (or lp if this variable is not defined) as the name of the printer to use. This - is not specific to the server, however.

    PAM INTERACTION

    Samba uses PAM for authentication (when presented with a plaintext + is not specific to the server, however.

    PAM INTERACTION

    Samba uses PAM for authentication (when presented with a plaintext password), for account checking (is this account disabled?) and for session management. The degree too which samba supports PAM is restricted - by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply: + by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply:

    • Account Validation: All accesses to a samba server are checked against PAM to see if the account is vaild, not disabled and is permitted to @@ -115,8 +115,8 @@ is granted. Note however, that this is bypassed in share level secuirty. Note also that some older pam configuration files may need a line added for session support. -

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    DIAGNOSTICS

    Most diagnostics issued by the server are logged +

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    DIAGNOSTICS

    Most diagnostics issued by the server are logged in a specified log file. The log file name is specified at compile time, but may be overridden on the command line.

    The number and nature of diagnostics available depends on the debug level used by the server. If you have problems, set @@ -125,10 +125,10 @@ available in the source code to warrant describing each and every diagnostic. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the - diagnostics you are seeing.

    TDB FILES

    Samba stores it's data in several TDB (Trivial Database) files, usually located in /var/lib/samba.

    + diagnostics you are seeing.

    TDB FILES

    Samba stores it's data in several TDB (Trivial Database) files, usually located in /var/lib/samba.

    (*) information persistent across restarts (but not necessarily important to backup). -

    account_policy.tdb*

    NT account policy settings such as pw expiration, etc...

    brlock.tdb

    byte range locks

    browse.dat

    browse lists

    connections.tdb

    share connections (used to enforce max connections, etc...)

    gencache.tdb

    generic caching db

    group_mapping.tdb*

    group mapping information

    locking.tdb

    share modes & oplocks

    login_cache.tdb*

    bad pw attempts

    messages.tdb

    Samba messaging system

    netsamlogon_cache.tdb*

    cache of user net_info_3 struct from net_samlogon() request (as a domain member)

    ntdrivers.tdb*

    installed printer drivers

    ntforms.tdb*

    installed printer forms

    ntprinters.tdb*

    installed printer information

    printing/

    directory containing tdb per print queue of cached lpq output

    registry.tdb

    Windows registry skeleton (connect via regedit.exe)

    sessionid.tdb

    session information (e.g. support for 'utmp = yes')

    share_info.tdb*

    share acls

    winbindd_cache.tdb

    winbindd's cache of user lists, etc...

    winbindd_idmap.tdb*

    winbindd's local idmap db

    wins.dat*

    wins database when 'wins support = yes'

    SIGNALS

    Sending the smbd a SIGHUP will cause it to +

    account_policy.tdb*

    NT account policy settings such as pw expiration, etc...

    brlock.tdb

    byte range locks

    browse.dat

    browse lists

    connections.tdb

    share connections (used to enforce max connections, etc...)

    gencache.tdb

    generic caching db

    group_mapping.tdb*

    group mapping information

    locking.tdb

    share modes & oplocks

    login_cache.tdb*

    bad pw attempts

    messages.tdb

    Samba messaging system

    netsamlogon_cache.tdb*

    cache of user net_info_3 struct from net_samlogon() request (as a domain member)

    ntdrivers.tdb*

    installed printer drivers

    ntforms.tdb*

    installed printer forms

    ntprinters.tdb*

    installed printer information

    printing/

    directory containing tdb per print queue of cached lpq output

    registry.tdb

    Windows registry skeleton (connect via regedit.exe)

    sessionid.tdb

    session information (e.g. support for 'utmp = yes')

    share_info.tdb*

    share acls

    winbindd_cache.tdb

    winbindd's cache of user lists, etc...

    winbindd_idmap.tdb*

    winbindd's local idmap db

    wins.dat*

    wins database when 'wins support = yes'

    SIGNALS

    Sending the smbd a SIGHUP will cause it to reload its smb.conf configuration file within a short period of time.

    To shut down a user's smbd process it is recommended that SIGKILL (-9) NOT @@ -143,11 +143,11 @@ smbd is in a state of waiting for an incoming SMB before issuing them. It is possible to make the signal handlers safe by un-blocking the signals before the select call and re-blocking - them after, however this would affect performance.

    SEE ALSO

    hosts_access(5), inetd(8), nmbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the + them after, however this would affect performance.

    SEE ALSO

    hosts_access(5), inetd(8), nmbd(8), smb.conf(5), smbclient(1), testparm(1), testprns(1), and the Internet RFC's rfc1001.txt, rfc1002.txt. In addition the CIFS (formerly SMB) specification is available as a link from the Web page - http://samba.org/cifs/.

    AUTHOR

    The original Samba software and related utilities + http://samba.org/cifs/.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbget.1.html samba-3.0.21/docs/htmldocs/manpages/smbget.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbget.1.html 2005-08-19 12:56:33.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbget.1.html 2005-12-19 10:17:13.000000000 -0600 @@ -1,14 +1,14 @@ -smbget

    Name

    smbget — wget-like utility for download files over SMB

    Synopsis

    smbget [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line. +smbget

    Name

    smbget — wget-like utility for download files over SMB

    Synopsis

    smbget [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.

    The files should be in the smb-URL standard, e.g. use smb://host/share/file for the UNC path \\\\HOST\\SHARE\\file. -

    OPTIONS

    -a, --guest

    Work as user guest

    -r, --resume

    Automatically resume aborted files

    -R, --recursive

    Recursively download files

    -u, --username=STRING

    Username to use

    -p, --password=STRING

    Password to use

    -w, --workgroup=STRING

    Workgroup to use (optional)

    -n, --nonprompt

    Don't ask anything (non-interactive)

    -d, --debuglevel=INT

    Debuglevel to use

    -D, --dots

    Show dots as progress indication

    -P, --keep-permissions

    Set same permissions on local file as are set on remote file.

    -o, --outputfile

    Write the file that is being download to the specified file. Can not be used together with -R.

    -f, --rcfile

    Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile.

    -q, --quiet

    Be quiet

    -v, --verbose

    Be verbose

    -b, --blocksize

    Number of bytes to download in a block. Defaults to 64000.

    -?, --help

    Show help message

    --usage

    Display brief usage message

    SMB URLS

    SMB URL's should be specified in the following format:

    +

    OPTIONS

    -a, --guest

    Work as user guest

    -r, --resume

    Automatically resume aborted files

    -R, --recursive

    Recursively download files

    -u, --username=STRING

    Username to use

    -p, --password=STRING

    Password to use

    -w, --workgroup=STRING

    Workgroup to use (optional)

    -n, --nonprompt

    Don't ask anything (non-interactive)

    -d, --debuglevel=INT

    Debuglevel to use

    -D, --dots

    Show dots as progress indication

    -P, --keep-permissions

    Set same permissions on local file as are set on remote file.

    -o, --outputfile

    Write the file that is being download to the specified file. Can not be used together with -R.

    -f, --rcfile

    Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile.

    -q, --quiet

    Be quiet

    -v, --verbose

    Be verbose

    -b, --blocksize

    Number of bytes to download in a block. Defaults to 64000.

    -?, --help

    Show help message

    --usage

    Display brief usage message

    SMB URLS

    SMB URL's should be specified in the following format:

     smb://[[[domain;]user[:password@]]server[/share[/path[/file]]]]
 
     smb:// means all the workgroups
 
     smb://name/ means, if name is a workgroup, all the servers in this workgroup, or if name is a server, all the shares on this server.
-

    EXAMPLES

    +

    EXAMPLES

     # Recursively download 'src' directory
 smbget -R smb://rhonwyn/jelmer/src
 # Download FreeBSD ISO and enable resuming
@@ -17,10 +17,10 @@
 smbget -Rr smb://rhonwyn/isos
 # Backup my data on rhonwyn
 smbget -Rr smb://rhonwyn/
-

    BUGS

    Permission denied is returned in some cases where the cause of the error is unknown +

    BUGS

    Permission denied is returned in some cases where the cause of the error is unknown (such as an illegally formatted smb:// url or trying to get a directory without -R -turned on).

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    AUTHOR

    The original Samba software and related utilities +turned on).

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The smbget manpage was written by Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbgetrc.5.html samba-3.0.21/docs/htmldocs/manpages/smbgetrc.5.html --- samba-3.0.20b/docs/htmldocs/manpages/smbgetrc.5.html 2005-08-19 12:56:36.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbgetrc.5.html 2005-12-19 10:17:15.000000000 -0600 @@ -1,17 +1,17 @@ -smbgetrc

    Name

    smbgetrc — configuration file for smbget

    Synopsis

    smbgetrc

    DESCRIPTION

    +smbgetrc

    Name

    smbgetrc — configuration file for smbget

    Synopsis

    smbgetrc

    DESCRIPTION

    This manual page documents the format and options of the smbgetrc file. This is the configuration file used by the smbget(1) utility. The file contains of key-value pairs, one pair on each line. The key and value should be separated by a space.

    By default, smbget reads its configuration from $HOME/.smbgetrc, though - other locations can be specified using the command-line options.

    OPTIONS

    + other locations can be specified using the command-line options.

    OPTIONS

    The following keys can be set:

    resume on|off

    Whether aborted downloads should be automatically resumed.

    recursive on|off

    Whether directories should be downloaded recursively

    username name

    Username to use when logging in to the remote server. Use an empty string for anonymous access. -

    password pass

    Password to use when logging in.

    workgroup wg

    Workgroup to use when logging in

    nonprompt on|off

    Turns off asking for username and password. Useful for scripts.

    debuglevel int

    (Samba) debuglevel to run at. Useful for tracking down protocol level problems.

    dots on|off

    Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator.

    blocksize int

    Number of bytes to put in a block.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smbget(1) and Samba(7). -

    AUTHOR

    The original Samba software and related utilities +

    password pass

    Password to use when logging in.

    workgroup wg

    Workgroup to use when logging in

    nonprompt on|off

    Turns off asking for username and password. Useful for scripts.

    debuglevel int

    (Samba) debuglevel to run at. Useful for tracking down protocol level problems.

    dots on|off

    Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator.

    blocksize int

    Number of bytes to put in a block.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smbget(1) and Samba(7). +

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    This manual page was written by Jelmer Vernooij

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbmnt.8.html samba-3.0.21/docs/htmldocs/manpages/smbmnt.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbmnt.8.html 2005-08-19 12:56:40.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbmnt.8.html 2005-12-19 10:17:17.000000000 -0600 @@ -1,10 +1,10 @@ -smbmnt

    Name

    smbmnt — helper utility for mounting SMB filesystems

    Synopsis

    smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]

    DESCRIPTION

    smbmnt is a helper application used +smbmnt

    Name

    smbmnt — helper utility for mounting SMB filesystems

    Synopsis

    smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]

    DESCRIPTION

    smbmnt is a helper application used by the smbmount program to do the actual mounting of SMB shares. smbmnt can be installed setuid root if you want normal users to be able to mount their SMB shares.

    A setuid smbmnt will only allow mounts on directories owned by the user, and that the user has write permission on.

    The smbmnt program is normally invoked by smbmount(8). It should not be invoked directly by users.

    smbmount searches the normal PATH for smbmnt. You must ensure - that the smbmnt version in your path matches the smbmount used.

    OPTIONS

    -r

    mount the filesystem read-only + that the smbmnt version in your path matches the smbmount used.

    OPTIONS

    -r

    mount the filesystem read-only

    -u uid

    specify the uid that the files will be owned by

    -g gid

    specify the gid that the files will be owned by

    -f mask

    specify the octal file mask applied @@ -13,7 +13,7 @@ list of options that are passed as-is to smbfs, if this command is run on a 2.4 or higher Linux kernel.

    -h|--help

    Print a summary of command line options. -

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield +

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield and others.

    The current maintainer of smbfs and the userspace tools smbmount, smbumount, and smbmnt is Urban Widmark. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbmount.8.html samba-3.0.21/docs/htmldocs/manpages/smbmount.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbmount.8.html 2005-08-19 12:56:45.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbmount.8.html 2005-12-19 10:17:19.000000000 -0600 @@ -1,4 +1,4 @@ -smbmount

    Name

    smbmount — mount an smbfs filesystem

    Synopsis

    smbmount {service} {mount-point} [-o options]

    DESCRIPTION

    smbmount mounts a Linux SMB filesystem. It +smbmount

    Name

    smbmount — mount an smbfs filesystem

    Synopsis

    smbmount {service} {mount-point} [-o options]

    DESCRIPTION

    smbmount mounts a Linux SMB filesystem. It is usually invoked as mount.smbfs by the mount(8) command when using the "-t smbfs" option. This command only works in Linux, and the kernel must @@ -13,22 +13,18 @@ smbmount process may also be called mount.smbfs.

    Note

    smbmount calls smbmnt(8) to do the actual mount. You must make sure that smbmnt is in the path so - that it can be found.

    OPTIONS

    username=<arg>

    specifies the username to connect as. If - this is not given, then the environment variable - USER is used. This option can also take the - form "user%password" or "user/workgroup" or - "user/workgroup%password" to allow the password and workgroup - to be specified as part of the username.

    password=<arg>

    specifies the SMB password. If this - option is not given then the environment variable - PASSWD is used. If it can find - no password smbmount will prompt - for a passeword, unless the guest option is - given.

    - Note that passwords which contain the argument delimiter - character (i.e. a comma ',') will failed to be parsed correctly - on the command line. However, the same password defined - in the PASSWD environment variable or a credentials file (see - below) will be read correctly. + that it can be found.

    OPTIONS

    username=<arg>

    + specifies the username to connect as. If this is not given, then the environment variable USER + is used. This option can also take the form "user%password" or "user/workgroup" or "user/workgroup%password" + to allow the password and workgroup to be specified as part of the username. +

    password=<arg>

    + specifies the SMB password. If this option is not given then the environment + variable PASSWD is used. If it can find no password + smbmount will prompt for a passeword, unless the guest option is given. +

    + Note that passwords which contain the argument delimiter character (i.e. a comma ',') will failed to be parsed + correctly on the command line. However, the same password defined in the PASSWD environment variable or a + credentials file (see below) will be read correctly.

    credentials=<filename>

    specifies a file that contains a username and/or password. The format of the file is: 

    @@ -75,7 +71,7 @@
 		like 10000ms (10 seconds) is probably more reasonable
 		in many cases.
 		(Note: only kernel 2.4.2 or later)
-

    ENVIRONMENT VARIABLES

    The variable USER may contain the username of the +

    ENVIRONMENT VARIABLES

    The variable USER may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords. The variable can be used to set both username and @@ -84,7 +80,11 @@ protocol level is high enough to support session-level passwords.

    The variable PASSWD_FILE may contain the pathname of a file to read the password from. A single line of input is - read and used as the password.

    BUGS

    Passwords and other options containing , can not be handled. + read and used as the password.

    OTHER COMMANDS

    + File systems that have been mounted using the smbmount + can be unmounted using the smbumount or the UNIX system + umount command. +

    BUGS

    Passwords and other options containing , can not be handled. For passwords an alternative way of passing them is in a credentials file or in the PASSWD environment.

    The credentials file does not handle usernames or passwords with leading space.

    One smbfs bug is important enough to mention here, even if it @@ -95,9 +95,9 @@ trigger this bug are known.

    Note that the typical response to a bug report is suggestion to try the latest version first. So please try doing that first, and always include which versions you use of relevant software - when reporting bugs (minimum: samba, kernel, distribution)

    SEE ALSO

    Documentation/filesystems/smbfs.txt in the linux kernel + when reporting bugs (minimum: samba, kernel, distribution)

    SEE ALSO

    Documentation/filesystems/smbfs.txt in the linux kernel source tree may contain additional options and information.

    FreeBSD also has a smbfs, but it is not related to smbmount

    For Solaris, HP-UX and others you may want to look at smbsh(1) or at other solutions, such as - Sharity or perhaps replacing the SMB server with a NFS server.

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield + Sharity or perhaps replacing the SMB server with a NFS server.

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield and others.

    The current maintainer of smbfs and the userspace tools smbmount, smbumount, and smbmnt is Urban Widmark. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbpasswd.5.html samba-3.0.21/docs/htmldocs/manpages/smbpasswd.5.html --- samba-3.0.20b/docs/htmldocs/manpages/smbpasswd.5.html 2005-08-19 12:56:49.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbpasswd.5.html 2005-12-19 10:17:22.000000000 -0600 @@ -1,8 +1,8 @@ -smbpasswd

    Name

    smbpasswd — The Samba encrypted password file

    Synopsis

    smbpasswd

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbpasswd is the Samba encrypted password file. It contains +smbpasswd

    Name

    smbpasswd — The Samba encrypted password file

    Synopsis

    smbpasswd

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with - Samba and has had several different formats in the past.

    FILE FORMAT

    The format of the smbpasswd file used by Samba 2.2 + Samba and has had several different formats in the past.

    FILE FORMAT

    The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field ithin each line is separated from the next by a colon. Any entry @@ -54,31 +54,32 @@ traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.

    Account Flags

    This section contains flags that describe - the attributes of the users account. In the Samba 2.2 release - this field is bracketed by '[' and ']' characters and is always - 13 characters in length (including the '[' and ']' characters). + the attributes of the users account. This field is bracketed by + '[' and ']' characters and is always 13 characters in length + (including the '[' and ']' characters). The contents of this field may be any of the following characters:

    • U - This means - this is a "User" account, i.e. an ordinary user. Only User - and Workstation Trust accounts are currently supported - in the smbpasswd file.

    • N - This means the + this is a "User" account, i.e. an ordinary user.

    • N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in the smb.conf(5) config file.

    • D - This means the account - is disabled and no SMB/CIFS logins will be allowed for this user.

    • W - This means this account + is disabled and no SMB/CIFS logins will be allowed for this user.

    • X - This means the password + does not expire.

    • W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.

    Other flags may be added as the code is extended in future. - The rest of this field space is filled in with spaces.

    Last Change Time

    This field consists of the time the account was + The rest of this field space is filled in with spaces. For further + information regarding the flags that are supported please refer to the + man page for the pdbedit command.

    Last Change Time

    This field consists of the time the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made. -

    All other colon separated fields are ignored at this time.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smbpasswd(8), Samba(7), and +

    All other colon separated fields are ignored at this time.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4 algorithm. -

    AUTHOR

    The original Samba software and related utilities +

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbpasswd.8.html samba-3.0.21/docs/htmldocs/manpages/smbpasswd.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbpasswd.8.html 2005-08-19 12:56:53.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbpasswd.8.html 2005-12-19 10:17:24.000000000 -0600 @@ -1,4 +1,4 @@ -smbpasswd

    Name

    smbpasswd — change a user's SMB password

    Synopsis

    smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbpasswd program has several different +smbpasswd

    Name

    smbpasswd — change a user's SMB password

    Synopsis

    smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The smbpasswd program has several different functions, depending on whether it is run by the root user or not. When run as a normal user it allows the user to change the password used for their SMB sessions on any machines that store @@ -25,7 +25,7 @@ the attributes of the user in this file to be made. When run by root, smbpasswd accesses the local smbpasswd file directly, thus enabling changes to be made even if smbd is not - running.

    OPTIONS

    -a

    This option specifies that the username + running.

    OPTIONS

    -a

    This option specifies that the username following should be added to the local smbpasswd file, with the new password typed (type <Enter> for the old password). This option is ignored if the username following already exists in @@ -126,7 +126,7 @@ is to aid people writing scripts to drive smbpasswd

    -w password

    This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the - ldap admin dn. Note that the password is stored in + ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be @@ -139,7 +139,7 @@ root only options to operate on. Only root can specify this parameter as only root has the permission needed to modify attributes directly in the local smbpasswd file. -

    NOTES

    Since smbpasswd works in client-server +

    NOTES

    Since smbpasswd works in client-server mode communicating with a local smbd for a non-root user then the smbd daemon must be running for this to work. A common problem is to add a restriction to the hosts that may access the @@ -147,7 +147,7 @@ hosts or deny hosts entry in the smb.conf(5) file and neglecting to allow "localhost" access to the smbd.

    In addition, the smbpasswd command is only useful if Samba - has been set up to use encrypted passwords.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    smbpasswd(5), Samba(7).

    AUTHOR

    The original Samba software and related utilities + has been set up to use encrypted passwords.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    smbpasswd(5), Samba(7).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbsh.1.html samba-3.0.21/docs/htmldocs/manpages/smbsh.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbsh.1.html 2005-08-19 12:56:56.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbsh.1.html 2005-12-19 10:17:26.000000000 -0600 @@ -1,9 +1,9 @@ smbsh

    Name

    smbsh — Allows access to remote SMB shares - using UNIX commands

    Synopsis

    smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbsh allows you to access an NT filesystem + using UNIX commands

    Synopsis

    smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbsh allows you to access an NT filesystem using UNIX commands such as ls, egrep, and rcp. You must use a shell that is dynamically linked in order for smbsh - to work correctly.

    OPTIONS

    -W WORKGROUP

    Override the default workgroup specified in the + to work correctly.

    OPTIONS

    -W WORKGROUP

    Override the default workgroup specified in the workgroup parameter of the smb.conf(5) file for this session. This may be needed to connect to some servers.

    -U username[%pass]

    Sets the SMB username or username and password. @@ -21,7 +21,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -33,7 +33,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -R <name resolve order>

    This option is used to determine what naming services and in what order to resolve host names to IP addresses. The option takes a space-separated @@ -66,13 +66,13 @@ being on a locally connected subnet.

    If this parameter is not set then the name resolve order defined in the smb.conf file parameter -() will be used. +() will be used.

    The default order is lmhosts, host, wins, bcast. Without -this parameter or any entry in the parameter of the smb.conf file, the name +this parameter or any entry in the parameter of the smb.conf file, the name resolution methods will be attempted in this order.

    -L libdir

    This parameter specifies the location of the shared libraries used by smbsh. The default value is specified at compile time. -

    EXAMPLES

    To use the smbsh command, execute +

    EXAMPLES

    To use the smbsh command, execute smbsh from the prompt and enter the username and password that authenticates you to the machine running the Windows NT operating system. @@ -89,14 +89,14 @@ ls /smb/MYGROUP/<machine-name> will show the share names for that machine. You could then, for example, use the cd command to change directories, vi to - edit files, and rcp to copy files.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    BUGS

    smbsh works by intercepting the standard + edit files, and rcp to copy files.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    BUGS

    smbsh works by intercepting the standard libc calls with the dynamically loaded versions in smbwrapper.o. Not all calls have been "wrapped", so some programs may not function correctly under smbsh .

    Programs which are not dynamically linked cannot make use of smbsh's functionality. Most versions of UNIX have a file command that will - describe how a program was linked.

    SEE ALSO

    smbd(8), smb.conf(5)

    AUTHOR

    The original Samba software and related utilities + describe how a program was linked.

    SEE ALSO

    smbd(8), smb.conf(5)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbspool.8.html samba-3.0.21/docs/htmldocs/manpages/smbspool.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbspool.8.html 2005-08-19 12:57:00.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbspool.8.html 2005-12-19 10:17:28.000000000 -0600 @@ -1,4 +1,4 @@ -smbspool

    Name

    smbspool — send a print file to an SMB printer

    Synopsis

    smbspool {job} {user} {title} {copies} {options} [filename]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbspool is a very small print spooling program that +smbspool

    Name

    smbspool — send a print file to an SMB printer

    Synopsis

    smbspool {job} {user} {title} {copies} {options} [filename]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbspool is a very small print spooling program that sends a print file to an SMB printer. The command-line arguments are position-dependent for compatibility with the Common UNIX Printing System, but you can use smbspool with any printing system @@ -10,7 +10,7 @@ or argv[1] if that is not the case.

    Programs using the exec(2) functions can pass the URI in argv[0], while shell scripts must set the DEVICE_URI environment variable prior to - running smbspool.

    OPTIONS

    • The job argument (argv[1]) contains the + running smbspool.

    OPTIONS

    • The job argument (argv[1]) contains the job ID number and is presently not used by smbspool.

    • The user argument (argv[2]) contains the print user's name and is presently not used by smbspool. @@ -23,7 +23,7 @@ the print options in a single string and is currently not used by smbspool.

    • The filename argument (argv[6]) contains the name of the file to print. If this argument is not specified - then the print file is read from the standard input.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    smbd(8) and samba(7).

    AUTHOR

    smbspool was written by Michael Sweet + then the print file is read from the standard input.

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    smbd(8) and samba(7).

    AUTHOR

    smbspool was written by Michael Sweet at Easy Software Products.

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbstatus.1.html samba-3.0.21/docs/htmldocs/manpages/smbstatus.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbstatus.1.html 2005-08-19 12:57:05.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbstatus.1.html 2005-12-19 10:17:31.000000000 -0600 @@ -1,5 +1,5 @@ -smbstatus

    Name

    smbstatus — report on current Samba connections

    Synopsis

    smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbstatus is a very simple program to - list the current Samba connections.

    OPTIONS

    -P|--profile

    If samba has been compiled with the +smbstatus

    Name

    smbstatus — report on current Samba connections

    Synopsis

    smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbstatus is a very simple program to + list the current Samba connections.

    OPTIONS

    -P|--profile

    If samba has been compiled with the profiling option, print only the contents of the profiling shared memory area.

    -b|--brief

    gives brief output.

    -V

    Prints the program version number.

    -s <configuration file>

    The file specified contains the @@ -9,7 +9,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -21,15 +21,15 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

    -v|--verbose

    gives verbose output.

    -L|--locks

    causes smbstatus to only list locks.

    -B|--byterange

    causes smbstatus to include byte range locks.

    -p|--processes

    print a list of smbd(8) processes and exit. Useful for scripting.

    -S|--shares

    causes smbstatus to only list shares.

    -h|--help

    Print a summary of command line options. -

    -u|--user=<username>

    selects information relevant to username only.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smbd(8) and smb.conf(5).

    AUTHOR

    The original Samba software and related utilities +

    -u|--user=<username>

    selects information relevant to username only.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smbd(8) and smb.conf(5).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbtar.1.html samba-3.0.21/docs/htmldocs/manpages/smbtar.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbtar.1.html 2005-08-19 12:57:09.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbtar.1.html 2005-12-19 10:17:33.000000000 -0600 @@ -1,6 +1,6 @@ smbtar

    Name

    smbtar — shell script for backing up SMB/CIFS shares - directly to UNIX tape drives

    Synopsis

    smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbtar is a very small shell script on top - of smbclient(1) which dumps SMB shares directly to tape.

    OPTIONS

    -s server

    The SMB/CIFS server that the share resides + directly to UNIX tape drives

    Synopsis

    smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbtar is a very small shell script on top + of smbclient(1) which dumps SMB shares directly to tape.

    OPTIONS

    -s server

    The SMB/CIFS server that the share resides upon.

    -x service

    The share name on the server to connect to. The default is "backup".

    -X

    Exclude mode. Exclude filenames... from tar create or restore.

    -d directory

    Change to initial directory @@ -17,14 +17,14 @@ up if they have the archive bit set. The archive bit is reset after each file is read.

    -r

    Restore. Files are restored to the share from the tar file.

    -l log level

    Log (debug) level. Corresponds to the - -d flag of smbclient(1).

    ENVIRONMENT VARIABLES

    The $TAPE variable specifies the + -d flag of smbclient(1).

    ENVIRONMENT VARIABLES

    The $TAPE variable specifies the default tape device to write to. May be overridden - with the -t option.

    BUGS

    The smbtar script has different - options from ordinary tar and from smbclient's tar command.

    CAVEATS

    Sites that are more careful about security may not like + with the -t option.

    BUGS

    The smbtar script has different + options from ordinary tar and from smbclient's tar command.

    CAVEATS

    Sites that are more careful about security may not like the way the script handles PC passwords. Backup and restore work on entire shares; should work on file lists. smbtar works best - with GNU tar and may not work well with other versions.

    DIAGNOSTICS

    See the DIAGNOSTICS section for the smbclient(1) command.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smbd(8), smbclient(1), smb.conf(5).

    AUTHOR

    The original Samba software and related utilities + with GNU tar and may not work well with other versions.

    DIAGNOSTICS

    See the DIAGNOSTICS section for the smbclient(1) command.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smbd(8), smbclient(1), smb.conf(5).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    Ricky Poulten diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbtree.1.html samba-3.0.21/docs/htmldocs/manpages/smbtree.1.html --- samba-3.0.20b/docs/htmldocs/manpages/smbtree.1.html 2005-08-19 12:57:14.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbtree.1.html 2005-12-19 10:17:36.000000000 -0600 @@ -1,10 +1,10 @@ smbtree

    Name

    smbtree — A text based smb network browser -

    Synopsis

    smbtree [-b] [-D] [-S]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbtree is a smb browser program +

    Synopsis

    smbtree [-b] [-D] [-S]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    smbtree is a smb browser program in text mode. It is similar to the "Network Neighborhood" found on Windows computers. It prints a tree with all the known domains, the servers in those domains and the shares on the servers. -

    OPTIONS

    -b

    Query network nodes by sending requests +

    OPTIONS

    -b

    Query network nodes by sending requests as broadcasts instead of querying the local master browser.

    -D

    Only print a list of all the domains known on broadcast or by the @@ -19,7 +19,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -31,7 +31,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -65,8 +65,8 @@ via the ps command. To be safe always allow rpcclient to prompt for a password and type it in directly.

    -h|--help

    Print a summary of command line options. -

    VERSION

    This man page is correct for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities +

    VERSION

    This man page is correct for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The smbtree man page was written by Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/smbumount.8.html samba-3.0.21/docs/htmldocs/manpages/smbumount.8.html --- samba-3.0.20b/docs/htmldocs/manpages/smbumount.8.html 2005-08-19 12:57:18.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/smbumount.8.html 2005-12-19 10:17:38.000000000 -0600 @@ -1,11 +1,10 @@ -smbumount

    Name

    smbumount — smbfs umount for normal users

    Synopsis

    smbumount {mount-point}

    DESCRIPTION

    With this program, normal users can unmount smb-filesystems, +smbumount

    Name

    smbumount — smbfs umount for normal users

    Synopsis

    smbumount {mount-point}

    DESCRIPTION

    With this program, normal users can unmount smb-filesystems, provided that it is suid root. smbumount has been written to give normal Linux users more control over their resources. It is safe to install this program suid root, because only the user who has mounted a filesystem is allowed to unmount it again. For root it is not necessary to use smbumount. The normal umount - program works perfectly well, but it would certainly be problematic - to make umount setuid root.

    OPTIONS

    mount-point

    The directory to unmount.

    SEE ALSO

    smbmount(8)

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield + program works perfectly well.

    OPTIONS

    mount-point

    The directory to unmount.

    SEE ALSO

    smbmount(8)

    AUTHOR

    Volker Lendecke, Andrew Tridgell, Michael H. Warfield and others.

    The current maintainer of smbfs and the userspace tools smbmount, smbumount, and smbmnt is Urban Widmark. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/swat.8.html samba-3.0.21/docs/htmldocs/manpages/swat.8.html --- samba-3.0.20b/docs/htmldocs/manpages/swat.8.html 2005-08-19 12:57:22.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/swat.8.html 2005-12-19 10:17:41.000000000 -0600 @@ -1,8 +1,8 @@ -swat

    Name

    swat — Samba Web Administration Tool

    Synopsis

    swat [-s <smb config file>] [-a] [-P]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    swat allows a Samba administrator to +swat

    Name

    swat — Samba Web Administration Tool

    Synopsis

    swat [-s <smb config file>] [-a] [-P]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    swat allows a Samba administrator to configure the complex smb.conf(5) file via a Web browser. In addition, a swat configuration page has help links to all the configurable options in the smb.conf file allowing an - administrator to easily look up the effects of any change.

    swat is run from inetd

    OPTIONS

    -s smb configuration file

    The default configuration file path is + administrator to easily look up the effects of any change.

    swat is run from inetd

    OPTIONS

    -s smb configuration file

    The default configuration file path is determined at compile time. The file specified contains the configuration details required by the smbd(8) server. This is the file that swat will modify. @@ -24,7 +24,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -36,19 +36,19 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

    -h|--help

    Print a summary of command line options. -

    INSTALLATION

    Swat is included as binary package with most distributions. The +

    INSTALLATION

    Swat is included as binary package with most distributions. The package manager in this case takes care of the installation and configuration. This section is only for those who have compiled swat from scratch.

    After you compile SWAT you need to run make install to install the swat binary and the various help files and images. A default install would put - these in:

    • /usr/local/samba/sbin/swat

    • /usr/local/samba/swat/images/*

    • /usr/local/samba/swat/help/*

    Inetd Installation

    You need to edit your /etc/inetd.conf + these in:

    • /usr/local/samba/sbin/swat

    • /usr/local/samba/swat/images/*

    • /usr/local/samba/swat/help/*

    Inetd Installation

    You need to edit your /etc/inetd.conf and /etc/services to enable SWAT to be launched via inetd.

    In /etc/services you need to add a line like this:

    swat 901/tcp

    Note for NIS/YP and LDAP users - you may need to rebuild the @@ -62,21 +62,21 @@ /usr/local/samba/sbin/swat swat

    Once you have edited /etc/services and /etc/inetd.conf you need to send a HUP signal to inetd. To do this use kill -1 PID - where PID is the process ID of the inetd daemon.

    LAUNCHING

    To launch SWAT just run your favorite web browser and + where PID is the process ID of the inetd daemon.

    LAUNCHING

    To launch SWAT just run your favorite web browser and point it at "http://localhost:901/".

    Note that you can attach to SWAT from any IP connected machine but connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent - in the clear over the wire.

    FILES

    /etc/inetd.conf

    This file must contain suitable startup + in the clear over the wire.

    FILES

    /etc/inetd.conf

    This file must contain suitable startup information for the meta-daemon.

    /etc/services

    This file must contain a mapping of service name (e.g., swat) to service port (e.g., 901) and protocol type (e.g., tcp).

    /usr/local/samba/lib/smb.conf

    This is the default location of the smb.conf(5) server configuration file that swat edits. Other common places that systems install this file are /usr/samba/lib/smb.conf and /etc/smb.conf . This file describes all the services the server - is to make available to clients.

    WARNINGS

    swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all + is to make available to clients.

    WARNINGS

    swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all comments, include= and copy= options. If you have a carefully crafted - smb.conf then back it up or don't use swat!

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    inetd(5), smbd(8), smb.conf(5)

    AUTHOR

    The original Samba software and related utilities + smb.conf then back it up or don't use swat!

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    SEE ALSO

    inetd(5), smbd(8), smb.conf(5)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/tdbbackup.8.html samba-3.0.21/docs/htmldocs/manpages/tdbbackup.8.html --- samba-3.0.20b/docs/htmldocs/manpages/tdbbackup.8.html 2005-08-19 12:57:25.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/tdbbackup.8.html 2005-12-19 10:17:43.000000000 -0600 @@ -1,8 +1,8 @@ -tdbbackup

    Name

    tdbbackup — tool for backing up and for validating the integrity of samba .tdb files

    Synopsis

    tdbbackup [-s suffix] [-v] [-h]

    DESCRIPTION

    This tool is part of the samba(1) suite.

    tdbbackup is a tool that may be used to backup samba .tdb +tdbbackup

    Name

    tdbbackup — tool for backing up and for validating the integrity of samba .tdb files

    Synopsis

    tdbbackup [-s suffix] [-v] [-h]

    DESCRIPTION

    This tool is part of the samba(1) suite.

    tdbbackup is a tool that may be used to backup samba .tdb files. This tool may also be used to verify the integrity of the .tdb files prior to samba startup or during normal operation. If it finds file damage and it finds a prior backup the backup file will be restored. -

    OPTIONS

    -h

    +

    OPTIONS

    -h

    Get help information.

    -s suffix

    The -s option allows the adminisistrator to specify a file @@ -11,7 +11,7 @@

    -v

    The -v will check the database for damages (currupt data) which if detected causes the backup to be restored. -

    COMMANDS

    GENERAL INFORMATION

    +

    COMMANDS

    GENERAL INFORMATION

    The tdbbackup utility can safely be run at any time. It was designed so that it can be used at any time to validate the integrity of tdb files, even during Samba operation. Typical usage for the command will be: @@ -29,7 +29,7 @@

  • *.tdb located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories. -

    • VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    +

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/tdbdump.8.html samba-3.0.21/docs/htmldocs/manpages/tdbdump.8.html --- samba-3.0.20b/docs/htmldocs/manpages/tdbdump.8.html 2005-08-19 12:57:29.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/tdbdump.8.html 2005-12-19 10:17:46.000000000 -0600 @@ -1,9 +1,9 @@ -tdbdump

    Name

    tdbdump — tool for printing the contents of a TDB file

    Synopsis

    tdbdump {filename}

    DESCRIPTION

    This tool is part of the samba(1) suite.

    tdbdump is a very simple utility that 'dumps' the +tdbdump

    Name

    tdbdump — tool for printing the contents of a TDB file

    Synopsis

    tdbdump {filename}

    DESCRIPTION

    This tool is part of the samba(1) suite.

    tdbdump is a very simple utility that 'dumps' the contents of a TDB (Trivial DataBase) file to standard output in a human-readable format.

    This tool can be used when debugging problems with TDB files. It is intended for those who are somewhat familiar with Samba internals. -

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    +

    VERSION

    This man page is correct for version 3.0 of the Samba suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/testparm.1.html samba-3.0.21/docs/htmldocs/manpages/testparm.1.html --- samba-3.0.20b/docs/htmldocs/manpages/testparm.1.html 2005-08-19 12:57:33.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/testparm.1.html 2005-12-19 10:17:49.000000000 -0600 @@ -1,5 +1,5 @@ testparm

    Name

    testparm — check an smb.conf configuration file for - internal correctness

    Synopsis

    testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    testparm is a very simple test program + internal correctness

    Synopsis

    testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    testparm is a very simple test program to check an smbd(8) configuration file for internal correctness. If this program reports no problems, you can use the configuration file with confidence that smbd @@ -11,7 +11,7 @@ has access to each service.

    If testparm finds an error in the smb.conf file it returns an exit code of 1 to the calling program, else it returns an exit code of 0. This allows shell scripts - to test the output from testparm.

    OPTIONS

    -s

    Without this option, testparm + to test the output from testparm.

    OPTIONS

    -s

    Without this option, testparm will prompt for a carriage return after printing the service names and before dumping the service definitions.

    -h|--help

    Print a summary of command line options.

    -V

    Prints the program version number. @@ -32,14 +32,14 @@ this parameter is supplied, the hostIP parameter must also be supplied.

    hostIP

    This is the IP address of the host specified in the previous parameter. This address must be supplied - if the hostname parameter is supplied.

    FILES

    smb.conf(5)

    This is usually the name of the configuration + if the hostname parameter is supplied.

    FILES

    smb.conf(5)

    This is usually the name of the configuration file used by smbd(8). -

    DIAGNOSTICS

    The program will issue a message saying whether the +

    DIAGNOSTICS

    The program will issue a message saying whether the configuration file loaded OK or not. This message may be preceded by errors and warnings if the file did not load. If the file was loaded OK, the program then dumps all known service details - to stdout.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    smb.conf(5), smbd(8)

    AUTHOR

    The original Samba software and related utilities + to stdout.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    smb.conf(5), smbd(8)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/testprns.1.html samba-3.0.21/docs/htmldocs/manpages/testprns.1.html --- samba-3.0.20b/docs/htmldocs/manpages/testprns.1.html 2005-08-19 12:57:37.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/testprns.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,38 +0,0 @@ -testprns

    Name

    testprns — check printer name for validity with smbd

    Synopsis

    testprns {printername} [printcapname]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    testprns is a very simple test program - to determine whether a given printer name is valid for use in - a service to be provided by smbd(8).

    "Valid" in this context means "can be found in the - printcap specified". This program is very stupid - so stupid in - fact that it would be wisest to always specify the printcap file - to use.

    OPTIONS

    printername

    The printer name to validate.

    Printer names are taken from the first field in each - record in the printcap file, single printer names and sets - of aliases separated by vertical bars ("|") are recognized. - Note that no validation or checking of the printcap syntax is - done beyond that required to extract the printer name. It may - be that the print spooling system is more forgiving or less - forgiving than testprns. However, if - testprns finds the printer then smbd(8) should do so as well.

    printcapname

    This is the name of the printcap file within - which to search for the given printer name.

    If no printcap name is specified testprns - will attempt to scan the printcap file name - specified at compile time.

    FILES

    /etc/printcap

    This is usually the default printcap - file to scan. See printcap (5). -

    DIAGNOSTICS

    If a printer is found to be valid, the message - "Printer name <printername> is valid" will be - displayed.

    If a printer is found to be invalid, the message - "Printer name <printername> is not valid" will be - displayed.

    All messages that would normally be logged during - operation of the Samba daemons are logged by this program to the - file test.log in the current directory. The - program runs at debuglevel 3, so quite extensive logging - information is written. The log should be checked carefully - for errors and warnings.

    Other messages are self-explanatory.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    printcap(5), - smbd(8), smbclient(1)

    AUTHOR

    The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/umount.cifs.8.html samba-3.0.21/docs/htmldocs/manpages/umount.cifs.8.html --- samba-3.0.20b/docs/htmldocs/manpages/umount.cifs.8.html 2005-08-19 12:57:41.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/umount.cifs.8.html 2005-12-19 10:17:51.000000000 -0600 @@ -1,4 +1,4 @@ -umount.cifs

    Name

    umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts

    Synopsis

    umount.cifs {mount-point} [-nVvhfle]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    umount.cifs unmounts a Linux CIFS filesystem. It can be invoked +umount.cifs

    Name

    umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts

    Synopsis

    umount.cifs {mount-point} [-nVvhfle]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    umount.cifs unmounts a Linux CIFS filesystem. It can be invoked indirectly by the umount(8) command when umount.cifs is in /sbin directory, unless you specify the "-i" option to umount. Specifying -i to umount avoids execution of umount helpers such as umount.cifs. The umount.cifs command only works in Linux, and the kernel must @@ -11,24 +11,24 @@ It is possible to set the mode for umount.cifs to setuid root (or equivalently update the /etc/permissions file) to allow non-root users to umount shares to directories for which they have write permission. The umount.cifs utility is typically not needed if unmounts need only be performed by root users, or if user mounts and unmounts -can rely on specifying explicit entries in /etc/fstab See

    fstab(5)

    OPTIONS

    --verbose

    print additional debugging information

    --no-mtab

    Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information)

    NOTES

    This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab

    CONFIGURATION

    +can rely on specifying explicit entries in /etc/fstab See

    fstab(5)

    OPTIONS

    --verbose

    print additional debugging information

    --no-mtab

    Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information)

    NOTES

    This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab

    CONFIGURATION

    The primary mechanism for making configuration changes and for reading debug information for the cifs vfs is via the Linux /proc filesystem. In the directory /proc/fs/cifs are various configuration files and pseudo files which can display debug information. For more information see the kernel file fs/cifs/README. -

    BUGS

    At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time). +

    BUGS

    At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time).

    If the same mount point is mounted multiple times by cifs, umount.cifs will remove all of the matching entries from the mount table (although umount.cifs will actually only unmount the last one), rather than only removing the last matching entry in /etc/mtab. The pseudofile /proc/mounts will display correct information though, and the lack of an entry in /etc/mtab does not prevent subsequent unmounts.

    Note that the typical response to a bug report is a suggestion to try the latest version first. So please try doing that first, and always include which versions you use of relevant software when reporting bugs (minimum: umount.cifs (try umount.cifs -V), kernel (see /proc/version) and server type you are trying to contact. -

    VERSION

    This man page is correct for version 1.34 of - the cifs vfs filesystem (roughly Linux kernel 2.6.12).

    SEE ALSO

    +

    VERSION

    This man page is correct for version 1.34 of + the cifs vfs filesystem (roughly Linux kernel 2.6.12).

    SEE ALSO

    Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel source tree may contain additional options and information. -

    mount.cifs(8)

    AUTHOR

    Steve French

    The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French

    The maintainer of the Linux cifs vfs and the userspace +

    mount.cifs(8)

    AUTHOR

    Steve French

    The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French

    The maintainer of the Linux cifs vfs and the userspace tool umount.cifs is Steve French. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/vfstest.1.html samba-3.0.21/docs/htmldocs/manpages/vfstest.1.html --- samba-3.0.20b/docs/htmldocs/manpages/vfstest.1.html 2005-08-19 12:57:45.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/vfstest.1.html 2005-12-19 10:17:53.000000000 -0600 @@ -1,8 +1,8 @@ -vfstest

    Name

    vfstest — tool for testing samba VFS modules

    Synopsis

    vfstest [-d debuglevel] [-c command] [-l logdir] [-h]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    vfstest is a small command line +vfstest

    Name

    vfstest — tool for testing samba VFS modules

    Synopsis

    vfstest [-d debuglevel] [-c command] [-l logdir] [-h]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    vfstest is a small command line utility that has the ability to test dso samba VFS modules. It gives the user the ability to call the various VFS functions manually and supports cascaded VFS modules. -

    OPTIONS

    -c|--command=command

    Execute the specified (colon-separated) commands. +

    OPTIONS

    -c|--command=command

    Execute the specified (colon-separated) commands. See below for the commands that are available.

    -h|--help

    Print a summary of command line options.

    -l|--logfile=logbasename

    File name for log/debug files. The extension @@ -16,7 +16,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -28,14 +28,14 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. -

    COMMANDS

    VFS COMMANDS

    • load <module.so> - Load specified VFS module

    • populate <char> <size> - Populate a data buffer with the specified data +

    COMMANDS

    VFS COMMANDS

    • load <module.so> - Load specified VFS module

    • populate <char> <size> - Populate a data buffer with the specified data

    • showdata [<offset> <len>] - Show data currently in data buffer -

    • connect - VFS connect()

    • disconnect - VFS disconnect()

    • disk_free - VFS disk_free()

    • opendir - VFS opendir()

    • readdir - VFS readdir()

    • mkdir - VFS mkdir()

    • rmdir - VFS rmdir()

    • closedir - VFS closedir()

    • open - VFS open()

    • close - VFS close()

    • read - VFS read()

    • write - VFS write()

    • lseek - VFS lseek()

    • rename - VFS rename()

    • fsync - VFS fsync()

    • stat - VFS stat()

    • fstat - VFS fstat()

    • lstat - VFS lstat()

    • unlink - VFS unlink()

    • chmod - VFS chmod()

    • fchmod - VFS fchmod()

    • chown - VFS chown()

    • fchown - VFS fchown()

    • chdir - VFS chdir()

    • getwd - VFS getwd()

    • utime - VFS utime()

    • ftruncate - VFS ftruncate()

    • lock - VFS lock()

    • symlink - VFS symlink()

    • readlink - VFS readlink()

    • link - VFS link()

    • mknod - VFS mknod()

    • realpath - VFS realpath()

    GENERAL COMMANDS

    • conf <smb.conf> - Load a different configuration file

    • help [<command>] - Get list of commands or info about specified command

    • debuglevel <level> - Set debug level

    • freemem - Free memory currently in use

    • exit - Exit vfstest

    VERSION

    This man page is correct for version 3.0 of the Samba - suite.

    AUTHOR

    The original Samba software and related utilities +

  • connect - VFS connect()

  • disconnect - VFS disconnect()

  • disk_free - VFS disk_free()

  • opendir - VFS opendir()

  • readdir - VFS readdir()

  • mkdir - VFS mkdir()

  • rmdir - VFS rmdir()

  • closedir - VFS closedir()

  • open - VFS open()

  • close - VFS close()

  • read - VFS read()

  • write - VFS write()

  • lseek - VFS lseek()

  • rename - VFS rename()

  • fsync - VFS fsync()

  • stat - VFS stat()

  • fstat - VFS fstat()

  • lstat - VFS lstat()

  • unlink - VFS unlink()

  • chmod - VFS chmod()

  • fchmod - VFS fchmod()

  • chown - VFS chown()

  • fchown - VFS fchown()

  • chdir - VFS chdir()

  • getwd - VFS getwd()

  • utime - VFS utime()

  • ftruncate - VFS ftruncate()

  • lock - VFS lock()

  • symlink - VFS symlink()

  • readlink - VFS readlink()

  • link - VFS link()

  • mknod - VFS mknod()

  • realpath - VFS realpath()

    • GENERAL COMMANDS

    • conf <smb.conf> - Load a different configuration file

    • help [<command>] - Get list of commands or info about specified command

    • debuglevel <level> - Set debug level

    • freemem - Free memory currently in use

    • exit - Exit vfstest

    VERSION

    This man page is correct for version 3.0 of the Samba + suite.

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    The vfstest man page was written by Jelmer Vernooij.

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/wbinfo.1.html samba-3.0.21/docs/htmldocs/manpages/wbinfo.1.html --- samba-3.0.20b/docs/htmldocs/manpages/wbinfo.1.html 2005-08-19 12:57:48.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/wbinfo.1.html 2005-12-19 10:17:55.000000000 -0600 @@ -1,7 +1,7 @@ -wbinfo

    Name

    wbinfo — Query information from winbind daemon

    Synopsis

    wbinfo [-a user%password] [-c username] [-C groupname] [--domain domain] [-I ip] [-s sid] [-u] [-U uid] [-g] [--get-auth-user] [-G gid] [-m] [-n name] [-N netbios-name] [-o user:group] [-O user:group] [-p] [-r user] [--set-auth-user user%password] [--sequence] [-S sid] [-t] [-x username] [-X groupname] [-Y sid]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The wbinfo program queries and returns information +wbinfo

    Name

    wbinfo — Query information from winbind daemon

    Synopsis

    wbinfo [-a user%password] [-c username] [-C groupname] [--domain domain] [-I ip] [-s sid] [-u] [-U uid] [-g] [--get-auth-user] [-G gid] [-m] [-n name] [-N netbios-name] [-o user:group] [-O user:group] [-p] [-r user] [--set-auth-user user%password] [--sequence] [-S sid] [-t] [-x username] [-X groupname] [-Y sid]

    DESCRIPTION

    This tool is part of the samba(7) suite.

    The wbinfo program queries and returns information created and used by the winbindd(8) daemon.

    The winbindd(8) daemon must be configured and running for the wbinfo program to be able - to return information.

    OPTIONS

    -a username%password

    Attempt to authenticate a user via winbindd. + to return information.

    OPTIONS

    -a username%password

    Attempt to authenticate a user via winbindd. This checks both authenticaion methods and reports its results.

    Note

    Do not be tempted to use this functionality for authentication in third-party @@ -74,10 +74,10 @@ does not correspond to a UNIX group mapped by winbindd(8) then the operation will fail.

    -V

    Prints the program version number.

    -h|--help

    Print a summary of command line options. -

    EXIT STATUS

    The wbinfo program returns 0 if the operation +

    EXIT STATUS

    The wbinfo program returns 0 if the operation succeeded, or 1 if the operation failed. If the winbindd(8) daemon is not working wbinfo will always return - failure.

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    winbindd(8) and ntlm_auth(1)

    AUTHOR

    The original Samba software and related utilities + failure.

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    winbindd(8) and ntlm_auth(1)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    wbinfo and winbindd diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/manpages/winbindd.8.html samba-3.0.21/docs/htmldocs/manpages/winbindd.8.html --- samba-3.0.20b/docs/htmldocs/manpages/winbindd.8.html 2005-08-19 12:57:51.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/manpages/winbindd.8.html 2005-12-19 10:17:57.000000000 -0600 @@ -1,13 +1,13 @@ winbindd

    Name

    winbindd — Name Service Switch daemon for resolving names - from NT servers

    Synopsis

    winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

    DESCRIPTION

    This program is part of the samba(7) suite.

    winbindd is a daemon that provides + from NT servers

    Synopsis

    winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

    DESCRIPTION

    This program is part of the samba(7) suite.

    winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitary applications via PAM and ntlm_auth and to Samba itself.

    Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers. In this configuraiton the - idmap uid and - idmap gid + idmap uid and + idmap gid parameters are not required. (This is known as `netlogon proxy only mode'.)

    The Name Service Switch allows user and system information to be obtained from different databases services such as NIS or DNS. The exact behaviour can be configured @@ -52,7 +52,7 @@ resolve hostnames from /etc/hosts and then from the WINS server.

     hosts:		files wins
-

    OPTIONS

    -F

    If specified, this parameter causes +

    OPTIONS

    -F

    If specified, this parameter causes the main winbindd process to not daemonize, i.e. double-fork and disassociate with the terminal. Child processes are still created as normal to service @@ -72,7 +72,7 @@ as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at -compile time.

    -d|--debug=debuglevel

    debuglevel is an integer +compile time.

    -d|--debuglevel=level

    level is an integer from 0 to 10. The default value if this parameter is not specified is zero.

    The higher this value, the more detail will be logged to the log files about the activities of the @@ -84,7 +84,7 @@ investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will -override the parameter +override the parameter in the smb.conf file.

    -l|--logfile=logdirectory

    Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. @@ -105,7 +105,7 @@ as a single process (the mode of operation in Samba 2.2). Winbindd's default behavior is to launch a child process that is responsible for updating expired cache entries. -

    NAME AND ID RESOLUTION

    Users and groups on a Windows NT server are assigned +

    NAME AND ID RESOLUTION

    Users and groups on a Windows NT server are assigned a security id (SID) which is globally unique when the user or group is created. To convert the Windows NT user or group into a unix user or group, a mapping between SIDs and unix user @@ -120,21 +120,21 @@ where the user and group mappings are stored by winbindd. If this file is deleted or corrupted, there is no way for winbindd to determine which user and group ids correspond to Windows NT user - and group rids.

    See the parameter in + and group rids.

    See the parameter in smb.conf for options for sharing this - database, such as via LDAP.

    CONFIGURATION

    Configuration of the winbindd daemon + database, such as via LDAP.

    CONFIGURATION

    Configuration of the winbindd daemon is done through configuration parameters in the smb.conf(5) file. All parameters should be specified in the [global] section of smb.conf.

    • - winbind separator

    • - idmap uid

    • - idmap gid

    • - idmap backend

    • - winbind cache time

    • - winbind enum users

    • - winbind enum groups

    • - template homedir

    • - template shell

    • - winbind use default domain

    EXAMPLE SETUP

    + winbind separator

  • + idmap uid

  • + idmap gid

  • + idmap backend

  • + winbind cache time

  • + winbind enum users

  • + winbind enum groups

  • + template homedir

  • + template shell

  • + winbind use default domain

    • EXAMPLE SETUP

    To setup winbindd for user and group lookups plus authentication from a domain controller use something like the following setup. This was tested on an early Red Hat Linux box. @@ -150,10 +150,13 @@ auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_pwdb.so \ +auth required /lib/security/pam_unix.so \ use_first_pass shadow nullok

    -

    Note in particular the use of the sufficient +

    Note

    + The PAM module pam_unix has recently replaced the module pam_pwdb. + Some Linux systems use the module pam_unix2 in place of pam_unix. +

    Note in particular the use of the sufficient keyword and the use_first_pass keyword.

    Now replace the account lines with this:

    account required /lib/security/pam_winbind.so

    The next step is to join the domain. To do that use the net program like this:

    net join -S PDC -U Administrator

    The username after the -U can be any @@ -182,15 +185,15 @@ and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username. You may wish to use the commands getent passwd and getent group - to confirm the correct operation of winbindd.

    NOTES

    The following notes are useful when configuring and + to confirm the correct operation of winbindd.

    NOTES

    The following notes are useful when configuring and running winbindd:

    nmbd(8) must be running on the local machine for winbindd to work.

    PAM is really easy to misconfigure. Make sure you know what you are doing when modifying PAM configuration files. It is possible to set up PAM such that you can no longer log into your system.

    If more than one UNIX machine is running winbindd, then in general the user and groups ids allocated by winbindd will not be the same. The user and group ids will only be valid for the local - machine, unless a shared is configured.

    If the the Windows NT SID to UNIX user and group id mapping - file is damaged or destroyed then the mappings will be lost.

    SIGNALS

    The following signals can be used to manipulate the + machine, unless a shared is configured.

    If the the Windows NT SID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

    SIGNALS

    The following signals can be used to manipulate the winbindd daemon.

    SIGHUP

    Reload the smb.conf(5) file and apply any parameter changes to the running version of winbindd. This signal also clears any cached @@ -198,7 +201,7 @@ by winbindd is also reloaded.

    SIGUSR2

    The SIGUSR2 signal will cause winbindd to write status information to the winbind log file.

    Log files are stored in the filename specified by the - log file parameter.

    FILES

    /etc/nsswitch.conf(5)

    Name service switch configuration file.

    /tmp/.winbindd/pipe

    The UNIX pipe over which clients communicate with + log file parameter.

    FILES

    /etc/nsswitch.conf(5)

    Name service switch configuration file.

    /tmp/.winbindd/pipe

    The UNIX pipe over which clients communicate with the winbindd program. For security reasons, the winbind client will only attempt to connect to the winbindd daemon if both the /tmp/.winbindd directory @@ -219,8 +222,8 @@ compiled using the --with-lockdir option. This directory is by default /usr/local/samba/var/locks .

    $LOCKDIR/winbindd_cache.tdb

    Storage for cached user and group information. -

    VERSION

    This man page is correct for version 3.0 of - the Samba suite.

    SEE ALSO

    nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5), pam_winbind(8)

    AUTHOR

    The original Samba software and related utilities +

    VERSION

    This man page is correct for version 3.0 of + the Samba suite.

    SEE ALSO

    nsswitch.conf(5), samba(7), wbinfo(1), ntlm_auth(8), smb.conf(5), pam_winbind(8)

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    wbinfo and winbindd were diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/2000users.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/2000users.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/2000users.html 2005-08-19 12:59:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/2000users.html 2005-12-19 10:19:17.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 6. A Distributed 2000-User Network

    Chapter 6. A Distributed 2000-User Network
    Prev Part I. Example Network Configurations Next

    Chapter 6. A Distributed 2000-User Network

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers

    +Chapter 6. A Distributed 2000-User Network

    Chapter 6. A Distributed 2000-User Network
    Prev Part I. Example Network Configurations Next

    Chapter 6. A Distributed 2000-User Network

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers

    There is something indeed mystical about things that are big. Large networks exhibit a certain magnetism and exude a sense of importance that obscures reality. You and I know that it is no more @@ -30,7 +30,7 @@ Samba are largely under control. So in this section you focus on the specifics of implementing LDAP changes, Samba changes, and approach and design of the solution and its deployment. -

    Introduction

    +

    Introduction

    Abmas is a miracle company. Most businesses would have collapsed under the weight of rapid expansion that this company has experienced. Samba is flexible, so there is no need to reinstall the whole operating @@ -39,19 +39,19 @@ and then do a near-live conversion. There is no need to reinstall a Samba server just to change the way your network should function.

    - + Network growth is common to all organizations. In this exercise, your preoccupation is with the mechanics of implementing Samba and LDAP so that network users on each network segment can work without impediment. -

    Assignment Tasks

    +

    Assignment Tasks

    Starting with the configuration files for the server called MASSIVE in ???, you now deal with the issues that are particular to large distributed networks. Your task is simple identify the challenges, consider the alternatives, and then design and implement a solution.

    - + Remember, you have users based in London (UK), Los Angeles, Washington. DC, and, three buildings in New York. A significant portion of your workforce have notebook computers and roam all over the @@ -72,18 +72,18 @@ You have outsourced all desktop deployment and management to DirectPointe. Your concern is server maintenance and third-level support. Build a plan and show what must be done. -

    Dissection and Discussion

    - - +

    Dissection and Discussion

    + + In ???, you implemented an LDAP server that provided the passdb backend for the Samba servers. You explored ways to accelerate Windows desktop profile handling and you took control of network performance.

    - - - - + + + + The implementation of an LDAP-based passdb backend (known as ldapsam in Samba parlance), or some form of database that can be distributed, is essential to permit the deployment of Samba @@ -96,8 +96,8 @@ support the range of account facilities demanded by modern network managers.

    - - + + The new tdbsam facility supports functionality that is similar to an ldapsam, but the lack of distributed infrastructure sorely limits the scope for its @@ -105,10 +105,10 @@ an XML-based backend, or for that matter, why not use an SQL-based backend? Is support for these tools broken? Answers to these questions require a bit of background.

    - - - - + + + + What is a directory? A directory is a collection of information regarding objects that can be accessed to rapidly find information that is relevant in a particular and @@ -116,19 +116,19 @@ generally more often searched (read) than updated. As a consequence, the information is organized to facilitate read access rather than to support transaction processing.

    - - - - + + + + The Lightweight Directory Access Protocol (LDAP) differs considerably from a traditional database. It has a simple search facility that uniquely makes a highly preferred mechanism for managing user identities. LDAP provides a scalable mechanism for distributing the data repository and for keeping all copies (slaves) in sync with the master repository.

    - - - + + + Samba is a flexible and powerful file and print sharing technology. It can use many external authentication sources and can be part of a total authentication and identity management @@ -136,7 +136,7 @@ are Microsoft Active Directory and LDAP. Sites that specifically wish to avoid the proprietary implications of Microsoft Active Directory naturally gravitate toward OpenLDAP.

    - + In ???, you had to deal with a locally routed network. All deployment concerns focused around making users happy, and that simply means taking control over all network practices and @@ -147,12 +147,12 @@ between offices. You must take into account the way users need to access information globally. And you must make the network robust enough so that it can sustain partial breakdown without causing loss of -productivity.

    Technical Issues

    +productivity.

    Technical Issues

    There are at least three areas that need to be addressed as you approach the challenge of designing a network solution for the newly expanded business: -

    • - User needs such as mobility and data access

    • The nature of Windows networking protocols

    • Identity management infrastructure needs

    Let's look at each in turn.

    User Needs

    +

    • + User needs such as mobility and data access

    • The nature of Windows networking protocols

    • Identity management infrastructure needs

    Let's look at each in turn.

    User Needs

    The new company has three divisions. Staff for each division are spread across the company. Some staff are office-bound and some are mobile users. Mobile users travel globally. Some spend considerable periods working in other offices. @@ -163,7 +163,7 @@ curtail user needs. Parts of the global Internet infrastructure remain shielded off for reasons outside the scope of this discussion.

    - + Decisions must be made regarding where data is to be stored, how it will be replicated (if at all), and what the network bandwidth implications are. For example, one decision that can be made is to give each office its own master @@ -174,8 +174,8 @@ This way, they can synchronize all files that have changed since each logon to the network.

    - - + + No matter which way you look at this, the bandwidth requirements for acceptable performance are substantial even if only 10 percent of staff are global data users. A company with 3,500 employees, @@ -188,11 +188,11 @@ profile involves a transfer of over 750 KB from the profile server to and from the client.

    - + Obviously then, user needs and wide-area practicalities dictate the economic and technical aspects of your network design as well as for standard operating procedures. -

    The Nature of Windows Networking Protocols

    - +

    The Nature of Windows Networking Protocols

    + Network logons that include roaming profile handling requires from 140 KB to 2 MB. The inclusion of support for a minimal set of common desktop applications can push the size of a complete profile to over 15 MB. This has substantial implications @@ -200,8 +200,8 @@ determining the nature and style of mandatory profiles that may be enforced as part of a total service-level assurance program that might be implemented.

    - - + + One way to reduce the network bandwidth impact of user logon traffic is through folder redirection. In ???, you implemented this in the new Windows XP Professional standard @@ -210,14 +210,14 @@ also be excluded from synchronization to and from the server on logon or logout. Redirected folders are analogous to network drive connections. -

    +

    Of course, network applications should only be run off local application servers. As a general rule, even with 2 Mb/sec network bandwidth, it would not make sense at all for someone who is working out of the London office to run applications off a server that is located in New York.

    - + When network bandwidth becomes a precious commodity (that is most of the time), there is a significant demand to understand network processes and to mold the limits of acceptability around the @@ -226,15 +226,15 @@ When a Windows NT4/200x/XP Professional client user logs onto the network, several important things must happen.

    • - + The client obtains an IP address via DHCP. (DHCP is necessary so that users can roam between offices.)

    • - - + + The client must register itself with the WINS and/or DNS server.

    • - + The client must locate the closest domain controller.

    • The client must log onto a domain controller and obtain as part of @@ -256,15 +256,15 @@ name both by broadcast and Unicast registration that is directed at the WINS server.

      - - + + Given that the client is already a domain member, it then sends a directed (Unicast) request to the WINS server seeking the list of IP addresses for domain controllers (NetBIOS name type 0x1C). The WINS server replies with the information requested.

      - - - + + + The client sends two netlogon mailslot broadcast requests to the local network and to each of the IP addresses returned by the WINS server. Whichever answers this request first appears to @@ -274,9 +274,9 @@ was listed in the WINS server response to a request for the list of domain controllers.

      - - - + + + The logon process begins with negotiation of the SMB/CIFS protocols that are to be used; this is followed by an exchange of information that ultimately includes the client sending the @@ -287,10 +287,10 @@ needs. A secondary fact we need to know is, what happens when local domain controllers fail or break?

      - - - - + + + + Under most circumstances, the nearest domain controller responds to the netlogon mailslot broadcast. The exception to this norm occurs when the nearest domain controller is too busy or is out @@ -299,18 +299,18 @@ domain controllers. Since there can be only one PDC, all additional domain controllers are by definition BDCs.

      - - + + The provision of sufficient servers that are BDCs is an important design factor. The second important design factor involves how each of the BDCs obtains user authentication data. That is the subject of the next section, which involves key decisions regarding Identity Management facilities. -

    Identity Management Needs

    - - - - +

    Identity Management Needs

    + + + + Network managers recognize that in large organizations users generally need to be given resource access based on needs, while being excluded from other resources for reasons of privacy. It is @@ -319,9 +319,9 @@ by which user credentials are validated and filtered and appropriate rights and privileges are allocated.

    - - - + + + Unfortunately, network resources tend to have their own Identity Management facilities, the quality and manageability of which varies from quite poor to exceptionally good. Corporations that use a mixture @@ -333,7 +333,7 @@ What was once called Yellow Pages is today known as Network Information System (NIS).

    - + NIS gained a strong following throughout the UNIX/VMS space in a short period of time and retained that appeal and use for over a decade. Security concerns and inherent limitations have caused it to enter its @@ -343,9 +343,9 @@ demands as the demand for directory services that can be coupled with other information systems is catching on.

    - - - + + + Nevertheless, both NIS and NIS+ continue to hold ground in business areas where UNIX still has major sway. Examples of organizations that remain firmly attached to the use of NIS and @@ -353,14 +353,14 @@ and large corporations that have a scientific or engineering focus.

    - - + + Today's networking world needs a scalable, distributed Identity Management infrastructure, commonly called a directory. The most popular technologies today are Microsoft Active Directory service and a number of LDAP implementations.

    - + The problem of managing multiple directories has become a focal point over the past decade, creating a large market for metadirectory products and services that allow organizations that @@ -369,15 +369,15 @@ another. The attendant benefit to end users is the promise of having to remember and deal with fewer login identities and passwords.

    - + The challenge of every large network is to find the optimum balance of internal systems and facilities for Identity Management resources. How well the solution is chosen and implemented has potentially significant impact on network bandwidth and systems response needs.

    - - - + + + In ???, you implemented a single LDAP server for the entire network. This may work for smaller networks, but almost certainly fails to meet the needs of large and complex networks. The @@ -386,8 +386,8 @@ What is the best method for implementing master/slave LDAP servers within the context of a distributed 2,000-user network is a question that remains to be answered.

    - - + + One possibility that has great appeal is to create a single, large distributed domain. The practical implications of this design (see ???) demands the placement of @@ -398,7 +398,7 @@ productivity against the cost of network management and maintenance.

    - + The network design in ??? takes the approach that management of networks that are too remote to be managed effectively from New York ought to be given a certain degree of @@ -409,22 +409,22 @@ the ability for network users to roam globally without some compromise in how they may access global resources.

    - + Desk-bound users need not be negatively affected by this design, since the use of interdomain trusts can be used to satisfy the need for global data sharing.

    - - - + + + When Samba-3 is configured to use an LDAP backend, it stores the domain account information in a directory entry. This account entry contains the domain SID. An unintended but exploitable side effect is that this makes it possible to operate with more than one PDC on a distributed network.

    - - - + + + How might this peculiar feature be exploited? The answer is simple. It is imperative that each network segment have its own WINS server. Major servers on remote network segments can be given a static WINS entry in @@ -434,8 +434,8 @@ same domain SID. Since all domain account information can be stored in a single LDAP backend, users have unfettered ability to roam.

    - - + + This concept has not been exhaustively validated, though we can see no reason why this should not work. The important facets are the following: The name of the domain must be identical in all locations. Each network segment must have @@ -446,10 +446,10 @@ on every network segment. Finally, the BDCs should each use failover LDAP servers that are in fact slave LDAP servers on the local segments.

    - - - - + + + + With a single master LDAP server, all network updates are effected on a single server. In the event that this should become excessively fragile or network bandwidth limiting, one could implement a delegated LDAP domain. This is also @@ -463,7 +463,7 @@ administrators must of necessity follow the same standard procedures for managing the directory, because retroactive correction of inconsistent directory information can be exceedingly difficult. -

    Political Issues

    +

    Political Issues

    As organizations grow, the number of points of control increases also. In a large distributed organization, it is important that the Identity Management system be capable of being updated from @@ -471,11 +471,11 @@ become usable in a reasonable period, typically minutes rather than days (the old limitation of highly manual systems). -

    Implementation

    - - - - +

    Implementation

    + + + + Samba-3 has the ability to use multiple password (authentication and identity resolution) backends. The diagram in ??? demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system @@ -483,13 +483,13 @@ authentication and identity resolution (obtaining a UNIX UID/GID) using the specific systems shown.

    Figure 6.1. Samba and Authentication Backend Search Pathways

    Samba and Authentication Backend Search Pathways

    - - - - - - - + + + + + + + Samba is capable of using the smbpasswd, tdbsam, xmlsam, and mysqlsam authentication databases. The SMB @@ -497,7 +497,7 @@ backend. LDAP is the preferred passdb backend for distributed network operations.

    - + Additionally, it is possible to use multiple passdb backends concurrently as well as have multiple LDAP backends. As a result, you can specify a failover LDAP backend. The syntax for specifying a @@ -509,8 +509,8 @@

    This configuration tells Samba to use a single LDAP server, as shown in ???.

    Figure 6.2. Samba Configuration to Use a Single LDAP Server

    Samba Configuration to Use a Single LDAP Server

    - - + + The addition of a failover LDAP server can simply be done by adding a second entry for the failover server to the single ldapsam entry, as shown here (note the particular use of the double quotes): @@ -532,7 +532,7 @@ ldapsam:ldap://slave.abmas.biz ...

    - + The effect of this style of entry is that Samba lists the users that are in both LDAP databases. If both contain the same information, it results in each record being shown twice. This is, of course, not the @@ -553,9 +553,9 @@ It is assumed that the network you are working with follows in a pattern similar to what was covered in ???. The following steps permit the operation of a master/slave OpenLDAP arrangement. -

    Procedure 6.1. Implementation Steps for an LDAP Slave Server

    1. - - +

      Procedure 6.1. Implementation Steps for an LDAP Slave Server

      1. + + Log onto the master LDAP server as root. You are about to change the configuration of the LDAP server, so it makes sense to temporarily halt it. Stop OpenLDAP from running on @@ -568,7 +568,7 @@ root# service ldap stop

      2. - + Edit the /etc/openldap/slapd.conf file so it matches the content of ???.

      3. @@ -592,8 +592,8 @@ root# slapadd -v -l admin-accts.ldif

      4. - - + + Change directory to a suitable place to dump the contents of the LDAP server. The dump file (and LDIF file) is used to preload the slave LDAP server database. You can dump the database by executing: @@ -602,7 +602,7 @@

        Each record is written to the file.

      5. - + Copy the file LDAP-transfer-LDIF.txt to the intended slave LDAP server. A good location could be in the directory /etc/openldap/preload. @@ -652,9 +652,9 @@ root# chkconfig ldap on

      6. - - - + + + Go back to the master LDAP server. Execute the following to start LDAP as well as slurpd, the synchronization daemon, as shown here: 

        @@ -663,10 +663,10 @@
 root#  rcslurpd start
 root#  chkconfig slurpd on

        - + On Red Hat Linux, check the equivalent command to start slurpd.

      7. - + On the master LDAP server you may now add an account to validate that replication is working. Assuming the configuration shown in ???, execute: 

        @@ -791,12 +791,12 @@
 index sambaPrimaryGroupSID  eq
 index sambaDomainName       eq
 index default               sub
-

      Example 6.3. Primary Domain Controller smb.conf File Part A

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      passdb backend = ldapsam:ldap://massive.abmas.biz
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 0
      smb ports = 139
      name resolve order = wins bcast hosts
      time server = Yes
      printcap name = CUPS
      add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
      delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
      add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
      delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
      add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
      delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
      set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
      add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
      shutdown script = /var/lib/samba/scripts/shutdown.sh
      abort shutdown script = /sbin/shutdown -c
      logon script = scripts\logon.bat
      logon path = \\%L\profiles\%U
      logon drive = X:
      domain logons = Yes
      domain master = Yes
      wins support = Yes
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz
      idmap backend = ldap://massive.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      printer admin = root
      printing = cups

      Example 6.4. Primary Domain Controller smb.conf File Part B

      [IPC$]
      path = /tmp
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      read only = No
      [service]
      comment = Financial Services Files
      path = /data/service
      read only = No
      [pidata]
      comment = Property Insurance Files
      path = /data/pidata
      read only = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No

      Example 6.5. Primary Domain Controller smb.conf File Part C

      [apps]
      comment = Application Files
      path = /apps
      admin users = bjones
      read only = No
      [netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      admin users = root, Administrator
      guest ok = Yes
      locking = No
      [profiles]
      comment = Profile Share
      path = /var/lib/samba/profiles
      read only = No
      profile acls = Yes
      [profdata]
      comment = Profile Data Share
      path = /var/lib/samba/profdata
      read only = No
      profile acls = Yes
      [print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      write list = root
      admin users = root, Administrator

      Example 6.6. Backup Domain Controller smb.conf File Part A

      # # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      netbios name = BLDG1
      passdb backend = ldapsam:ldap://lapdc.abmas.biz
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 50
      smb ports = 139
      name resolve order = wins bcast hosts
      printcap name = CUPS
      show add printer wizard = No
      logon script = scripts\logon.bat
      logon path = \\%L\profiles\%U
      logon drive = X:
      domain logons = Yes
      os level = 63
      domain master = No
      wins server = 192.168.2.1
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz
      utmp = Yes
      idmap backend = ldap://massive.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      printing = cups
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      read only = No
      [service]
      comment = Financial Services Files
      path = /data/service
      read only = No

      Example 6.7. Backup Domain Controller smb.conf File Part B

      [pidata]
      comment = Property Insurance Files
      path = /data/pidata
      read only = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No
      [apps]
      comment = Application Files
      path = /apps
      admin users = bjones
      read only = No
      [netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      guest ok = Yes
      locking = No
      [profiles]
      comment = Profile Share
      path = /var/lib/samba/profiles
      read only = No
      profile acls = Yes
      [profdata]
      comment = Profile Data Share
      path = /var/lib/samba/profdata
      read only = No
      profile acls = Yes

      Key Points Learned

      • - +

      Example 6.3. Primary Domain Controller smb.conf File Part A

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      passdb backend = ldapsam:ldap://massive.abmas.biz
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 0
      smb ports = 139
      name resolve order = wins bcast hosts
      time server = Yes
      printcap name = CUPS
      add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
      delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
      add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
      delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
      add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
      delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
      set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
      add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
      shutdown script = /var/lib/samba/scripts/shutdown.sh
      abort shutdown script = /sbin/shutdown -c
      logon script = scripts\logon.bat
      logon path = \\%L\profiles\%U
      logon drive = X:
      domain logons = Yes
      domain master = Yes
      wins support = Yes
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz
      idmap backend = ldap://massive.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      printer admin = root
      printing = cups

      Example 6.4. Primary Domain Controller smb.conf File Part B

      [IPC$]
      path = /tmp
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      read only = No
      [service]
      comment = Financial Services Files
      path = /data/service
      read only = No
      [pidata]
      comment = Property Insurance Files
      path = /data/pidata
      read only = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No

      Example 6.5. Primary Domain Controller smb.conf File Part C

      [apps]
      comment = Application Files
      path = /apps
      admin users = bjones
      read only = No
      [netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      admin users = root, Administrator
      guest ok = Yes
      locking = No
      [profiles]
      comment = Profile Share
      path = /var/lib/samba/profiles
      read only = No
      profile acls = Yes
      [profdata]
      comment = Profile Data Share
      path = /var/lib/samba/profdata
      read only = No
      profile acls = Yes
      [print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      write list = root
      admin users = root, Administrator

      Example 6.6. Backup Domain Controller smb.conf File Part A

      # # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      netbios name = BLDG1
      passdb backend = ldapsam:ldap://lapdc.abmas.biz
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 50
      smb ports = 139
      name resolve order = wins bcast hosts
      printcap name = CUPS
      show add printer wizard = No
      logon script = scripts\logon.bat
      logon path = \\%L\profiles\%U
      logon drive = X:
      domain logons = Yes
      os level = 63
      domain master = No
      wins server = 192.168.2.1
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz
      utmp = Yes
      idmap backend = ldap://massive.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      printing = cups
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      read only = No
      [service]
      comment = Financial Services Files
      path = /data/service
      read only = No

      Example 6.7. Backup Domain Controller smb.conf File Part B

      [pidata]
      comment = Property Insurance Files
      path = /data/pidata
      read only = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No
      [apps]
      comment = Application Files
      path = /apps
      admin users = bjones
      read only = No
      [netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      guest ok = Yes
      locking = No
      [profiles]
      comment = Profile Share
      path = /var/lib/samba/profiles
      read only = No
      profile acls = Yes
      [profdata]
      comment = Profile Data Share
      path = /var/lib/samba/profdata
      read only = No
      profile acls = Yes

      Key Points Learned

      • + Where Samba-3 is used as a domain controller, the use of LDAP is an essential component to permit the use of BDCs.

      • - + Replication of the LDAP master server to create a network of BDCs is an important mechanism for limiting WAN traffic.

      • @@ -808,55 +808,55 @@ Roaming profiles must be contained to the local network segment. Any departure from this may clog wide-area arteries and slow legitimate network traffic to a crawl. -

      Figure 6.6. Network Topology 2000 User Complex Design A

      Network Topology 2000 User Complex Design A

      Figure 6.7. Network Topology 2000 User Complex Design B

      Network Topology 2000 User Complex Design B

      Questions and Answers

      +

    Figure 6.6. Network Topology 2000 User Complex Design A

    Network Topology 2000 User Complex Design A

    Figure 6.7. Network Topology 2000 User Complex Design B

    Network Topology 2000 User Complex Design B

    Questions and Answers

    There is much rumor and misinformation regarding the use of MS Windows networking protocols. These questions are just a few of those frequently asked. -

    +

    DHCP networkbandwidth Is it true that DHCP uses lots of WAN bandwidth? -
    +
    background communication LDAPmaster/slavebackground communication How much background communication takes place between a master LDAP server and its slave LDAP servers? -
    +
    LDAP has a database. Is LDAP not just a fancy database front end? -
    +
    OpenLDAP Can Active Directory obtain account information from an OpenLDAP server? -
    +
    What are the parts of a roaming profile? How large is each part? -
    +
    Can the My Documents folder be stored on a network drive? -
    +
    wide-area networkbandwidth WINS How much WAN bandwidth does WINS consume? -
    +
    How many BDCs should I have? What is the right number of Windows clients per server? -
    +
    NIS serverLDAP I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server? -
    +
    Can I use NIS in place of LDAP? -

    - - +

    + + Is it true that DHCP uses lots of WAN bandwidth?

    - - - + + + It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network routers. This makes it possible to run fewer DHCP servers.

    - - + + A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew @@ -874,28 +874,28 @@

    From this can be seen that the traffic impact would be minimal.

    - - + + Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, the impact of the update is no more than the DHCP IP address renewal traffic and thus still insignificant for most practical purposes. -

    - - +

    + + How much background communication takes place between a master LDAP server and its slave LDAP servers?

    - + The process that controls the replication of data from the master LDAP server to the slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) two user accounts requires less than 10KB traffic. -

    +

    LDAP has a database. Is LDAP not just a fancy database front end?

    - - - - + + + + LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular pre-programmed ways. General external @@ -904,17 +904,17 @@ orientation and typically allows external programs to perform ad hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific simple queries. The term database is heavily overloaded and thus much misunderstood. -

    - +

    + Can Active Directory obtain account information from an OpenLDAP server?

    - + No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface to OpenLDAP using standard LDAP queries and updates. -

    +

    What are the parts of a roaming profile? How large is each part? -

    +

    A roaming profile consists of

    • Desktop folders such as Desktop, My Documents, @@ -922,39 +922,39 @@ Cookies, Application Data, Local Settings, and more. See ???, ???.

      - + Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See ??? for more information regarding folder redirection.

    • A static or rewritable portion that is typically only a few files (2-5 KB of information).

    • - - + + The registry load file that modifies the HKEY_LOCAL_USER hive. This is the NTUSER.DAT file. It can be from 0.4 to 1.5 MB.

    - + Microsoft Outlook PST files may be stored in the Local Settings\Application Data folder. It can be up to 2 GB in size per PST file. -

    +

    Can the My Documents folder be stored on a network drive?

    - - + + Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a UNC name. See ???. -

    - - - +

    + + + How much WAN bandwidth does WINS consume?

    - - - + + + MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, @@ -966,7 +966,7 @@

    In conclusion, the total load afforded through WINS traffic is again marginal to total operational usage as it should be. -

    +

    How many BDCs should I have? What is the right number of Windows clients per server?

    It is recommended to have at least one BDC per network segment, including the segment served @@ -980,19 +980,19 @@

    As unsatisfactory as the answer might sound, it all depends on network and server load characteristics. -

    - +

    + I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server?

    The correct answer to both questions is yes. But do understand that an LDAP server has a configurable schema that can store far more information for many more purposes than just NIS. -

    +

    Can I use NIS in place of LDAP?

    - - + + No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/appendix.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/appendix.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/appendix.html 2005-08-19 12:59:37.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/appendix.html 2005-12-19 10:19:29.000000000 -0600 @@ -1,18 +1,18 @@ -Chapter 15. A Collection of Useful Tidbits

    Chapter 15. A Collection of Useful Tidbits
    Prev Part III. Reference Section Next

    Chapter 15. A Collection of Useful Tidbits

    Table of Contents

    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls

    - - +Chapter 15. A Collection of Useful Tidbits

    Chapter 15. A Collection of Useful Tidbits
    Prev Part III. Reference Section Next

    Chapter 15. A Collection of Useful Tidbits

    Table of Contents

    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls

    + + Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, as shown in the example given below.

    Joining a Domain: Windows 200x/XP Professional

    - + Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC. -

    Procedure 15.1. Steps to Join a Domain

    1. +

      Procedure 15.1. Steps to Join a Domain

      1. Click Start.

      2. Right-click My Computer, and then select Properties. @@ -50,19 +50,19 @@ The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. Joining the domain is now complete.

      - - + + The screen capture shown in ??? has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.

      - - + + Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are domain controllers or which machines have the Netlogon service running).

      - + The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. @@ -70,12 +70,12 @@ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. Where the client is a member of a Samba domain, it is preferable to leave this field blank.

      - + According to Microsoft documentation, “If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is used only if Group Policy is disabled or unspecified.” -

    Samba System File Location

    +

    Samba System File Location

    One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -83,7 +83,7 @@

    Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team default. -

    +

    Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -92,13 +92,13 @@ /usr/share/swat. There are additional support files for smbd in the /usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the passdb backend as well as for the VFS modules. -

    +

    Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba.

    When Samba is built and installed using the default Samba Team process, all files are located under the /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. -

    +

    One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example: 

    @@ -131,7 +131,7 @@
 	
    
 	Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
 	by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
-	executing:
+	executing:
 
     root#  rpm -qa | grep samba
 samba3-pdb-3.0.20-1
@@ -143,9 +143,9 @@
 samba3-doc-3.0.20-1
 samba3-client-3.0.20-1
 samba3-cifsmount-3.0.20-1
-	
    
+

    The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. -

    Starting Samba

    +

    Starting Samba

    Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. @@ -186,19 +186,19 @@ fi exit 0

    nmbd

    - - + + This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.

    smbd

    - - + + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.

    winbindd

    - - + + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid @@ -252,22 +252,22 @@ echo "Usage: smb {start|stop|restart|status}" exit 1 esac -

    +

    SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently executed from the command line is shown in ???. This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. -

    +

    A sample startup script for a Red Hat Linux system is shown in ???. This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. If you want to find more information regarding startup scripts please refer to the packaging section of the Samba source code distribution tarball. The packaging files for each platform include a startup control file. -

    DNS Configuration Files

    +

    DNS Configuration Files

    The following files are common to all DNS server configurations. Rather than repeat them multiple times, they are presented here for general reference. -

    The Forward Zone File for the Loopback Adaptor

    +

    The Forward Zone File for the Loopback Adaptor

    The forward zone file for the loopback address never changes. An example file is shown in ???. All traffic destined for an IP address that is hosted on a physical interface on the machine itself is routed to the loopback adaptor. This is @@ -284,7 +284,7 @@ IN NS @ IN A 127.0.0.1 -

    The Reverse Zone File for the Loopback Adaptor

    +

    The Reverse Zone File for the Loopback Adaptor

    The reverse zone file for the loopback address as shown in ??? is necessary so that references to the address 127.0.0.1 can be resolved to the correct name of the interface. @@ -344,15 +344,15 @@ . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 ; End of File -

    DNS Root Server Hint File

    +

    DNS Root Server Hint File

    The content of the root hints file as shown in ??? changes slowly over time. Periodically this file should be updated from the source shown. Because of its size, this file is located at the end of this chapter. -

    Alternative LDAP Database Initialization

    +

    Alternative LDAP Database Initialization

    The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. -

    Initialization of the LDAP Database

    +

    Initialization of the LDAP Database

    The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be preloaded. This is necessary to create the containers into which the user, group, and other accounts are written. It is also necessary to @@ -373,12 +373,12 @@ respectively, parts A, B, and C of the SMBLDAP-ldif-preconfig.sh file.

  • Install the files shown in ??? and ??? into the directory - /etc/openldap/SambaInit/nit-ldif.pat. These two files are + /etc/openldap/SambaInit/. These two files are parts A and B, respectively, of the init-ldif.pat file.

  • Change to the /etc/openldap/SambaInit directory. Execute the following: 

    -root#  ./SMBLDAP-ldif-preconfig.sh
+root#  sh SMBLDAP-ldif-preconfig.sh
 
 How do you wish to refer to your organization?
 Suggestions:
@@ -664,6 +664,11 @@
 objectClass: organizationalUnit
 ou: Idmap
 
+dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Domains
+
 dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
 objectClass: sambaDomain
 sambaDomainName: DOMNAME
@@ -700,14 +705,14 @@
 sambaGroupType: 2
 displayName: Domain Users
 description: Domain Users
-

    • The LDAP Account Manager

    - - - - - - - +

    The LDAP Account Manager

    + + + + + + + The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage @@ -719,24 +724,24 @@ The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.

    - - - + + + Requirements:

    • A web server that will work with PHP4.

    • PHP4 (available from the PHP home page.)

    • OpenLDAP 2.0 or later.

    • A Web browser that supports CSS.

    • Perl.

    • The gettext package.

    • mcrypt + mhash (optional).

    • It is also a good idea to install SSL support.

    LAM is a useful tool that provides a simple Web-based device that can be used to manage the contents of the LDAP directory to: - - - + + +

    • Display user/group/host and Domain entries.

    • Manage entries (Add/Delete/Edit).

    • Filter and sort entries.

    • Store and use multiple operating profiles.

    • Edit organizational units (OUs).

    • Upload accounts from a file.

    • Is compatible with Samba-2.2.x and Samba-3.

    When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts.

    - - - - + + + + The default password is “lam.” It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections @@ -755,7 +760,7 @@ For example, on SUSE Linux Enterprise Server 9, copy to the /srv/www/htdocs directory.

  • - + Set file permissions using the following commands: 

     root#  chown -R wwwrun:www /srv/www/htdocs/lam
@@ -765,7 +770,7 @@
 root#  chmod 755 /srv/www/htdocs/lam/lib/*pl

  • - + Using your favorite editor create the following config.cfg LAM configuration file: 

    @@ -773,8 +778,8 @@
 root#  cp config.cfg_sample config.cfg
 root#  vi config.cfg

    - - + + An example file is shown in ???. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM @@ -789,7 +794,7 @@ lam.conf then, using your favorite editor, change the settings to match local site needs.

    • - + An example of a working file is shown here in ???. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates @@ -797,12 +802,12 @@ Your configuration file obviously reflects the configuration options that are preferred at your site.

    - + It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in ???.

    Figure 15.6. The LDAP Account Manager Login Screen

    The LDAP Account Manager Login Screen

    - + The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in ???. It is important that you correctly set the minimum and maximum UID/GID values that are @@ -812,13 +817,13 @@ the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.

    Figure 15.7. The LDAP Account Manager Configuration Screen

    The LDAP Account Manager Configuration Screen

    - + LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.

    - + When you log onto LAM the opening screen drops you right into the user manager as shown in ???. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -832,7 +837,7 @@ shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.

    Figure 15.9. The LDAP Account Manager Group Edit Screen

    The LDAP Account Manager Group Edit Screen

    Figure 15.10. The LDAP Account Manager Group Membership Edit Screen

    The LDAP Account Manager Group Membership Edit Screen

    - + The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen ??? will, in most cases, not be used. @@ -878,7 +883,7 @@ samba3: yes cachetimeout: 5 pwdhash: SSHA -

    IDEALX Management Console

    +

    IDEALX Management Console

    IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive web-based management interface for UNIX and Linux systems.

    @@ -892,7 +897,7 @@

    For further information regarding IMC refer to the web site. Prebuilt RPM packages are also available. -

    Effect of Setting File and Directory SUID/SGID Permissions Explained

    +

    Effect of Setting File and Directory SUID/SGID Permissions Explained

    The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as @@ -962,34 +967,34 @@ total 1 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt

    -

    Shared Data Integrity

    +

    Shared Data Integrity

    The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.

    The solution to concurrent multiuser data access problems must consider three separate areas - from which the problem may stem: -

    • application-level locking controls

    • client-side locking controls

    • server-side locking controls

    + from which the problem may stem: +

    • application-level locking controls

    • client-side locking controls

    • server-side locking controls

    Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided here because this is the most common application for which problems have been reported. -

    +

    Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here. -

    Microsoft Access

    +

    Microsoft Access

    The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include: -

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;208778

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

    +

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;208778

    • http://support.microsoft.com/default.aspx?scid=kb;en-us;299373

    Make sure that your MS Access database file is configured for multiuser access (not set for exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder.

    You can configure MS Access file sharing behavior as follows: click [tab] Advanced. - Set: -

    • Default open mode: Shared

    • Default Record Locking: Edited Record

    • Open databases using record_level locking

    + Set: +

    • Default open mode: Shared

    • Default Record Locking: Edited Record

    • Open databases using record_level locking

    You must now commit the changes so that they will take effect. To do so, click ApplyOk. At this point, you should exit MS Access, restart it, and then validate that these settings have not changed. -

    Act! Database Sharing

    +

    Act! Database Sharing

    Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site @@ -997,7 +1002,7 @@ 1998223162925 as well as from article 200110485036. -

    +

    These documents clearly state that opportunistic locking must be disabled on both the server (Samba in the case we are interested in here), as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides @@ -1005,18 +1010,18 @@ registry settings that may otherwise interfere with the operation of Act! Registered Act! users may download this utility from the Act! Web site. -

    Opportunistic Locking Controls

    +

    Opportunistic Locking Controls

    Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,[14] oplock + and record locking. For applications that are known not to be compatible,[14] oplock support may need to be disabled both on the Samba server and on the Windows workstations. -

    +

    Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. -

    +

    Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the Samba server. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/Big500users.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/Big500users.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/Big500users.html 2005-08-19 12:59:24.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/Big500users.html 2005-12-19 10:19:10.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 4. The 500-User Office

    Chapter 4. The 500-User Office
    Prev Part I. Example Network Configurations Next

    Chapter 4. The 500-User Office

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers

    +Chapter 4. The 500-User Office

    Chapter 4. The 500-User Office
    Prev Part I. Example Network Configurations Next

    Chapter 4. The 500-User Office

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers

    The Samba-3 networking you explored in ??? covers the finer points of configuration of peripheral services such as DHCP and DNS, and WINS. You experienced implementation of a simple configuration of the services that are important adjuncts @@ -17,9 +17,9 @@ that same approach to printing, but ??? presents an opportunity to make printing more complex for the administrator while making it easier for the user.

    - - - + + + ??? demonstrates operation of a DHCP server and a DNS server as well as a central WINS server. You validated the operation of these services and saw an effective implementation of a Samba domain controller using the @@ -41,7 +41,7 @@ improve network management and control while reducing human resource overheads. You should take the opportunity to innovate and expand on the methods presented here and explore them to the fullest. -

    Introduction

    +

    Introduction

    Business continues to go well for Abmas. Mr. Meany is driving your success and the network continues to grow thanks to the hard work Christine has done. You recently hired Stanley Soroka as manager of information systems. Christine recommended Stan @@ -66,7 +66,7 @@ and to allow Stan and Christine to fully stage the new network and test it before it is rolled out. Your strategy is to complete the new network so that it is ready for operation when the old office moves into the new premises. -

    Assignment Tasks

    +

    Assignment Tasks

    The acquired business had 280 network users. The old Abmas building housed 220 network users in unbelievably cramped conditions. The network that initially served 130 users now handles 220 users quite well. @@ -107,7 +107,7 @@ DirectPointe Inc. receives from you a new standard desktop configuration every four months. They automatically roll that out to each desktop system. You must keep DirectPointe informed of all changes. -

    +

    The new network has a single Samba Primary Domain Controller (PDC) located in the Network Operation Center (NOC). Buildings 1 and 2 each have a local server for local application servicing. It is a domain member. The new system @@ -115,8 +115,8 @@

    Printing is based on raw pass-through facilities just as it has been used so far. All printer drivers are installed on the desktop and notebook computers. -

    Dissection and Discussion

    - +

    Dissection and Discussion

    + The example you are building in this chapter is of a network design that works, but this does not make it a design that is recommended. As a general rule, there should be at least one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind @@ -127,22 +127,22 @@ responsiveness. This network will have 500 clients serviced by one central domain controller. This is not a good omen for user satisfaction. You, of course, address this very soon (see ???). -

    Technical Issues

    +

    Technical Issues

    Stan has talked you into a horrible compromise, but it is addressed. Just make certain that the performance of this network is well validated before going live.

    Design decisions made in this design include the following:

    • - - - + + + A single PDC is being implemented. This limitation is based on the choice not to use LDAP. Many network administrators fear using LDAP because of the perceived complexity of implementation and management of an LDAP-based backend for all user identity management as well as to store network access credentials.

    • - - + + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the only choice that makes sense with 500 users is to use the tdbsam passwd backend. This type of backend is not receptive to replication to BDCs. If the tdbsam @@ -156,7 +156,7 @@ for a simple mode of operation but has to be balanced with network performance and integrity of operations considerations.

    • - + A single central WINS server is being used. The PDC is also the WINS server. Any attempt to operate a routed network without a WINS server while using NetBIOS over TCP/IP protocols does not work unless on each client the name resolution @@ -167,12 +167,12 @@ At this time the Samba WINS database cannot be replicated. That is why a single WINS server is being implemented. This should work without a problem.

    • - + BDCs make use of winbindd to provide access to domain security credentials for file system access and object storage.

    • - - + + Configuration of Windows XP Professional clients is achieved using DHCP. Each subnet has its own DHCP server. Backup DHCP serving is provided by one alternate DHCP server. This necessitates enabling of the DHCP Relay agent on @@ -188,13 +188,13 @@ The network address and subnetmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing. -

    Political Issues

    +

    Political Issues

    This case gets close to the real world. You and I know the right way to implement domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in ???. -

    Implementation

    +

    Implementation

    The following configuration process begins following installation of Red Hat Fedora Core2 on the three servers shown in the network topology diagram in ???. You have selected hardware that is appropriate to the task. @@ -205,9 +205,9 @@

    The abbreviation shown in this table as {VLN} refers to the directory location beginning with /var/lib/named. -

    Table 4.1. Domain: MEGANET, File Locations for Servers

    File InformationServer Name
    SourceTarget LocationMASSIVEBLDG1BLDG2
    ???/etc/samba/smb.confYesNoNo
    ???/etc/samba/dc-common.confYesNoNo
    ???/etc/samba/common.confYesYesYes
    ???/etc/samba/smb.confNoYesNo
    ???/etc/samba/smb.confNoNoYes
    ???/etc/samba/dommem.confNoYesYes
    ???/etc/dhcpd.confYesNoNo
    ???/etc/dhcpd.confNoYesNo
    ???/etc/dhcpd.confNoNoYes
    ???/etc/named.conf (part A)YesNoNo
    ???/etc/named.conf (part B)YesNoNo
    ???/etc/named.conf (part C)YesNoNo
    ???{VLN}/master/abmas.biz.hostsYesNoNo
    ???{VLN}/master/abmas.us.hostsYesNoNo
    ???/etc/named.conf (part A)NoYesYes
    ???/etc/named.conf (part B)NoYesYes
    ???{VLN}/localhost.zoneYesYesYes
    ???{VLN}/127.0.0.zoneYesYesYes
    ???{VLN}/root.hintYesYesYes

    Server Preparation: All Servers

    +

    Table 4.1. Domain: MEGANET, File Locations for Servers

    File InformationServer Name
    SourceTarget LocationMASSIVEBLDG1BLDG2
    ???/etc/samba/smb.confYesNoNo
    ???/etc/samba/dc-common.confYesNoNo
    ???/etc/samba/common.confYesYesYes
    ???/etc/samba/smb.confNoYesNo
    ???/etc/samba/smb.confNoNoYes
    ???/etc/samba/dommem.confNoYesYes
    ???/etc/dhcpd.confYesNoNo
    ???/etc/dhcpd.confNoYesNo
    ???/etc/dhcpd.confNoNoYes
    ???/etc/named.conf (part A)YesNoNo
    ???/etc/named.conf (part B)YesNoNo
    ???/etc/named.conf (part C)YesNoNo
    ???{VLN}/master/abmas.biz.hostsYesNoNo
    ???{VLN}/master/abmas.us.hostsYesNoNo
    ???/etc/named.conf (part A)NoYesYes
    ???/etc/named.conf (part B)NoYesYes
    ???{VLN}/localhost.zoneYesYesYes
    ???{VLN}/127.0.0.zoneYesYesYes
    ???{VLN}/root.hintYesYesYes

    Server Preparation: All Servers

    The following steps apply to all servers. Follow each step carefully. -

    Procedure 4.1. Server Preparation Steps

    1. +

      Procedure 4.1. Server Preparation Steps

      1. Using the UNIX/Linux system tools, set the name of the server as shown in the network topology diagram in ???. For SUSE Linux products, the tool that permits this is called yast2; for Red Hat Linux products, @@ -221,8 +221,8 @@ root# hostname -f

      2. - - + + Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system is able to resolve all its own names to the IP address prior to @@ -230,7 +230,7 @@ CUPS print server is started before the DNS server (named), you should also include an entry for the printers in the /etc/hosts file.

      3. - + All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf so it has the following content: @@ -241,8 +241,8 @@ This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses.

      4. - - + + Add the root user to the password backend: 

         root#  smbpasswd -a root
@@ -255,8 +255,8 @@
 			deleted. If for any reason the account is deleted, you may not be able to recreate this account
 			without considerable trouble.

      5. - - + + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -294,16 +294,16 @@ Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - + +

      6. - + Only on the server to which the printer is attached configure the CUPS Print Queues as follows: 

         root#  lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E

        - + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for @@ -323,9 +323,9 @@ root# /usr/bin/accept printque

      7. - - - + + + This step, as well as the next one, may be omitted where CUPS version 1.1.18 or later is in use. Although it does no harm to follow it anyway, and may help to avoid time spent later trying to figure out why print jobs may be @@ -336,7 +336,7 @@ application/octet-stream application/vnd.cups-raw 0 -

      8. - + Edit the file /etc/cups/mime.types to uncomment the line: 

         application/octet-stream
@@ -359,17 +359,17 @@
 	processes to automap Windows client drives to an application server that is nearest to the client. This
 	is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
 	as elegantly as you see in the next chapter.
-

    Server-Specific Preparation

    +

    Server-Specific Preparation

    There are some steps that apply to particular server functionality only. Each step is critical to correct server operation. The following step-by-step installation guidance will assist you in working through the process of configuring the PDC and then both BDC's. -

    Configuration for Server: MASSIVE

    +

    Configuration for Server: MASSIVE

    The steps presented here attempt to implement Samba installation in a generic manner. While some steps are clearly specific to Linux, it should not be too difficult to apply them to your platform of choice. -

    Procedure 4.2. Primary Domain Controller Preparation

    1. - - +

      Procedure 4.2. Primary Domain Controller Preparation

      1. + + The host server acts as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: @@ -397,7 +397,7 @@ startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat) /etc/rc.d/init.d/rc.local.

      2. - + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -405,24 +405,24 @@ hosts: files dns wins

      3. - + Create and map Windows domain groups to UNIX groups. A sample script is provided in ???. Create a file containing this script. You called yours /etc/samba/initGrps.sh. Set this file so it can be executed and then execute the script. An example of the execution of this script as well as its validation are shown in Section 4.3.2, Step 5.

      4. - - - + + + For each user who needs to be given a Windows domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a domain user account.

        - - - + + + There are a number of tools for user management under UNIX, such as useradd, adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. @@ -435,7 +435,7 @@ file is /data. Format the file system as required and mount the formatted file system partition using appropriate system tools.

      5. - + Create the top-level file storage directories for data and applications as follows: 

         root#  mkdir -p /data/{accounts,finsvcs,pidata}
@@ -475,8 +475,8 @@
 root#  chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'

      6. - - + + Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unxi2dos and dos2unix) are installed. @@ -518,8 +518,8 @@ The following steps will guide you through the nuances of implementing BDCs for the broadcast isolated network segments. Remember that if the target installation platform is not Linux, it may be necessary to adapt some commands to the equivalent on the target platform. -

        Procedure 4.3. Backup Domain Controller Configuration Steps

        1. - +

          Procedure 4.3. Backup Domain Controller Configuration Steps

          1. + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -532,14 +532,14 @@ Follow the steps outlined in ??? to start all services. Do not start Samba at this time. Samba is controlled by the process called smb.

          2. - + You must now attempt to join the domain member servers to the domain. The following instructions should be executed to effect this: 

             root#  net rpc join

          3. - + You now start the Samba services by executing: 

             root#  service smb start
@@ -548,7 +548,7 @@
                         Your server is ready for validation testing. Do not proceed with the steps in
                         ??? until after the operation of the server has been
                         validated following the same methods as outlined in ???.
-

      Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf

      # Global parameters
      [global]
      workgroup = MEGANET
      netbios name = MASSIVE
      interfaces = eth1, lo
      bind interfaces only = Yes
      passdb backend = tdbsam
      smb ports = 139
      add user script = /usr/sbin/useradd -m '%u'
      delete user script = /usr/sbin/userdel -r '%u'
      add group script = /usr/sbin/groupadd '%g'
      delete group script = /usr/sbin/groupdel '%g'
      add user to group script = /usr/sbin/usermod -G '%g' '%u'
      add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
      preferred master = Yes
      wins support = Yes
      include = /etc/samba/dc-common.conf
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      read only = No
      [service]
      comment = Financial Services Files
      path = /data/service
      read only = No
      [pidata]
      comment = Property Insurance Files
      path = /data/pidata
      read only = No

      Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf

      # Global parameters
      [global]
      shutdown script = /var/lib/samba/scripts/shutdown.sh
      abort shutdown script = /sbin/shutdown -c
      logon script = scripts\logon.bat
      logon path = \%L\profiles\%U
      logon drive = X:
      logon home = \%L\%U
      domain logons = Yes
      preferred master = Yes
      include = /etc/samba/common.conf
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [netlogon]
      comment = Network Logon Service
      path = /var/lib/samba/netlogon
      guest ok = Yes
      locking = No
      [profiles]
      comment = Profile Share
      path = /var/lib/samba/profiles
      read only = No
      profile acls = Yes

      Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

      [global]
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 50
      smb ports = 139
      name resolve order = wins bcast hosts
      time server = Yes
      printcap name = CUPS
      show add printer wizard = No
      shutdown script = /var/lib/samba/scripts/shutdown.sh
      abort shutdown script = /sbin/shutdown -c
      utmp = Yes
      map acl inherit = Yes
      printing = cups
      veto files = /*.eml/*.nws/*.{*}/
      veto oplock files = /*.doc/*.xls/*.mdb/
      include =
      # Share and Service Definitions are common to all servers
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      use client driver = Yes
      default devmode = Yes
      browseable = No
      [apps]
      comment = Application Files
      path = /apps
      admin users = bjordan
      read only = No

      Example 4.4. Server: BLDG1 (Member), File: smb.conf

      # Global parameters
      [global]
      workgroup = MEGANET
      netbios name = BLDG1
      include = /etc/samba/dom-mem.conf

      Example 4.5. Server: BLDG2 (Member), File: smb.conf

      # Global parameters
      [global]
      workgroup = MEGANET
      netbios name = BLDG2
      include = /etc/samba/dom-mem.conf

      Example 4.6. Common Domain Member Include File: dom-mem.conf

      # Global parameters
      [global]
      shutdown script = /var/lib/samba/scripts/shutdown.sh
      abort shutdown script = /sbin/shutdown -c
      preferred master = Yes
      wins server = 172.16.0.1
      idmap uid = 15000-20000
      idmap gid = 15000-20000
      include = /etc/samba/common.conf

      Example 4.7. Server: MASSIVE, File: dhcpd.conf

      +

    Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf

    # Global parameters
    [global]
    workgroup = MEGANET
    netbios name = MASSIVE
    interfaces = eth1, lo
    bind interfaces only = Yes
    passdb backend = tdbsam
    smb ports = 139
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    preferred master = Yes
    wins support = Yes
    include = /etc/samba/dc-common.conf
    [accounts]
    comment = Accounting Files
    path = /data/accounts
    read only = No
    [service]
    comment = Financial Services Files
    path = /data/service
    read only = No
    [pidata]
    comment = Property Insurance Files
    path = /data/pidata
    read only = No

    Example 4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf

    # Global parameters
    [global]
    shutdown script = /var/lib/samba/scripts/shutdown.sh
    abort shutdown script = /sbin/shutdown -c
    logon script = scripts\logon.bat
    logon path = \%L\profiles\%U
    logon drive = X:
    logon home = \%L\%U
    domain logons = Yes
    preferred master = Yes
    include = /etc/samba/common.conf
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
    [profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes

    Example 4.3. Common Samba Configuration File: /etc/samba/common.conf

    [global]
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    time server = Yes
    printcap name = CUPS
    show add printer wizard = No
    shutdown script = /var/lib/samba/scripts/shutdown.sh
    abort shutdown script = /sbin/shutdown -c
    utmp = Yes
    map acl inherit = Yes
    printing = cups
    veto files = /*.eml/*.nws/*.{*}/
    veto oplock files = /*.doc/*.xls/*.mdb/
    include =
    # Share and Service Definitions are common to all servers
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    default devmode = Yes
    browseable = No
    [apps]
    comment = Application Files
    path = /apps
    admin users = bjordan
    read only = No

    Example 4.4. Server: BLDG1 (Member), File: smb.conf

    # Global parameters
    [global]
    workgroup = MEGANET
    netbios name = BLDG1
    include = /etc/samba/dom-mem.conf

    Example 4.5. Server: BLDG2 (Member), File: smb.conf

    # Global parameters
    [global]
    workgroup = MEGANET
    netbios name = BLDG2
    include = /etc/samba/dom-mem.conf

    Example 4.6. Common Domain Member Include File: dom-mem.conf

    # Global parameters
    [global]
    shutdown script = /var/lib/samba/scripts/shutdown.sh
    abort shutdown script = /sbin/shutdown -c
    preferred master = Yes
    wins server = 172.16.0.1
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    include = /etc/samba/common.conf

    Example 4.7. Server: MASSIVE, File: dhcpd.conf

     # Abmas Accounting Inc.
 
 default-lease-time 86400;
@@ -898,8 +898,8 @@
 net groupmap add ntgroup="Financial Services"  unixgroup=finsrvcs type=d
 net groupmap add ntgroup="Insurance Group"     unixgroup=piops type=d

    Process Startup Configuration

    - - + + There are two essential steps to process startup configuration. A process must be configured so that it is automatically restarted each time the server is rebooted. This step involves use of the chkconfig tool that @@ -908,7 +908,7 @@ directories. Links are created so that when the system run-level is changed, the necessary start or kill script is run.

    - + In the event that a service is provided not as a daemon but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory @@ -918,10 +918,10 @@ Last, each service must be started to permit system validation to proceed. The following steps are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you are installing Samba. -

    Procedure 4.4. Process Startup Configuration Steps

    1. +

      Procedure 4.4. Process Startup Configuration Steps

      1. Use the standard system tool to configure each service to restart automatically at every system reboot. For example, - + 

         root#  chkconfig dhpc on
 root#  chkconfig named on
@@ -930,9 +930,9 @@
 root#  chkconfig swat on

      2. - - - + + + Now start each service to permit the system to be validated. Execute each of the following in the sequence shown: @@ -946,11 +946,11 @@

    Windows Client Configuration

    The procedure for desktop client configuration for the network in this chapter is similar to that used for the previous one. There are a few subtle changes that should be noted. -

    Procedure 4.5. Windows Client Configuration Steps

    1. +

      Procedure 4.5. Windows Client Configuration Steps

      1. Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. - - + + DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet.

      2. @@ -985,7 +985,7 @@ also configure use of the identical printers that are located in the financial services department. Install printers on each machine using the following steps: -

        Procedure 4.6. Steps to Install Printer Drivers on Windows Clients

        1. +

          Procedure 4.6. Steps to Install Printer Drivers on Windows Clients

          1. Click Start->Settings->Printers+Add Printer+Next. Do not click Network printer. Ensure that Local printer is selected.

          2. @@ -1038,7 +1038,7 @@ user, of course.

          3. Instruct all users to log onto the workstation using their assigned username and password. -

        Key Points Learned

        +

    Key Points Learned

    The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see performance problems, at which time the modifications demonstrated in ??? @@ -1054,33 +1054,33 @@ to resources on the domain member servers

  • The introduction of roaming profiles -

    • Questions and Answers

    -

    +

    Questions and Answers

    +

    The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are? -
    +
    Why does the include file common.conf have an empty include statement? -
    +
    I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! So what is the problem? -
    +
    You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash? -
    +
    How does the Windows client find the PDC? -
    +
    Why did you enable IP forwarding (routing) only on the server called MASSIVE? -
    +
    You did nothing special to implement roaming profiles. Why? -
    +
    On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission? -
    +
    You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this? -
    +
    The domain controller has an auto-shutdown script. Isn't that dangerous? -

    +

    The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are?

    @@ -1088,7 +1088,7 @@ 

     root#  testparm -s | less

    -

    +

    Why does the include file common.conf have an empty include statement?

    The use of the empty include statement nullifies further includes. For example, let's say you @@ -1101,7 +1101,7 @@ If the include parameter was not in the common.conf file, the final smb.conf file leaves the include in place, even though the file it points to has already been included. This is a bug that will be fixed at a future date. -

    +

    I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! @@ -1111,7 +1111,7 @@ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able to log onto the network following a reboot and may have to rejoin the domain to recover network access capability. -

    +

    You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?

    No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server @@ -1120,26 +1120,26 @@

    The only exception to this rule is when the client makes a directed request from a specific DHCP server for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash. -

    +

    How does the Windows client find the PDC?

    The Windows client obtains the WINS server address from the DHCP lease information. It also obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast) to register itself with the WINS server and to obtain enumeration of vital network information to enable it to operate successfully. -

    +

    Why did you enable IP forwarding (routing) only on the server called MASSIVE?

    The server called MASSIVE is acting as a router to the Internet. No other server (BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network. Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network segments to the router that is its gateway to them. -

    +

    You did nothing special to implement roaming profiles. Why?

    Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional clients is to use roaming profiles. -

    +

    On the domain member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission?

    @@ -1148,7 +1148,7 @@ member servers using Windows networking usernames and passwords, it is necessary to configure PAM to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name service switch (NSS). -

    +

    You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?

    Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed @@ -1157,7 +1157,7 @@ of smb.conf include files because SWAT optimizes them out into an aggregated file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to handle this functionality gracefully. -

    +

    The domain controller has an auto-shutdown script. Isn't that dangerous?

    Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ch14.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/ch14.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ch14.html 2005-08-19 12:59:36.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/ch14.html 2005-12-19 10:19:27.000000000 -0600 @@ -1,9 +1,9 @@ -Chapter 14. Samba Support

    Chapter 14. Samba Support
    Prev Part III. Reference Section Next

    Chapter 14. Samba Support

    Table of Contents

    Free Support
    Commercial Support

    - +Chapter 14. Samba Support

    Chapter 14. Samba Support
    Prev Part III. Reference Section Next

    Chapter 14. Samba Support

    Table of Contents

    Free Support
    Commercial Support

    + One of the most difficult to answer questions in the information technology industry is, “What is support?”. That question irritates some folks, as much as common answers may annoy others.

    - + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: “Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.

    - - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.

    - - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.

    - - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -

    Free Support

    - - - - - - +

    Free Support

    + + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.

    - - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.

    - - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.

    - - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.

    - + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -

    Commercial Support

    +

    Commercial Support

    There are six basic support oriented services that are most commonly sought by Samba sites:

    • Assistance with network design

    • Staff Training

    • Assistance with Samba network deployment and installation

    • Priority telephone or email Samba configuration assistance

    • Trouble-shooting and diagnostic assistance

    • Provision of quality assured ready-to-install Samba binary packages

    - - + + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.

    - + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.

    - + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/DMSMig.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/DMSMig.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/DMSMig.html 2005-08-19 12:59:34.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/DMSMig.html 2005-12-19 10:19:23.000000000 -0600 @@ -1,4 +1,4 @@ -Part II. Domain Members, Updating Samba and Migration

    Part II. Domain Members, Updating Samba and Migration
    Prev   Next

    Domain Members, Updating Samba and Migration

    Domain Members, Updating Samba and Migration

    +Part II. Domain Members, Updating Samba and Migration

    Part II. Domain Members, Updating Samba and Migration
    Prev   Next

    Domain Members, Updating Samba and Migration

    Domain Members, Updating Samba and Migration

    This section Samba-3 by Example covers two main topics: How to add Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier @@ -7,4 +7,4 @@ Those who are making use of the chapter on Adding UNIX clients and servers running Samba to a Samba or a Windows networking domain may also benefit by referring to the book The Official Samba-3 HOWTO and Reference Guide. -

    Table of Contents

    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    Prev   Next
    Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
    +

    Table of Contents

    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    Prev   Next
    Chapter 6. A Distributed 2000-User Network Home Chapter 7. Adding Domain Member Servers and Clients
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/DomApps.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/DomApps.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/DomApps.html 2005-08-19 12:59:35.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/DomApps.html 2005-12-19 10:19:25.000000000 -0600 @@ -1,9 +1,9 @@ -Chapter 12. Integrating Additional Services
    Chapter 12. Integrating Additional Services
    Prev Part III. Reference Section Next

    Chapter 12. Integrating Additional Services

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers

    - - - - - +Chapter 12. Integrating Additional Services

    Chapter 12. Integrating Additional Services
    Prev Part III. Reference Section Next

    Chapter 12. Integrating Additional Services

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers

    + + + + + You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role, and where authentication was required, you have used one or another of @@ -14,7 +14,7 @@ implementing Samba and Samba-supported services in a domain controlled by the latest Windows authentication technologies. Let's get started this is leading edge. -

    Introduction

    +

    Introduction

    Abmas has continued its miraculous growth; indeed, nothing seems to be able to stop its diversification into multiple (and seemingly unrelated) fields. Its latest acquisition is Abmas Snack Foods, a big player in the snack-food @@ -30,17 +30,17 @@ You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. -

    Assignment Tasks

    - - +

    Assignment Tasks

    + + You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground.

    - - + + Abmas Snack Foods has several thousand users housed at its head office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these @@ -50,9 +50,9 @@ the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA.

    - - - + + + The team is not happy with ISA. Because it never lived up to its marketing promises, it underperformed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's @@ -63,7 +63,7 @@

    This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. -

    Dissection and Discussion

    +

    Dissection and Discussion

    The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: @@ -73,20 +73,20 @@ Distributed system to accommodate load and geographical distribution of users

  • Seamless and transparent interoperability with the existing Active Directory domain -

    • Technical Issues

    - - - - - - - - - - - - - +

    Technical Issues

    + + + + + + + + + + + + + Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application @@ -107,25 +107,25 @@ Configuring, compiling, and then installing the supporting Samba-3 components

  • Tying it all together -

    • Political Issues

    +

    Political Issues

    You are a stranger in a strange land, and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. -

    Implementation

    - +

    Implementation

    + First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed.

    - + The following packages should be available on your Red Hat Linux system:

    • - - + + krb5-libs

    • krb5-devel @@ -136,14 +136,14 @@

    • pam_krb5

    - + In the case of SUSE Linux, these packages are called:

    • heimdal-lib

    • heimdal-devel

    • - + heimdal

    • pam_krb5 @@ -152,26 +152,26 @@ them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated.

      Note

      - - - + + + If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating.

      - - + + Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.

      Removal of Pre-Existing Conflicting RPMs

      - + If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source.

      - - - + + + Locating the packages to be un-installed can be achieved by running: 

       root#  rpm -qa | grep -i samba
@@ -181,11 +181,11 @@
 
       root#  rpm -e samba-common
 
      
-	
      Kerberos Configuration
      
-	
-	
-	
-	
+	
      Kerberos Configuration
      
+	
+	
+	
+	
 	The systems Kerberos installation must be configured to communicate with 
 	your primary Active Directory server (ADS KDC).
 	
      
@@ -193,13 +193,13 @@
 	although the current default Red Hat MIT version 1.2.7 gives acceptable results 
 	unless you are using Windows 2003 servers.
 	
      
-	
-	
-	
-	
-	
-	
-	
+	
+	
+	
+	
+	
+	
+	
 	Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf 
 	file in order to work correctly. All ADS domains automatically create SRV records in the 
 	DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both 
@@ -207,25 +207,25 @@
 	automatically find the KDCs. In addition, krb5.conf allows 
 	specifying only a single KDC, even if there is more than one. Using the DNS lookup 
 	allows the KRB5 libraries to use whichever KDCs are available.
-	
      Procedure 12.1. Kerberos Configuration Steps
      1. 
-		
+	
        Procedure 12.1. Kerberos Configuration Steps
        1. 
+		
 		If you find the need to manually configure the krb5.conf, you should edit it
 		to have the contents shown in ???. The final fully qualified path for this file 
 		should be /etc/krb5.conf.
 		
        2. 
-		
-		
-		
-		
-		
-		
-		
-		
-		
-		
-		
-		
-		
+		
+		
+		
+		
+		
+		
+		
+		
+		
+		
+		
+		
+		
 		The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
 		be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting
 		initial credentials”.  Kerberos is picky about time synchronization. The time
@@ -241,7 +241,7 @@
 		NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
 		when you try to join the realm.
 		
        3. 
-		
+		
 		You are now ready to test your installation by issuing the command:
 
           root#  kinit [USERNAME@REALM]
@@ -261,29 +261,29 @@
 	LONDON.ABMAS.BIZ = {
 	kdc = w2k3s.london.abmas.biz
 	}
-
        
+

      The command 

       root#  klist -e

      shows the Kerberos tickets cached by the system. -

      Samba Configuration

      - +

      Samba Configuration

      + Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it has the necessary components to interface with Active Directory. -

      Procedure 12.2. Securing Samba-3 With ADS Support Steps

      1. - - - - - +

        Procedure 12.2. Securing Samba-3 With ADS Support Steps

        1. + + + + + Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.

          - - + + The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary @@ -293,11 +293,11 @@ Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in ???.

        2. - - - i - - + + + i + + Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. @@ -307,11 +307,11 @@ root# net ads join -U administrator%vulcon

        3. - - - - - + + + + + Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands: 

          @@ -320,11 +320,11 @@
 root#  winbindd -B

        4. - - - - - + + + + + We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -357,8 +357,8 @@

          This enumerates all the groups in your Active Directory tree.

        5. - - + + Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command: 

          @@ -370,14 +370,14 @@
 root#  NT_STATUS_OK: Success (0x0)

        6. - - - - - - - - + + + + + + + + The ntlm_auth helper, when run from a command line as the user “root”, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. @@ -395,37 +395,37 @@ root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged

          -

      NSS Configuration

      - - - +

    NSS Configuration

    + + + For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.

    Edit your /etc/nsswitch.conf file so it has the parameters shown in ???. -

    Example 12.2. Samba Configuration File: /etc/samba/smb.conf

    [global]
    workgroup = LONDON
    netbios name = W2K3S
    realm = LONDON.ABMAS.BIZ
    security = ads
    encrypt passwords = yes
    password server = w2k3s.london.abmas.biz
    # separate domain and username with '/', like DOMAIN/username
    winbind separator = /
    # use UIDs from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind user default domain = yes

    Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf

    +	
    Example 12.2. Samba Configuration  File: /etc/samba/smb.conf
     
    [global]
    workgroup = LONDON
    netbios name = W2K3S
    realm = LONDON.ABMAS.BIZ
    security = ads
    encrypt passwords = yes
    password server = w2k3s.london.abmas.biz
    # separate domain and username with '/', like DOMAIN/username
    winbind separator = /
    # use UIDs from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use GIDs from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    winbind user default domain = yes
    Example 12.3. NSS Configuration File Extract  File: /etc/nsswitch.conf
     passwd: files winbind
 shadow: files
 group: files winbind
-

    Squid Configuration

    - - +

    Squid Configuration

    + + Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. -

    Configuration

    Procedure 12.3. Squid Configuration Steps

    1. - - - +

    Configuration

    Procedure 12.3. Squid Configuration Steps

    1. + + + If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can therefore omit the steps that would build the Squid binary programs.

    2. - - - - - + + + + + Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default @@ -433,16 +433,16 @@ squid user in /etc/passwd and a squid group in /etc/group if these aren't there already.

    3. - - + + You now need to change the permissions on Squid's var directory. Enter the following command: 

       root#  chown -R squid /var/cache/squid

    4. - - + + Squid must also have control over its logging. Enter the following commands: 

       root#  chown -R chown squid:squid /var/log/squid
@@ -456,11 +456,11 @@
 root#  chmod 770 /var/cache/squid

    5. - + The /etc/squid/squid.conf file must be edited to include the lines from ??? and ???.

    6. - + You must create Squid's cache directories before it may be run. Enter the following command: 

       root#  squid -z
@@ -487,23 +487,23 @@
 	auth_param basic credentialsttl 2 hours
 	acl AuthorizedUsers proxy_auth REQUIRED
 	http_access allow all AuthorizedUsers
-

    Key Points Learned

    - - - - - +

    Key Points Learned

    + + + + + Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. -

    Questions and Answers

    - - - - +

    Questions and Answers

    + + + + The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -522,34 +522,34 @@ You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. -

    +

    What does Samba have to do with Web proxy serving? -
    +
    What other services does Samba provide? -
    +
    Does use of Samba (ntlm_auth) improve the performance of Squid? -

    +

    What does Samba have to do with Web proxy serving?

    - - - - - + + + + + To provide transparent interoperability between Windows clients and the network services that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project.

    - - - - - - - - - + + + + + + + + + The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his or her Windows logon credentials. This facility is available with @@ -557,36 +557,36 @@ There are a few open source initiatives to provide support for these protocols in the Apache Web server also.

    - + The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. -

    +

    What other services does Samba provide?

    - - - - - + + + + + Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the identity resolver daemon, winbindd.

    - - + + Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.

    - - - - - + + + + + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). -

    +

    Does use of Samba (ntlm_auth) improve the performance of Squid?

    Not really. Samba's ntlm_auth module handles only authentication. It requires that diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ExNetworks.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/ExNetworks.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ExNetworks.html 2005-08-19 12:59:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/ExNetworks.html 2005-12-19 10:19:17.000000000 -0600 @@ -1,4 +1,4 @@ -Part I. Example Network Configurations

    Part I. Example Network Configurations
    Prev   Next

    Example Network Configurations

    Example Network Configurations

    +Part I. Example Network Configurations

    Part I. Example Network Configurations
    Prev   Next

    Example Network Configurations

    Example Network Configurations

    This section of Samba-3 by Example provides example network configurations that can be copied, or modified as needed, and deployed as-is.

    @@ -19,4 +19,4 @@ commercial support options may be obtained from the commercial support pages from the Samba web site. -

    Table of Contents

    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    Prev   Next
    Preface Home Chapter 1. No-Frills Samba Servers
    +

    Table of Contents

    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    Prev   Next
    Preface Home Chapter 1. No-Frills Samba Servers
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/go01.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/go01.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/go01.html 2005-08-19 12:59:39.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/go01.html 2005-12-19 10:19:32.000000000 -0600 @@ -1,4 +1,4 @@ -Glossary
    Glossary
    Prev   Next

    Glossary

    Access Control List

    +Glossary

    Glossary
    Prev   Next

    Glossary

    Access Control List

    A detailed list of permissions granted to users or groups with respect to file and network resource access.

    Active Directory Service

    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/HA.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/HA.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/HA.html 2005-08-19 12:59:36.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/HA.html 2005-12-19 10:19:27.000000000 -0600 @@ -1,7 +1,7 @@ -Chapter 13. Performance, Reliability, and Availability

    Chapter 13. Performance, Reliability, and Availability
    Prev Part III. Reference Section Next

    Chapter 13. Performance, Reliability, and Availability

    Table of Contents

    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned

    - - - +Chapter 13. Performance, Reliability, and Availability

    Chapter 13. Performance, Reliability, and Availability
    Prev Part III. Reference Section Next

    Chapter 13. Performance, Reliability, and Availability

    Table of Contents

    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned

    + + + Well, you have reached one of the last chapters of this book. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the chapter that should draw conclusions. This book is a suspense thriller, and since @@ -10,8 +10,8 @@ regarding some of the things everyone can do to deliver a reliable Samba-3 network.

     

    In a world so full of noise, how can the sparrow be heard? -

    		 
     --Anonymous

    Introduction

    - +

    		 
     --Anonymous

    Introduction

    + The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume @@ -20,22 +20,22 @@ itself to discussion of clustering because each clustering methodology uses its own custom tools and methods. Only passing comments are offered concerning these methods.

    - - - + + + A search for “samba cluster” produced 71,600 hits. And a search for “highly available samba” and “highly available windows” produced an amazing number of references. It is clear from the resources on the Internet that Windows file and print services availability, reliability, and scalability are of vital interest to corporate network users.

    - + So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. -

    Dissection and Discussion

    - - +

    Dissection and Discussion

    + + If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -44,8 +44,8 @@ make life easier for your successor. Simple implementations can be more readily audited than can complex ones.

    - - + + Problems reported by users fall into three categories: configurations that do not work, those that have broken behavior, and poor performance. The term broken behavior means that the function of a particular Samba component appears to work sometimes, but not at @@ -54,12 +54,12 @@ list of Windows machines in MS Explorer changes, sometimes listing machines that are running and at other times not listing them even though the machines are in use on the network.

    - - - - - - + + + + + + A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools @@ -70,32 +70,32 @@ common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it.

    - + The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project.

    Table 13.1 lists typical causes of:

    • Not Working (NW)

    • Broken Behavior (BB)

    • Poor Performance (PP)

    Table 13.1. Effect of Common Problems

    Problem

    NW

    BB

    PP

    File locking

    -

    X

    -

    Hardware problems

    X

    X

    X

    Incorrect authentication

    X

    X

    -

    Incorrect configuration

    X

    X

    X

    LDAP problems

    X

    X

    -

    Name resolution

    X

    X

    X

    Printing problems

    X

    X

    -

    Slow file transfer

    -

    -

    X

    Winbind problems

    X

    X

    -

    - + It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. -

    Guidelines for Reliable Samba Operation

    - - +

    Guidelines for Reliable Samba Operation

    + + Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. -

    Name Resolution

    +

    Name Resolution

    There are three basic current problem areas: bad hostnames, routed networks, and network collisions. These are covered in the following discussion. -

    Bad Hostnames

    - - - - - +

    Bad Hostnames

    + + + + + When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears @@ -107,13 +107,13 @@ the local Windows machine itself. Hostnames must be valid for Windows networking to function correctly.

    - + A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address.

    - - + + A Samba server called FRED in a NetBIOS domain called COLLISION in a network environment that is part of the fully-qualified Internet domain namespace known as parrots.com, results in DNS name lookups for fred.parrots.com @@ -122,49 +122,49 @@ attempts to resolve fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS namespace.

    Note

    - - - + + + An Active Directory realm called collision.parrots.com is perfectly okay, although it too must be capable of being resolved via DNS, something that functions correctly if Windows 200x ADS has been properly installed and configured. -

    Routed Networks

    - - - +

    Routed Networks

    + + + NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use of UDP-based broadcast traffic, as you saw during the exercises in ???.

    - - - + + + UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made:

    • - - - + + + Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to add to the Samba server smb.conf file the parameters remote announce and remote browse sync. For more information, refer to the online manual page for the smb.conf file.

    • - + Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration.

    Note

    - - + + The use of DNS is not an acceptable substitute for WINS. DNS does not store specific information regarding NetBIOS networking particulars that get stored in the WINS name resolution database and that Windows clients require and depend on. -

    Network Collisions

    - - - - +

    Network Collisions

    + + + + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network @@ -173,9 +173,9 @@ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined in ???.

    - - - + + + Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became @@ -183,13 +183,13 @@ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance immediately returned to 11 MB/sec. -

    Samba Configuration

    +

    Samba Configuration

    As a general rule, the contents of the smb.conf file should be kept as simple as possible. No parameter should be specified unless you know it is essential to operation.

    - - - + + + Many UNIX administrators like to fully document the settings in the smb.conf file. This is a bad idea because it adds content to the file. The smb.conf file is re-read by every smbd process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). @@ -197,7 +197,7 @@ As the size of the smb.conf file grows, the risk of introducing parsing errors also increases. It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only with an optimized file. -

    +

    The preferred way to maintain a documented file is to call it something like smb.conf.master. You can generate the optimized file by executing: 

    @@ -223,7 +223,7 @@
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

    - + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a @@ -233,28 +233,28 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.

    - - - + + + There are two parameters that can cause severe network performance degradation: socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them.

    - - - - + + + + Another smb.conf parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often used with the sync always parameter. This, too, can severely degrade network performance, so do not set it; if you must, do so with caution.

    - - - - + + + + Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to @@ -262,12 +262,12 @@ support, do so only on the share on which it is required. That way, all other shares can provide oplock support for operations that are tolerant of it. See ??? for more information. -

    Use and Location of BDCs

    - - - - - +

    Use and Location of BDCs

    + + + + + On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily @@ -275,13 +275,13 @@ to a BDC on a distant network segment. This significantly hinders WAN operations and is undesirable.

    - - + + As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add domain member servers. This practice ensures that there are always sufficient domain controllers to handle logon requests and authentication traffic. -

    Use One Consistent Version of MS Windows Client

    +

    Use One Consistent Version of MS Windows Client

    Every network client has its own peculiarities. From a management perspective, it is easier to deal with one version of MS Windows that is maintained to a consistent update level than it is to deal with a mixture of clients. @@ -289,61 +289,61 @@ On a number of occasions, particular Microsoft service pack updates of a Windows server or client have necessitated special handling from the Samba server end. If you want to remain sane, keep you client workstation configurations consistent. -

    For Scalability, Use SAN-Based Storage on Samba Servers

    - - +

    For Scalability, Use SAN-Based Storage on Samba Servers

    + + Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques.

    - - + + The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. -

    Distribute Network Load with MSDFS

    - - +

    Distribute Network Load with MSDFS

    + + Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual servers. Refer to TOSHARG2, Chapter 19, for information regarding implementation of an MSDFS installation.

    - - + + The combination of multiple backend servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. -

    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth

    - - - +

    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth

    + + + Consider using rsync to replicate data across the WAN during times of low utilization. Users can then access the replicated data store rather than needing to do so across the WAN. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. -

    Hardware Problems

    - - - - - - +

    Hardware Problems

    + + + + + + Networking hardware prices have fallen sharply over the past 5 years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective HUBs, switches, and cables.

    - + Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action.

    - - - - - + + + + + Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent or persistent data corruption, slow network throughput, low performance, or even as BSOD problems with MS Windows clients. In one case, a company updated several workstations with newer, faster @@ -352,14 +352,14 @@

    Defective hardware problems may take patience and persistence before the real cause can be discovered.

    - + Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network administrator until the entire server was replaced. While you may well think that this would never happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone. -

    Large Directories

    +

    Large Directories

    There exist applications that create or manage directories containing many thousands of files. Such applications typically generate many small files (less than 100 KB). At the best of times, under UNIX, listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x, @@ -379,7 +379,7 @@ that the file system is on will be thrashing wildly.

    Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is - really in the case sensitive = True line. This tells smbd never to scan + really in the case sensitive = True line. This tells smbd never to scan for case-insensitive versions of names. So if an application asks for a file called FOO, and it can not be found by a simple stat call, then smbd will return "file not found" immediately without scanning the containing directory for a version of a different case. @@ -399,7 +399,7 @@ All files and directories under the path directory must be in the same case as specified in the smb.conf stanza. This means that smbd will not be able to find lower case filenames with these settings. Note, this is done on a per-share basis. -

    Key Points Learned

    +

    Key Points Learned

    This chapter has touched in broad sweeps on a number of simple steps that can be taken to ensure that your Samba network is resilient, scalable, and reliable, and that it performs well. @@ -408,7 +408,7 @@ In the long term, that may not be you. Spare a thought for your successor and give him or her an even break.

    - + Last, but not least, you should not only keep the network design simple, but also be sure it is well documented. This book may serve as your pattern for documenting every aspect of your design, its implementation, and particularly the objects and assumptions diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/happy.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/happy.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/happy.html 2005-08-19 12:59:27.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/happy.html 2005-12-19 10:19:15.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 5. Making Happy Users

    Chapter 5. Making Happy Users
    Prev Part I. Example Network Configurations Next

    Chapter 5. Making Happy Users

    Table of Contents

    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers

    +Chapter 5. Making Happy Users

    Chapter 5. Making Happy Users
    Prev Part I. Example Network Configurations Next

    Chapter 5. Making Happy Users

    Table of Contents

    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers

    It is said that “a day that is without troubles is not fulfilling. Rather, give me a day of troubles well handled so that I can be content with my achievements.

    @@ -6,7 +6,7 @@ or experience them. The design of the network implemented in ??? may create problems for some network users. The following lists some of the problems that may occur: -

    Caution

    +

    Caution

    A significant number of network administrators have responded to the guidance given here. It should be noted that there are sites that have a single PDC for many hundreds of concurrent network clients. Network bandwidth, network bandwidth utilization, and server load @@ -19,8 +19,8 @@ overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows clients is conservative and if followed will minimize problems but it is not absolute.

    Users experiencing difficulty logging onto the network

    - - + + When a Windows client logs onto the network, many data packets are exchanged between the client and the server that is providing the network logon services. Each request between the client and the server must complete within a specific @@ -30,9 +30,9 @@ 30 to 150 clients. The actual limits are determined by network operational characteristics.

    - - - + + + If the domain controller provides only network logon services and all file and print activity is handled by domain member servers, one domain controller per 150 clients on a single network segment may suffice. In any @@ -46,25 +46,25 @@ that can be supported is limited by the CPU speed, memory and the workload on the Samba server as well as network bandwidth utilization.

    Slow logons and log-offs

    - + Slow logons and log-offs may be caused by many factors that include:

    • - - + + Excessive delays in the resolution of a NetBIOS name to its IP address. This may be observed when an overloaded domain controller is also the WINS server. Another cause may be the failure to use a WINS server (this assumes that there is a single network segment).

    • - - - + + + Network traffic collisions due to overloading of the network segment. One short-term workaround to this may be to replace network HUBs with Ethernet switches.

    • - + Defective networking hardware. Over the past few years, we have seen on the Samba mailing list a significant increase in the number of problems that were traced to a defective network interface controller, @@ -72,8 +72,8 @@ it was the erratic nature of the problem that ultimately pointed to the cause of the problem.

    • - - + + Excessively large roaming profiles. This type of problem is typically the result of poor user education as well as poor network management. It can be avoided by users not storing huge quantities of email in @@ -81,7 +81,7 @@ These are old bad habits that require much discipline and vigilance on the part of network management.

    • - + You should verify that the Windows XP WebClient service is not running. The use of the WebClient service has been implicated in many Windows networking-related problems. @@ -90,26 +90,26 @@ Loss of access to network resources during client operation may be caused by a number of factors, including:

      • - + Network overload (typically indicated by a high network collision rate)

      • Server overload

      • - + Timeout causing the client to close a connection that is in use but has been latent (no traffic) for some time (5 minutes or more)

      • - + Defective networking hardware

      - + No matter what the cause, a sudden loss of access to network resources can result in BSOD (blue screen of death) situations that necessitate rebooting of the client workstation. In the case of a mild problem, retrying to access the network drive of the printer may restore operations, but in any case this is a serious problem that may lead to the next problem, data corruption.

    Potential data corruption

    - + Data corruption is one of the most serious problems. It leads to uncertainty, anger, and frustration, and generally precipitates immediate corrective demands. Management response to this type of problem may be rational, as well as highly irrational. There have been @@ -123,29 +123,29 @@ anticipate and combat network performance issues. You can work through complex and thorny methods to improve the reliability of your network environment, but be warned that all such steps demand the price of complexity. -

    Regarding LDAP Directories and Windows Computer Accounts

    - +

    Regarding LDAP Directories and Windows Computer Accounts

    + Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some constraints that are described in this section.

    - - - - + + + + The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats them. A user account and a machine account are indistinguishable from each other, except that the machine account ends in a $ character, as do trust accounts.

    - - + + The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID is a design decision that was made a long way back in the history of Samba development. It is unlikely that this decision will be reversed or changed during the remaining life of the Samba-3.x series.

    - - + + The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that must refer back to the host operating system on which Samba is running. The name service switch (NSS) is the preferred mechanism that shields applications (like Samba) from the @@ -158,13 +158,13 @@ possible to do this via LDAP, and for that Samba provides the appropriate hooks so that all account entities can be located in an LDAP directory.

    - + For many the weapon of choice is to use the PADL nss_ldap utility. This utility must be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That is fundamentally an LDAP design question. The information provided on the Samba list and in the documentation is directed at providing working examples only. The design of an LDAP directory is a complex subject that is beyond the scope of this documentation. -

    Introduction

    +

    Introduction

    You just opened an email from Christine that reads:

    Good morning, @@ -193,8 +193,8 @@ regain control of our vital IT operations.

    		 
     --Christine

    - - + + Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a single domain controller is a poor design that has obvious operational effects that may frustrate users. Here is your reply: @@ -204,56 +204,56 @@ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait for approval; I appreciate the urgency. -

    		 
     --Bob

    Assignment Tasks

    +

    		 
     --Bob

    Assignment Tasks

    The priority of assigned tasks in this chapter is:

    1. - - - - + + + + Implement Backup Domain Controllers (BDCs) in each building. This involves a change from a tdbsam backend that was used in the previous chapter to an LDAP-based backend.

      You can implement a single central LDAP server for this purpose.

    2. - - - - + + + + Rectify the problem of excessive logon times. This involves redirection of folders to network shares as well as modification of all user desktops to exclude the redirected folders from being loaded at login time. You can also create a new default profile that can be used for all new users.

    - + You configure a new MS Windows XP Professional workstation disk image that you roll out to all desktop users. The instructions you have created are followed on a staging machine from which all changes can be carefully tested before inflicting them on your network users.

    - + This is the last network example in which specific mention of printing is made. The example again makes use of the CUPS printing system. -

    Dissection and Discussion

    - - - +

    Dissection and Discussion

    + + + The implementation of Samba BDCs necessitates the installation and configuration of LDAP. For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial LDAP servers in current use with Samba-3 include:

    • - + Novell eDirectory is being successfully used by some sites. Information on how to use eDirectory can be obtained from the Samba mailing lists or from Novell.

    • - + IBM Tivoli Directory Server can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba source code tarball under the directory ~samba/example/LDAP.

    • - + Sun ONE Identity Server product suite provides an LDAP server that can be used for Samba. Example schema files are provided in the Samba source code tarball under the directory @@ -264,19 +264,19 @@ initialize the LDAP directory database. OpenLDAP itself has only command-line tools to help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.

      - + For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database requires an understanding of what you are doing, why you are doing it, and the tools that you must use.

      - - - - - - - + + + + + + + When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. High availability operation may be obtained through directory replication/synchronization and master/slave server configurations. OpenLDAP is a mature platform to host the organizational @@ -286,10 +286,10 @@ contents with greater ability to back up, restore, and modify the directory than is generally possible with Microsoft Active Directory.

      - - - - + + + + A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured for a specific task orientation. It comes with a set of administrative tools that is entirely customized @@ -300,8 +300,8 @@ MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services of OpenLDAP.

      - - + + You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management tools and the creation of shell and Perl scripts a bit @@ -309,7 +309,7 @@ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file that is required for use as a passdb backend.

      - + For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, there are a few nice Web-based tools that may help you to manage your users and groups more effectively. The Web-based tools you might like to consider include the @@ -334,10 +334,10 @@ LDAP System Administration, by Jerry Carter quite useful.

      - - - - + + + + Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must be loaded over the WAN connection. The addition of BDCs on each network segment significantly @@ -345,31 +345,31 @@ user desktops, and this must be done in a way that wins their support and does not cause further loss of staff morale. The following procedures solve this problem.

      - + There is also an opportunity to implement smart printing features. You add this to the Samba configuration so that future printer changes can be managed without need to change desktop configurations.

      You add the ability to automatically download new printer drivers, even if they are not installed in the default desktop profile. Only one example of printing configuration is given. It is assumed that you can extrapolate the principles and use them to install all printers that may be needed. -

      Technical Issues

      - - - +

      Technical Issues

      + + + The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account attributes Samba needs. Samba-3 can use the LDAP backend to store:

      • Windows Networking User Accounts

      • Windows NT Group Accounts

      • Mapping Information between UNIX Groups and Windows NT Groups

      • ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)

      - - - - - - - - - + + + + + + + + + The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the PADL LDAP tools. The resolution @@ -378,16 +378,16 @@ that integrates with the NSS. The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in ???.

      Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts

      The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts

      - - + + You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that site security is not at risk. This is not covered in the following guidance.

      - - - - + + + + When OpenLDAP has been made operative, you configure the PDC called MASSIVE. You initialize the Samba secrets.tdb file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. @@ -395,27 +395,27 @@ You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools that help to manage user and group configuration.

      - - - + + + In order to effect folder redirection and to add robustness to the implementation, create a network default profile. All network users workstations are configured to use the new profile. Roaming profiles will automatically be deleted from the workstation when the user logs off.

      - + The profile is configured so that users cannot change the appearance of their desktop. This is known as a mandatory profile. You make certain that users are able to use their computers efficiently.

      - + A network logon script is used to deliver flexible but consistent network drive connections.

      Addition of Machines to the Domain

      - - - - + + + + Samba versions prior to 3.0.11 necessitated the use of a domain administrator account that maps to the UNIX UID=0. The UNIX operating system permits only the root user to add user and group accounts. Samba 3.0.11 introduced a new facility known as @@ -425,13 +425,13 @@ In this network example use is made of one of the supported privileges purely to demonstrate how any user can now be given the ability to add machines to the domain using a normal user account that has been given the appropriate privileges. -

      Roaming Profile Background

      +

      Roaming Profile Background

      As XP roaming profiles grow, so does the amount of time it takes to log in and out.

      - - - - + + + + An XP roaming profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the @@ -453,20 +453,20 @@ user to not place large files on the desktop and to use his or her mapped home directory instead of the My Documents folder for saving documents.

      - + Using a folder other than My Documents is a nuisance for some users, since many applications use it by default.

      - - - + + + The secret to rapid loading of roaming profiles is to prevent unnecessary data from being copied back and forth, without losing any functionality. This is not difficult; it can be done by making changes to the Local Group Policy on each client as well as changing some paths in each user's NTUSER.DAT hive.

      - - + + Every user profile has its own NTUSER.DAT file. This means you need to edit every user's profile, unless a better method can be followed. Fortunately, with the right preparations, this is not difficult. @@ -475,10 +475,10 @@ necessary to copy all files from redirected folders to the network share to which they are redirected.

      The Local Group Policy

      - - - - + + + + Without an Active Directory PDC, you cannot take full advantage of Group Policy Objects. However, you can still make changes to the Local Group Policy by using the Group Policy editor (gpedit.msc). @@ -492,26 +492,26 @@ Simply add the folders you do not wish to be copied back and forth to this semicolon-separated list. Note that this change must be made on all clients that are using roaming profiles. -

      Profile Changes

      - - +

      Profile Changes

      + + There are two changes that should be done to each user's profile. Move each of the directories that you have excluded from being copied back and forth out of the usual profile path. Modify each user's NTUSER.DAT file to point to the new paths that are shared over the network instead of to the default path (C:\Documents and Settings\%USERNAME%).

      - - + + The above modifies existing user profiles. So that newly created profiles have these settings, you need to modify the NTUSER.DAT in the C:\Documents and Settings\Default User folder on each client machine, changing the same registry keys. You could do this by copying NTUSER.DAT to a Linux box and using regedt32. The basic method is described under ???. -

      Using a Network Default User Profile

      - - +

      Using a Network Default User Profile

      + + If you are using Samba as your PDC, you should create a file share called NETLOGON and within that create a directory called Default User, which is a copy of the desired default user @@ -520,10 +520,10 @@ the first login from a new account pulls its configuration from it. See also the Real Men Don't Click Web site. -

      Installation of Printer Driver Auto-Download

      - - - +

      Installation of Printer Driver Auto-Download

      + + + The subject of printing is quite topical. Printing problems run second place to name resolution issues today. So far in this book, you have experienced only what is generally known as “dumb” printing. Dumb printing is the arrangement by which all drivers @@ -532,8 +532,8 @@ many problems, but it has its limitations also. Dumb printing is better known as Raw-Print-Through printing.

      - - + + Samba permits the configuration of smart printing using the Microsoft Windows point-and-click (also called drag-and-drop) printing. What this provides is essentially the ability to print to any printer. If the local client does not yet have a @@ -547,9 +547,9 @@ then invokes a suitable print filter to convert the incoming data stream into a format suited to the printer to which the job is dispatched.

      - - - + + + The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed @@ -574,10 +574,10 @@ simple problems efficiently and effectively.

      Here are some diagnostic guidelines that can be referred to when things go wrong: -

      Preliminary Advice: Dangers Can Be Avoided

      +

      Preliminary Advice: Dangers Can Be Avoided

      The best advice regarding how to mend a broken leg is “Never break a leg!

      - + Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!

      @@ -593,7 +593,7 @@ Do not be lulled into thinking that you can easily adopt the examples in this book and adapt them without first working through the examples provided. A little thing overlooked can cause untold pain and may permanently tarnish your experience. -

      The Name Service Caching Daemon

      +

      The Name Service Caching Daemon

      The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used. Winbind does its own caching, thus nscd causes double caching which can lead to peculiar problems during @@ -660,17 +660,17 @@ root# chkconfig nscd off root# rcnscd off

      -

      Debugging LDAP

      - - - +

      Debugging LDAP

      + + + In the example /etc/openldap/slapd.conf control file (see ???) there is an entry for loglevel 256. To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter and restart slapd.

      - - + + LDAP log information can be directed into a file that is separate from the normal system log files by changing the /etc/syslog.conf file so it has the following contents: @@ -689,7 +689,7 @@ local site needs. The configuration used later in this chapter reflects such customization with the intent that LDAP log files will be stored at a location that meets local site needs and wishes more fully. -

      Debugging NSS_LDAP

      +

      Debugging NSS_LDAP

      The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the /etc/ldap.conf file the following parameters: 

      @@ -702,7 +702,7 @@

      The diagnostic process should follow these steps: -

      Procedure 5.1. NSS_LDAP Diagnostic Steps

      1. +

        Procedure 5.1. NSS_LDAP Diagnostic Steps

        1. Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries in the /etc/ldap.conf file and compare them closely with the directory tree location that was chosen when the directory was first created. @@ -792,7 +792,7 @@ Check that the bindpw entry in the /etc/ldap.conf or in the /etc/ldap.secrets file is correct, as specified in the /etc/openldap/slapd.conf file. -

      Debugging Samba

      +

    Debugging Samba

    The following parameters in the smb.conf file can be useful in tracking down Samba-related problems: 

     [global]
@@ -822,17 +822,17 @@
 		
    
 		Search for hints of what may have failed by looking for the words fail
 		and error.
-
    Debugging on the Windows Client

    +

    Debugging on the Windows Client

    MS Windows 2000 Professional and Windows XP Professional clients can be configured to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search the Microsoft knowledge base for detailed instructions. The techniques vary a little with each version of MS Windows. -

    Political Issues

    +

    Political Issues

    MS Windows network users are generally very sensitive to limits that may be imposed when confronted with locked-down workstation configurations. The challenge you face must be promoted as a choice between reliable, fast network operation and a constant flux of problems that result in user irritation. -

    Installation Checklist

    +

    Installation Checklist

    You are starting a complex project. Even though you went through the installation of a complex network in ???, this network is a bigger challenge because of the large number of complex applications that must be configured before the first few steps @@ -840,14 +840,14 @@ frequently review the steps ahead while making at least a mental note of what has already been completed. The following task list may help you to keep track of the task items that are covered: -

    • Samba-3 PDC Server Configuration

      1. DHCP and DNS servers

      2. OpenLDAP server

      3. PAM and NSS client tools

      4. Samba-3 PDC

      5. Idealx smbldap scripts

      6. LDAP initialization

      7. Create user and group accounts

      8. Printers

      9. Share point directory roots

      10. Profile directories

      11. Logon scripts

      12. Configuration of user rights and privileges

    • Samba-3 BDC Server Configuration

      1. DHCP and DNS servers

      2. PAM and NSS client tools

      3. Printers

      4. Share point directory roots

      5. Profiles directories

    • Windows XP Client Configuration

      1. Default profile folder redirection

      2. MS Outlook PST file relocation

      3. Delete roaming profile on logout

      4. Upload printer drivers to Samba servers

      5. Install software

      6. Creation of roll-out images

    Samba Server Implementation

    - - +

    • Samba-3 PDC Server Configuration

      1. DHCP and DNS servers

      2. OpenLDAP server

      3. PAM and NSS client tools

      4. Samba-3 PDC

      5. Idealx smbldap scripts

      6. LDAP initialization

      7. Create user and group accounts

      8. Printers

      9. Share point directory roots

      10. Profile directories

      11. Logon scripts

      12. Configuration of user rights and privileges

    • Samba-3 BDC Server Configuration

      1. DHCP and DNS servers

      2. PAM and NSS client tools

      3. Printers

      4. Share point directory roots

      5. Profiles directories

    • Windows XP Client Configuration

      1. Default profile folder redirection

      2. MS Outlook PST file relocation

      3. Delete roaming profile on logout

      4. Upload printer drivers to Samba servers

      5. Install software

      6. Creation of roll-out images

    Samba Server Implementation

    + + The network design shown in ??? is not comprehensive. It is assumed that you will install additional file servers and possibly additional BDCs.

    Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend

    Network Topology 500 User Network Using ldapsam passdb backend

    - - + + All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to adjust the locations for your particular Linux system distribution/implementation. @@ -868,22 +868,22 @@ with newly installed Linux servers, you must complete the steps shown in ??? before commencing at ???.

    OpenLDAP Server Configuration

    - - - + + + Confirm that the packages shown in ??? are installed on your system.

    Table 5.2. Required OpenLDAP Linux Packages

    SUSE Linux 8.xSUSE Linux 9.xRed Hat Linux
    nss_ldapnss_ldapnss_ldap
    pam_ldappam_ldappam_ldap
    openldap2openldap2openldap
    openldap2-clientopenldap2-client 

    Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you follow these guidelines, the resulting system should work fine. -

    Procedure 5.2. OpenLDAP Server Configuration Steps

    1. - +

      Procedure 5.2. OpenLDAP Server Configuration Steps

      1. + Install the file shown in ??? in the directory /etc/openldap.

      2. - - - + + + Remove all files from the directory /data/ldap, making certain that the directory exists with permissions: 

        @@ -892,14 +892,14 @@

        This may require you to add a user and a group account for LDAP if they do not exist.

      3. - + Install the file shown in ??? in the directory /data/ldap. In the event that this file is added after ldap has been started, it is possible to cause the new settings to take effect by shutting down the LDAP server, executing the db_recover command inside the /data/ldap directory, and then restarting the LDAP server.

      4. - + Performance logging can be enabled and should preferably be sent to a file on a file system that is large enough to handle significantly sized logs. To enable the logging at a verbose level to permit detailed analysis, uncomment the entry in @@ -975,31 +975,31 @@ index sambaDomainName eq index default sub

    PAM and NSS Client Configuration

    - - - + + + The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.

    - - + + Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely that you may want to use them for UNIX system (Linux) local machine logons. This necessitates correct configuration of PAM. The pam_ldap open source package provides the PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so module also has the ability to redirect authentication requests through LDAP.

    - - - - + + + + You have chosen to configure these services by directly editing the system files, but of course, you know that this configuration can be done using system tools provided by the Linux system vendor. SUSE Linux has a facility in YaST (the system admin tool) through yast->system->ldap-client that permits configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig tool for this. -

    Procedure 5.3. PAM and NSS Client Configuration Steps

    Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf

    +	
    Procedure 5.3. PAM and NSS Client Configuration Steps
    Example 5.4. Configuration File for NSS LDAP Support  /etc/ldap.conf
     host 127.0.0.1
 
 base dc=abmas,dc=biz
@@ -1042,9 +1042,9 @@
 
 ssl off
 
    1. 
-		
-		
-		
+		
+		
+		
 		Execute the following command to find where the nss_ldap module
 		expects to find its control file:
 
      @@ -1057,7 +1057,7 @@
 		On the servers called BLDG1 and BLDG2, install the file shown in
 		??? into the path that was obtained from the step above.
 		
    2. 
-		
+		
 		Edit the NSS control file (/etc/nsswitch.conf) so that the lines that
 		control user and group resolution will obtain information from the normal system files as
 		well as from ldap:
@@ -1080,7 +1080,7 @@
 		Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
 		nsswitch.conf file is a significant cause of operational problems with LDAP.
 		
    3. 
-		
+		
 		For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
 		files in the /etc/pam.d directory: login, password,
 		samba, sshd.  In each file, locate every entry that has the
@@ -1102,7 +1102,7 @@
 session   required   pam_limits.so

    - + On other Linux systems that do not have an LDAP-enabled pam_unix2.so module, you must edit these files by adding the pam_ldap.so modules as shown here: 

    @@ -1126,14 +1126,14 @@
 		implementation, but if the pam_unix2.so on your system supports
 		LDAP, you probably want to use it rather than add an additional module.

    Samba-3 PDC Configuration

    - + Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the choice to either build your own or obtain the packages from a dependable source. Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that is included with this book. -

    Procedure 5.4. Configuration of PDC Called MASSIVE

    1. +

      Procedure 5.4. Configuration of PDC Called MASSIVE

      1. Install the files in ???, ???, ???, and ??? into the /etc/samba/ @@ -1143,7 +1143,7 @@ on the master file. The operational smb.conf is then generated as shown in the next step.

      2. - + Create and verify the contents of the smb.conf file that is generated by: 

         root#  testparm -s smb.conf.master > smb.conf
@@ -1180,8 +1180,8 @@
 root#  rm /var/log/samba/*

      3. - - + + Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the secrets.tdb file. Execute the following to create the new secrets.tdb files @@ -1194,8 +1194,8 @@ Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb

      4. - - + + Samba-3 generates a Windows Security Identifier (SID) only when smbd has been started. For this reason, you start Samba. After a few seconds delay, execute: @@ -1229,10 +1229,10 @@

      5. When a positive domain SID has been reported, stop Samba.

      6. - - - - + + + + Configure the NFS server for your Linux system. So you can complete the steps that follow, enter into the /etc/exports the following entry: 

        @@ -1250,8 +1250,8 @@

      Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with configuration of the LDAP server. -

      Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      netbios name = MASSIVE
      interfaces = eth1, lo
      bind interfaces only = Yes
      passdb backend = ldapsam:ldap://massive.abmas.biz
      enable privileges = Yes
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 50
      smb ports = 139
      name resolve order = wins bcast hosts
      time server = Yes
      printcap name = CUPS
      show add printer wizard = No
      add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
      delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
      add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
      delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
      add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
      delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
      set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
      add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

      Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B

      logon script = scripts\logon.bat
      logon path = \\%L\profiles\%U
      logon drive = X:
      domain logons = Yes
      preferred master = Yes
      wins support = Yes
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=Manager,dc=abmas,dc=biz
      idmap backend = ldap:ldap://massive.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      map acl inherit = Yes
      printing = cups
      printer admin = root, chrisr

    Install and Configure Idealx smbldap-tools Scripts

    - +

    Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    netbios name = MASSIVE
    interfaces = eth1, lo
    bind interfaces only = Yes
    passdb backend = ldapsam:ldap://massive.abmas.biz
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    time server = Yes
    printcap name = CUPS
    show add printer wizard = No
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
    delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
    delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

    Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B

    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://massive.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    map acl inherit = Yes
    printing = cups
    printer admin = root, chrisr

    Install and Configure Idealx smbldap-tools Scripts

    + The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts on the LDAP server. You have chosen the Idealx scripts because they are the best-known LDAP configuration scripts. The use of these scripts will help avoid the necessity @@ -1268,7 +1268,7 @@ The smbldap-tools are located in /opt/IDEALX/sbin. The scripts are not needed on BDC machines because all LDAP updates are handled by the PDC alone. -

    Installation of smbldap-tools from the Tarball

    +

    Installation of smbldap-tools from the Tarball

    To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:

    Procedure 5.5. Unpacking and Installation Steps for the smbldap-tools Tarball

    1. Create the /opt/IDEALX/sbin directory, and set its permissions @@ -1320,10 +1320,10 @@

      The smbldap-tools scripts are now ready for the configuration step outlined in ???. -

    Installing smbldap-tools from the RPM Package

    +

    Installing smbldap-tools from the RPM Package

    In the event that you have elected to use the RPM package provided by Idealx, download the source RPM smbldap-tools-0.9.1-1.src.rpm, then follow this procedure: -

    Procedure 5.6. Installation Steps for smbldap-tools RPM's

    1. +

      Procedure 5.6. Installation Steps for smbldap-tools RPM's

      1. Install the source RPM that has been downloaded as follows: 

         root#  rpm -i smbldap-tools-0.9.1-1.src.rpm
@@ -1368,7 +1368,7 @@
 	
        
 	The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
 	in the smb.conf file.
-	
        Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
        1. 
+	
          Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
          1. 
 		Change into the directory that contains the configure.pl script.
 
             root#  cd /opt/IDEALX/sbin
@@ -1474,7 +1474,7 @@
 		then verify its contents.
 		
          
 	The smbldap-tools are now ready for use.
-

      LDAP Initialization and Creation of User and Group Accounts

      +

    LDAP Initialization and Creation of User and Group Accounts

    The LDAP database must be populated with well-known Windows domain user accounts and domain group accounts before Samba can be used. The following procedures step you through the process.

    @@ -1487,12 +1487,12 @@

    Addition of an account to the LDAP backend can be done in two ways:

    • - - - - - - + + + + + + If you always have a user account in the /etc/passwd on every server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in LDAP. In this case, you can add Windows domain user accounts using the @@ -1510,20 +1510,20 @@ Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, is included on the enclosed CD-ROM under Chap06/Tools.

    - + If you wish to have more control over how the LDAP database is initialized or if you don't want to use the Idealx smbldap-tools, you should refer to ???, ???.

    - + The following steps initialize the LDAP database, and then you can add user and group accounts that Samba can use. You use the smbldap-populate to seed the LDAP database. You then manually add the accounts shown in ???. The list of users does not cover all 500 network users; it provides examples only.

    Note

    - - - + + + In the following examples, as the LDAP database is initialized, we do create a container for Computer (machine) accounts. In the Samba-3 smb.conf files, specific use is made of the People container, not the Computers container, for domain member accounts. This is not a @@ -1600,7 +1600,7 @@ Starting ldap-server done

  • - + So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -1609,7 +1609,7 @@ dn: ou=Idmap,dc=abmas,dc=biz ou: idmap

    - + If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see ???). You can add the required entries using the following command: @@ -1619,7 +1619,7 @@

    Samba automatically populates this LDAP directory container when it needs to.

  • - + It looks like all has gone well, as expected. Let's confirm that this is the case by running a few tests. First we check the contents of the database directly by running slapcat as follows (the output has been cut down): @@ -1657,7 +1657,7 @@

    This looks good so far.

  • - + The next step is to prove that the LDAP server is running and responds to a search request. Execute the following as shown (output has been cut to save space): 

    @@ -1702,7 +1702,7 @@

    Good. It is all working just fine.

  • - + You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands: 

    @@ -1715,16 +1715,16 @@
 Domain Guests:x:514:
 Domain Computers:x:553:

    - + This demonstrates that the nss_ldap library is functioning as it should. If these two steps fail to produce this information, refer to ??? for diagnostic procedures that can be followed to isolate the cause of the problem. Proceed to the next step only when the previous steps have been successfully completed.

  • - - - + + + Our database is now ready for the addition of network users. For each user for whom an account must be created, execute the following: 

    @@ -1740,7 +1740,7 @@

    where username is the login ID for each user.

  • - + Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the following: 

    @@ -1768,7 +1768,7 @@
 		This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
 		by system tools that make a getentpw() system call.

  • - + The root account must have UID=0; if not, this means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the management of user and group accounts requires that the UID=0. Additionally, it is @@ -1802,8 +1802,8 @@

    This is precisely what we want to see.

  • - - + + The final validation step involves making certain that Samba-3 can obtain the user accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: 

    @@ -1834,7 +1834,7 @@

    This looks good. Of course, you fully expected that it would all work, didn't you?

  • - + Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown: 

    @@ -1845,7 +1845,7 @@
 		The addition of groups does not involve keyboard interaction, so the lack of console
 		output is of no concern.

  • - + You really do want to confirm that UNIX group resolution from LDAP is functioning as it should. Let's do this as shown here: 

    @@ -1862,7 +1862,7 @@
 		The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
 		as our own site-specific group accounts, are correctly listed. This is looking good.

  • - + The final step we need to validate is that Samba can see all the Windows domain groups and that they are correctly mapped to the respective UNIX group account. To do this, just execute the following command: @@ -1917,7 +1917,7 @@ root# rcwinbind restart

  • - + You may now check Samba-3 operation as follows: 

     root#  smbclient -L massive -U%
@@ -1963,12 +1963,12 @@

    • The server MASSIVE is now configured, and it is time to move onto the next task.

    Printer Configuration

    - + The configuration for Samba-3 to enable CUPS raw-print-through printing has already been taken care of in the smb.conf file. The only preparation needed for smart printing to be possible involves creation of the directories in which Samba-3 stores Windows printing driver files. -

    Procedure 5.9. Printer Configuration Steps

    1. +

      Procedure 5.9. Printer Configuration Steps

      1. Configure all network-attached printers to have a fixed IP address.

      2. Create an entry in the DNS database on the server MASSIVE @@ -1980,18 +1980,18 @@ Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - + +

      3. - - + + Only on the server to which the printer is attached, configure the CUPS Print Queues as follows: 

         root#  lpadmin -p printque
 	 -v socket://printer-name.abmas.biz:9100 -E

        - + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, that is, printing without use of filters. The name printque is the name you have assigned for @@ -2011,15 +2011,15 @@ root# /usr/bin/accept printque

      4. - - - + + + Edit the file /etc/cups/mime.convs to uncomment the line: 

         application/octet-stream     application/vnd.cups-raw      0     -

      5. - + Edit the file /etc/cups/mime.types to uncomment the line: 

         application/octet-stream
@@ -2038,7 +2038,7 @@
 root#  chown -R root:root /var/lib/samba/drivers
 root#  chmod -R ug=rwx,o=rx /var/lib/samba/drivers

        -

    Samba-3 BDC Configuration

    Procedure 5.10. Configuration of BDC Called: BLDG1

    1. +

    Samba-3 BDC Configuration

    Procedure 5.10. Configuration of BDC Called: BLDG1

    1. Install the files in ???, ???, and ??? into the /etc/samba/ directory. The three files @@ -2081,7 +2081,7 @@

      This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.

    2. - + The next step in the verification process involves testing the operation of UNIX group resolution via the NSS LDAP resolver. Execute these commands: 

      @@ -2111,7 +2111,7 @@
 		This is also the correct and desired output, because it demonstrates that the LDAP client
 		is able to communicate correctly with the LDAP server (MASSIVE).

    3. - + You must now set the LDAP administrative password into the Samba-3 secrets.tdb file by executing this command: 

      @@ -2143,7 +2143,7 @@

      This indicates that the domain security account for the BDC has been correctly created.

    4. - + Verify that user and group account resolution works via Samba-3 tools as follows: 

       root#  pdbedit -L
@@ -2231,19 +2231,19 @@
 		should be added together to form the smb.conf file.

    5. Follow carefully the steps shown in ???, starting at step 2. -

    Example 5.8. LDAP Based smb.conf File, Server: BLDG1

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    netbios name = BLDG1
    passdb backend = ldapsam:ldap://massive.abmas.biz
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    wins server = 172.16.0.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://massive.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printing = cups
    printer admin = root, chrisr

    Example 5.9. LDAP Based smb.conf File, Server: BLDG2

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    netbios name = BLDG2
    passdb backend = ldapsam:ldap://massive.abmas.biz
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    wins server = 172.16.0.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://massive.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printing = cups
    printer admin = root, chrisr

    Example 5.10. LDAP Based smb.conf File, Shares Section Part A

    [accounts]
    comment = Accounting Files
    path = /data/accounts
    read only = No
    [service]
    comment = Financial Services Files
    path = /data/service
    read only = No
    [pidata]
    comment = Property Insurance Files
    path = /data/pidata
    read only = No
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

    Example 5.11. LDAP Based smb.conf File, Shares Section Part B

    [apps]
    comment = Application Files
    path = /apps
    admin users = bjordan
    read only = No
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
    [profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    [profdata]
    comment = Profile Data Share
    path = /var/lib/samba/profdata
    read only = No
    profile acls = Yes
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root, chrisr

    Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF

    +

    Example 5.8. LDAP Based smb.conf File, Server: BLDG1

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    netbios name = BLDG1
    passdb backend = ldapsam:ldap://massive.abmas.biz
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    wins server = 172.16.0.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://massive.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printing = cups
    printer admin = root, chrisr

    Example 5.9. LDAP Based smb.conf File, Server: BLDG2

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    netbios name = BLDG2
    passdb backend = ldapsam:ldap://massive.abmas.biz
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    wins server = 172.16.0.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://massive.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printing = cups
    printer admin = root, chrisr

    Example 5.10. LDAP Based smb.conf File, Shares Section Part A

    [accounts]
    comment = Accounting Files
    path = /data/accounts
    read only = No
    [service]
    comment = Financial Services Files
    path = /data/service
    read only = No
    [pidata]
    comment = Property Insurance Files
    path = /data/pidata
    read only = No
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

    Example 5.11. LDAP Based smb.conf File, Shares Section Part B

    [apps]
    comment = Application Files
    path = /apps
    admin users = bjordan
    read only = No
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
    [profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    [profdata]
    comment = Profile Data Share
    path = /var/lib/samba/profdata
    read only = No
    profile acls = Yes
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root, chrisr

    Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF

     dn: ou=Idmap,dc=abmas,dc=biz
 objectClass: organizationalUnit
 ou: idmap
 structuralObjectClass: organizationalUnit
-

    Miscellaneous Server Preparation Tasks

    +

    Miscellaneous Server Preparation Tasks

    My father would say, “Dinner is not over until the dishes have been done.” The makings of a great network environment take a lot of effort and attention to detail. So far, you have completed most of the complex (and to many administrators, the interesting part of server configuration) steps, but remember to tie it all together. Here are a few more steps that must be completed so that your network runs like a well-rehearsed orchestra. -

    Configuring Directory Share Point Roots

    +

    Configuring Directory Share Point Roots

    In your smb.conf file, you have specified Windows shares. Each has a path parameter. Even though it is obvious to all, one of the common Samba networking problems is caused by forgetting to verify that every such share root directory actually exists and that it @@ -2261,7 +2261,7 @@ root# chmod -R ug+rwxs,o-rwx /data root# chmod -R ug+rwx,o+rx-w /apps

    -

    Configuring Profile Directories

    +

    Configuring Profile Directories

    You made a conscious decision to do everything it would take to improve network client performance. One of your decisions was to implement folder redirection. This means that Windows user desktop profiles are now made up of two components: a dynamically loaded part and a set of file @@ -2286,8 +2286,8 @@ root# chmod -R 750 username

    - - + + You have three options insofar as the dynamically loaded portion of the roaming profile is concerned:

    • You may permit the user to obtain a default profile.

    • You can create a mandatory profile.

    • You can create a group profile (which is almost always a mandatory profile).

    @@ -2295,8 +2295,8 @@ profile is effected by renaming the NTUSER.DAT to NTUSER.MAN, that is, just by changing the filename extension.

    - - + + The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. You can manage this using the Idealx smbldap-tools or using the Windows NT4 Domain User Manager. @@ -2309,8 +2309,8 @@ /var/lib/samba/profiles/username root# chmod 700 /var/lib/samba/profiles/username

    -

    Preparation of Logon Scripts

    - +

    Preparation of Logon Scripts

    + The use of a logon script with Windows XP Professional is an option that every site should consider. Unless you have locked down the desktop so the user cannot change anything, there is risk that a vital network drive setting may be broken or that printer connections may be lost. Logon scripts @@ -2335,7 +2335,7 @@ You should research the options for logon script implementation by referring to TOSHARG2, Chapter 24, Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon facilities in use today is called KiXtart. -

    Assigning User Rights and Privileges

    +

    Assigning User Rights and Privileges

    The ability to perform tasks such as joining Windows clients to the domain can be assigned to normal user accounts. By default, only the domain administrator account (root on UNIX systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant @@ -2347,7 +2347,7 @@ Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who are granted rights can be restricted to particular machines. It is left to the network administrator to determine which rights should be provided and to whom. -

    Procedure 5.12. Steps for Assignment of User Rights and Privileges

    1. +

      Procedure 5.12. Steps for Assignment of User Rights and Privileges

      1. Log onto the PDC as the root account.

      2. Execute the following command to grant the Domain Admins group all @@ -2405,8 +2405,8 @@ SeRemoteShutdownPrivilege SeDiskOperatorPrivilege

        -

    Windows Client Configuration

    - +

    Windows Client Configuration

    + In the next few sections, you can configure a new Windows XP Professional disk image on a staging machine. You will configure all software, printer settings, profile and policy handling, and desktop default profile settings on this system. When it is complete, you copy the contents of the @@ -2419,24 +2419,24 @@ Base Profile for All Users."

    Configuration of Default Profile with Folder Redirection

    - + Log onto the Windows XP Professional workstation as the local Administrator. It is necessary to expose folders that are generally hidden to provide access to the Default User folder. -

    Procedure 5.13. Expose Hidden Folders

    1. +

      Procedure 5.13. Expose Hidden Folders

      1. Launch the Windows Explorer by clicking Start->My Computer->Tools->Folder Options->View Tab. Select Show hidden files and folders, and click OK. Exit Windows Explorer.

      2. - + Launch the Registry Editor. Click Start->Run. Key in regedt32, and click OK.

      Procedure 5.14. Redirect Folders in Default System User Profile

      1. - - + + Give focus to HKEY_LOCAL_MACHINE hive entry in the left panel. Click File->Load Hive...->Documents and Settings->Default User->NTUSER->Open. In the dialog box that opens, enter the key name Default and click OK. @@ -2448,15 +2448,15 @@

        The right panel reveals the contents as shown in ???.

      2. - - + + You edit hive keys. Acceptable values to replace the %USERPROFILE% variable includes:

        • A drive letter such as U:

        • A direct network path such as \\MASSIVE\profdata

        • A network redirection (UNC name) that contains a macro such as

          %LOGONSERVER%\profdata\

      3. - + Set the registry keys as shown in ???. Your implementation makes the assumption that users have statically located machines. Notebook computers (mobile users) need to be accommodated using local profiles. This is not an uncommon assumption. @@ -2464,14 +2464,14 @@ Click back to the root of the loaded hive Default. Click File->Unload Hive...->Yes.

      4. - + Click File->Exit. This exits the Registry Editor.

      5. Now follow the procedure given in ???. Make sure that each folder you have redirected is in the exclusion list.

      6. - You are now ready to copy[11] + You are now ready to copy[11] the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, and use it to copy the full contents of the directory Default User that is in the C:\Documents and Settings to the root directory of the @@ -2482,13 +2482,13 @@ Before punching out new desktop images for the client workstations, it is perhaps a good idea that desktop behavior should be returned to the original Microsoft settings. The following steps achieve that ojective: -

        Procedure 5.15. Reset Folder Display to Original Behavior

        • +

          Procedure 5.15. Reset Folder Display to Original Behavior

          • To launch the Windows Explorer, click Start->My Computer->Tools->Folder Options->View Tab. Deselect Show hidden files and folders, and click OK. Exit Windows Explorer. -

          Figure 5.3. Windows XP Professional User Shared Folders

          Windows XP Professional User Shared Folders

          Table 5.4. Default Profile Redirections

          Registry KeyRedirected Value
          Cache%LOGONSERVER%\profdata\%USERNAME%\InternetFiles
          Cookies%LOGONSERVER%\profdata\%USERNAME%\Cookies
          History%LOGONSERVER%\profdata\%USERNAME%\History
          Local AppData%LOGONSERVER%\profdata\%USERNAME%\AppData
          Local Settings%LOGONSERVER%\profdata\%USERNAME%\LocalSettings
          My Pictures%LOGONSERVER%\profdata\%USERNAME%\MyPictures
          Personal%LOGONSERVER%\profdata\%USERNAME%\MyDocuments
          Recent%LOGONSERVER%\profdata\%USERNAME%\Recent

        Configuration of MS Outlook to Relocate PST File

        - +

      Figure 5.3. Windows XP Professional User Shared Folders

      Windows XP Professional User Shared Folders

      Table 5.4. Default Profile Redirections

      Registry KeyRedirected Value
      Cache%LOGONSERVER%\profdata\%USERNAME%\InternetFiles
      Cookies%LOGONSERVER%\profdata\%USERNAME%\Cookies
      History%LOGONSERVER%\profdata\%USERNAME%\History
      Local AppData%LOGONSERVER%\profdata\%USERNAME%\AppData
      Local Settings%LOGONSERVER%\profdata\%USERNAME%\LocalSettings
      My Pictures%LOGONSERVER%\profdata\%USERNAME%\MyPictures
      Personal%LOGONSERVER%\profdata\%USERNAME%\MyDocuments
      Recent%LOGONSERVER%\profdata\%USERNAME%\Recent

    Configuration of MS Outlook to Relocate PST File

    + Microsoft Outlook can store a Personal Storage file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, @@ -2501,10 +2501,10 @@ Tools->Options->Maintenance->Store Folder->Change.

    Follow the on-screen prompts to relocate the PST file to the desired location. -

    Configure Delete Cached Profiles on Logout

    +

    Configure Delete Cached Profiles on Logout

    Configure the Windows XP Professional client to auto-delete roaming profiles on logout:

    - + Click Start->Run. In the dialog box, enter MMC and click OK.

    @@ -2512,7 +2512,7 @@ profiles are deleted as network users log out of the system. Click File->Add/Remove Snap-in->Add->Group Policy->Add->Finish->Close->OK.

    - + The Microsoft Management Console now shows the Group Policy utility that enables you to set the policies needed. In the left panel, click Local Computer Policy->Administrative Templates->System->User Profiles. In the right panel, set the properties shown here by double-clicking on each @@ -2520,15 +2520,15 @@

    • Do not check for user ownership of Roaming Profile Folders = Enabled

    • Delete cached copies of roaming profiles = Enabled

    Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies made of this system to deploy the new standard desktop system. -

    Uploading Printer Drivers to Samba Servers

    - +

    Uploading Printer Drivers to Samba Servers

    + Users want to be able to use network printers. You have a vested interest in making it easy for them to print. You have chosen to install the printer drivers onto the Samba servers and to enable point-and-click (drag-and-drop) printing. This process results in Samba being able to automatically provide the Windows client with the driver necessary to print to the printer chosen. The following procedure must be followed for every network printer: -

    Procedure 5.16. Steps to Install Printer Drivers on the Samba Servers

    1. +

      Procedure 5.16. Steps to Install Printer Drivers on the Samba Servers

      1. Join your Windows XP Professional workstation (the staging machine) to the MEGANET2 domain. If you are not sure of the procedure, follow the guidance given in ???, ???. @@ -2553,8 +2553,8 @@ Note that the box labeled Driver is empty. Click the New Driver button that is next to the Driver box. This launches the “Add Printer Wizard”.

      2. - - + + The “Add Printer Driver Wizard on MASSIVE” panel is now presented. Click Next to continue. From the left panel, select the printer manufacturer. In your case, you are adding a driver for a printer manufactured by @@ -2563,12 +2563,12 @@ progress bar appears and instructs you as each file is being uploaded and that it is being directed at the network server \\massive\ps01-color.

      3. - - - - - - + + + + + + The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, you are returned to the Advanced tab in the Properties panel. You can set the Location (under the General tab) and Security settings (under @@ -2577,7 +2577,7 @@ directory”. When this box is checked, the printer will be published in Active Directory (Applicable to Active Directory use only.)

      4. - + Click OK. It will take a minute or so to upload the settings to the server. You are now returned to the Printers and Faxes on Massive monitor. Right-click on the printer, click Properties->Device Settings. Now change the settings to suit @@ -2589,7 +2589,7 @@ just to initialize the Samba printers database entry for this printer. If you need to revert a setting, click Apply again.

      5. - + Verify that all printer settings are at the desired configuration. When you are satisfied that they are, click the General tab. Now click the Print Test Page button. A test page should print. Verify that it has printed correctly. Then click OK @@ -2599,7 +2599,7 @@ You must repeat this process for all network printers (i.e., for every printer on each server). When you have finished uploading drivers to all printers, close all applications. The next task is to install software your users require to do their work. -

    Software Installation

    +

    Software Installation

    Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. Notebooks require special handling that is beyond the scope of this chapter. @@ -2614,7 +2614,7 @@ When you believe that the overall configuration is complete, be sure to create a shared group profile and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in case a user may have specific needs you had not anticipated. -

    Roll-out Image Creation

    +

    Roll-out Image Creation

    The final steps before preparing the distribution Norton Ghost image file you might follow are:

    Unjoin the domain Each workstation requires a unique name and must be independently @@ -2623,7 +2623,7 @@ Defragment the hard disk While not obvious to the uninitiated, defragmentation results in better performance and often significantly reduces the size of the compressed disk image. That also means it will take less time to deploy the image onto 500 workstations. -

    Key Points Learned

    +

    Key Points Learned

    This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately avoided any consideration of security. Security does not just happen; you must design it into your total network. Security begins with a systems design and implementation that anticipates hostile behavior from @@ -2632,8 +2632,8 @@ practices, you must not deploy the design presented in this book in an environment where there is risk of compromise.

    - - + + As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be configured to use secure protocols for all communications over the network. Of course, secure networking does not result just from systems design and implementation but involves constant user education @@ -2660,37 +2660,37 @@ Control over roaming profiles, with particular focus on folder redirection to network drives.

  • Use of the CUPS printing system together with Samba-based printer driver auto-download. -

    • Questions and Answers

    +

    Questions and Answers

    Well, here we are at the end of this chapter and we have only ten questions to help you to remember so much. There are bound to be some sticky issues here. -

    +

    Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions? -
    +
    You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? -
    +
    You did not use SWAT to configure Samba. Is there something wrong with it? -
    +
    You have exposed a well-used password not24get. Is that not irresponsible? -
    +
    The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing? -
    +
    Can I use LDAP just for Samba accounts and not for UNIX system accounts? -
    +
    Why are the Windows domain RID portions not the same as the UNIX UID? -
    +
    Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work? -
    +
    Is folder redirection dangerous? I've heard that you can lose your data that way. -
    +
    Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile? -

    +

    Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions?

    @@ -2709,7 +2709,7 @@ This book makes little mention of backup techniques. Does that mean that I am recommending that you should implement a network without provision for data recovery and for disaster management? Back to our focus: The deployment of Samba has been clearly demonstrated. -

    +

    You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? @@ -2736,7 +2736,7 @@ of open source software. I favor neither and respect both. I like particular features of both products (companies also). No bias in presentation is intended. Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. -

    +

    You did not use SWAT to configure Samba. Is there something wrong with it?

    That is a good question. As it is, the smb.conf file configurations are presented @@ -2747,14 +2747,14 @@ There are people in the Linux and open source community who feel that SWAT is dangerous and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I hope to have brought their interests on board. SWAT is well covered is TOSHARG2. -

    +

    You have exposed a well-used password not24get. Is that not irresponsible?

    Well, I had to use a password of some sort. At least this one has been consistently used throughout. I guess you can figure out that in a real deployment it would make sense to use a more secure and original password. -

    +

    The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing?

    @@ -2762,7 +2762,7 @@ Let's give Idealx some credit for the contribution they have made. I appreciate their work and, besides, it does no harm to create accounts that are not now used at some time Samba may well use them. -

    +

    Can I use LDAP just for Samba accounts and not for UNIX system accounts?

    Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) @@ -2770,7 +2770,7 @@ the system password account, how do you plan to keep all domain controller system password files in sync? I think that having everything in LDAP makes a lot of sense for the UNIX administrator who is still learning the craft and is migrating from MS Windows. -

    +

    Why are the Windows domain RID portions not the same as the UNIX UID?

    Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. @@ -2779,7 +2779,7 @@ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does permit you to override that to some extent. See the smb.conf man page entry for algorithmic rid base. -

    +

    Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work?

    @@ -2789,7 +2789,7 @@ inkjet printer. Use the appropriate device URI (Universal Resource Interface) argument to the lpadmin -v option that is right for your printer. -

    +

    Is folder redirection dangerous? I've heard that you can lose your data that way.

    The only loss of data I know of that involved folder redirection was caused by @@ -2799,13 +2799,13 @@ he declined to move the data because he thought it was still in the local profile folder. That was not the case, so by declining to move the data back, he wiped out the data. You cannot hold the tool responsible for that. Caveat emptor still applies. -

    +

    Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile?

    Yes. If you do not do this, the data will still be copied from the network folder (share) to the local cached copy of the profile. -


    [11] +


    [11] There is an alternate method by which a default user profile can be added to the NETLOGON share. This facility in the Windows System tool permits profiles to be exported. The export target may be a particular user or Files samba-3.0.20b/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png and samba-3.0.21/docs/htmldocs/Samba3-ByExample/images/chap9-SambaDC.png differ diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/index.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/index.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/index.html 2005-08-19 13:01:08.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/index.html 2005-12-19 10:21:07.000000000 -0600 @@ -1,4 +1,4 @@ -Samba-3 by Example

    Samba-3 by Example
       Next

    Samba-3 by Example

    Practical Exercises in Successful Samba Deployment

    John H. Terpstra

    Samba Team

    June, 2005

    Table of Contents

    About the Cover Artwork
    Acknowledgments
    Foreword
    By John M. Weathersby, Executive Director, OSSI
    Preface
    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used
    I. Example Network Configurations
    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    II. Domain Members, Updating Samba and Migration
    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    III. Reference Section
    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License
    Preamble
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    Section 0
    Section 1
    Section 2
    Section 3 +Samba-3 by Example
    Samba-3 by Example
       Next

    Samba-3 by Example

    Practical Exercises in Successful Samba Deployment

    John H. Terpstra

    Samba Team

    June, 2005

    Table of Contents

    About the Cover Artwork
    Acknowledgments
    Foreword
    By John M. Weathersby, Executive Director, OSSI
    Preface
    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used
    I. Example Network Configurations
    1. No-Frills Samba Servers
    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers
    2. Small Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers
    3. Secure Office Networking
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    4. The 500-User Office
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Installation of DHCP, DNS, and Samba Control Files
    Server Preparation: All Servers
    Server-Specific Preparation
    Process Startup Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers
    5. Making Happy Users
    Regarding LDAP Directories and Windows Computer Accounts
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Installation Checklist
    Samba Server Implementation
    OpenLDAP Server Configuration
    PAM and NSS Client Configuration
    Samba-3 PDC Configuration
    Install and Configure Idealx smbldap-tools Scripts
    LDAP Initialization and Creation of User and Group Accounts
    Printer Configuration
    Samba-3 BDC Configuration
    Miscellaneous Server Preparation Tasks
    Configuring Directory Share Point Roots
    Configuring Profile Directories
    Preparation of Logon Scripts
    Assigning User Rights and Privileges
    Windows Client Configuration
    Configuration of Default Profile with Folder Redirection
    Configuration of MS Outlook to Relocate PST File
    Configure Delete Cached Profiles on Logout
    Uploading Printer Drivers to Samba Servers
    Software Installation
    Roll-out Image Creation
    Key Points Learned
    Questions and Answers
    6. A Distributed 2000-User Network
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Key Points Learned
    Questions and Answers
    II. Domain Members, Updating Samba and Migration
    7. Adding Domain Member Servers and Clients
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers
    8. Updating Samba-3
    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory
    9. Migrating NT4 Domain to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers
    10. Migrating NetWare Server to Samba-3
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend
    III. Reference Section
    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License
    Preamble
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    Section 0
    Section 1
    Section 2
    Section 3
    Section 4
    Section 5
    Section 6 diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ix01.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/ix01.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ix01.html 2005-08-19 13:01:08.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/ix01.html 2005-12-19 10:21:07.000000000 -0600 @@ -1 +1 @@ -Index
    Index
    Prev   

    Index

    Symbols

    #delete group script, NT4 Migration Using LDAP Backend
    #delete user from group script, NT4 Migration Using LDAP Backend
    #delete user script, NT4 Migration Using LDAP Backend
    #wins support, NT4 Migration Using LDAP Backend
    %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
    %USERNAME%, Roaming Profile Background, Profile Changes
    %USERPROFILE%, Configuration of Default Profile with Folder Redirection
    /data/ldap, OpenLDAP Server Configuration
    /etc/cups/mime.convs, Implementation, Implementation
    /etc/cups/mime.types, Implementation, Implementation
    /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
    /etc/exports, Samba-3 PDC Configuration
    /etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
    /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
    /etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    /etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    /etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/named.conf, Configuration of DHCP and DNS Servers
    /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
    /etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
    /etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
    /etc/rc.d/rc.local, Implementation
    /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
    /etc/samba, Samba System File Location
    /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
    /etc/samba/smbusers, Server Preparation: All Servers
    /etc/shadow, Replacing a Domain Member Server, Technical Issues
    /etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
    /etc/syslog.conf, Debugging LDAP
    /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
    /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
    /opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
    /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
    /usr/bin, Samba System File Location
    /usr/lib/samba, Samba System File Location
    /usr/local, Samba System File Location
    /usr/local/samba, Samba System File Location
    /usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
    /usr/sbin, Samba System File Location
    /usr/share, Samba System File Location
    /usr/share/samba/swat, Samba System File Location
    /usr/share/swat, Samba System File Location
    /var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
    /var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
    /var/log/ldaplogs, Debugging LDAP
    /var/log/samba, Samba System File Location
    8-bit, International Language Support

    , Application Share Configuration, Addition of Machines to the Domain, IDMAP_RID with Winbind, Location of config files
    Domain account, Technical Issues
    liability, Dissection and Discussion
    logon, Implementation
    problem, Dissection and Discussion
    transparent inter-operability, Questions and Answers

    A

    abmas-netfw.sh, Basic System Configuration
    abort shutdown script, Samba Configuration, Implementation, Implementation
    accept, Printer Configuration
    accepts liability, Dissection and Discussion
    access, Technical Issues, Checkpoint Controls
    access control, Kerberos Exposed, Using the MMC Computer Management Interface
    Access Control Lists (see ACLs)
    access control settings, Share Access Controls
    access controls, Technical Issues, Share Definition Controls
    accessible, Share Point Directory and File Permissions
    account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
    ADS Domain, Technical Issues
    account credentials, Findings and Comments
    account information, Questions and Answers
    account names, Questions and Answers
    account policies, The LDAP Account Manager
    accountable, Introduction, Dissection and Discussion
    accounts
    authoritative, Technical Issues
    Domain, Introduction, Questions and Answers
    group, Introduction, Questions and Answers, Introduction
    machine, Introduction, Questions and Answers
    manage, The LDAP Account Manager
    user, Introduction, Questions and Answers, Introduction
    ACL, Questions and Answers, Security Identifiers (SIDs), Checkpoint Controls
    ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
    acquisitions, Introduction
    Act!, Shared Data Integrity
    ACT! database, Act! Database Sharing
    Act!Diag, Act! Database Sharing
    Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
    authentication, Squid Configuration
    domain, Samba Configuration
    join, Active Directory Domain with Samba Domain Member Server
    management tools, Technical Issues
    realm, Bad Hostnames
    Replacement, Technical Issues
    server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
    Server, Technical Issues
    tree, Samba Configuration
    active directory, Technical Issues
    AD printer publishing, Uploading Printer Drivers to Samba Servers
    ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
    add group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    add machine script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Add Printer Wizard
    APW, Uploading Printer Drivers to Samba Servers
    add user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    add user to group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    adequate precautions, Introduction
    admin users, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    administrative installation, Application Share Configuration
    administrative rights, Checkpoint Controls
    administrator, Implementation, Samba Configuration, Server Preparation: All Servers
    ADMT, Migration of Samba Accounts to Active Directory
    ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
    server, Technical Issues
    ADS Domain, Technical Issues
    affordability, The Nature of Windows Networking Protocols
    alarm, Introduction
    algorithm, Technical Issues
    allow trusted domains, IDMAP_RID with Winbind
    alternative, Dissection and Discussion
    analysis, Technical Issues
    anonymous connection, Validation, Validation
    Apache Web server, Questions and Answers
    appliance mode, Technical Issues
    application server, Technical Issues, Application Share Configuration
    application servers, The Nature of Windows Networking Protocols
    application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    APW, Uploading Printer Drivers to Samba Servers
    arp, Validation
    assessment, Introduction
    assistance, Free Support
    assumptions, Key Points Learned
    authconfig, PAM and NSS Client Configuration
    authenticate, LDAP Server Configuration, Samba Configuration
    authenticated, Assignment Tasks
    authenticated connection, Validation, Validation
    authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
    plain-text, Questions and Answers
    authentication process, Implementation
    authentication protocols, Key Points Learned
    authoritative, Technical Issues
    authorized location, Kerberos Exposed
    auto-generated SID, Questions and Answers
    automatically allocate, Technical Issues
    availability, Performance, Reliability, and Availability

    B

    backends, Integrating Additional Services
    background communication, Questions and Answers
    Backup, Introduction
    Backup Domain Controller (see BDC)
    bandwidth, Assignment Tasks
    requirements, User Needs
    bandwidth calculations, Hardware Requirements
    BDC, Technical Issues, Making Happy Users, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, Technical Issues, Questions and Answers, Security Identifiers (SIDs), NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    benefit, Questions and Answers, Dissection and Discussion
    best practices, Introduction
    bias, Questions and Answers
    binary database, Implementation
    binary files, Updating a Samba-3 Installation
    binary package, Updating a Samba-3 Installation
    bind interfaces only, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    broadcast, Routed Networks, Questions and Answers
    directed, The Nature of Windows Networking Protocols
    mailslot, The Nature of Windows Networking Protocols
    broadcast messages, Implementation
    broadcast storms, Network Collisions
    broken, Dissection and Discussion
    broken behavior, Dissection and Discussion
    browse, Technical Issues
    browse master, Findings
    Browse Master, Questions and Answers
    browse.dat, Replacing a Domain Member Server
    browseable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Browser Election Service, Questions and Answers
    browsing, Technical Issues, Technical Issues, Assignment Tasks
    budgetted, Introduction
    bug fixes, Introduction
    bug report, Free Support

    C

    cache, Opportunistic Locking Controls
    cache directories, Removal of Pre-Existing Conflicting RPMs
    caching, Samba Configuration
    case sensitive, Large Directories
    case-sensitive, Kerberos Configuration
    centralized storage, Questions and Answers
    character set, International Language Support
    check samba daemons, Validation, Validation
    check-point, Share Definition Controls
    check-point controls, Checkpoint Controls
    Checkpoint Controls, Checkpoint Controls
    chgrp, Samba Configuration
    chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
    chmod, Samba Configuration
    choice, Dissection and Discussion, Technical Issues
    chown, Removal of Pre-Existing Conflicting RPMs
    CIFS, Security Identifiers (SIDs), Findings
    cifsfs, Dissection and Discussion
    clean database, Questions and Answers
    clients per DC, Making Happy Users
    Clock skew, Kerberos Configuration
    cluster, Introduction
    clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
    code maintainer, Free Support
    codepage, International Language Support
    collision rates, Network Collisions
    comment, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    commercial, Dissection and Discussion
    commercial software, Dissection and Discussion
    commercial support, Samba Support, Commercial Support
    Common Internet File System (see CIFS)
    comparison
    Active Directory & OpenLDAP, Dissection and Discussion
    compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
    compatible, Technical Issues
    compile-time, Location of config files
    complexities, Dissection and Discussion
    compromise, Introduction, Introduction, Technical Issues
    computer account, Samba Configuration
    Computer Management, Share Access Controls, Questions and Answers
    computer name, Security Identifiers (SIDs)
    condemns, Technical Issues
    conferences, Technical Issues
    configuration files, Introduction
    configure.pl, NT4 Migration Using LDAP Backend
    connection, Share Access Controls
    connectivity, Questions and Answers
    consequential risk, Technical Issues
    consultant, Drafting Office, Introduction, Dissection and Discussion
    consumer, Dissection and Discussion, Technical Issues
    consumer expects, Samba Support
    contiguous directory, Implementation
    contributions, Updating Samba-3
    control files, Updating a Samba-3 Installation
    convmv, International Language Support
    copy, Questions and Answers, LDAP Server Configuration
    corrective action, Hardware Problems
    cost, Dissection and Discussion
    cost-benefit, Assignment Tasks
    country of origin, Commercial Support
    Courier-IMAP, LDAP Server Configuration
    create mask, LDAP Server Configuration
    credential, Share Definition Controls
    credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
    crippled, Dissection and Discussion
    criticism, Active Directory, Kerberos, and Security, Introduction
    Critics, Technical Issues
    Cryptographic, Technical Issues
    CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
    queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    cups options, Samba Configuration, LDAP Server Configuration
    cupsd, Basic System Configuration
    customer expected, Samba Support
    customers, Samba Support

    D

    daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
    daemon control, Process Startup Configuration
    data
    corruption, Making Happy Users
    integrity, Questions and Answers
    data corruption, Hardware Problems, Act! Database Sharing
    data integrity, Hardware Problems, Shared Data Integrity
    data storage, Implementation
    database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
    database applications, Shared Data Integrity
    DB_CONFIG, OpenLDAP Server Configuration
    DCE, Kerberos Exposed
    DDNS (see dynamic DNS)
    Debian, Migrating NetWare Server to Samba-3
    default devmode, Samba Configuration, Implementation
    default installation, Samba System File Location
    default password, The LDAP Account Manager
    default profile, Assignment Tasks, Technical Issues
    Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
    defective
    cables, Hardware Problems
    HUBs, Hardware Problems
    switches, Hardware Problems
    defects, Technical Issues
    defensible standards, Technical Issues
    defragmentation, Windows Client Configuration
    delete group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades
    delete user from group script, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, LDAP Server Configuration
    delete user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
    delimiter, Checkpoint Controls
    dependability, Technical Issues
    deployment, Free Support
    desired security setting, Setting Posix ACLs in UNIX/Linux
    development, Technical Issues
    DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
    client, Bad Hostnames
    relay, Technical Issues
    Relay Agent, Questions and Answers
    request, Questions and Answers
    requests, Technical Issues
    servers, Questions and Answers
    traffic, Questions and Answers
    dhcp client validation, Validation, Validation
    DHCP Server, Implementation
    DHCP server, Technical Issues
    diagnostic, IDMAP Storage in LDAP using Winbind
    diffusion, Technical Issues
    digital rights, Technical Issues
    digital sign'n'seal, Technical Issues
    digits, Bad Hostnames
    diligence, Technical Issues
    directory, Dissection and Discussion, Political Issues, Location of config files
    Computers container, LDAP Initialization and Creation of User and Group Accounts
    management, Dissection and Discussion
    People container, LDAP Initialization and Creation of User and Group Accounts
    replication, Dissection and Discussion
    schema, Dissection and Discussion
    server, Technical Issues
    synchronization, Dissection and Discussion
    directory mask, LDAP Server Configuration
    directory tree, Setting Posix ACLs in UNIX/Linux
    disable, Introduction
    disable spoolss, Implementation, Implementation
    disaster recovery, Introduction
    disk image, Assignment Tasks
    disruptive, Dissection and Discussion
    distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
    distributed domain, Identity Management Needs
    DMB, Questions and Answers
    DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
    DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
    configuration, Questions and Answers
    Dynamic, Questions and Answers
    dynamic, Joining a Domain: Windows 200x/XP Professional
    lookup, Questions and Answers, Kerberos Configuration
    name lookup, Bad Hostnames
    SRV records, Kerberos Configuration
    suffix, Joining a Domain: Windows 200x/XP Professional
    DNS server, Implementation, Configuration of DHCP and DNS Servers
    document the settings, Samba Configuration
    documentation, Dissection and Discussion, Technical Issues
    documented, Samba Configuration
    Domain, Technical Issues, Questions and Answers
    group, Questions and Answers
    groups, Technical Issues
    user, Questions and Answers
    domain
    Active Directory, Technical Issues
    controller, Replacing a Domain Controller
    joining, A Collection of Useful Tidbits
    trusted, Questions and Answers
    Domain accounts, Technical Issues
    Domain Administrator, Share Access Controls
    Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
    closest, The Nature of Windows Networking Protocols
    domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
    domain controllers, Technical Issues
    Domain Controllers, Questions and Answers
    Domain Groups
    well-known, Initialization of the LDAP Database
    Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
    domain logons, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Domain logons, Questions and Answers
    domain master, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
    Domain Master Browser (see DMB)
    Domain Member, Use and Location of BDCs
    authoritative
    local accounts, Technical Issues
    client, Implementation
    desktop, Introduction
    server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
    servers, Questions and Answers, Checkpoint Controls
    workstations, Implementation
    domain member
    servers, Technical Issues
    Domain Member server, Technical Issues, Questions and Answers
    Domain Member servers, Questions and Answers
    domain members, Questions and Answers
    domain name space, Identity Management Needs
    domain replication, Questions and Answers
    domain SID, Security Identifiers (SIDs)
    Domain SID, Technical Issues, Questions and Answers
    domain tree, Identity Management Needs
    Domain User Manager, Configuring Profile Directories
    Domain users, Technical Issues
    DOS, Security Identifiers (SIDs)
    dos2unix, Samba Configuration, Configuration for Server: MASSIVE
    down-grade, Introduction
    drive letters, LDAP Server Configuration
    drive mapping, Technical Issues
    dumb printing, Installation of Printer Driver Auto-Download
    dump, Technical Issues, Questions and Answers
    duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    dynamic DNS, Technical Issues

    E

    e-Directory, Dissection and Discussion
    ea support, NT4 Migration Using LDAP Backend
    Easy Software Products, Installation of Printer Driver Auto-Download
    economically sustainable, Dissection and Discussion
    eDirectory, Dissection and Discussion
    education, Identity Management Needs
    election, Findings
    employment, Introduction, Dissection and Discussion
    enable, Printer Configuration
    enable privileges, Samba-3 PDC Configuration, Samba-3 BDC Configuration
    encrypt passwords, NSS Configuration, Questions and Answers
    encrypted, Findings and Comments
    encrypted password, Windows 200x/XP Client Interaction with Samba-3
    encrypted passwords, Questions and Answers
    End User License Agreement (see EULA)
    enumerating, Samba Configuration
    essential, Introduction
    Ethereal, Requirements and Notes
    ethereal, Exercises
    Ethernet switch, Technical Issues
    ethernet switch, Making Happy Users
    EULA, Dissection and Discussion
    Everyone, Share Access Controls
    Excel, Share Point Directory and File Permissions
    exclusive open, Microsoft Access
    experiment, Active Directory, Kerberos, and Security
    export, Technical Issues
    extent, Dissection and Discussion
    External Domains, Technical Issues
    extreme demand, Guidelines for Reliable Samba Operation

    F

    fail, The Nature of Windows Networking Protocols
    fail-over, Identity Management Needs, Implementation
    failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
    failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    failure, Questions and Answers, Samba Configuration
    familiar, Technical Issues
    fatal problem, Samba Configuration
    fear, Technical Issues
    fears, Technical Issues
    Fedora, Drafting Office
    FHS, Samba System File Location
    file and print server, Questions and Answers
    file and print service, Dissection and Discussion
    file caching, Samba Configuration, Opportunistic Locking Controls
    File Hierarchy System (see FHS)
    file locations, Samba System File Location
    file permissions, The LDAP Account Manager
    file server
    read-only, Dissection and Discussion
    file servers, Samba Server Implementation
    file system, Technical Issues
    access control, Samba Configuration
    Ext3, Implementation
    permissions, Samba Configuration, Configuration for Server: MASSIVE
    file system security, Questions and Answers
    filter, Share Access Controls
    financial responsibility, Introduction
    firewall, Technical Issues, Basic System Configuration, Introduction
    fix, Dissection and Discussion
    flaws, Introduction
    flexibility, Technical Issues
    flush
    cache memory, Opportunistic Locking Controls
    folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
    force group, Implementation, LDAP Server Configuration, Override Controls, Questions and Answers
    force printername, LDAP Server Configuration
    force user, Dissection and Discussion, Implementation, Override Controls, Questions and Answers
    forced settings, Override Controls
    foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
    foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
    forwarded, Routed Networks
    foundation members, Technical Issues
    Free Standards Group (see FSG)
    free support, Samba Support, Free Support
    front-end, Dissection and Discussion
    server, Distribute Network Load with MSDFS
    frustration, Introduction
    FSG, Samba System File Location
    FTP
    proxy, Questions and Answers
    full control, Share Access Controls, Using MS Windows Explorer (File Manager)
    fully qualified, Checkpoint Controls
    functional differences, Cautions and Notes

    G

    generation, Cautions and Notes
    Gentoo, Migrating NetWare Server to Samba-3
    getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    getfacl, Setting Posix ACLs in UNIX/Linux
    getgrgid(), Questions and Answers
    getgrnam, Technical Issues
    getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
    getpwnam(), Questions and Answers
    GID, Implementation, Questions and Answers, Questions and Answers
    Goettingen, Questions and Answers
    government, Identity Management Needs
    GPL, Comments Regarding Software Terms of Use
    group account, Implementation, OpenLDAP Server Configuration
    group management, Implementation
    group mapping, LDAP Server Configuration
    group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    group names, Questions and Answers
    group policies, Introduction
    Group Policy, Joining a Domain: Windows 200x/XP Professional
    Group Policy editor, The Local Group Policy
    Group Policy Objects, The Local Group Policy
    groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupmem, NT4 Migration Using LDAP Backend
    groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    GSS-API, Windows 200x/XP Client Interaction with Samba-3
    guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
    guest ok, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration

    H

    hackers, Introduction
    hardware prices, Hardware Problems
    hardware problems, Hardware Problems
    Heimdal, Implementation, Kerberos Configuration
    Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    Heimdal kerberos, IDMAP Storage in LDAP using Winbind
    help, Free Support
    helper agent, Removal of Pre-Existing Conflicting RPMs
    hesiod, Samba Domain with Samba Domain Member Server Using NSS LDAP
    hide files, LDAP Server Configuration
    hierarchy of control, Share Definition Controls
    high availability, Dissection and Discussion
    hire, Dissection and Discussion
    HKEY_CURRENT_USER, Roaming Profile Background
    HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
    HKEY_LOCAL_USER, Questions and Answers
    host announcement, Assignment Tasks, Findings
    hostname, Basic System Configuration, Security Identifiers (SIDs)
    hosts, Questions and Answers
    hosts allow, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support
    HUB, Making Happy Users
    Hybrid, Questions and Answers
    hypothetical, Introduction

    I

    Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
    identifiers, Technical Issues
    identity, Questions and Answers, Kerberos Exposed
    management, Technical Issues
    identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
    Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
    Identity management, UNIX/Linux Client Domain Member
    Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
    Identity resolver, Questions and Answers
    IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
    idmap backend, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend
    IDMAP backend, Questions and Answers
    idmap gid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, NSS Configuration
    idmap uid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, NSS Configuration
    idmap_rid, IDMAP_RID with Winbind
    IMAP, Technical Issues
    import, Technical Issues
    include, Implementation
    income, Dissection and Discussion
    independent expert, Introduction
    inetd, Process Startup Configuration
    inetOrgPerson, Technical Issues
    inheritance, Setting Posix ACLs in UNIX/Linux
    initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    initial credentials, Kerberos Configuration
    inoperative, Dissection and Discussion
    install, Updating Samba-3
    installation, Dissection and Discussion
    integrate, Technical Issues
    integrity, Introduction, Kerberos Exposed
    inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
    inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
    interactive help, Free Support
    interdomain trusts, Identity Management Needs
    interfaces, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    intermittent, Hardware Problems
    internationalization, International Language Support
    Internet Explorer, Technical Issues
    Internet Information Server, Questions and Answers
    interoperability, Dissection and Discussion
    IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
    IPC$, Findings and Comments
    iptables, Technical Issues
    IRC, Free Support
    isolated, Introduction
    Italian, Questions and Answers

    J

    jobs, Introduction
    joining a domain, Joining a Domain: Windows 200x/XP Professional

    K

    KDC, Kerberos Configuration
    Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
    Heimdal, Active Directory Domain with Samba Domain Member Server
    interoperability, Kerberos Exposed
    libraries, Active Directory Domain with Samba Domain Member Server
    MIT, Active Directory Domain with Samba Domain Member Server
    unspecified fields, Kerberos Exposed
    kerberos, Kerberos Exposed
    server, Kerberos Exposed
    Kerberos ticket, Samba Configuration
    kinit, Kerberos Configuration
    Kixtart, LDAP Server Configuration
    klist, Kerberos Configuration
    krb5, Implementation
    krb5.conf, Kerberos Configuration

    L

    LAM, The LDAP Account Manager
    configuration editor, The LDAP Account Manager
    configuration file, The LDAP Account Manager
    login screen, The LDAP Account Manager
    opening screen, The LDAP Account Manager
    profile, The LDAP Account Manager
    wizard, The LDAP Account Manager
    large domain, IDMAP_RID with Winbind
    LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
    backend, Identity Management Needs
    database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
    directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
    fail-over, Implementation
    initial configuration, Alternative LDAP Database Initialization
    master, Identity Management Needs
    master/slave
    background communication, Questions and Answers
    preload, Implementation
    schema, Updating from Samba Versions between 3.0.6 and 3.0.10
    secure, Technical Issues
    server, Questions and Answers
    slave, Identity Management Needs
    updates, Identity Management Needs
    ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
    LDAP Account Manager (see LAM)
    ldap admin dn, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP backend, Technical Issues
    LDAP database, Questions and Answers
    ldap group suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap idmap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP Interchange Format (see LDIF)
    ldap machine suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap passwd sync, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP server, Identity Management Needs
    ldap ssl, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap timeout, NT4 Migration Using LDAP Backend
    ldap user suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP-transfer-LDIF.txt, Implementation
    ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
    ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsearch, LDAP Initialization and Creation of User and Group Accounts
    LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
    leadership, Technical Issues
    Lightweight Directory Access Protocol (see LDAP)
    limit, Questions and Answers
    Linux desktop, Introduction
    Linux Standards Base (see LSB)
    LMB, Findings, Questions and Answers
    LMHOSTS, Routed Networks
    load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
    local accounts, Technical Issues
    Local Group Policy, Roaming Profile Background
    local groups, Questions and Answers
    Local Master Announcement, Findings
    Local Master Browser (see LMB)
    local users, Questions and Answers
    localhost, Basic System Configuration, Bad Hostnames
    lock directory, Samba 1.9.x and 2.x Versions Without LDAP
    locking, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend
    Application level, Shared Data Integrity
    Client side, Shared Data Integrity
    Server side, Shared Data Integrity
    log file, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    log level, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logging, Removal of Pre-Existing Conflicting RPMs
    login, Technical Issues
    loglevel, Debugging LDAP
    logon credentials, Questions and Answers
    logon drive, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon home, Samba Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon hours, Technical Issues, Key Points Learned
    logon machines, Technical Issues
    logon path, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon process, Implementation
    logon scrip, Samba Configuration
    logon script, Implementation, Implementation, Samba Configuration, Implementation, Technical Issues, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Preparation of Logon Scripts, Implementation, Technical Issues, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon server, The Nature of Windows Networking Protocols
    logon services, Implementation
    logon time, Assignment Tasks
    logon traffic, The Nature of Windows Networking Protocols
    logon.kix, LDAP Server Configuration
    loopback, Validation
    low performance, Hardware Problems
    lower-case, Implementation
    lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
    LSB, Samba System File Location

    M

    machine, Security Identifiers (SIDs)
    machine account, Regarding LDAP Directories and Windows Computer Accounts
    machine accounts, Questions and Answers
    machine secret password, Technical Issues
    MACHINE.SID, Security Identifiers (SIDs)
    mailing list, Free Support
    mailing lists, Free Support
    managed, Technical Issues
    management, Political Issues, Questions and Answers
    group, Technical Issues
    User, Technical Issues
    mandatory profile, Technical Issues, Configuring Profile Directories
    Mandrake, Migrating NetWare Server to Samba-3
    map acl inherit, Samba Configuration, Implementation, Samba-3 PDC Configuration, NT4 Migration Using LDAP Backend
    map to guest, Implementation
    mapped drives, Questions and Answers
    mapping, Technical Issues, Kerberos Configuration
    consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
    Mars_NWE, Migrating NetWare Server to Samba-3
    master, Dissection and Discussion
    material, A Collection of Useful Tidbits
    max log size, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    memberUID, LDAP Server Configuration
    memory requirements, Hardware Requirements
    merge, Technical Issues, Questions and Answers
    merged, Technical Issues
    meta-directory, Questions and Answers
    meta-service, Questions and Answers
    Microsoft Access, Shared Data Integrity
    Microsoft Excel, Shared Data Integrity
    Microsoft ISA, Assignment Tasks
    Microsoft Management Console (see MMC)
    Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
    Microsoft Outlook
    PST files, Questions and Answers
    migrate, Updating Samba-3, Technical Issues
    migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
    objectives, Dissection and Discussion
    Migration speed, Questions and Answers
    mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    mime types, Implementation
    missing RPC's, Technical Issues
    MIT, Implementation, Kerberos Configuration
    MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    MIT kerberos, IDMAP Storage in LDAP using Winbind
    MIT KRB5, Samba Configuration
    mixed mode, Active Directory Domain with Samba Domain Member Server
    mixed-mode, Questions and Answers
    MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
    mobile computing, Dissection and Discussion
    mobility, Technical Issues
    modularization, Technical Issues
    modules, Questions and Answers
    MS Access
    validate, Microsoft Access
    MS Outlook
    PST file, Making Happy Users
    MS Windows Server 2003, Implementation
    MS Word, Share Point Directory and File Permissions
    MSDFS, Distribute Network Load with MSDFS
    multi-subnet, Routed Networks
    multi-user
    access, Microsoft Access
    data access, Shared Data Integrity
    multiple directories, Identity Management Needs
    multiple domain controllers, Making Happy Users
    multiple group mappings, Questions and Answers
    mutual assistance, Free Support
    My Documents, Roaming Profile Background
    My Network Places, Implementation
    mysqlsam, Implementation

    N

    name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
    Defective, Active Directory Domain with Samba Domain Member Server
    name resolve order, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend, LDAP Server Configuration, Questions and Answers
    name service switch, Implementation (see NSS)
    named, Basic System Configuration, Validation, Server Preparation: All Servers
    NAT, Technical Issues
    native, Questions and Answers
    net
    ads
    info, Active Directory Domain with Samba Domain Member Server
    join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
    status, Active Directory Domain with Samba Domain Member Server
    getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
    group, NT4 Migration Using tdbsam Backend
    groupmap
    add, Samba Configuration
    list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
    modify, Samba Configuration
    rpc
    info, Security Identifiers (SIDs)
    join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
    vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
    setlocalsid, Security Identifiers (SIDs)
    NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
    name cache, Questions and Answers
    name resolution
    delays, Making Happy Users
    Node Type, Questions and Answers
    netbios
    machine name, Change of hostname
    netbios forwarding, Network Collisions
    netbios name, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Security Identifiers (SIDs), Change of hostname, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration, Bad Hostnames
    NetBIOS name, Kerberos Configuration
    aliases, Identity Management Needs
    NETLOGON, Using a Network Default User Profile, Windows Client Configuration
    netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
    Netlogon, Joining a Domain: Windows 200x/XP Professional
    netmask, Implementation
    Netware, Small Office Networking
    NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
    network
    administrators, Technical Issues
    analyzer, Assignment Tasks
    bandwidth, Identity Management Needs, Questions and Answers
    broadcast, Introduction
    captures, Requirements and Notes
    collisions, Network Collisions
    load, Network Collisions
    logon, Making Happy Users
    logon scripts, Dissection and Discussion
    management, Introduction
    multi-segment, Introduction
    overload, Making Happy Users
    performance, Samba Configuration
    routed, Dissection and Discussion
    secure, Introduction
    segment, Dissection and Discussion
    services, Questions and Answers
    sniffer, Requirements and Notes
    timeout, Making Happy Users
    timeouts, Network Collisions
    trace, Assignment Tasks
    traffic
    observation, Technical Issues
    wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Network Address Translation (see NAT)
    network administrators, Technical Issues
    network attached storage (see NAS)
    network bandwidth
    utilization, Making Happy Users
    Network Default Profile, Roaming Profile Background
    network hardware
    defective, Making Happy Users
    network hygiene, Dissection and Discussion
    network Identities, Questions and Answers
    network load factors, Dissection and Discussion
    Network Neighborhood, Validation, Technical Issues
    network segment, Use and Location of BDCs
    network segments, Hardware Requirements
    network share, Assignment Tasks
    networking
    client, Security Identifiers (SIDs)
    networking hardware
    defective, Making Happy Users
    networking protocols, Technical Issues
    next generation, Technical Issues
    NextFreeUnixId, NT4 Migration Using LDAP Backend
    NFS server, Samba-3 PDC Configuration
    NICs, Hardware Problems
    NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
    nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NIS schema, Questions and Answers
    NIS server, Questions and Answers
    NIS+, Identity Management Needs
    nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NLM, Migrating NetWare Server to Samba-3
    nmap, Validation
    nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
    nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    Novell, Migrating NetWare Server to Samba-3, Introduction
    Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
    NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
    nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
    nt acl support, Dissection and Discussion, Implementation
    NT4 registry, Dissection and Discussion
    NTLM, Technical Issues
    NTLM authentication daemon, Technical Issues
    NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
    NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
    ntlm_auth, Samba Configuration, Questions and Answers
    NTP, Kerberos Configuration
    NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
    NULL connection, Validation
    NULL session, Findings and Comments
    NULL-Session, Discussion

    O

    objectClass, LDAP Server Configuration
    off-site storage, Introduction
    Open Magazine, Adding Domain Member Servers and Clients
    Open Source, Dissection and Discussion
    OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Technical Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
    openldap, OpenLDAP Server Configuration
    OpenOffice, Application Share Configuration
    operating profiles, The LDAP Account Manager
    oplock break, Override Controls
    oplocks, Samba Configuration
    Oplocks
    disabled, Opportunistic Locking Controls
    opportunistic
    locking, Override Controls
    opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
    optimized, Samba Configuration
    options list, Questions and Answers
    organizational units, The LDAP Account Manager
    os level, Implementation
    OS/2, Security Identifiers (SIDs)
    Outlook
    PST, Configuration of MS Outlook to Relocate PST File
    Outlook Express, Political Issues
    over-ride, Technical Issues
    over-ride controls, Override Controls
    over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
    overheads, Override Controls
    ownership, Share Point Directory and File Permissions

    P

    package, Implementation
    package names, Samba System File Location
    packages, Updating a Samba-3 Installation
    PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
    PADL LDAP tools, Technical Issues
    PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
    paid-for support, Samba Support
    PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
    pam password change, Samba Configuration, LDAP Server Configuration
    pam_ldap, OpenLDAP Server Configuration
    pam_ldap.so, PAM and NSS Client Configuration
    pam_unix2.so, PAM and NSS Client Configuration
    use_ldap, PAM and NSS Client Configuration
    parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
    passdb backend, Implementation, Samba Configuration, The 500-User Office, Implementation, Dissection and Discussion, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, NT4 Migration Using LDAP Backend, Questions and Answers, LDAP Server Configuration
    passdb.tdb, Technical Issues
    passwd, Implementation, Implementation, Samba Configuration
    passwd chat, Implementation, Samba Configuration
    passwd program, Samba Configuration
    password
    backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    password caching, Implementation
    password change, Key Points Learned
    password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    password server, NSS Configuration
    path, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    payroll, Introduction
    pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
    PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    PDC/BDC ratio, Making Happy Users
    PDF, The LDAP Account Manager
    performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
    performance degradation, Override Controls, Samba Configuration
    Perl, LDAP Server Configuration, The LDAP Account Manager
    permission, Share Point Directory and File Permissions
    permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
    excessive, Technical Issues
    group, Share Point Directory and File Permissions
    user, Share Point Directory and File Permissions
    Permissions, Using the MMC Computer Management Interface
    permits, Technical Issues
    permitted group, Using the MMC Computer Management Interface
    PHP, The LDAP Account Manager
    PHP4, The LDAP Account Manager
    pile-driver, Share Definition Controls
    ping, Validation
    pitfalls, The LDAP Account Manager
    plain-text, Questions and Answers
    Pluggable Authentication Modules (see PAM)
    policy, Questions and Answers, Introduction
    poor performance, Dissection and Discussion
    POP3, Technical Issues
    Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
    POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
    Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
    Posix ACLs, Managing Windows 200x ACLs
    PosixAccount, LDAP Initialization and Creation of User and Group Accounts
    posixAccount, LDAP Server Configuration
    Postfix, LDAP Server Configuration
    Postscript, Installation of Printer Driver Auto-Download
    powers, Share Definition Controls
    practices, Introduction
    precaution, Introduction
    preferred master, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    presence and leadership, Technical Issues
    price paid, Dissection and Discussion
    primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    principals, Kerberos Exposed
    print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    print queue, Charity Administration Office, Dissection and Discussion
    print spooler, Charity Administration Office
    Print Test Page, Uploading Printer Drivers to Samba Servers
    printable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    printcap name, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    printer admin, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, IDMAP_RID with Winbind, LDAP Server Configuration
    printer validation, Validation, Validation
    printers
    Advanced, Uploading Printer Drivers to Samba Servers
    Default Settings, Uploading Printer Drivers to Samba Servers
    General, Uploading Printer Drivers to Samba Servers
    Properties, Uploading Printer Drivers to Samba Servers
    Security, Uploading Printer Drivers to Samba Servers
    Sharing, Uploading Printer Drivers to Samba Servers
    printing, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server
    drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
    dumb, Installation of Printer Driver Auto-Download
    point-n-click, Installation of Printer Driver Auto-Download
    raw, Dissection and Discussion
    privacy, Identity Management Needs
    Privilege Attribute Certificates (see PAC)
    privilege controls, Share Point Directory and File Permissions
    privileged pipe, Samba Configuration
    privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
    problem report, Free Support
    problem resolution, Samba Support
    product defects, Dissection and Discussion
    professional support, Free Support
    profile
    default, Assignment Tasks
    mandatory, The Nature of Windows Networking Protocols
    roaming, Making Happy Users
    profile acls, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    profile path, Technical Issues
    profile share, Implementation
    profiles, Security Identifiers (SIDs)
    profiles share, Dissection and Discussion
    programmer, Dissection and Discussion
    project, Free Support
    project maintainers, Technical Issues
    Properties, Using the MMC Computer Management Interface
    proprietary, Technical Issues
    protected, Technical Issues
    protection, Technical Issues
    protocol
    negotiation, The Nature of Windows Networking Protocols
    protocol analysis, Requirements and Notes
    protocols, Technical Issues
    provided services, Samba Support
    proxy, Assignment Tasks, Technical Issues
    public specifications, Technical Issues
    purchase support, Free Support

    Q

    Qbasic, LDAP Server Configuration
    qualified problem, Free Support

    R

    RAID, Hardware Requirements
    RAID controllers, Hardware Problems
    Raw Print Through, Installation of Printer Driver Auto-Download
    raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    Rbase, LDAP Server Configuration
    rcldap, Implementation
    read only, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    realm, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Kerberos Configuration, NSS Configuration
    recognize, Technical Issues
    record locking, Microsoft Access
    recursively, Setting Posix ACLs in UNIX/Linux
    Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
    Red Hat Fedora Linux, Samba Configuration
    Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
    redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
    refereed standards, Technical Issues
    regedit, Implementation
    regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
    registry, Questions and Answers
    keys
    SAM, Dissection and Discussion
    SECURITY, Dissection and Discussion
    registry change, Questions and Answers
    Registry Editor, Configuration of Default Profile with Folder Redirection
    registry hacks, Questions and Answers
    registry keys, Configuration of Default Profile with Folder Redirection
    reimburse, Dissection and Discussion
    rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
    rejoin, Questions and Answers
    reliability, Performance, Reliability, and Availability
    remote announce, Routed Networks
    remote browse sync, Routed Networks
    remote procedure call (see RPC)
    replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    replicated, Dissection and Discussion
    requesting payment, Free Support
    resilient, Guidelines for Reliable Samba Operation
    resolution, Replacing a Domain Member Server
    resolve, Technical Issues, Bad Hostnames
    response, IDMAP_RID with Winbind
    responsibility, Dissection and Discussion
    responsible, Technical Issues
    restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
    restricted export, Kerberos Exposed
    Restrictive security, Active Directory Domain with Samba Domain Member Server
    reverse DNS, Kerberos Configuration
    rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    RID, IDMAP_RID with Winbind, LDAP Server Configuration
    risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
    road-map, Technical Issues
    published, Technical Issues
    roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
    roaming profiles, Technical Issues, Implementation, Roaming Profile Background
    routed network, Use and Location of BDCs
    router, Implementation
    routers, Questions and Answers, Routed Networks
    RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    rpc, Security Identifiers (SIDs)
    rpcclient, Security Identifiers (SIDs)
    RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
    install, Implementation
    rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
    RPMs, Samba Configuration
    rpms, Removal of Pre-Existing Conflicting RPMs
    rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    rsyncd.conf, LDAP Server Configuration
    run-time control files, Samba System File Location

    S

    safe-guards, Technical Issues
    SAM, Dissection and Discussion
    samba, Removal of Pre-Existing Conflicting RPMs
    starting samba, Implementation
    Samba, Samba Configuration
    Samba accounts, Technical Issues
    samba cluster, Introduction
    samba control script, Starting Samba
    Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
    Samba Domain server, Using the MMC Computer Management Interface
    Samba RPM Packages, Samba-3 PDC Configuration
    Samba Tea, Samba Configuration
    sambaDomainName, NT4 Migration Using LDAP Backend
    sambaGroupMapping, LDAP Server Configuration
    SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
    SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
    sambaSamAccount, LDAP Server Configuration
    SambaXP conference, Questions and Answers
    SAN, For Scalability, Use SAN-Based Storage on Samba Servers
    SAS, Security Identifiers (SIDs)
    scalability, Introduction
    scalable, Identity Management Needs
    schannel, Technical Issues, Key Points Learned, Questions and Answers
    schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
    scripts, The LDAP Account Manager
    secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
    secret, Kerberos Exposed
    secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
    secure, Introduction
    secure account password, Questions and Answers
    secure connections, The LDAP Account Manager
    secure networking, Technical Issues
    secure networking protocols, Technical Issues
    security, Implementation, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers, NSS Configuration
    identifier, Security Identifiers (SIDs)
    share mode, Dissection and Discussion
    user mode, Dissection and Discussion
    Security, Technical Issues, Using the MMC Computer Management Interface
    Security Account Manager (see SAM)
    security controls, Technical Issues
    security descriptors, Dissection and Discussion
    security fixes, Technical Issues
    security updates, Technical Issues
    SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    server
    domain member, Security Identifiers (SIDs)
    stand-alone, Security Identifiers (SIDs)
    server string, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, LDAP Server Configuration
    service, Implementation
    smb
    start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
    Service Packs, Application Share Configuration
    services, Key Points Learned
    services provided, Samba Support
    session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    Session Setup, Simple Windows Client Connection Characteristics
    SessionSetUpAndX, Security Identifiers (SIDs)
    set primary group script, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    setfacl, Setting Posix ACLs in UNIX/Linux
    severely degrade, Samba Configuration
    SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
    SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
    shadow-utils, Questions and Answers
    share, Questions and Answers
    Share Access Controls, Share Access Controls
    share ACLs, Questions and Answers
    share definition, Technical Issues
    Share Definition
    Controls, Share Definition Controls
    share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
    share level access controls, Questions and Answers
    share level ACL, Questions and Answers
    Share Permissions, Share Access Controls
    shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
    shares, Technical Issues
    show add printer wizard, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, LDAP Server Configuration
    shutdown script, Samba Configuration, Implementation, Implementation
    SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
    side effects, Managing Windows 200x ACLs
    Sign'n'seal, Key Points Learned, Questions and Answers
    silent return, Active Directory Domain with Samba Domain Member Server
    simple, Dissection and Discussion
    Single Sign-On (see SSO)
    slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
    slapd, Debugging LDAP
    slapd.conf, NT4 Migration Using LDAP Backend
    slave, Dissection and Discussion
    slow logon, Making Happy Users
    slow network, Hardware Problems
    slurpd, Implementation, Questions and Answers
    smart printing, Dissection and Discussion
    SMB, Security Identifiers (SIDs)
    SMB passwords, Implementation
    smb ports, Samba Configuration, Questions and Answers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend
    SMB/CIFS, Questions and Answers
    smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
    smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    location of files, Samba System File Location
    smbfs, Dissection and Discussion
    smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbldap-groupmod, LDAP Server Configuration
    smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
    smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
    smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
    smbldap-tools updating, NT4 Migration Using LDAP Backend
    smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
    smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbmnt, Dissection and Discussion
    smbmount, Dissection and Discussion
    smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
    smbumnt, Dissection and Discussion
    smbumount, Dissection and Discussion
    SMTP, Technical Issues
    snap-shot, Dissection and Discussion
    socket address, Samba Configuration
    socket options, Samba Configuration
    software, Dissection and Discussion
    solve, Dissection and Discussion
    source code, Dissection and Discussion
    SPNEGO, Windows 200x/XP Client Interaction with Samba-3
    SQL, Dissection and Discussion, Questions and Answers
    Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
    squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
    Squid proxy, Technical Issues
    SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
    SSL, The LDAP Account Manager
    stand-alone server, Security Identifiers (SIDs)
    starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
    starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    nmbd, Starting Samba
    smbd, Starting Samba
    winbindd, Starting Samba
    startingCUPS, Implementation
    startup script, Starting Samba
    sticky bit, Implementation
    storage capacity, Hardware Requirements
    strategic, Technical Issues
    strategy, Questions and Answers
    straw-man, Active Directory, Kerberos, and Security
    strict sync, Samba Configuration
    stripped, Samba 1.9.x and 2.x Versions Without LDAP
    strong cryptography, Kerberos Exposed
    subscription, Free Support
    SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
    Sun ONE Identity Server, Dissection and Discussion
    super daemon, Process Startup Configuration
    support, Dissection and Discussion, Samba Support
    survey, Adding Domain Member Servers and Clients
    SUSE, Migrating NetWare Server to Samba-3
    SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
    SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
    SWAT, Samba System File Location
    sync always, Samba Configuration
    synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
    synchronize, User Needs, LDAP Server Configuration
    synchronized, Questions and Answers
    syslog, Implementation, Samba Configuration, Implementation, OpenLDAP Server Configuration, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    system level logins, Questions and Answers
    system security, Technical Issues

    T

    tattooing, Questions and Answers
    TCP/IP, Questions and Answers
    tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
    template primary group, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server
    template shell, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
    ticket, Samba Configuration
    time server, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, LDAP Server Configuration
    Tivoli Directory Server, Dissection and Discussion
    TLS, LDAP Server Configuration
    token, Technical Issues
    tool, Questions and Answers, Dissection and Discussion
    TOSHARG2, Implementation
    track record, Dissection and Discussion
    traffic collisions, Making Happy Users
    transaction processing, Dissection and Discussion
    transactional, Questions and Answers
    transfer, Questions and Answers
    translate, Managing Windows 200x ACLs
    traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    tree, Dissection and Discussion
    Tree Connect, Simple Windows Client Connection Characteristics
    trust account, Regarding LDAP Directories and Windows Computer Accounts
    trusted computing, Introduction
    Trusted Domains, Technical Issues
    trusted domains, Questions and Answers
    trusted third-party, Kerberos Exposed
    trusting, Kerberos Exposed
    turn-around time, Technical Issues

    U

    UDP
    broadcast, Routed Networks
    UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
    un-join, Questions and Answers
    unauthorized activities, Kerberos Exposed
    UNC name, Questions and Answers
    unencrypted, The LDAP Account Manager
    Unicast, The Nature of Windows Networking Protocols
    unicode, International Language Support
    Universal Naming Convention (see UNC name)
    UNIX, LDAP Server Configuration
    groups, Technical Issues, Implementation
    UNIX account, Questions and Answers
    UNIX accounts, Technical Issues
    unix charset, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server
    unix password sync, Samba Configuration
    UNIX/Linux server, Technical Issues
    unix2dos, Samba Configuration, Configuration for Server: MASSIVE
    unknown, Technical Issues
    unsupported software, Commercial Support
    update, Introduction, Cautions and Notes
    updates, Introduction, Technical Issues
    updating smbldap-tools, NT4 Migration Using LDAP Backend
    upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
    uppercase, Implementation
    use client driver, Implementation, Implementation, Implementation, Samba Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    user
    management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    user account, Making Happy Users, OpenLDAP Server Configuration
    User and Group Controls, Technical Issues
    user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
    user errors, Questions and Answers
    user groups, Free Support
    user identities, Implementation
    user logins, Questions and Answers
    user management, Implementation
    User Manager, NT4 Migration Using LDAP Backend
    User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
    userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
    usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    username, Security Identifiers (SIDs)
    username map, Implementation, Samba Configuration, Server Preparation: All Servers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    UTF-8, International Language Support
    utilities, Questions and Answers
    utmp, Samba Configuration, Implementation, Implementation

    V

    valid users, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using LDAP Backend, LDAP Server Configuration, Checkpoint Controls, Questions and Answers
    validate, Questions and Answers, Checkpoint Controls
    validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
    validation, Validation, Validation, Questions and Answers
    vampire, Questions and Answers
    vendor, Dissection and Discussion
    vendors, Updating a Samba-3 Installation
    veto files, Samba Configuration, Implementation, LDAP Server Configuration
    veto oplock files, Samba Configuration, Implementation
    VFS modules, Samba System File Location
    virus, Implementation
    VPN, Assignment Tasks
    vulnerabilities, Introduction

    W

    wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    weakness, Technical Issues
    web
    caching, Assignment Tasks
    proxying, Assignment Tasks
    Web
    proxy, Questions and Answers
    access, Key Points Learned
    Web browsers, Key Points Learned
    WebClient, Making Happy Users
    WHATSNEW.txt, Samba-2.x with LDAP Support
    white-pages, Technical Issues, LDAP Server Configuration
    wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
    Winbind, Questions and Answers, Technical Issues, Key Points Learned
    winbind enable local accounts, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Questions and Answers
    winbind enum groups, IDMAP_RID with Winbind, NSS Configuration
    winbind enum users, IDMAP_RID with Winbind, NSS Configuration
    winbind nested groups, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend
    winbind separator, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
    winbind trusted domains only, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers
    winbind use default domain, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Checkpoint Controls
    winbind user default domain, NSS Configuration
    winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    winbindd_cache.tdb, Technical Issues
    winbindd_idmap.tdb, Technical Issues
    Windows, LDAP Server Configuration
    client, Security Identifiers (SIDs)
    NT, Security Identifiers (SIDs)
    Windows 2000 ACLs, Managing Windows 200x ACLs
    Windows 2003 Serve, Introduction
    Windows 200x ACLs, Questions and Answers
    Windows accounts, Technical Issues
    Windows ACLs, Setting Posix ACLs in UNIX/Linux
    Windows Address Book, LDAP Server Configuration
    Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Windows clients, Questions and Answers
    Windows Explorer, Validation
    Windows explorer, Questions and Answers
    Windows security identifier (see SID)
    Windows Servers, Introduction
    Windows Services for UNIX (see SUS)
    Windows XP, Assignment Tasks
    WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
    lookup, Questions and Answers
    name resolution, Routed Networks
    server, Making Happy Users, Routed Networks
    WINS server, The 500-User Office, Questions and Answers
    wins server, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend
    WINS serving, Implementation
    wins support, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, LDAP Server Configuration
    wins.dat, Identity Management Needs, Replacing a Domain Member Server
    Word, Share Point Directory and File Permissions
    workgroup, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration
    Workgroup Announcement, Findings
    workstation, Implementation
    wrapper, Questions and Answers
    write list, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    write lock, Opportunistic Locking Controls

    X

    xinetd, Process Startup Configuration
    XML, Dissection and Discussion
    xmlsam, Implementation

    Y

    YaST, PAM and NSS Client Configuration
    Yellow Pages, Identity Management Needs
    yellow pages (see NIS)
    Prev   
    Glossary Home 
    +Index
    Index
    Prev   

    Index

    Symbols

    #delete group script, NT4 Migration Using LDAP Backend
    #delete user from group script, NT4 Migration Using LDAP Backend
    #delete user script, NT4 Migration Using LDAP Backend
    #wins support, NT4 Migration Using LDAP Backend
    %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
    %USERNAME%, Roaming Profile Background, Profile Changes
    %USERPROFILE%, Configuration of Default Profile with Folder Redirection
    /data/ldap, OpenLDAP Server Configuration
    /etc/cups/mime.convs, Implementation, Implementation
    /etc/cups/mime.types, Implementation, Implementation
    /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
    /etc/exports, Samba-3 PDC Configuration
    /etc/group, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Replacing a Domain Member Server, Questions and Answers, Removal of Pre-Existing Conflicting RPMs
    /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation: All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
    /etc/krb5.conf, IDMAP Storage in LDAP using Winbind, Kerberos Configuration
    /etc/ldap.conf, PAM and NSS Client Configuration, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    /etc/mime.convs, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/mime.types, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    /etc/named.conf, Configuration of DHCP and DNS Servers
    /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, NT4 Migration Using LDAP Backend
    /etc/openldap/slapd.conf, Debugging LDAP, OpenLDAP Server Configuration, Implementation
    /etc/passwd, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Replacing a Domain Member Server, Technical Issues, Questions and Answers, Technical Issues, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
    /etc/rc.d/rc.local, Implementation
    /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation: All Servers
    /etc/samba, Samba System File Location
    /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
    /etc/samba/smbusers, Server Preparation: All Servers
    /etc/shadow, Replacing a Domain Member Server, Technical Issues
    /etc/squid/squid.conf, Removal of Pre-Existing Conflicting RPMs
    /etc/syslog.conf, Debugging LDAP
    /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
    /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
    /opt/IDEALX/sbin, NT4 Migration Using LDAP Backend
    /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
    /usr/bin, Samba System File Location
    /usr/lib/samba, Samba System File Location
    /usr/local, Samba System File Location
    /usr/local/samba, Samba System File Location
    /usr/local/samba/var/locks, Samba 1.9.x and 2.x Versions Without LDAP
    /usr/sbin, Samba System File Location
    /usr/share, Samba System File Location
    /usr/share/samba/swat, Samba System File Location
    /usr/share/swat, Samba System File Location
    /var/cache/samba, Samba 1.9.x and 2.x Versions Without LDAP
    /var/lib/samba, Samba 1.9.x and 2.x Versions Without LDAP, Samba System File Location
    /var/log/ldaplogs, Debugging LDAP
    /var/log/samba, Samba System File Location
    8-bit, International Language Support

    , Application Share Configuration, Addition of Machines to the Domain, IDMAP_RID with Winbind, Location of config files
    Domain account, Technical Issues
    liability, Dissection and Discussion
    logon, Implementation
    problem, Dissection and Discussion
    transparent inter-operability, Questions and Answers

    A

    abmas-netfw.sh, Basic System Configuration
    abort shutdown script, Samba Configuration, Implementation, Implementation
    accept, Printer Configuration
    accepts liability, Dissection and Discussion
    access, Technical Issues, Checkpoint Controls
    access control, Kerberos Exposed, Using the MMC Computer Management Interface
    Access Control Lists (see ACLs)
    access control settings, Share Access Controls
    access controls, Technical Issues, Share Definition Controls
    accessible, Share Point Directory and File Permissions
    account, Regarding LDAP Directories and Windows Computer Accounts, Share Access Controls
    ADS Domain, Technical Issues
    account credentials, Findings and Comments
    account information, Questions and Answers
    account names, Questions and Answers
    account policies, The LDAP Account Manager
    accountable, Introduction, Dissection and Discussion
    accounts
    authoritative, Technical Issues
    Domain, Introduction, Questions and Answers
    group, Introduction, Questions and Answers, Introduction
    machine, Introduction, Questions and Answers
    manage, The LDAP Account Manager
    user, Introduction, Questions and Answers, Introduction
    ACL, Questions and Answers, Security Identifiers (SIDs), Checkpoint Controls
    ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
    acquisitions, Introduction
    Act!, Shared Data Integrity
    ACT! database, Act! Database Sharing
    Act!Diag, Act! Database Sharing
    Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
    authentication, Squid Configuration
    domain, Samba Configuration
    join, Active Directory Domain with Samba Domain Member Server
    management tools, Technical Issues
    realm, Bad Hostnames
    Replacement, Technical Issues
    server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
    Server, Technical Issues
    tree, Samba Configuration
    active directory, Technical Issues
    AD printer publishing, Uploading Printer Drivers to Samba Servers
    ADAM, Dissection and Discussion, IDMAP Storage in LDAP using Winbind
    add group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    add machine script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Add Printer Wizard
    APW, Uploading Printer Drivers to Samba Servers
    add user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    add user to group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    adequate precautions, Introduction
    admin users, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    administrative installation, Application Share Configuration
    administrative rights, Checkpoint Controls
    administrator, Implementation, Samba Configuration, Server Preparation: All Servers
    ADMT, Migration of Samba Accounts to Active Directory
    ADS, IDMAP Storage in LDAP using Winbind, Technical Issues, Kerberos Configuration, Bad Hostnames
    server, Technical Issues
    ADS Domain, Technical Issues
    affordability, The Nature of Windows Networking Protocols
    alarm, Introduction
    algorithm, Technical Issues
    allow trusted domains, IDMAP_RID with Winbind
    alternative, Dissection and Discussion
    analysis, Technical Issues
    anonymous connection, Validation, Validation
    Apache Web server, Questions and Answers
    appliance mode, Technical Issues
    application server, Technical Issues, Application Share Configuration
    application servers, The Nature of Windows Networking Protocols
    application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    APW, Uploading Printer Drivers to Samba Servers
    arp, Validation
    assessment, Introduction
    assistance, Free Support
    assumptions, Key Points Learned
    authconfig, PAM and NSS Client Configuration
    authenticate, LDAP Server Configuration, Samba Configuration
    authenticated, Assignment Tasks
    authenticated connection, Validation, Validation
    authentication, The Nature of Windows Networking Protocols, Questions and Answers, Dissection and Discussion, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
    plain-text, Questions and Answers
    authentication process, Implementation
    authentication protocols, Key Points Learned
    authoritative, Technical Issues
    authorized location, Kerberos Exposed
    auto-generated SID, Questions and Answers
    automatically allocate, Technical Issues
    availability, Performance, Reliability, and Availability

    B

    backends, Integrating Additional Services
    background communication, Questions and Answers
    Backup, Introduction
    Backup Domain Controller (see BDC)
    bandwidth, Assignment Tasks
    requirements, User Needs
    bandwidth calculations, Hardware Requirements
    BDC, Technical Issues, Making Happy Users, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, Technical Issues, Questions and Answers, Security Identifiers (SIDs), NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    benefit, Questions and Answers, Dissection and Discussion
    best practices, Introduction
    bias, Questions and Answers
    binary database, Implementation
    binary files, Updating a Samba-3 Installation
    binary package, Updating a Samba-3 Installation
    bind interfaces only, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    broadcast, Routed Networks, Questions and Answers
    directed, The Nature of Windows Networking Protocols
    mailslot, The Nature of Windows Networking Protocols
    broadcast messages, Implementation
    broadcast storms, Network Collisions
    broken, Dissection and Discussion
    broken behavior, Dissection and Discussion
    browse, Technical Issues
    browse master, Findings
    Browse Master, Questions and Answers
    browse.dat, Replacing a Domain Member Server
    browseable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Browser Election Service, Questions and Answers
    browsing, Technical Issues, Technical Issues, Assignment Tasks
    budgetted, Introduction
    bug fixes, Introduction
    bug report, Free Support

    C

    cache, Opportunistic Locking Controls
    cache directories, Removal of Pre-Existing Conflicting RPMs
    caching, Samba Configuration
    case sensitive, Large Directories
    case-sensitive, Kerberos Configuration
    centralized storage, Questions and Answers
    character set, International Language Support
    check samba daemons, Validation, Validation
    check-point, Share Definition Controls
    check-point controls, Checkpoint Controls
    Checkpoint Controls, Checkpoint Controls
    chgrp, Samba Configuration
    chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
    chmod, Samba Configuration
    choice, Dissection and Discussion, Technical Issues
    chown, Removal of Pre-Existing Conflicting RPMs
    CIFS, Security Identifiers (SIDs), Findings
    cifsfs, Dissection and Discussion
    clean database, Questions and Answers
    clients per DC, Making Happy Users
    Clock skew, Kerberos Configuration
    cluster, Introduction
    clustering, Introduction, For Scalability, Use SAN-Based Storage on Samba Servers
    code maintainer, Free Support
    codepage, International Language Support
    collision rates, Network Collisions
    comment, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    commercial, Dissection and Discussion
    commercial software, Dissection and Discussion
    commercial support, Samba Support, Commercial Support
    Common Internet File System (see CIFS)
    comparison
    Active Directory & OpenLDAP, Dissection and Discussion
    compat, Samba Domain with Samba Domain Member Server Using NSS LDAP
    compatible, Technical Issues
    compile-time, Location of config files
    complexities, Dissection and Discussion
    compromise, Introduction, Introduction, Technical Issues
    computer account, Samba Configuration
    Computer Management, Share Access Controls, Questions and Answers
    computer name, Security Identifiers (SIDs)
    condemns, Technical Issues
    conferences, Technical Issues
    configuration files, Introduction
    configure.pl, NT4 Migration Using LDAP Backend
    connection, Share Access Controls
    connectivity, Questions and Answers
    consequential risk, Technical Issues
    consultant, Drafting Office, Introduction, Dissection and Discussion
    consumer, Dissection and Discussion, Technical Issues
    consumer expects, Samba Support
    contiguous directory, Implementation
    contributions, Updating Samba-3
    control files, Updating a Samba-3 Installation
    convmv, International Language Support
    copy, Questions and Answers, LDAP Server Configuration
    corrective action, Hardware Problems
    cost, Dissection and Discussion
    cost-benefit, Assignment Tasks
    country of origin, Commercial Support
    Courier-IMAP, LDAP Server Configuration
    create mask, LDAP Server Configuration
    credential, Share Definition Controls
    credentials, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Technical Issues
    crippled, Dissection and Discussion
    criticism, Active Directory, Kerberos, and Security, Introduction
    Critics, Technical Issues
    Cryptographic, Technical Issues
    CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation: All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
    queue, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    cups options, Samba Configuration, LDAP Server Configuration
    cupsd, Basic System Configuration
    customer expected, Samba Support
    customers, Samba Support

    D

    daemon, Validation, Basic System Configuration, Security Identifiers (SIDs), Technical Issues, Questions and Answers, Starting Samba
    daemon control, Process Startup Configuration
    data
    corruption, Making Happy Users
    integrity, Questions and Answers
    data corruption, Hardware Problems, Act! Database Sharing
    data integrity, Hardware Problems, Shared Data Integrity
    data storage, Implementation
    database, Dissection and Discussion, Questions and Answers, Dissection and Discussion
    database applications, Shared Data Integrity
    DB_CONFIG, OpenLDAP Server Configuration
    DCE, Kerberos Exposed
    DDNS (see dynamic DNS)
    Debian, Migrating NetWare Server to Samba-3
    default devmode, Samba Configuration, Implementation
    default installation, Samba System File Location
    default password, The LDAP Account Manager
    default profile, Assignment Tasks, Technical Issues
    Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
    defective
    cables, Hardware Problems
    HUBs, Hardware Problems
    switches, Hardware Problems
    defects, Technical Issues
    defensible standards, Technical Issues
    defragmentation, Windows Client Configuration
    delete group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades
    delete user from group script, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, LDAP Server Configuration
    delete user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
    delimiter, Checkpoint Controls
    dependability, Technical Issues
    deployment, Free Support
    desired security setting, Setting Posix ACLs in UNIX/Linux
    development, Technical Issues
    DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
    client, Bad Hostnames
    relay, Technical Issues
    Relay Agent, Questions and Answers
    request, Questions and Answers
    requests, Technical Issues
    servers, Questions and Answers
    traffic, Questions and Answers
    dhcp client validation, Validation, Validation
    DHCP Server, Implementation
    DHCP server, Technical Issues
    diagnostic, IDMAP Storage in LDAP using Winbind
    diffusion, Technical Issues
    digital rights, Technical Issues
    digital sign'n'seal, Technical Issues
    digits, Bad Hostnames
    diligence, Technical Issues
    directory, Dissection and Discussion, Political Issues, Location of config files
    Computers container, LDAP Initialization and Creation of User and Group Accounts
    management, Dissection and Discussion
    People container, LDAP Initialization and Creation of User and Group Accounts
    replication, Dissection and Discussion
    schema, Dissection and Discussion
    server, Technical Issues
    synchronization, Dissection and Discussion
    directory mask, LDAP Server Configuration
    directory tree, Setting Posix ACLs in UNIX/Linux
    disable, Introduction
    disable spoolss, Implementation, Implementation
    disaster recovery, Introduction
    disk image, Assignment Tasks
    disruptive, Dissection and Discussion
    distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
    distributed domain, Identity Management Needs
    DMB, Questions and Answers
    DMS, Security Identifiers (SIDs), Replacing a Domain Member Server
    DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, LDAP Server Configuration, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
    configuration, Questions and Answers
    Dynamic, Questions and Answers
    dynamic, Joining a Domain: Windows 200x/XP Professional
    lookup, Questions and Answers, Kerberos Configuration
    name lookup, Bad Hostnames
    SRV records, Kerberos Configuration
    suffix, Joining a Domain: Windows 200x/XP Professional
    DNS server, Implementation, Configuration of DHCP and DNS Servers
    document the settings, Samba Configuration
    documentation, Dissection and Discussion, Technical Issues
    documented, Samba Configuration
    Domain, Technical Issues, Questions and Answers
    group, Questions and Answers
    groups, Technical Issues
    user, Questions and Answers
    domain
    Active Directory, Technical Issues
    controller, Replacing a Domain Controller
    joining, A Collection of Useful Tidbits
    trusted, Questions and Answers
    Domain accounts, Technical Issues
    Domain Administrator, Share Access Controls
    Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
    closest, The Nature of Windows Networking Protocols
    domain controller, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades
    domain controllers, Technical Issues
    Domain Controllers, Questions and Answers
    Domain Groups
    well-known, Initialization of the LDAP Database
    Domain join, Samba Domain with Samba Domain Member Server Using NSS LDAP
    domain logons, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    Domain logons, Questions and Answers
    domain master, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
    Domain Master Browser (see DMB)
    Domain Member, Use and Location of BDCs
    authoritative
    local accounts, Technical Issues
    client, Implementation
    desktop, Introduction
    server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
    servers, Questions and Answers, Checkpoint Controls
    workstations, Implementation
    domain member
    servers, Technical Issues
    Domain Member server, Technical Issues, Questions and Answers
    Domain Member servers, Questions and Answers
    domain members, Questions and Answers
    domain name space, Identity Management Needs
    domain replication, Questions and Answers
    domain SID, Security Identifiers (SIDs)
    Domain SID, Technical Issues, Questions and Answers
    domain tree, Identity Management Needs
    Domain User Manager, Configuring Profile Directories
    Domain users, Technical Issues
    DOS, Security Identifiers (SIDs)
    dos2unix, Samba Configuration, Configuration for Server: MASSIVE
    down-grade, Introduction
    drive letters, LDAP Server Configuration
    drive mapping, Technical Issues
    dumb printing, Installation of Printer Driver Auto-Download
    dump, Technical Issues, Questions and Answers
    duplicate accounts, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    dynamic DNS, Technical Issues

    E

    e-Directory, Dissection and Discussion
    ea support, NT4 Migration Using LDAP Backend
    Easy Software Products, Installation of Printer Driver Auto-Download
    economically sustainable, Dissection and Discussion
    eDirectory, Dissection and Discussion
    education, Identity Management Needs
    election, Findings
    employment, Introduction, Dissection and Discussion
    enable, Printer Configuration
    enable privileges, Samba-3 PDC Configuration, Samba-3 BDC Configuration
    encrypt passwords, NSS Configuration, Questions and Answers
    encrypted, Findings and Comments
    encrypted password, Windows 200x/XP Client Interaction with Samba-3
    encrypted passwords, Questions and Answers
    End User License Agreement (see EULA)
    enumerating, Samba Configuration
    essential, Introduction
    Ethereal, Requirements and Notes
    ethereal, Exercises
    Ethernet switch, Technical Issues
    ethernet switch, Making Happy Users
    EULA, Dissection and Discussion
    Everyone, Share Access Controls
    Excel, Share Point Directory and File Permissions
    exclusive open, Microsoft Access
    experiment, Active Directory, Kerberos, and Security
    export, Technical Issues
    extent, Dissection and Discussion
    External Domains, Technical Issues
    extreme demand, Guidelines for Reliable Samba Operation

    F

    fail, The Nature of Windows Networking Protocols
    fail-over, Identity Management Needs, Implementation
    failed, Samba Domain with Samba Domain Member Server Using NSS LDAP
    failed join, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    failure, Questions and Answers, Samba Configuration
    familiar, Technical Issues
    fatal problem, Samba Configuration
    fear, Technical Issues
    fears, Technical Issues
    Fedora, Drafting Office
    FHS, Samba System File Location
    file and print server, Questions and Answers
    file and print service, Dissection and Discussion
    file caching, Samba Configuration, Opportunistic Locking Controls
    File Hierarchy System (see FHS)
    file locations, Samba System File Location
    file permissions, The LDAP Account Manager
    file server
    read-only, Dissection and Discussion
    file servers, Samba Server Implementation
    file system, Technical Issues
    access control, Samba Configuration
    Ext3, Implementation
    permissions, Samba Configuration, Configuration for Server: MASSIVE
    file system security, Questions and Answers
    filter, Share Access Controls
    financial responsibility, Introduction
    firewall, Technical Issues, Basic System Configuration, Introduction
    fix, Dissection and Discussion
    flaws, Introduction
    flexibility, Technical Issues
    flush
    cache memory, Opportunistic Locking Controls
    folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
    force group, Implementation, LDAP Server Configuration, Override Controls, Questions and Answers
    force printername, LDAP Server Configuration
    force user, Dissection and Discussion, Implementation, Override Controls, Questions and Answers
    forced settings, Override Controls
    foreign, Samba Domain with Samba Domain Member Server Using NSS LDAP
    foreign SID, Samba Domain with Samba Domain Member Server Using NSS LDAP
    forwarded, Routed Networks
    foundation members, Technical Issues
    Free Standards Group (see FSG)
    free support, Samba Support, Free Support
    front-end, Dissection and Discussion
    server, Distribute Network Load with MSDFS
    frustration, Introduction
    FSG, Samba System File Location
    FTP
    proxy, Questions and Answers
    full control, Share Access Controls, Using MS Windows Explorer (File Manager)
    fully qualified, Checkpoint Controls
    functional differences, Cautions and Notes

    G

    generation, Cautions and Notes
    Gentoo, Migrating NetWare Server to Samba-3
    getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind
    getfacl, Setting Posix ACLs in UNIX/Linux
    getgrgid(), Questions and Answers
    getgrnam, Technical Issues
    getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP
    getpwnam(), Questions and Answers
    GID, Implementation, Questions and Answers, Questions and Answers
    Goettingen, Questions and Answers
    government, Identity Management Needs
    GPL, Comments Regarding Software Terms of Use
    group account, Implementation, OpenLDAP Server Configuration
    group management, Implementation
    group mapping, LDAP Server Configuration
    group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    group names, Questions and Answers
    group policies, Introduction
    Group Policy, Joining a Domain: Windows 200x/XP Professional
    Group Policy editor, The Local Group Policy
    Group Policy Objects, The Local Group Policy
    groupadd, Implementation, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupdel, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    groupmem, NT4 Migration Using LDAP Backend
    groupmod, Applicable to All Samba 2.x to Samba-3 Upgrades, Questions and Answers
    GSS-API, Windows 200x/XP Client Interaction with Samba-3
    guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
    guest ok, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration

    H

    hackers, Introduction
    hardware prices, Hardware Problems
    hardware problems, Hardware Problems
    Heimdal, Implementation, Kerberos Configuration
    Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    Heimdal kerberos, IDMAP Storage in LDAP using Winbind
    help, Free Support
    helper agent, Removal of Pre-Existing Conflicting RPMs
    hesiod, Samba Domain with Samba Domain Member Server Using NSS LDAP
    hide files, LDAP Server Configuration
    hierarchy of control, Share Definition Controls
    high availability, Dissection and Discussion
    hire, Dissection and Discussion
    HKEY_CURRENT_USER, Roaming Profile Background
    HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
    HKEY_LOCAL_USER, Questions and Answers
    host announcement, Assignment Tasks, Findings
    hostname, Basic System Configuration, Security Identifiers (SIDs)
    hosts, Questions and Answers
    hosts allow, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support
    HUB, Making Happy Users
    Hybrid, Questions and Answers
    hypothetical, Introduction

    I

    Idealx, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    smbldap-tools, Install and Configure Idealx smbldap-tools Scripts, LDAP Initialization and Creation of User and Group Accounts
    identifiers, Technical Issues
    identity, Questions and Answers, Kerberos Exposed
    management, Technical Issues
    identity management, Technical Issues, Dissection and Discussion, Political Issues, Dissection and Discussion
    Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
    Identity management, UNIX/Linux Client Domain Member
    Identity resolution, Samba Domain with Samba Domain Member Server Using NSS LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
    Identity resolver, Questions and Answers
    IDMAP, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind
    idmap backend, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend
    IDMAP backend, Questions and Answers
    idmap gid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, NSS Configuration
    idmap uid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend, NSS Configuration
    idmap_rid, IDMAP_RID with Winbind
    IMAP, Technical Issues
    import, Technical Issues
    include, Implementation
    income, Dissection and Discussion
    independent expert, Introduction
    inetd, Process Startup Configuration
    inetOrgPerson, Technical Issues
    inheritance, Setting Posix ACLs in UNIX/Linux
    initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    initial credentials, Kerberos Configuration
    inoperative, Dissection and Discussion
    install, Updating Samba-3
    installation, Dissection and Discussion
    integrate, Technical Issues
    integrity, Introduction, Kerberos Exposed
    inter-domain, Applicable to All Samba 2.x to Samba-3 Upgrades
    inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
    interactive help, Free Support
    interdomain trusts, Identity Management Needs
    interfaces, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    intermittent, Hardware Problems
    internationalization, International Language Support
    Internet Explorer, Technical Issues
    Internet Information Server, Questions and Answers
    interoperability, Dissection and Discussion
    IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
    IPC$, Findings and Comments
    iptables, Technical Issues
    IRC, Free Support
    isolated, Introduction
    Italian, Questions and Answers

    J

    jobs, Introduction
    joining a domain, Joining a Domain: Windows 200x/XP Professional

    K

    KDC, Kerberos Configuration
    Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
    Heimdal, Active Directory Domain with Samba Domain Member Server
    interoperability, Kerberos Exposed
    libraries, Active Directory Domain with Samba Domain Member Server
    MIT, Active Directory Domain with Samba Domain Member Server
    unspecified fields, Kerberos Exposed
    kerberos, Kerberos Exposed
    server, Kerberos Exposed
    Kerberos ticket, Samba Configuration
    kinit, Kerberos Configuration
    Kixtart, LDAP Server Configuration
    klist, Kerberos Configuration
    krb5, Implementation
    krb5.conf, Kerberos Configuration

    L

    LAM, The LDAP Account Manager
    configuration editor, The LDAP Account Manager
    configuration file, The LDAP Account Manager
    login screen, The LDAP Account Manager
    opening screen, The LDAP Account Manager
    profile, The LDAP Account Manager
    wizard, The LDAP Account Manager
    large domain, IDMAP_RID with Winbind
    LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, Preliminary Advice: Dangers Can Be Avoided, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Assignment Tasks, Technical Issues, Questions and Answers, Dissection and Discussion, LDAP Server Configuration, Technical Issues
    backend, Identity Management Needs
    database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
    directory, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs
    fail-over, Implementation
    initial configuration, Alternative LDAP Database Initialization
    master, Identity Management Needs
    master/slave
    background communication, Questions and Answers
    preload, Implementation
    schema, Updating from Samba Versions between 3.0.6 and 3.0.10
    secure, Technical Issues
    server, Questions and Answers
    slave, Identity Management Needs
    updates, Identity Management Needs
    ldap, Samba Domain with Samba Domain Member Server Using NSS LDAP
    LDAP Account Manager (see LAM)
    ldap admin dn, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP backend, Technical Issues
    LDAP database, Questions and Answers
    ldap group suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap idmap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP Interchange Format (see LDIF)
    ldap machine suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap passwd sync, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP server, Identity Management Needs
    ldap ssl, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    ldap timeout, NT4 Migration Using LDAP Backend
    ldap user suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    LDAP-transfer-LDIF.txt, Implementation
    ldap.conf, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, Integrating Additional Services
    ldapsam backend, Samba Domain with Samba Domain Member Server Using NSS LDAP
    ldapsearch, LDAP Initialization and Creation of User and Group Accounts
    LDIF, Technical Issues, Implementation, Technical Issues, LDAP Server Configuration, Initialization of the LDAP Database
    leadership, Technical Issues
    Lightweight Directory Access Protocol (see LDAP)
    limit, Questions and Answers
    Linux desktop, Introduction
    Linux Standards Base (see LSB)
    LMB, Findings, Questions and Answers
    LMHOSTS, Routed Networks
    load distribution, For Scalability, Use SAN-Based Storage on Samba Servers
    local accounts, Technical Issues
    Local Group Policy, Roaming Profile Background
    local groups, Questions and Answers
    Local Master Announcement, Findings
    Local Master Browser (see LMB)
    local users, Questions and Answers
    localhost, Basic System Configuration, Bad Hostnames
    lock directory, Samba 1.9.x and 2.x Versions Without LDAP
    locking, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend
    Application level, Shared Data Integrity
    Client side, Shared Data Integrity
    Server side, Shared Data Integrity
    log file, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    log level, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP Storage in LDAP using Winbind, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logging, Removal of Pre-Existing Conflicting RPMs
    login, Technical Issues
    loglevel, Debugging LDAP
    logon credentials, Questions and Answers
    logon drive, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon home, Samba Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon hours, Technical Issues, Key Points Learned
    logon machines, Technical Issues
    logon path, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon process, Implementation
    logon scrip, Samba Configuration
    logon script, Implementation, Implementation, Samba Configuration, Implementation, Technical Issues, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Preparation of Logon Scripts, Implementation, Technical Issues, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    logon server, The Nature of Windows Networking Protocols
    logon services, Implementation
    logon time, Assignment Tasks
    logon traffic, The Nature of Windows Networking Protocols
    logon.kix, LDAP Server Configuration
    loopback, Validation
    low performance, Hardware Problems
    lower-case, Implementation
    lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
    LSB, Samba System File Location

    M

    machine, Security Identifiers (SIDs)
    machine account, Regarding LDAP Directories and Windows Computer Accounts
    machine accounts, Questions and Answers
    machine secret password, Technical Issues
    MACHINE.SID, Security Identifiers (SIDs)
    mailing list, Free Support
    mailing lists, Free Support
    managed, Technical Issues
    management, Political Issues, Questions and Answers
    group, Technical Issues
    User, Technical Issues
    mandatory profile, Technical Issues, Configuring Profile Directories
    Mandrake, Migrating NetWare Server to Samba-3
    map acl inherit, Samba Configuration, Implementation, Samba-3 PDC Configuration, NT4 Migration Using LDAP Backend
    map to guest, Implementation
    mapped drives, Questions and Answers
    mapping, Technical Issues, Kerberos Configuration
    consistent, Samba Domain with Samba Domain Member Server Using NSS LDAP
    Mars_NWE, Migrating NetWare Server to Samba-3
    master, Dissection and Discussion
    material, A Collection of Useful Tidbits
    max log size, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    memberUID, LDAP Server Configuration
    memory requirements, Hardware Requirements
    merge, Technical Issues, Questions and Answers
    merged, Technical Issues
    meta-directory, Questions and Answers
    meta-service, Questions and Answers
    Microsoft Access, Shared Data Integrity
    Microsoft Excel, Shared Data Integrity
    Microsoft ISA, Assignment Tasks
    Microsoft Management Console (see MMC)
    Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
    Microsoft Outlook
    PST files, Questions and Answers
    migrate, Updating Samba-3, Technical Issues
    migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers, Migrating NetWare Server to Samba-3
    objectives, Dissection and Discussion
    Migration speed, Questions and Answers
    mime type, Implementation, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    mime types, Implementation
    missing RPC's, Technical Issues
    MIT, Implementation, Kerberos Configuration
    MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    MIT kerberos, IDMAP Storage in LDAP using Winbind
    MIT KRB5, Samba Configuration
    mixed mode, Active Directory Domain with Samba Domain Member Server
    mixed-mode, Questions and Answers
    MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
    mobile computing, Dissection and Discussion
    mobility, Technical Issues
    modularization, Technical Issues
    modules, Questions and Answers
    MS Access
    validate, Microsoft Access
    MS Outlook
    PST file, Making Happy Users
    MS Windows Server 2003, Implementation
    MS Word, Share Point Directory and File Permissions
    MSDFS, Distribute Network Load with MSDFS
    multi-subnet, Routed Networks
    multi-user
    access, Microsoft Access
    data access, Shared Data Integrity
    multiple directories, Identity Management Needs
    multiple domain controllers, Making Happy Users
    multiple group mappings, Questions and Answers
    mutual assistance, Free Support
    My Documents, Roaming Profile Background
    My Network Places, Implementation
    mysqlsam, Implementation

    N

    name resolution, Configuration of DHCP and DNS Servers, Questions and Answers, Assignment Tasks
    Defective, Active Directory Domain with Samba Domain Member Server
    name resolve order, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend, LDAP Server Configuration, Questions and Answers
    name service switch, Implementation (see NSS)
    named, Basic System Configuration, Validation, Server Preparation: All Servers
    NAT, Technical Issues
    native, Questions and Answers
    net
    ads
    info, Active Directory Domain with Samba Domain Member Server
    join, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Samba Configuration
    status, Active Directory Domain with Samba Domain Member Server
    getlocalsid, Samba-3 PDC Configuration, Security Identifiers (SIDs)
    group, NT4 Migration Using tdbsam Backend
    groupmap
    add, Samba Configuration
    list, Samba Configuration, LDAP Initialization and Creation of User and Group Accounts
    modify, Samba Configuration
    rpc
    info, Security Identifiers (SIDs)
    join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using tdbsam Backend
    vampire, Updating Samba-3, NT4 Migration Using tdbsam Backend
    setlocalsid, Security Identifiers (SIDs)
    NetBIOS, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks, Questions and Answers
    name cache, Questions and Answers
    name resolution
    delays, Making Happy Users
    Node Type, Questions and Answers
    netbios
    machine name, Change of hostname
    netbios forwarding, Network Collisions
    netbios name, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server without NSS Support, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Security Identifiers (SIDs), Change of hostname, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration, Bad Hostnames
    NetBIOS name, Kerberos Configuration
    aliases, Identity Management Needs
    NETLOGON, Using a Network Default User Profile, Windows Client Configuration
    netlogon, The Nature of Windows Networking Protocols, LDAP Server Configuration
    Netlogon, Joining a Domain: Windows 200x/XP Professional
    netmask, Implementation
    Netware, Small Office Networking
    NetWare, Migrating NetWare Server to Samba-3, LDAP Server Configuration
    network
    administrators, Technical Issues
    analyzer, Assignment Tasks
    bandwidth, Identity Management Needs, Questions and Answers
    broadcast, Introduction
    captures, Requirements and Notes
    collisions, Network Collisions
    load, Network Collisions
    logon, Making Happy Users
    logon scripts, Dissection and Discussion
    management, Introduction
    multi-segment, Introduction
    overload, Making Happy Users
    performance, Samba Configuration
    routed, Dissection and Discussion
    secure, Introduction
    segment, Dissection and Discussion
    services, Questions and Answers
    sniffer, Requirements and Notes
    timeout, Making Happy Users
    timeouts, Network Collisions
    trace, Assignment Tasks
    traffic
    observation, Technical Issues
    wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Network Address Translation (see NAT)
    network administrators, Technical Issues
    network attached storage (see NAS)
    network bandwidth
    utilization, Making Happy Users
    Network Default Profile, Roaming Profile Background
    network hardware
    defective, Making Happy Users
    network hygiene, Dissection and Discussion
    network Identities, Questions and Answers
    network load factors, Dissection and Discussion
    Network Neighborhood, Validation, Technical Issues
    network segment, Use and Location of BDCs
    network segments, Hardware Requirements
    network share, Assignment Tasks
    networking
    client, Security Identifiers (SIDs)
    networking hardware
    defective, Making Happy Users
    networking protocols, Technical Issues
    next generation, Technical Issues
    NextFreeUnixId, NT4 Migration Using LDAP Backend
    NFS server, Samba-3 PDC Configuration
    NICs, Hardware Problems
    NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
    nis, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NIS schema, Questions and Answers
    NIS server, Questions and Answers
    NIS+, Identity Management Needs
    nisplus, Samba Domain with Samba Domain Member Server Using NSS LDAP
    NLM, Migrating NetWare Server to Samba-3
    nmap, Validation
    nmbd, Validation, Validation, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Starting Samba
    nobody, Removal of Pre-Existing Conflicting RPMs, Findings and Comments
    Novell, Migrating NetWare Server to Samba-3, Introduction
    Novell SUSE SLES 9, NT4 Migration Using LDAP Backend
    NSS, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, IDMAP_RID with Winbind, UNIX/Linux Client Domain Member, Questions and Answers, LDAP Server Configuration, NSS Configuration (see same service switch)
    nss_ldap, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Replacing a Domain Member Server, NT4 Migration Using LDAP Backend
    nt acl support, Dissection and Discussion, Implementation
    NT4 registry, Dissection and Discussion
    NTLM, Technical Issues
    NTLM authentication daemon, Technical Issues
    NTLMSSP, Key Points Learned, Questions and Answers, Windows 200x/XP Client Interaction with Samba-3
    NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
    ntlm_auth, Samba Configuration, Questions and Answers
    NTP, Kerberos Configuration
    NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
    NULL connection, Validation
    NULL session, Findings and Comments
    NULL-Session, Discussion

    O

    objectClass, LDAP Server Configuration
    off-site storage, Introduction
    Open Magazine, Adding Domain Member Servers and Clients
    Open Source, Dissection and Discussion
    OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Technical Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
    openldap, OpenLDAP Server Configuration
    OpenOffice, Application Share Configuration
    operating profiles, The LDAP Account Manager
    oplock break, Override Controls
    oplocks, Samba Configuration
    Oplocks
    disabled, Opportunistic Locking Controls
    opportunistic
    locking, Override Controls
    opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
    optimized, Samba Configuration
    options list, Questions and Answers
    organizational units, The LDAP Account Manager
    os level, Implementation
    OS/2, Security Identifiers (SIDs)
    Outlook
    PST, Configuration of MS Outlook to Relocate PST File
    Outlook Express, Political Issues
    over-ride, Technical Issues
    over-ride controls, Override Controls
    over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
    overheads, Override Controls
    ownership, Share Point Directory and File Permissions

    P

    package, Implementation
    package names, Samba System File Location
    packages, Updating a Samba-3 Installation
    PADL, Technical Issues, IDMAP Storage in LDAP using Winbind
    PADL LDAP tools, Technical Issues
    PADL Software, Samba Domain with Samba Domain Member Server Using NSS LDAP
    paid-for support, Samba Support
    PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member, LDAP Server Configuration
    pam password change, Samba Configuration, LDAP Server Configuration
    pam_ldap, OpenLDAP Server Configuration
    pam_ldap.so, PAM and NSS Client Configuration
    pam_unix2.so, PAM and NSS Client Configuration
    use_ldap, PAM and NSS Client Configuration
    parameters, Applicable to All Samba 2.x to Samba-3 Upgrades
    passdb backend, Implementation, Samba Configuration, The 500-User Office, Implementation, Dissection and Discussion, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Assignment Tasks, NT4 Migration Using LDAP Backend, Questions and Answers, LDAP Server Configuration
    passdb.tdb, Technical Issues
    passwd, Implementation, Implementation, Samba Configuration
    passwd chat, Implementation, Samba Configuration
    passwd program, Samba Configuration
    password
    backend, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    password caching, Implementation
    password change, Key Points Learned
    password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    password server, NSS Configuration
    path, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    payroll, Introduction
    pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
    PDC, Assignment Tasks, Technical Issues, Making Happy Users, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, Questions and Answers, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Use and Location of BDCs
    PDC/BDC ratio, Making Happy Users
    PDF, The LDAP Account Manager
    performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
    performance degradation, Override Controls, Samba Configuration
    Perl, LDAP Server Configuration, The LDAP Account Manager
    permission, Share Point Directory and File Permissions
    permissions, Implementation, Technical Issues, Share Access Controls, Checkpoint Controls, Share Point Directory and File Permissions, Removal of Pre-Existing Conflicting RPMs
    excessive, Technical Issues
    group, Share Point Directory and File Permissions
    user, Share Point Directory and File Permissions
    Permissions, Using the MMC Computer Management Interface
    permits, Technical Issues
    permitted group, Using the MMC Computer Management Interface
    PHP, The LDAP Account Manager
    PHP4, The LDAP Account Manager
    pile-driver, Share Definition Controls
    ping, Validation
    pitfalls, The LDAP Account Manager
    plain-text, Questions and Answers
    Pluggable Authentication Modules (see PAM)
    policy, Questions and Answers, Introduction
    poor performance, Dissection and Discussion
    POP3, Technical Issues
    Posix, Dissection and Discussion, Technical Issues, Questions and Answers, Implementation, Questions and Answers, The LDAP Account Manager
    POSIX, Regarding LDAP Directories and Windows Computer Accounts, LDAP Server Configuration
    Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
    Posix ACLs, Managing Windows 200x ACLs
    PosixAccount, LDAP Initialization and Creation of User and Group Accounts
    posixAccount, LDAP Server Configuration
    Postfix, LDAP Server Configuration
    Postscript, Installation of Printer Driver Auto-Download
    powers, Share Definition Controls
    practices, Introduction
    precaution, Introduction
    preferred master, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
    presence and leadership, Technical Issues
    price paid, Dissection and Discussion
    primary group, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Point Directory and File Permissions
    principals, Kerberos Exposed
    print filter, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    print queue, Charity Administration Office, Dissection and Discussion
    print spooler, Charity Administration Office
    Print Test Page, Uploading Printer Drivers to Samba Servers
    printable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    printcap name, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    printer admin, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, IDMAP_RID with Winbind, LDAP Server Configuration
    printer validation, Validation, Validation
    printers
    Advanced, Uploading Printer Drivers to Samba Servers
    Default Settings, Uploading Printer Drivers to Samba Servers
    General, Uploading Printer Drivers to Samba Servers
    Properties, Uploading Printer Drivers to Samba Servers
    Security, Uploading Printer Drivers to Samba Servers
    Sharing, Uploading Printer Drivers to Samba Servers
    printing, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server
    drag-and-drop, Installation of Printer Driver Auto-Download, Uploading Printer Drivers to Samba Servers
    dumb, Installation of Printer Driver Auto-Download
    point-n-click, Installation of Printer Driver Auto-Download
    raw, Dissection and Discussion
    privacy, Identity Management Needs
    Privilege Attribute Certificates (see PAC)
    privilege controls, Share Point Directory and File Permissions
    privileged pipe, Samba Configuration
    privileges, Identity Management Needs, Updating from Samba Versions after 3.0.6 to a Current Release, Technical Issues, Share Definition Controls
    problem report, Free Support
    problem resolution, Samba Support
    product defects, Dissection and Discussion
    professional support, Free Support
    profile
    default, Assignment Tasks
    mandatory, The Nature of Windows Networking Protocols
    roaming, Making Happy Users
    profile acls, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    profile path, Technical Issues
    profile share, Implementation
    profiles, Security Identifiers (SIDs)
    profiles share, Dissection and Discussion
    programmer, Dissection and Discussion
    project, Free Support
    project maintainers, Technical Issues
    Properties, Using the MMC Computer Management Interface
    proprietary, Technical Issues
    protected, Technical Issues
    protection, Technical Issues
    protocol
    negotiation, The Nature of Windows Networking Protocols
    protocol analysis, Requirements and Notes
    protocols, Technical Issues
    provided services, Samba Support
    proxy, Assignment Tasks, Technical Issues
    public specifications, Technical Issues
    purchase support, Free Support

    Q

    Qbasic, LDAP Server Configuration
    qualified problem, Free Support

    R

    RAID, Hardware Requirements
    RAID controllers, Hardware Problems
    Raw Print Through, Installation of Printer Driver Auto-Download
    raw printing, Implementation, Printer Configuration, Server Preparation: All Servers, Printer Configuration
    Rbase, LDAP Server Configuration
    rcldap, Implementation
    read only, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    realm, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Kerberos Configuration, NSS Configuration
    recognize, Technical Issues
    record locking, Microsoft Access
    recursively, Setting Posix ACLs in UNIX/Linux
    Red Hat, Drafting Office, Migrating NetWare Server to Samba-3
    Red Hat Fedora Linux, Samba Configuration
    Red Hat Linux, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
    redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
    refereed standards, Technical Issues
    regedit, Implementation
    regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
    registry, Questions and Answers
    keys
    SAM, Dissection and Discussion
    SECURITY, Dissection and Discussion
    registry change, Questions and Answers
    Registry Editor, Configuration of Default Profile with Folder Redirection
    registry hacks, Questions and Answers
    registry keys, Configuration of Default Profile with Folder Redirection
    reimburse, Dissection and Discussion
    rejected, Samba Domain with Samba Domain Member Server Using NSS LDAP, Share Access Controls
    rejoin, Questions and Answers
    reliability, Performance, Reliability, and Availability
    remote announce, Routed Networks
    remote browse sync, Routed Networks
    remote procedure call (see RPC)
    replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    replicated, Dissection and Discussion
    requesting payment, Free Support
    resilient, Guidelines for Reliable Samba Operation
    resolution, Replacing a Domain Member Server
    resolve, Technical Issues, Bad Hostnames
    response, IDMAP_RID with Winbind
    responsibility, Dissection and Discussion
    responsible, Technical Issues
    restrict anonymous, Samba Domain with Samba Domain Member Server Using NSS LDAP
    restricted export, Kerberos Exposed
    Restrictive security, Active Directory Domain with Samba Domain Member Server
    reverse DNS, Kerberos Configuration
    rfc2307bis, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    RID, IDMAP_RID with Winbind, LDAP Server Configuration
    risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
    road-map, Technical Issues
    published, Technical Issues
    roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
    roaming profiles, Technical Issues, Implementation, Roaming Profile Background
    routed network, Use and Location of BDCs
    router, Implementation
    routers, Questions and Answers, Routed Networks
    RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
    rpc, Security Identifiers (SIDs)
    rpcclient, Security Identifiers (SIDs)
    RPM, Security Identifiers (SIDs), Samba 1.9.x and 2.x Versions Without LDAP, Dissection and Discussion
    install, Implementation
    rpm, Removal of Pre-Existing Conflicting RPMs, Samba System File Location
    RPMs, Samba Configuration
    rpms, Removal of Pre-Existing Conflicting RPMs
    rsync, Samba-3 PDC Configuration, Questions and Answers, LDAP Server Configuration, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    rsyncd.conf, LDAP Server Configuration
    run-time control files, Samba System File Location

    S

    safe-guards, Technical Issues
    SAM, Dissection and Discussion
    samba, Removal of Pre-Existing Conflicting RPMs
    starting samba, Implementation
    Samba, Samba Configuration
    Samba accounts, Technical Issues
    samba cluster, Introduction
    samba control script, Starting Samba
    Samba Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers
    Samba Domain server, Using the MMC Computer Management Interface
    Samba RPM Packages, Samba-3 PDC Configuration
    Samba Tea, Samba Configuration
    sambaDomainName, NT4 Migration Using LDAP Backend
    sambaGroupMapping, LDAP Server Configuration
    SambaSAMAccount, Regarding LDAP Directories and Windows Computer Accounts
    SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
    sambaSamAccount, LDAP Server Configuration
    SambaXP conference, Questions and Answers
    SAN, For Scalability, Use SAN-Based Storage on Samba Servers
    SAS, Security Identifiers (SIDs)
    scalability, Introduction
    scalable, Identity Management Needs
    schannel, Technical Issues, Key Points Learned, Questions and Answers
    schema, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Samba-2.x with LDAP Support, Updating from Samba Versions between 3.0.6 and 3.0.10
    scripts, The LDAP Account Manager
    secondary group, Samba Domain with Samba Domain Member Server Using NSS LDAP
    secret, Kerberos Exposed
    secrets.tdb, Technical Issues, Samba-3 PDC Configuration, Security Identifiers (SIDs), Location of config files
    secure, Introduction
    secure account password, Questions and Answers
    secure connections, The LDAP Account Manager
    secure networking, Technical Issues
    secure networking protocols, Technical Issues
    security, Implementation, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers, Security Identifiers (SIDs), Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers, NSS Configuration
    identifier, Security Identifiers (SIDs)
    share mode, Dissection and Discussion
    user mode, Dissection and Discussion
    Security, Technical Issues, Using the MMC Computer Management Interface
    Security Account Manager (see SAM)
    security controls, Technical Issues
    security descriptors, Dissection and Discussion
    security fixes, Technical Issues
    security updates, Technical Issues
    SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    server
    domain member, Security Identifiers (SIDs)
    stand-alone, Security Identifiers (SIDs)
    server string, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, LDAP Server Configuration
    service, Implementation
    smb
    start, Configuration Specific to Domain Member Servers: BLDG1, BLDG2
    Service Packs, Application Share Configuration
    services, Key Points Learned
    services provided, Samba Support
    session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    Session Setup, Simple Windows Client Connection Characteristics
    SessionSetUpAndX, Security Identifiers (SIDs)
    set primary group script, Samba-3 PDC Configuration, Implementation, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    setfacl, Setting Posix ACLs in UNIX/Linux
    severely degrade, Samba Configuration
    SFU, IDMAP, Active Directory, and MS Services for UNIX 3.5
    SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
    shadow-utils, Questions and Answers
    share, Questions and Answers
    Share Access Controls, Share Access Controls
    share ACLs, Questions and Answers
    share definition, Technical Issues
    Share Definition
    Controls, Share Definition Controls
    share definition controls, Share Definition Controls, Checkpoint Controls, Share Point Directory and File Permissions, Questions and Answers
    share level access controls, Questions and Answers
    share level ACL, Questions and Answers
    Share Permissions, Share Access Controls
    shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
    shares, Technical Issues
    show add printer wizard, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, LDAP Server Configuration
    shutdown script, Samba Configuration, Implementation, Implementation
    SID, Windows Client Configuration, Regarding LDAP Directories and Windows Computer Accounts, Identity Management Needs, Technical Issues, IDMAP_RID with Winbind, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, Questions and Answers, Initialization of the LDAP Database
    side effects, Managing Windows 200x ACLs
    Sign'n'seal, Key Points Learned, Questions and Answers
    silent return, Active Directory Domain with Samba Domain Member Server
    simple, Dissection and Discussion
    Single Sign-On (see SSO)
    slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using NSS LDAP, LDAP Server Configuration
    slapd, Debugging LDAP
    slapd.conf, NT4 Migration Using LDAP Backend
    slave, Dissection and Discussion
    slow logon, Making Happy Users
    slow network, Hardware Problems
    slurpd, Implementation, Questions and Answers
    smart printing, Dissection and Discussion
    SMB, Security Identifiers (SIDs)
    SMB passwords, Implementation
    smb ports, Samba Configuration, Questions and Answers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend
    SMB/CIFS, Questions and Answers
    smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, Questions and Answers
    smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Security Identifiers (SIDs), Location of config files, Samba 1.9.x and 2.x Versions Without LDAP, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    location of files, Samba System File Location
    smbfs, Dissection and Discussion
    smbldap-groupadd, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbldap-groupmod, LDAP Server Configuration
    smbldap-passwd, LDAP Initialization and Creation of User and Group Accounts
    smbldap-populate, LDAP Initialization and Creation of User and Group Accounts
    smbldap-tools, NT4 Migration Using LDAP Backend, LDAP Server Configuration, The LDAP Account Manager
    smbldap-tools updating, NT4 Migration Using LDAP Backend
    smbldap-useradd, LDAP Initialization and Creation of User and Group Accounts, Implementation
    smbldap-usermod, LDAP Initialization and Creation of User and Group Accounts, LDAP Server Configuration
    smbmnt, Dissection and Discussion
    smbmount, Dissection and Discussion
    smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation: All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Questions and Answers, Updating Samba-3, Security Identifiers (SIDs), Applicable to All Samba 2.x to Samba-3 Upgrades, Technical Issues, Questions and Answers, Integrating Additional Services
    smbumnt, Dissection and Discussion
    smbumount, Dissection and Discussion
    SMTP, Technical Issues
    snap-shot, Dissection and Discussion
    socket address, Samba Configuration
    socket options, Samba Configuration
    software, Dissection and Discussion
    solve, Dissection and Discussion
    source code, Dissection and Discussion
    SPNEGO, Windows 200x/XP Client Interaction with Samba-3
    SQL, Dissection and Discussion, Questions and Answers
    Squid, Implementation, Removal of Pre-Existing Conflicting RPMs, Samba Configuration, Squid Configuration
    squid, Removal of Pre-Existing Conflicting RPMs, Samba Configuration
    Squid proxy, Technical Issues
    SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
    SSL, The LDAP Account Manager
    stand-alone server, Security Identifiers (SIDs)
    starting CUPS, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
    starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
    nmbd, Starting Samba
    smbd, Starting Samba
    winbindd, Starting Samba
    startingCUPS, Implementation
    startup script, Starting Samba
    sticky bit, Implementation
    storage capacity, Hardware Requirements
    strategic, Technical Issues
    strategy, Questions and Answers
    straw-man, Active Directory, Kerberos, and Security
    strict sync, Samba Configuration
    stripped, Samba 1.9.x and 2.x Versions Without LDAP
    strong cryptography, Kerberos Exposed
    subscription, Free Support
    SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
    Sun ONE Identity Server, Dissection and Discussion
    super daemon, Process Startup Configuration
    support, Dissection and Discussion, Samba Support
    survey, Adding Domain Member Servers and Clients
    SUSE, Migrating NetWare Server to Samba-3
    SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
    SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-Existing Conflicting RPMs
    SWAT, Samba System File Location
    sync always, Samba Configuration
    synchronization, Kerberos Configuration, For Scalability, Use SAN-Based Storage on Samba Servers
    synchronize, User Needs, LDAP Server Configuration
    synchronized, Questions and Answers
    syslog, Implementation, Samba Configuration, Implementation, OpenLDAP Server Configuration, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    system level logins, Questions and Answers
    system security, Technical Issues

    T

    tattooing, Questions and Answers
    TCP/IP, Questions and Answers
    tdbdump, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NT4 Migration Using LDAP Backend
    tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Applicable to All Samba 2.x to Samba-3 Upgrades, Updating from Samba Versions between 3.0.6 and 3.0.10, Technical Issues, Questions and Answers
    template primary group, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server
    template shell, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension
    testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba 1.9.x and 2.x Versions Without LDAP, Samba Configuration
    ticket, Samba Configuration
    time server, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation, LDAP Server Configuration
    Tivoli Directory Server, Dissection and Discussion
    TLS, LDAP Server Configuration
    token, Technical Issues
    tool, Questions and Answers, Dissection and Discussion
    TOSHARG2, Implementation
    track record, Dissection and Discussion
    traffic collisions, Making Happy Users
    transaction processing, Dissection and Discussion
    transactional, Questions and Answers
    transfer, Questions and Answers
    translate, Managing Windows 200x ACLs
    traverse, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    tree, Dissection and Discussion
    Tree Connect, Simple Windows Client Connection Characteristics
    trust account, Regarding LDAP Directories and Windows Computer Accounts
    trusted computing, Introduction
    Trusted Domains, Technical Issues
    trusted domains, Questions and Answers
    trusted third-party, Kerberos Exposed
    trusting, Kerberos Exposed
    turn-around time, Technical Issues

    U

    UDP
    broadcast, Routed Networks
    UID, Dissection and Discussion, Regarding LDAP Directories and Windows Computer Accounts, Technical Issues, Implementation, Questions and Answers, Questions and Answers
    un-join, Questions and Answers
    unauthorized activities, Kerberos Exposed
    UNC name, Questions and Answers
    unencrypted, The LDAP Account Manager
    Unicast, The Nature of Windows Networking Protocols
    unicode, International Language Support
    Universal Naming Convention (see UNC name)
    UNIX, LDAP Server Configuration
    groups, Technical Issues, Implementation
    UNIX account, Questions and Answers
    UNIX accounts, Technical Issues
    unix charset, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server
    unix password sync, Samba Configuration
    UNIX/Linux server, Technical Issues
    unix2dos, Samba Configuration, Configuration for Server: MASSIVE
    unknown, Technical Issues
    unsupported software, Commercial Support
    update, Introduction, Cautions and Notes
    updates, Introduction, Technical Issues
    updating smbldap-tools, NT4 Migration Using LDAP Backend
    upgrade, Introduction, Cautions and Notes, LDAP Server Configuration
    uppercase, Implementation
    use client driver, Implementation, Implementation, Implementation, Samba Configuration, Implementation, NT4 Migration Using LDAP Backend, LDAP Server Configuration
    user
    management, Implementation, Samba Configuration, Configuration for Server: MASSIVE
    user account, Making Happy Users, OpenLDAP Server Configuration
    User and Group Controls, Technical Issues
    user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
    user errors, Questions and Answers
    user groups, Free Support
    user identities, Implementation
    user logins, Questions and Answers
    user management, Implementation
    User Manager, NT4 Migration Using LDAP Backend
    User Mode, Implementation, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
    useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE, Applicable to All Samba 2.x to Samba-3 Upgrades
    userdel, Applicable to All Samba 2.x to Samba-3 Upgrades
    usermod, Applicable to All Samba 2.x to Samba-3 Upgrades, NT4 Migration Using LDAP Backend
    username, Security Identifiers (SIDs)
    username map, Implementation, Samba Configuration, Server Preparation: All Servers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    UTF-8, International Language Support
    utilities, Questions and Answers
    utmp, Samba Configuration, Implementation, Implementation

    V

    valid users, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, Questions and Answers, NT4 Migration Using LDAP Backend, LDAP Server Configuration, Checkpoint Controls, Questions and Answers
    validate, Questions and Answers, Checkpoint Controls
    validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
    validation, Validation, Validation, Questions and Answers
    vampire, Questions and Answers
    vendor, Dissection and Discussion
    vendors, Updating a Samba-3 Installation
    veto files, Samba Configuration, Implementation, LDAP Server Configuration
    veto oplock files, Samba Configuration, Implementation
    VFS modules, Samba System File Location
    virus, Implementation
    VPN, Assignment Tasks
    vulnerabilities, Introduction

    W

    wbinfo, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
    weakness, Technical Issues
    web
    caching, Assignment Tasks
    proxying, Assignment Tasks
    Web
    proxy, Questions and Answers
    access, Key Points Learned
    Web browsers, Key Points Learned
    WebClient, Making Happy Users
    WHATSNEW.txt, Samba-2.x with LDAP Support
    white-pages, Technical Issues, LDAP Server Configuration
    wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
    Winbind, Questions and Answers, Technical Issues, Key Points Learned
    winbind enable local accounts, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Questions and Answers
    winbind enum groups, IDMAP_RID with Winbind, NSS Configuration
    winbind enum users, IDMAP_RID with Winbind, NSS Configuration
    winbind nested groups, IDMAP_RID with Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, NT4 Migration Using LDAP Backend
    winbind separator, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
    winbind trusted domains only, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Questions and Answers
    winbind use default domain, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Checkpoint Controls
    winbind user default domain, NSS Configuration
    winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using NSS LDAP, Questions and Answers, Samba 1.9.x and 2.x Versions Without LDAP, Updating from Samba Versions after 3.0.6 to a Current Release, Replacing a Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
    winbindd_cache.tdb, Technical Issues
    winbindd_idmap.tdb, Technical Issues
    Windows, LDAP Server Configuration
    client, Security Identifiers (SIDs)
    NT, Security Identifiers (SIDs)
    Windows 2000 ACLs, Managing Windows 200x ACLs
    Windows 2003 Serve, Introduction
    Windows 200x ACLs, Questions and Answers
    Windows accounts, Technical Issues
    Windows ACLs, Setting Posix ACLs in UNIX/Linux
    Windows Address Book, LDAP Server Configuration
    Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    Windows clients, Questions and Answers
    Windows Explorer, Validation
    Windows explorer, Questions and Answers
    Windows security identifier (see SID)
    Windows Servers, Introduction
    Windows Services for UNIX (see SUS)
    Windows XP, Assignment Tasks
    WINS, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers, Questions and Answers
    lookup, Questions and Answers
    name resolution, Routed Networks
    server, Making Happy Users, Routed Networks
    WINS server, The 500-User Office, Questions and Answers
    wins server, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, NT4 Migration Using LDAP Backend
    WINS serving, Implementation
    wins support, Implementation, Implementation, Implementation, Samba Configuration, Validation, Implementation, Samba-3 PDC Configuration, Implementation, LDAP Server Configuration
    wins.dat, Identity Management Needs, Replacing a Domain Member Server
    Word, Share Point Directory and File Permissions
    workgroup, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, IDMAP_RID with Winbind, IDMAP Storage in LDAP using Winbind, IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension, Security Identifiers (SIDs), Change of Workgroup (Domain) Name, NT4 Migration Using LDAP Backend, LDAP Server Configuration, NSS Configuration
    Workgroup Announcement, Findings
    workstation, Implementation
    wrapper, Questions and Answers
    write list, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using NSS LDAP, NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind, NT4/Samba Domain with Samba Domain Member Server without NSS Support, Active Directory Domain with Samba Domain Member Server, LDAP Server Configuration
    write lock, Opportunistic Locking Controls

    X

    xinetd, Process Startup Configuration
    XML, Dissection and Discussion
    xmlsam, Implementation

    Y

    YaST, PAM and NSS Client Configuration
    Yellow Pages, Identity Management Needs
    yellow pages (see NIS)
    Prev   
    Glossary Home 
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/kerberos.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/kerberos.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/kerberos.html 2005-08-19 12:59:35.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/kerberos.html 2005-12-19 10:19:24.000000000 -0600 @@ -1,10 +1,10 @@ -Chapter 11. Active Directory, Kerberos, and Security
    Chapter 11. Active Directory, Kerberos, and Security
    Prev Part III. Reference Section Next

    Chapter 11. Active Directory, Kerberos, and Security

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers

    +Chapter 11. Active Directory, Kerberos, and Security

    Chapter 11. Active Directory, Kerberos, and Security
    Prev Part III. Reference Section Next

    Chapter 11. Active Directory, Kerberos, and Security

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers

    By this point in the book, you have been exposed to many Samba-3 features and capabilities. More importantly, if you have implemented the examples given, you are well on your way to becoming a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to practice, you likely have thought of improvements and scenarios with which you can experiment. You are rather well plugged in to the many flexible ways Samba can be used. -

    +

    This is a book about Samba-3. Understandably, its intent is to present it in a positive light. The casual observer might conclude that this book is one-eyed about Samba. It is what would you expect? This chapter exposes some criticisms that have been raised concerning @@ -13,13 +13,13 @@ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of criticism develops with respect to Abmas. -

    +

    This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled out of thin air. They were drawn from comments made by Samba users and from criticism during discussions with Windows network administrators. The tone of the objections reflects as closely as possible that of the original. The case presented is a straw-man example that is designed to permit each objection to be answered as it might occur in real life. -

    Introduction

    +

    Introduction

    Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took note of the spectacular projection of Abmas onto the global business stage. Abmas is building an interesting portfolio of companies that includes accounting services, financial advice, investment @@ -28,42 +28,42 @@ interesting business growth and development plan. Abmas Video Rentals was recently acquired. During the time that the acquisition was closing, the Video Rentals business upgraded its Windows NT4-based network to Windows 2003 Server and Active Directory. -

    +

    You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to operate with a solution that is viewed by Christine and her group as “an island of broken technologies.” This comment was made by one of Christine's staff as they were installing a new Samba-3 server at the new business. -

    +

    Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer should make such a comment. He felt that he had to prepare in case he might be criticized for his decision to use Active Directory. He decided he would defend his decision by hiring the services - of an outside security systems consultant to report[12] on his unit's operations + of an outside security systems consultant to report[12] on his unit's operations and to investigate the role of Samba at his site. Here are key extracts from this hypothetical report: -

    +

    ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. ... we took additional steps to validate the integrity of the installation and operation of Active Directory and are pleased that your staff are following sound practices.

    ... -

    +

    User and group accounts, and respective privileges, have been well thought out. File system shares are appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and effective off-site storage practices are considered to exceed industry norms. -

    +

    Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain a secure network. -

    +

    The recently installed Linux file and application server uses a tool called winbind that is indiscriminate about security. All user accounts in Active Directory can be used to access data stored on the Linux system. We are alarmed that secure information is accessible to staff who should not even be aware that it exists. We share the concerns of your network management staff who have gone to great lengths to set fine-grained controls that limit information access to those who need access. It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. -

    +

    Graham Judd [head of network administration] has locked down the security of all systems and is following the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network is isolated from the outside world, the [product name removed] firewall is under current contract @@ -72,7 +72,7 @@ detail and for following Microsoft recommended best practices.

    ... -

    +

    Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft ... what worries us regarding Samba is the need to disable essential Windows security features such as @@ -80,14 +80,14 @@ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that with trusted computing initiatives that the Samba developers do not participate in. -

    +

    One wonders about the integrity of an open source program that is developed by a team of hackers who cannot be held accountable for the flaws in their code. The sheer number of updates and bug fixes they have released should ring alarm bells in any business. -

    +

    Another factor that should be considered is that buying Microsoft products and services helps to provide employment in the IT industry. Samba and Open Source software place those jobs at risk. -

    +

    This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple discussion, but it gets further out of hand. When you return to your office, you find the following email in your in-box: @@ -100,23 +100,23 @@ I also wish to advise that two of the recent recruits want to implement Kerberos authentication across all systems. I concur with the desire to improve security. One of the new guys who is championing the move to Kerberos was responsible for the comment that caused the embarrassment. -

    +

    I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, I would like to hire the services of a well-known Samba consultant to set the record straight. -

    +

    I intend to use this report to answer the criticism raised and would like to establish a policy that we will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce use of any centrally proposed standards, but make all noncompliance the financial responsibility of the out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. -

    		 
     --Stan

    Assignment Tasks

    +

    		 
     --Stan

    Assignment Tasks

    You agreed with Stan's recommendations and hired a consultant to help defuse the powder keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able to support his or her claims, keep emotions to the side, and answer technically. -

    Dissection and Discussion

    +

    Dissection and Discussion

    Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to make or reject. It is likely that your decision to use Samba can greatly benefit your company. The Samba Team obviously believes that the Samba software is a worthy choice. @@ -124,18 +124,18 @@ someone to help manage your Samba installation, you can create income and employment. Alternately, money saved by not spending in the IT area can be spent elsewhere in the business. All money saved or spent creates employment. -

    +

    In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted purely to provide file and print service interoperability on platforms that otherwise cannot provide access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an alternative to the use of a Microsoft file and print serving platforms with no consideration of costs. -

    +

    It would be foolish to adopt a technology that might put any data or users at risk. Security affects everyone. The Samba-Team is fully cognizant of the responsibility they have to their users. The Samba documentation clearly reveals that full responsibility is accepted to fix anything that is broken. -

    +

    There is a mistaken perception in the IT industry that commercial software providers are fully accountable for the defects in products. Open Source software comes with no warranty, so it is often assumed that its use confers a higher degree of risk. Everyone should read commercial software @@ -143,34 +143,34 @@ extent of liability that is accepted. Doing so soon dispels the popular notion that commercial software vendors are willingly accountable for product defects. In many cases, the commercial vendor accepts liability only to reimburse the price paid for the software. -

    +

    The real issues that a consumer (like you) needs answered are What is the way of escape from technical problems, and how long will it take? The average problem turnaround time in the Open Source community is approximately 48 hours. What does the EULA offer? What is the track record in the commercial software industry? What happens when your commercial vendor decides to cease providing support? -

    +

    Open Source software at least puts you in possession of the source code. This means that when all else fails, you can hire a programmer to solve the problem. -

    Technical Issues

    +

    Technical Issues

    Each issue is now discussed and, where appropriate, example implementation steps are provided. -

    Winbind and Security

    +

    Winbind and Security

    Windows network administrators may be dismayed to find that winbind exposes all domain users so that they may use their domain account credentials to log on to a UNIX/Linux system. The fact that all users in the domain can see the UNIX/Linux server in their Network Neighborhood and can browse the shares on the server seems to excite them further. -

    +

    winbind provides for the UNIX/Linux domain member server or client, the same as one would obtain by adding a Microsoft Windows server or client to the domain. The real objection is the fact that Samba is not MS Windows and therefore requires handling a little differently from the familiar Windows systems. One must recognize fear of the unknown. -

    +

    Windows network administrators need to recognize that winbind does not, and cannot, override account controls set using the Active Directory management tools. The control is the same. Have no fear. -

    +

    Where Samba and the ADS domain account information obtained through the use of winbind permits access, by browsing or by the drive mapping to a share, to data that should be better protected. This can only happen when security @@ -178,14 +178,14 @@ on:

    • Shares themselves (i.e., the logical share itself)

    • The share definition in smb.conf

    • The shared directories and files using UNIX permissions

    • Using Windows 2000 ACLs if the file system is POSIX enabled

    Examples of each are given in ???. -

    User and Group Controls

    +

    User and Group Controls

    User and group management facilities as known in the Windows ADS environment may be used to provide equivalent access control constraints or to provide equivalent permissions and privileges on Samba servers. Samba offers greater flexibility in the use of user and group controls because it has additional layers of control compared to Windows 200x/XP. For example, access controls on a Samba server may be set within the share definition in a manner for which Windows has no equivalent. -

    +

    In any serious analysis of system security, it is important to examine the safeguards that remain when all other protective measures fail. An administrator may inadvertently set excessive permissions on the file system of a shared resource, or he may set excessive @@ -193,35 +193,35 @@ the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is possible to guard against that by enforcing controls on the share definition itself. You see a practical example of this a little later in this chapter. -

    +

    The report that is critical of Samba really ought to have exercised greater due diligence: the real weakness is on the side of a Microsoft Windows environment. -

    Security Overall

    +

    Security Overall

    Samba is designed in such a manner that weaknesses inherent in the design of Microsoft Windows networking ought not to expose the underlying UNIX/Linux file system in any way. All software has potential defects, and Samba is no exception. What matters more is how defects that are discovered get dealt with. -

    +

    The Samba Team totally agrees with the necessity to observe and fully implement every security facility to provide a level of protection and security that is necessary and that the end user (or network administrator) needs. Never would the Samba Team recommend a compromise to system security, nor would deliberate defoliation of security be publicly condoned; yet this is the practice by many Windows network administrators just to make happy users who have no notion of consequential risk. -

    +

    The report condemns Samba for releasing updates and security fixes, yet Microsoft online updates need to be applied almost weekly. The answer to the criticism lies in the fact that Samba development is continuing, documentation is improving, user needs are being increasingly met or exceeded, and security updates are issued with a short turnaround time. -

    +

    The release of Samba-4 is expected around late 2004 to early 2005 and involves a near complete rewrite to permit extensive modularization and to prepare Samba for new functionality planned for addition during the next-generation series. The Samba Team is responsible and can be depended upon; the history to date suggests a high degree of dependability and on charter development consistent with published roadmap projections. -

    +

    Not well published is the fact that Microsoft was a foundation member of the Common Internet File System (CIFS) initiative, together with the participation of the network attached storage (NAS) industry. Unfortunately, for the past few years, @@ -230,7 +230,7 @@ space. The Samba Team has maintained consistent presence and leadership at all CIFS conferences and at the interoperability laboratories run concurrently with them. -

    Cryptographic Controls (schannel, sign'n'seal)

    +

    Cryptographic Controls (schannel, sign'n'seal)

    The report correctly mentions that Samba did not support the most recent schannel and digital sign'n'seal features of Microsoft Windows NT/200x/XPPro products. This is one of the key features @@ -238,7 +238,7 @@ seldom a reflection of current practice, and in many respects reports are like a pathology report they reflect accurately (at best) status at a snapshot in time. Meanwhile, the world moves on. -

    +

    It should be pointed out that had clear public specifications for the protocols been published, it would have been much easier to implement these features and would have taken less time to do. The sole mechanism used to find an algorithm that is compatible @@ -246,7 +246,7 @@ and trial-and-error implementation of potential techniques. The real value of public and defensible standards is obvious to all and would have enabled more secure networking for everyone. -

    +

    Critics of Samba often ignore fundamental problems that may plague (or may have plagued) the users of Microsoft's products also. Those who are first to criticize Samba for not rushing into release of digital sign'n'seal support @@ -258,7 +258,7 @@ implementation of sign'n'seal. They provide a work-around that is not trivial for many Windows networking sites. From notes such as this it is clear that there are benefits from not rushing new technology out of the door too soon. -

    +

    One final comment is warranted. If companies want more secure networking protocols, the most effective method by which this can be achieved is by users seeking and working together to help define open and publicly refereed standards. The @@ -274,7 +274,7 @@ of them that uses RPCs that are not supported by any of these component technologies and yet by which they are made to interoperate in ways that the components do not support. -

    +

    In order to make the popular request for Samba to be an Active Directory Server a reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls that are not presently supported. The Samba Team has not been able to gain critical @@ -282,34 +282,34 @@ challenge of developing and integrating the necessary technologies. Therefore, if the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality into the Samba project, this dream request cannot become a reality. -

    +

    At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the Samba development roadmap. If it is not on the published roadmap, it cannot be delivered anytime soon. Ergo, ADS server support is not a current goal for Samba development. The Samba Team is most committed to permitting Samba to be a full ADS domain member that is increasingly capable of being managed using Microsoft Windows MMC tools. -

    Kerberos Exposed

    +

    Kerberos Exposed

    Kerberos is a network authentication protocol that provides secure authentication for client-server applications by using secret-key cryptography. Firewalls are an insufficient barrier mechanism in today's networking world; at best they only restrict incoming network traffic but cannot prevent network traffic that comes from authorized locations from performing unauthorized activities. -

    +

    Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server has used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. -

    +

    Kerberos is a trusted third-party service. That means that there is a third party (the kerberos server) that is trusted by all the entities on the network (users and services, usually called principals). All principals share a secret password (or key) with the kerberos server and this enables principals to verify that the messages from the kerberos server are authentic. Therefore, trusting the kerberos server, users and services can authenticate each other.

    - - - + + + Kerberos was, until recently, a technology that was restricted from being exported from the United States. For many years that hindered global adoption of more secure networking technologies both within the United States and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe @@ -318,11 +318,11 @@ It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications and in the general deployment and use of Kerberos across the spectrum of the information technology industry.

    - + A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation of it. For example, a 2002 IDG - report[13] by + report[13] by states:

    A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to @@ -330,7 +330,7 @@ with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's use of the Kerberos authentication specification, not everyone agrees.

    - + Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with @@ -338,8 +338,8 @@ Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so that software developers could add their own authorization information, he said.

    - - + + It so happens that Microsoft Windows clients depend on and expect the contents of the unspecified fields in the Kerberos 5 communications data stream for their Windows interoperability, particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability @@ -351,7 +351,7 @@ Microsoft makes the following comment in a reference in a technet article: -

    +

    The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership. @@ -361,10 +361,10 @@ Windows NT access control information.

    Implementation

    The following procedures outline the implementation of the security measures discussed so far. -

    Share Access Controls

    +

    Share Access Controls

    Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as Windows XP Pro) attempts to make a connection to the Samba server. -

    Procedure 11.1. Create/Edit/Delete Share ACLs

    1. +

      Procedure 11.1. Create/Edit/Delete Share ACLs

      1. From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator account (on Samba domains, this is usually the account called root).

      2. @@ -373,16 +373,16 @@

      3. In the left panel, [Right mouse menu item] Computer Management (Local)->Connect to another computer ...->Browse...->Advanced->Find Now. In the lower panel, click on the name of the server you wish to - administer. Click OK->OK->OK. + administer. Click OK->OK->OK. In the left panel, the entry Computer Management (Local) should now reflect the change made. For example, if the server you are administering is called FRODO, the Computer Management entry should now say Computer Management (FRODO).

      4. In the left panel, click Computer Management (FRODO)->[+] Shared Folders->Shares. -

      5. +

      6. In the right panel, double-click on the share on which you wish to set/edit ACLs. This will bring up the Properties panel. Click the Share Permissions tab. -

      7. +

      8. You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -391,20 +391,20 @@

      9. When you are done with editing, close all panels by clicking through the OK buttons. -

    Share Definition Controls

    +

    Share Definition Controls

    Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a checkpoint can be used to require someone who wants to get through to meet certain requirements, so it is possible to require the user (or group the user belongs to) to meet specified credential-related objectives. It can be likened to a pile-driver by overriding default controls in that having met the credential-related objectives, the user can be granted powers and privileges that would not normally be available under default settings. -

    +

    It must be emphasized that the controls discussed here can act as a filter or give rights of passage that act as a superstructure over normal directory and file access controls. However, share-level ACLs act at a higher level than do share definition controls because the user must filter through the share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented by Samba and Windows networking consists of: -

    1. Share-level ACLs

    2. Share-definition controls

    3. Directory and file permissions

    4. Directory and file POSIX ACLs

    Checkpoint Controls

    +

    1. Share-level ACLs

    2. Share-definition controls

    3. Directory and file permissions

    4. Directory and file POSIX ACLs

    Checkpoint Controls

    Consider the following extract from a smb.conf file defining the share called Apps: 

     [Apps]
@@ -415,19 +415,19 @@

    This definition permits only those who are members of the group called Employees to access the share. -

    Note

    +

    Note

    On domain member servers and clients, even when the winbind use default domain has been specified, the use of domain accounts in security controls requires fully qualified domain specification, - for example, valid users = @"MEGANET\Northern Engineers". + for example, valid users = @"MEGANET\Northern Engineers". Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a delimiter. -

    +

    If there is an ACL on the share itself to permit read/write access for all Employees as well as read/write for the group Doctors, both groups are permitted through to the share. However, at the moment an attempt is made to set up a connection to the share, a member of the group Doctors, who is not also a member of the group Employees, would immediately fail to validate. -

    +

    Consider another example. In this case, you want to permit all members of the group Employees except the user patrickj to access the Apps share. This can be easily achieved by setting a share-level ACL permitting only Employees to access the share, @@ -440,7 +440,7 @@ read only = Yes invalid users = patrickj

    - + Let us assume that you want to permit the user gbshaw to manage any file in the UNIX/Linux file system directory /data/apps, but you do not want to grant any write permissions beyond that directory tree. Here is one way this can be done: @@ -452,7 +452,7 @@ invalid users = patrickj admin users = gbshaw

    - + Now we have a set of controls that permits only Employees who are also members of the group Doctors, excluding the user patrickj, to have read-only privilege, but the user gbshaw is granted administrative rights. @@ -474,11 +474,11 @@ admin users = gbshaw write list = peters

    - + This is a particularly complex example at this point, but it begins to demonstrate the possibilities. You should refer to the online manual page for the smb.conf file for more information regarding the checkpoint controls that Samba implements. -

    Override Controls

    +

    Override Controls

    Override controls implemented by Samba permit actions like the adoption of a different identity during file system operations, the forced overwriting of normal file and directory permissions, and so on. You should refer to the online manual page for the smb.conf file for more information regarding @@ -496,14 +496,14 @@ force user = billc force group = Mentors

    - + That is all there is to it. Well, it is almost that simple. The downside of this method is that users are logged onto the Windows client as themselves, and then immediately before accessing the file, Samba makes system calls to change the effective user and group to the forced settings specified, completes the file transaction, and then reverts to the actually logged-on identity. This imposes significant overhead on Samba. The alternative way to effectively achieve the same result (but with lower system CPU overheads) is described next. -

    +

    The use of the force user or the force group may also have a severe impact on system (particularly on Windows client) performance. If opportunistic locking is enabled on the share (the default), it causes an oplock break to be @@ -513,7 +513,7 @@ waiting for the file system transaction (read or write) to complete. The result can be a profound apparent performance degradation as the client continually attempts to reconnect to overcome the effect of the lost oplock break, or time-out. -

    Share Point Directory and File Permissions

    +

    Share Point Directory and File Permissions

    Samba has been designed and implemented so that it respects as far as is feasible the security and user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing with respect to file system access that violates file system permission settings, unless it is @@ -521,7 +521,7 @@ UNIX file system controls, this chapter does not document simple information that can be obtained from a basic UNIX training guide. Instead, one common example of a typical problem is used to demonstrate the most effective solution referred to in the immediately preceding paragraph. -

    +

    One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:

    1. @@ -541,7 +541,7 @@ There have been many postings over the years that report the same basic problem. Frequently Samba users want to know when this “bug” will be fixed. The fact is, this is not a bug in Samba at all. Here is the real sequence of what happens in this case. -

      +

      When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned by the user who creates the file (billc) and has the permissions that follow that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing @@ -559,7 +559,7 @@ The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these simple steps to create a share in which all files will consistently be owned by the same user and the same group: -

      Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership

      1. +

        Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership

        1. Change your share definition so that it matches this pattern: 

           [finance]
@@ -567,18 +567,18 @@
         browseable = Yes
         read only = No

          -

        2. +

        3. Set consistent user and group permissions recursively down the directory tree as shown here: 

           root#  chown -R janetp.users /usr/data/finance

          -

        4. +

        5. Set the files and directory permissions to be read/write for owner and group, and not accessible to others (everyone), using the following command: 

           root#  chmod ug+rwx,o-rwx /usr/data/finance

          -

        6. +

        7. Set the SGID (supergroup) bit on all directories from the top down. This means all files can be created with the permissions of the group set on the directory. It means all users who are members of the group finance can read and write all files in @@ -588,11 +588,11 @@ root# find /usr/data/finance -type d -exec chmod ug+s {}\;

          -

        8. +

        9. Make sure all users that must have read/write access to the directory have finance group membership as their primary group, for example, the group they belong to in /etc/passwd. -

      Managing Windows 200x ACLs

      +

    Managing Windows 200x ACLs

    Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means that some transactions are not possible from MS Windows clients. One of these is to reset the ownership @@ -600,7 +600,7 @@

    There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. -

    Using the MMC Computer Management Interface

    1. +

      Using the MMC Computer Management Interface

      1. From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator account (on Samba domains, this is usually the account called root).

      2. @@ -615,14 +615,14 @@ the Computer Management entry should now say: Computer Management (FRODO).

      3. In the left panel, click Computer Management (FRODO)->[+] Shared Folders->Shares. -

      4. +

      5. In the right panel, double-click on the share on which you wish to set/edit ACLs. This brings up the Properties panel. Click the Security tab. It is best to edit ACLs using the Advanced editing features. Click the Advanced button. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized with respect to a Samba domain server. -

      6. +

      7. You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -631,7 +631,7 @@

      8. When you are done with editing, close all panels by clicking through the OK buttons until the last panel closes. -

      Using MS Windows Explorer (File Manager)

      +

    Using MS Windows Explorer (File Manager)

    The following alternative method may be used from a Windows workstation. In this example we work with a domain called MEGANET, a server called MASSIVE, and a share called Apps. The underlying UNIX/Linux share point for this share is @@ -639,7 +639,7 @@

    1. Click Start->[right-click] My Computer->Explore->[left panel] [+] My Network Places->[+] Entire Network->[+] Microsoft Windows Network->[+] Meganet->[+] Massive->[right-click] Apps->Properties->Security->Advanced. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized for a Samba domain server. -

    2. +

    3. You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -648,7 +648,7 @@

    4. When you are done with editing, close all panels by clicking through the OK buttons until the last panel closes. -

    Setting Posix ACLs in UNIX/Linux

    +

    Setting Posix ACLs in UNIX/Linux

    Yet another alternative method for setting desired security settings on the shared resource files and directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 @@ -671,7 +671,7 @@ group::rwx other::r-x

    -

  • +

  • You want to add permission for AppsMgrs to enable them to manage the applications (apps) share. It is important to set the ACL recursively so that the AppsMgrs have this capability throughout the directory tree that is @@ -694,26 +694,26 @@ other::r-x

    This confirms that the change of POSIX ACL permissions has been effective. -

  • +

  • It is highly recommended that you read the online manual page for the setfacl and getfacl commands. This provides information regarding how to set/read the default ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent of setting inheritance properties. -

    • Key Points Learned

    +

    Key Points Learned

    The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. Looking back, this chapter could be broken into two, but it's too late now. It has been done. The highlights covered are as follows: -

    • +

      • Winbind honors and does not override account controls set in Active Directory. This means that password change, logon hours, and so on, are (or soon will be) enforced by Samba winbind. At this time, an out-of-hours login is denied and password change is enforced. At this time, if logon hours expire, the user is not forcibly logged off. That may be implemented at some later date. -

      • +

      • Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential problems acknowledged by Microsoft as having been fixed but reported by some as still possibly an open issue. -

      • +

      • The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft Active Directory. The possibility to do this is not planned in the current Samba-3 roadmap. Samba-3 does aim to provide further improvements in interoperability so that @@ -722,83 +722,83 @@ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of the four key methodologies was reviewed with specific reference to example deployment techniques. -

    Questions and Answers

    -

    Sign'n'sealregistry hacks +

    Questions and Answers

    +

    Sign'n'sealregistry hacks Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? -
    +
    Does Samba-3 support Active Directory? -
    mixed-mode +
    mixed-mode When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -
    share level access controls +
    share level access controls Is it safe to set share-level access controls in Samba? -
    share ACLs +
    share ACLs Is it mandatory to set share ACLs to get a secure Samba-3 server? -
    valid users +
    valid users The valid users did not work on the [homes]. Has this functionality been restored yet? -
    force userforce groupbias +
    force userforce groupbias Is the bias against use of the force user and force group really warranted? -
    +
    The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? -
    Computer Management +
    Computer Management In the book, The Official Samba-3 HOWTO and Reference Guide, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? -
    valid usersActive DirectoryDomain Member server +
    valid usersActive DirectoryDomain Member server I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now? -

    +

    Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? -

    +

    No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a domain controller. -

    +

    Does Samba-3 support Active Directory? -

    +

    Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory domain member server. -

    +

    When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -

    +

    No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, because Samba-3 can join a native Windows 2003 Server ADS domain. -

    +

    Is it safe to set share-level access controls in Samba?

    Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, neither on Windows server or with Samba servers. -

    +

    Is it mandatory to set share ACLs to get a secure Samba-3 server? -

    +

    No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it. -

    +

    The valid users did not work on the [homes]. Has this functionality been restored yet? -

    +

    Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: - valid users = %S. -

    + valid users = %S. +

    Is the bias against use of the force user and force group really warranted? -

    +

    There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it? -

    +

    The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? -

    +

    Sure. You do not have to set the SUID bit on the directory. Simply execute the following command to permit file ownership to be retained by the user who created it: 

    @@ -806,20 +806,20 @@

    Note that this required no more than removing the u argument so that the SUID bit is not set for the owner. -

    +

    In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? -

    +

    Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility. -

    +

    I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now?

    The use of this parameter has always required the full specification of the domain account, for example, valid users = @"MEGANET2\Domain Admins". -


    [13] ITWorld.com
    Prev Up Next
    Part III. Reference Section Home Chapter 12. Integrating Additional Services
    +


    [13] ITWorld.com
    Prev Up Next
    Part III. Reference Section Home Chapter 12. Integrating Additional Services
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ntmigration.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/ntmigration.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/ntmigration.html 2005-08-19 12:59:32.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/ntmigration.html 2005-12-19 10:19:22.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 9. Migrating NT4 Domain to Samba-3
    Chapter 9. Migrating NT4 Domain to Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 9. Migrating NT4 Domain to Samba-3

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers

    +Chapter 9. Migrating NT4 Domain to Samba-3

    Chapter 9. Migrating NT4 Domain to Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 9. Migrating NT4 Domain to Samba-3

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    NT4 Migration Using LDAP Backend
    NT4 Migration Using tdbsam Backend
    Key Points Learned
    Questions and Answers

    Ever since Microsoft announced that it was discontinuing support for Windows NT4, Samba users started to ask for detailed instructions on how to migrate from NT4 to Samba-3. This chapter provides background information that should @@ -6,23 +6,23 @@

    One wonders how many NT4 systems will be left in service by the time you read this book though. -

    Introduction

    +

    Introduction

    Network administrators who want to migrate off a Windows NT4 environment know one thing with certainty. They feel that NT4 has been abandoned, and they want to update. The desire to get off NT4 and to not adopt Windows 200x and Active Directory is driven by a mixture of concerns over complexity, cost, fear of failure, and much more.

    - - - - + + + + The migration from NT4 to Samba-3 can involve a number of factors, including migration of data to another server, migration of network environment controls such as group policies, and migration of the users, groups, and machine accounts.

    - + It should be pointed out now that it is possible to migrate some systems from a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly not possible in every case. It is possible to just migrate the domain accounts @@ -30,10 +30,10 @@ the exception than the rule. Most systems require some tweaking after migration before an environment that is acceptable for immediate use is obtained. -

    Assignment Tasks

    - - - +

    Assignment Tasks

    + + + You are about to migrate an MS Windows NT4 domain accounts database to a Samba-3 server. The Samba-3 server is using a passdb backend based on LDAP. The @@ -42,27 +42,27 @@

    Your objective is to document the process of migrating user and group accounts from several NT4 domains into a single Samba-3 LDAP backend database. -

    Dissection and Discussion

    - - - - - - +

    Dissection and Discussion

    + + + + + + The migration process takes a snapshot of information that is stored in the Windows NT4 registry-based accounts database. That information resides in the Security Account Manager (SAM) portion of the NT4 registry under keys called SAM and SECURITY.

    Warning

    - - + + The Windows NT4 registry keys called SAM and SECURITY are protected so that you cannot view the contents. If you change the security setting to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not do this unless you are willing to render your domain controller inoperative.

    - - + + Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, that may not be a good idea from an administration perspective. Since the process involves going @@ -70,9 +70,9 @@ review the structure of the network, how Windows clients are controlled and how they interact with the network environment.

    - - - + + + MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed have done little to keep the NT4 server environment up to date with more recent Windows releases, particularly Windows XP Professional. The migration provides opportunity to revise and update @@ -83,9 +83,9 @@ as a good time to update desktop systems also. In all, the extra effort should constitute no real disruption to users, but rather, with due diligence and care, should make their network experience a much happier one. -

    Technical Issues

    - - +

    Technical Issues

    + + Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic element. Many sites have asked for instructions regarding merging of multiple NT4 domains into one Samba-3 LDAP database. It seems that this is viewed as a significant @@ -93,35 +93,35 @@ Directory. The diagram in ??? illustrates the effect of migration from a Windows NT4 domain to a Samba domain.

    Figure 9.1. Schematic Explaining the net rpc vampire Process

    Schematic Explaining the net rpc vampire Process

    - - + + If you want to merge multiple NT4 domain account databases into one Samba domain, you must now dump the contents of the first migration and edit it as appropriate. Now clean out (remove) the tdbsam backend file (passdb.tdb) or the LDAP database files. You must start each migration with a new database into which you merge your NT4 domains. -

    +

    At this point, you are ready to perform the second migration, following the same steps as for the first. In other words, dump the database, edit it, and then you may merge the dump for the first and second migrations. -

    +

    You must be careful. If you choose to migrate to an LDAP backend, your dump file now contains the full account information, including the domain SID. The domain SID for each of the two NT4 domains will be different. You must choose one and change the domain portion of the account SIDs so that all are the same.

    - - - - - - - - - - - - + + + + + + + + + + + + If you choose to use a tdbsam (passdb.tdb) backend file, your best choice is to use pdbedit to export the contents of the tdbsam file into an smbpasswd data file. This automatically strips out all domain-specific information, @@ -131,7 +131,7 @@ file must have an account in /etc/passwd. The resulting smbpasswd file may be exported or imported into either a tdbsam (passdb.tdb) or an LDAP backend. -

    Figure 9.2. View of Accounts in NT4 Domain User Manager

    View of Accounts in NT4 Domain User Manager

    Political Issues

    +

    Figure 9.2. View of Accounts in NT4 Domain User Manager

    View of Accounts in NT4 Domain User Manager

    Political Issues

    The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3 domain may be seen by those who had power over them as a loss of prestige or a loss of power. The imposition of a single domain may even be seen as a threat. So in migrating and @@ -141,7 +141,7 @@ The best advice that can be given to those who set out to merge NT4 domains into a single Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers greater network interoperability and manageability. -

    Implementation

    +

    Implementation

    From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX server. If you contemplate doing this, please note that the steps that follow in this @@ -164,9 +164,9 @@ Prepare the target Samba-3 server. This involves configuring Samba-3 for migration to either a tdbsam or an ldapsam backend.

  • - - - + + + Clean up the source NT4 PDC. Delete all accounts that need not be migrated. Delete all files that should not be migrated. Where possible, change NT group names so there are no spaces or uppercase characters. This is important if @@ -174,14 +174,14 @@ names.

  • Step through the migration process. -

  • +

  • Remove the NT4 PDC from the network.

  • Upgrade the Samba-3 server from a BDC to a PDC, and validate all account information.

    • It may help to use the above outline as a pre-migration checklist. -

    NT4 Migration Using LDAP Backend

    +

    NT4 Migration Using LDAP Backend

    In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about to be migrated are shown in ???. In this example use is made of the smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend. @@ -199,9 +199,9 @@ Delete the /etc/samba/secrets.tdb file and all Samba control tdb files before commencing the following configuration steps.

    Table 9.1. Samba smb.conf Scripts Essential to Samba Operation

    Entityldapsam Scripttdbsam Script
    Add User Accountssmbldap-useradduseradd
    Delete User Accountssmbldap-userdeluserdel
    Add Group Accountssmbldap-groupaddgroupadd
    Delete Group Accountssmbldap-groupdelgroupdel
    Add User to Groupsmbldap-groupmodusermod (See Note)
    Add Machine Accountssmbldap-useradduseradd

    Note

    - - - + + + The UNIX/Linux usermod utility does not permit simple user addition to (or deletion of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this capability, you must create your own tool to do this. Alternately, you can search the Web @@ -209,13 +209,13 @@ The groupmem utility was contributed to the shadow package but has not surfaced in the formal commands provided by Linux distributions (March 2004).

    Note

    - + The tdbdump utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your Linux distribution, you will need to build this yourself or else forgo its use.

    - + Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains. -

    Procedure 9.1. User Migration Steps

    Example 9.1. NT4 Migration Samba-3 Server smb.conf Part: A

    [global]
    workgroup = DAMNATION
    netbios name = MERLIN
    passdb backend = ldapsam:ldap://localhost
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139 445
    name resolve order = wins bcast hosts
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
    add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
    add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'
    #delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
    logon script = scripts\logon.cmd
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    #wins support = Yes
    wins server = 192.168.123.124
    ldap admin dn = cn=Manager,dc=terpstra-world,dc=org
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=People
    ldap passwd sync = Yes
    ldap suffix = dc=terpstra-world,dc=org
    ldap ssl = no
    ldap timeout = 20
    ldap user suffix = ou=People
    idmap backend = ldap:ldap://localhost
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind nested groups = Yes
    ea support = Yes
    map acl inherit = Yes

    Example 9.2. NT4 Migration Samba-3 Server smb.conf Part: B

    [apps]
    comment = Application Data
    path = /data/home/apps
    read only = No
    [homes]
    comment = Home Directories
    path = /home/users/%U/Documents
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = No
    browseable = No
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
    [profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
    [profdata]
    comment = Profile Data Share
    path = /var/lib/samba/profdata
    read only = No
    profile acls = Yes
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers

    Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A

    +	
    Procedure 9.1. User Migration Steps
    Example 9.1. NT4 Migration Samba-3 Server smb.conf  Part: A
     
    [global]
    workgroup = DAMNATION
    netbios name = MERLIN
    passdb backend = ldapsam:ldap://localhost
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139 445
    name resolve order = wins bcast hosts
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
    add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
    add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'
    #delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
    logon script = scripts\logon.cmd
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = X:
    domain logons = Yes
    domain master = No
    #wins support = Yes
    wins server = 192.168.123.124
    ldap admin dn = cn=Manager,dc=terpstra-world,dc=org
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=People
    ldap passwd sync = Yes
    ldap suffix = dc=terpstra-world,dc=org
    ldap ssl = no
    ldap timeout = 20
    ldap user suffix = ou=People
    idmap backend = ldap:ldap://localhost
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind nested groups = Yes
    ea support = Yes
    map acl inherit = Yes
    Example 9.2. NT4 Migration Samba-3 Server smb.conf  Part: B
     
    [apps]
    comment = Application Data
    path = /data/home/apps
    read only = No
     
    [homes]
    comment = Home Directories
    path = /home/users/%U/Documents
    valid users = %S
    read only = No
    browseable = No
     
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = No
    browseable = No
     
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
     
    [profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
     
    [profdata]
    comment = Profile Data Share
    path = /var/lib/samba/profdata
    read only = No
    profile acls = Yes
     
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf  Part A
     include         /etc/openldap/schema/core.schema
 include         /etc/openldap/schema/cosine.schema
 include         /etc/openldap/schema/inetorgperson.schema
@@ -336,18 +336,18 @@
 		The delete scripts are commented out so that during the process of migration
 		no account information can be deleted.
 		
  • 
-		
+		
 		Configure OpenLDAP in preparation for the migration. An example
 		sladp.conf file is shown in ???.
 		The rootpw value is an encrypted password string that can
 		be obtained by executing the slappasswd command.
 		
  • 
-		
-		
+		
+		
 		Install the PADL nss_ldap tool set, then configure the /etc/ldap.conf
 		as shown in ???.
 		
  • 
-		
+		
 		Edit the /etc/nsswitch.conf file so it has the entries shown
 		in ???. Note that the LDAP entries have been commented out.
 		This is deliberate. If these entries are active (not commented out), and the
@@ -392,10 +392,10 @@
 root#  net setlocalsid S-1-5-21-1385457007-882775198-1210191635
 
    • 
 		
  • 
-		
-		
-		
-		
+		
+		
+		
+		
 		Install the Idealx smbldap-tools software package, following
 		the instructions given in ???. The resulting perl scripts
 		should be located in the /opt/IDEALX/sbin directory.
@@ -489,10 +489,10 @@
   /etc/smbldap-tools/smbldap.conf done.
   /etc/smbldap-tools/smbldap_bind.conf done.

    • - - - - + + + + Note that the NT4 domain SID that was previously obtained was entered above. Also, the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is the location into which the Idealx smbldap-tools store the next available UID/GID @@ -545,7 +545,7 @@ The script tries to add the ou=People container twice, hence the error message. This is expected behavior.

  • - + Restart the LDAP server following initialization of the LDAP directory. Execute the system control script provided on your system. The following steps can be used on Novell SUSE SLES 9: @@ -712,10 +712,10 @@ shares and printing resources on the new Samba-3 server, copy all data across, set up privileges, and set share and file/directory access controls.

  • - - + + Edit the smb.conf file to reset the parameter - domain master = Yes so that + domain master = Yes so that the Samba server functions as a PDC for the purpose of migration. Also, uncomment the deletion scripts so they will now be fully functional, enable the wins support = yes parameter and @@ -841,7 +841,7 @@ Creating unix group: 'Server Operators' Creating unix group: 'Users'

    -

    • NT4 Migration Using tdbsam Backend

    +

    NT4 Migration Using tdbsam Backend

    In this example, we change the domain name of the NT4 server from DRUGPREP to MEGANET prior to the use of the vampire (migration) tool. This migration process makes use of Linux system tools @@ -849,22 +849,22 @@ UNIX/Linux /etc/passwd and /etc/group databases. These entries must therefore be present, and correct options specified, in your smb.conf file, or else the migration does not work as it should. -

    Procedure 9.2. Migration Steps Using tdbsam

    1. +

      Procedure 9.2. Migration Steps Using tdbsam

      1. Prepare a Samba-3 server precisely per the instructions shown in ???. Set the workgroup name to MEGANET. -

      2. +

      3. Edit the smb.conf file to temporarily change the parameter - domain master = No so + domain master = No so the Samba server functions as a BDC for the purpose of migration.

      4. Start Samba as you have done previously. -

      5. +

      6. Join the NT4 Domain as a BDC, as shown here: 

         root#  net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
 Joined domain MEGANET.

        -

      7. +

      8. You may vampire the accounts from the NT4 PDC by executing the command, as shown here: 

         root#  net rpc vampire -S oldnt4pdc -U Administrator%not24get
@@ -904,7 +904,7 @@
 Fetching BUILTIN database
 SAM_DELTA_DOMAIN_INFO not handled

        -

      9. +

      10. At this point, we can validate our migration. Let's look at the accounts in the form in which they are seen in a smbpasswd file. This achieves that: 

        @@ -936,7 +936,7 @@
 maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
      CF271B744F7A55AFDA277FF88D80C527:[UX         ]:LCT-3E8B4270:

        -

      11. +

      12. An expanded view of a user account entry shows more of what was obtained from the NT4 PDC: 

        @@ -962,7 +962,7 @@
 Password can change:  0
 Password must change: Mon, 18 Jan 2038 20:14:07 GMT

        -

      13. +

      14. The following command lists the long names of the groups that have been imported (vampired) from the NT4 PDC: 

        @@ -979,11 +979,11 @@
 Users                 Ordinary users

        Everything looks well and in order. -

      15. +

      16. Edit the smb.conf file to reset the parameter - domain master = Yes so + domain master = Yes so the Samba server functions as a PDC for the purpose of migration. -

    Key Points Learned

    +

    Key Points Learned

    Migration of an NT4 PDC database to a Samba-3 PDC is possible.

    • An LDAP backend is a suitable vehicle for NT4 migrations. @@ -995,52 +995,52 @@

    • The net Samba-3 domain most likely requires some administration and updating before going live. -

    Questions and Answers

    -

    clean database +

    Questions and Answers

    +

    clean database Why must I start each migration with a clean database? -
    Domain SID +
    Domain SID Is it possible to set my domain SID to anything I like? -
    /etc/passwd/etc/grouptdbsampassdb backendaccountsuseraccountsgroupaccountsDomain +
    /etc/passwd/etc/grouptdbsampassdb backendaccountsuseraccountsgroupaccountsDomain When using a tdbsam passdb backend, why must I have all domain user and group accounts in /etc/passwd and /etc/group? -
    validateconnectivitymigration +
    validateconnectivitymigration Why did you validate connectivity before attempting migration? -
    +
    How would you merge 10 tdbsam-based domains into an LDAP database? -
    machine accountsaccountsmachine +
    machine accountsaccountsmachine I want to change my domain name after I migrate all accounts from an NT4 domain to a Samba-3 domain. Does it make any sense to migrate the machine accounts in that case? -
    multiple group mappings +
    multiple group mappings After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why? -
    +
    How can I reset group membership after loading the account information into the LDAP database? -
    group names +
    group names What are the limits or constraints that apply to group names? -
    vampire +
    vampire My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 LDAP backend system using the vampire process? -

    +

    Why must I start each migration with a clean database? -

    +

    This is a recommendation that permits the data from each NT4 domain to be kept separate until you are ready to merge them. Also, if you do not start with a clean database, you may find errors due to users or groups from multiple domains having the same name but different SIDs. It is better to permit each migration to complete without undue errors and then to handle the merging of vampired data under proper supervision. -

    +

    Is it possible to set my domain SID to anything I like? -

    +

    Yes, so long as the SID you create has the same structure as an autogenerated SID. The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why would you really want to create your own SID? I cannot think of a good reason. You may want to set the SID to one that is already in use somewhere on your network, but that is a little different from straight out creating your own domain SID. -

    +

    When using a tdbsam passdb backend, why must I have all domain user and group accounts in /etc/passwd and /etc/group? -

    +

    Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba does not fabricate the UNIX IDs from thin air, but rather requires them to be located in a suitable place. @@ -1055,15 +1055,15 @@ migration to the LDAP database, the accounts may be removed from the UNIX database files. In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in LDAP, require UIDs/GIDs. -

    +

    Why did you validate connectivity before attempting migration?

    Access validation before attempting to migrate NT4 domain accounts helps to pinpoint potential problems that may otherwise affect or impede account migration. I am always mindful of the 4 P's of migration: Planning Prevents Poor Performance. -

    +

    How would you merge 10 tdbsam-based domains into an LDAP database? -

    +

    If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of accounts that have the same UNIX identifier (UID/GID). This means that you almost certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd @@ -1073,17 +1073,17 @@ tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that you have migrated before handing over access to a user. After all, too many users with a bad migration experience may threaten your career. -

    +

    I want to change my domain name after I migrate all accounts from an NT4 domain to a Samba-3 domain. Does it make any sense to migrate the machine accounts in that case? -

    +

    I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries on each Windows NT4 and upward client that have a tattoo of the old domain name. If you unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid this tattooing effect. -

    +

    After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why? -

    +

    Samba-3 currently does not implement multiple group membership internally. If you use the Windows NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend, @@ -1092,14 +1092,14 @@ file to which you migrated the NT4 Domain data, do not forget to edit the UNIX /etc/passwd and /etc/group information also. That is where the multiple group information is most closely at your fingertips. -

    +

    How can I reset group membership after loading the account information into the LDAP database? -

    +

    You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The installation file is called SRVTOOLS.EXE. -

    +

    What are the limits or constraints that apply to group names? -

    +

    A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows groups can contain upper- and lowercase characters, as well as spaces. @@ -1111,7 +1111,7 @@ of the POSIX standards and likewise do not permit uppercase or space characters in group or user account names. You have to experiment with your system to find what its peculiarities are. -

    +

    My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 LDAP backend system using the vampire process?

    @@ -1120,7 +1120,7 @@ you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. Please check this carefully before you attempt to effect a migration using the vampire process. -

    +

    Migration speed depends much on the processor speed, the network speed, disk I/O capability, and LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/nw4migration.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/nw4migration.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/nw4migration.html 2005-08-19 12:59:34.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/nw4migration.html 2005-12-19 10:19:23.000000000 -0600 @@ -1,6 +1,6 @@ -Chapter 10. Migrating NetWare Server to Samba-3

    Chapter 10. Migrating NetWare Server to Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 10. Migrating NetWare Server to Samba-3

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend

    - - +Chapter 10. Migrating NetWare Server to Samba-3

    Chapter 10. Migrating NetWare Server to Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 10. Migrating NetWare Server to Samba-3

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    NetWare Migration Using LDAP Backend

    + + Novell is a company any seasoned IT manager has to admire. It has become increasingly Linux-friendly and is emerging out of a deep regression that almost saw the company disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the @@ -8,24 +8,24 @@ It will be interesting to see what becomes of NetWare over time. Meanwhile, there can be no denying that Novell is a Linux company.

    - - - - + + + + Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with the knowledge that file locations may vary a little; even so, the information in this chapter should provide something of value.

    - + Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many years who surfaced on the Samba mailing list with a barrage of questions and who regularly helps other administrators to solve thorny Samba migration questions.

    - - - - + + + + One wonders how many NetWare servers remain in active service. Many are being migrated to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are ideal target platforms to which a NetWare server may be migrated. The migration method @@ -49,8 +49,8 @@ File paths have been modified to permit use of RPM packages provided by Novell. In the original documentation contributed by Misty, the Courier-IMAP package had been built directly from the original source tarball. -

    Introduction

    - +

    Introduction

    + Misty Stanley-Jones was recruited by Abmas to administer a network that had not received much attention for some years and was much in need of a makeover. As a brand-new sysadmin to this company, she inherited a very old Novell file server @@ -64,13 +64,13 @@ Users storing information on their local hard drives, causing backup integrity problems

    - + At one point disk space had filled up to 100 percent, causing the payroll database to become corrupt. This caused the accounting department to be down for over a week and necessitated deployment of another file server. The replacement server was created with very poor security and design considerations from a discarded desktop PC. -

    Assignment Tasks

    +

    Assignment Tasks

    Misty has provided this summary of her migration experience in the hope that it will help someone to avoid the challenges she faced. Perhaps her configuration files and background will accelerate your learning as you @@ -89,7 +89,7 @@ is the result of treatment given to her files in an attempt to make the overall information more useful to you.

    - + After management reviewed a cost-benefit report as well as an estimated time-to-completion, approval was given proceed with the solution proposed. The server was built from purchased components. The total project cost @@ -111,33 +111,33 @@

    The new system has operated for 6 months without problems. Over the past months much attention has been focused on cleaning up desktops and user profiles. -

    Dissection and Discussion

    - - - - +

    Dissection and Discussion

    + + + + A decision to use LDAP was made even though I knew nothing about LDAP except that I had been reading the book “LDAP System Administration,” by Gerald Carter. LDAP seemed to provide some of the functionality of Novell's e-Directory Services and would provide centralized authentication and identity management.

    - - - + + + Building the LDAP database took a while and a lot of trial and error. Following the guidance I obtained from “LDAP System Administration,” I installed OpenLDAP (from RPM; later I compiled a more current version from source) and built my initial LDAP tree. -

    Technical Issues

    - - - - - - - - - +

    Technical Issues

    + + + + + + + + + The first challenge was to create a company white pages, followed by manually entering everything from the printed company directory. This used only the inetOrgPerson object class from the OpenLDAP schemas. The next step was to write a shell script that @@ -189,15 +189,15 @@ the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text files (or from a name service such as NIS). This too set can be obtained from the PADL Web site. -

    Implementation

    -

    NetWare Migration Using LDAP Backend

    +

    Implementation

    +

    NetWare Migration Using LDAP Backend

    The following software must be installed on the SUSE Linux Enterprise Server to perform this migration:

    courier-imap

    courier-imap-ldap

    nss_ldap

    openldap2-client

    openldap2-devel (only for Samba compilation)

    openldap2

    pam_ldap

    samba-3.0.20 or later

    samba-client-3.0.20 or later

    samba-winbind-3.0.20 or later

    smbldap-tools Version 0.9.1

    Each software application must be carefully configured in preparation for migration. The configuration files used at Abmas are provided as a guide and should be modified to meet needs at your site. -

    LDAP Server Configuration

    +

    LDAP Server Configuration

    The /etc/openldap/slapd.conf file Misty used is shown here: 

     #/etc/openldap/slapd.conf
@@ -362,7 +362,7 @@
   by * read

    - + The /etc/ldap.conf file used is listed in ???.

    Example 10.2. NSS LDAP Control File /etc/ldap.conf

     # /etc/ldap.conf
@@ -416,8 +416,8 @@
 # possibilities to store hosts, services, ethers, and lots of other things.

    - - + + In my setup, users authenticate via PAM and NSS using LDAP-based accounts. The configuration file that controls the behavior of the PAM pam_unix2 module is shown in ??? file. @@ -458,7 +458,7 @@ account: use_ldap password: use_ldap session: none -

    • +

    • If your LDAP database goes down, nobody can authenticate except for root.

    • If failover is configured incorrectly, weird behavior can occur. For example, @@ -468,31 +468,31 @@ of this document, and steps for implementing it are well documented.

      The following services authenticate using LDAP: -

      UNIX login/ssh

      Postfix (SMTP)

      Courier-IMAP/IMAPS/POP3/POP3S

      - - +

      UNIX login/ssh

      Postfix (SMTP)

      Courier-IMAP/IMAPS/POP3/POP3S

      + + Companywide white pages can be searched using an LDAP client such as the one in the Windows Address Book.

      - - + + Having gained a solid understanding of LDAP and a relatively workable LDAP tree thus far, it was time to configure Samba. I compiled the latest stable Samba and also installed the latest smbldap-tools from Idealx.

      The Samba smb.conf file was configured as shown in ???. -

      Example 10.4. Samba Configuration File smb.conf Part A

      # Global parameters
      [global]
      workgroup = MEGANET2
      netbios name = MASSIVE
      server string = Corp File Server
      passdb backend = ldapsam:ldap://localhost
      pam password change = Yes
      username map = /etc/samba/smbusers
      log level = 1
      log file = /data/samba/log/%m.log
      name resolve order = wins host bcast
      time server = Yes
      printcap name = cups
      show add printer wizard = No
      cups options = Raw
      add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
      add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
      add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
      delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
      set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
      add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
      logon script = logon.bat
      logon path = \\%L\profiles\%U\%a
      logon drive = H:
      logon home = \\%L\%U
      domain logons = Yes
      wins support = Yes
      ldap admin dn = cn=Manager,dc=abmas,dc=biz
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=People
      ldap machine suffix = ou=People
      ldap passwd sync = Yes
      ldap suffix = ou=MEGANET2,dc=abmas,dc=biz
      ldap ssl = no
      ldap user suffix = ou=People
      admin users = root, "@Domain Admins"
      printer admin = "@Domain Admins"
      force printername = Yes

      Example 10.5. Samba Configuration File smb.conf Part B

      [netlogon]
      comment = Network logon service
      path = /data/samba/netlogon
      write list = "@Domain Admins"
      guest ok = Yes
      [profiles]
      comment = Roaming Profile Share
      path = /data/samba/profiles/
      read only = No
      profile acls = Yes
      veto files = desktop.ini
      browseable = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      create mask = 0770
      veto files = desktop.ini
      hide files = desktop.ini
      browseable = No
      [software]
      comment = Software for %a computers
      path = /data/samba/shares/software/%a
      guest ok = Yes
      [public]
      comment = Public Files
      path = /data/samba/shares/public
      read only = No
      guest ok = Yes
      [PDF]
      comment = Location of documents printed to PDFCreator printer
      path = /data/samba/shares/pdf
      guest ok = Yes

      Example 10.6. Samba Configuration File smb.conf Part C

      [EVERYTHING]
      comment = All shares
      path = /data/samba
      valid users = "@Domain Admins"
      read only = No
      [CDROM]
      comment = CD-ROM on MASSIVE
      path = /mnt
      guest ok = Yes
      [print$]
      comment = Printer Drivers Share
      path = /data/samba/drivers
      write list = root
      browseable = No
      [printers]
      comment = All Printers
      path = /data/samba/spool
      create mask = 0644
      printable = Yes
      browseable = No
      [acct_hp8500]
      comment = "Accounting Color Laser Printer"
      path = /data/samba/spool/private
      valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry
      create mask = 0644
      printable = Yes
      copy = printers
      [plotter]
      comment = Engineering Plotter
      path = /data/samba/spool
      create mask = 0644
      printable = Yes
      use client driver = Yes
      copy = printers

      Example 10.7. Samba Configuration File smb.conf Part D

      [APPS]
      path = /data/samba/shares/Apps
      force group = "Domain Users"
      read only = No
      [ACCT]
      path = /data/samba/shares/Accounting
      valid users = @acct, "@Domain Admins"
      force group = acct
      read only = No
      create mask = 0660
      directory mask = 0770
      [ACCT_ADMIN]
      path = /data/samba/shares/Acct_Admin
      valid users = @â€acct_adminâ€
      force group = acct_admin
      [HR_PR]
      path = /data/samba/shares/HR_PR
      valid users = @hr, @acct_admin
      force group = hr
      [ENGR]
      path = /data/samba/shares/Engr
      valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
      force group = engr
      read only = No
      create mask = 0770
      [DATA]
      path = /data/samba/shares/DATA
      valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
      force group = engr
      read only = No
      create mask = 0770
      copy = engr

      Example 10.8. Samba Configuration File smb.conf Part E

      [X]
      path = /data/samba/shares/X
      valid users = @engr, @acct
      force group = engr
      read only = No
      create mask = 0770
      copy = engr
      [NETWORK]
      path = /data/samba/shares/network
      valid users = "@Domain Users"
      read only = No
      create mask = 0770
      guest ok = Yes
      [UTILS]
      path = /data/samba/shares/Utils
      write list = "@Domain Admins"
      [SYS]
      path = /data/samba/shares/SYS
      valid users = chad
      read only = No
      browseable = No

      - - - +

      Example 10.4. Samba Configuration File smb.conf Part A

      # Global parameters
      [global]
      workgroup = MEGANET2
      netbios name = MASSIVE
      server string = Corp File Server
      passdb backend = ldapsam:ldap://localhost
      pam password change = Yes
      username map = /etc/samba/smbusers
      log level = 1
      log file = /data/samba/log/%m.log
      name resolve order = wins host bcast
      time server = Yes
      printcap name = cups
      show add printer wizard = No
      cups options = Raw
      add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
      add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
      add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
      delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
      set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
      add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
      logon script = logon.bat
      logon path = \\%L\profiles\%U\%a
      logon drive = H:
      logon home = \\%L\%U
      domain logons = Yes
      wins support = Yes
      ldap admin dn = cn=Manager,dc=abmas,dc=biz
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=People
      ldap machine suffix = ou=People
      ldap passwd sync = Yes
      ldap suffix = ou=MEGANET2,dc=abmas,dc=biz
      ldap ssl = no
      ldap user suffix = ou=People
      admin users = root, "@Domain Admins"
      printer admin = "@Domain Admins"
      force printername = Yes

      Example 10.5. Samba Configuration File smb.conf Part B

      [netlogon]
      comment = Network logon service
      path = /data/samba/netlogon
      write list = "@Domain Admins"
      guest ok = Yes
      [profiles]
      comment = Roaming Profile Share
      path = /data/samba/profiles/
      read only = No
      profile acls = Yes
      veto files = desktop.ini
      browseable = No
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      create mask = 0770
      veto files = desktop.ini
      hide files = desktop.ini
      browseable = No
      [software]
      comment = Software for %a computers
      path = /data/samba/shares/software/%a
      guest ok = Yes
      [public]
      comment = Public Files
      path = /data/samba/shares/public
      read only = No
      guest ok = Yes
      [PDF]
      comment = Location of documents printed to PDFCreator printer
      path = /data/samba/shares/pdf
      guest ok = Yes

      Example 10.6. Samba Configuration File smb.conf Part C

      [EVERYTHING]
      comment = All shares
      path = /data/samba
      valid users = "@Domain Admins"
      read only = No
      [CDROM]
      comment = CD-ROM on MASSIVE
      path = /mnt
      guest ok = Yes
      [print$]
      comment = Printer Drivers Share
      path = /data/samba/drivers
      write list = root
      browseable = No
      [printers]
      comment = All Printers
      path = /data/samba/spool
      create mask = 0644
      printable = Yes
      browseable = No
      [acct_hp8500]
      comment = "Accounting Color Laser Printer"
      path = /data/samba/spool/private
      valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry
      create mask = 0644
      printable = Yes
      copy = printers
      [plotter]
      comment = Engineering Plotter
      path = /data/samba/spool
      create mask = 0644
      printable = Yes
      use client driver = Yes
      copy = printers

      Example 10.7. Samba Configuration File smb.conf Part D

      [APPS]
      path = /data/samba/shares/Apps
      force group = "Domain Users"
      read only = No
      [ACCT]
      path = /data/samba/shares/Accounting
      valid users = @acct, "@Domain Admins"
      force group = acct
      read only = No
      create mask = 0660
      directory mask = 0770
      [ACCT_ADMIN]
      path = /data/samba/shares/Acct_Admin
      valid users = @â€acct_adminâ€
      force group = acct_admin
      [HR_PR]
      path = /data/samba/shares/HR_PR
      valid users = @hr, @acct_admin
      force group = hr
      [ENGR]
      path = /data/samba/shares/Engr
      valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
      force group = engr
      read only = No
      create mask = 0770
      [DATA]
      path = /data/samba/shares/DATA
      valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
      force group = engr
      read only = No
      create mask = 0770
      copy = engr

      Example 10.8. Samba Configuration File smb.conf Part E

      [X]
      path = /data/samba/shares/X
      valid users = @engr, @acct
      force group = engr
      read only = No
      create mask = 0770
      copy = engr
      [NETWORK]
      path = /data/samba/shares/network
      valid users = "@Domain Users"
      read only = No
      create mask = 0770
      guest ok = Yes
      [UTILS]
      path = /data/samba/shares/Utils
      write list = "@Domain Admins"
      [SYS]
      path = /data/samba/shares/SYS
      valid users = chad
      read only = No
      browseable = No

      + + + Most of these shares are only used by one company group, but they are required because of some ancient Qbasic and Rbase applications were that written expecting their own drive letters.

      - - - + + + Note: During the process of building the new server, I kept data files up to date with the Novell server via use of rsync. On a separate system (my workstation in fact), which could be rebooted @@ -739,7 +739,7 @@ with_smbpasswd="0" smbpasswd="/usr/bin/smbpasswd"

    - + Note: I chose not to take advantage of the TLS capability of this. Eventually I may go back and tweak it. Also, I chose not to take advantage of the master/slave configuration as I heard horror stories that it was @@ -813,11 +813,11 @@ ...

    - - - - - + + + + + With the LDAP directory now initialized, it was time to create the Windows and POSIX (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. The easiest way to do this was to use smbldap-groupadd command. @@ -825,34 +825,34 @@ unique GID, and an automatically determined RID. I learned the hard way not to try to do this by hand.

    - - - + + + After I had my group mappings in place, I added users to the groups (the users don't really have to exist yet). I used the smbldap-groupmod command to accomplish this. It can also be done manually by adding memberUID attributes to the group entries in LDAP.

    - - - + + + The most monumental task of all was adding the sambaSamAccount information to each already existent posixAccount entry. I did it one at a time as I moved people onto the new server, by issuing the command: 

     root#  smbldap-usermod -a -P username

    - - - + + + I completed that step for every user after asking the person what his or her current NetWare password was. The wiser way to have done it would probably have been to dump the entire database to an LDIF file. This can be done by executing: 

     root#  slapcat > somefile.ldif

    - - + + Then update the LDIF file created by using a Perl script to parse and add the appropriate attributes and objectClasses to each entry, followed by re-importing the entire database into the LDAP directory. @@ -933,7 +933,7 @@ sambaAcctFlags: [W ]

    - + So now I could log on with a test user from the machine w2kengrspare. It was all well and good, but that user was in no groups yet and so had pretty boring access. I fixed that by writing the login script! To write the login script, I used @@ -942,7 +942,7 @@ easier to learn and more powerful than the standard netlogon scripts I have seen. I also did not have to do a logon script per user or per group.

    - + I downloaded Kixtart and put the following files in my netlogon share: 

     KIX32.EXE
@@ -954,7 +954,7 @@
           We can get around the need.

    - + I then wrote the logon.kix file that is shown in ???. I chose to keep it all in one file, but it can be split up and linked via include directives. @@ -1137,7 +1137,7 @@ have only three such machines, and one is going away in the very near future, so it was easier to do it by hand.

    - + At this point I was able to add the users. This is the part that really falls into upgrade. I moved the users over one group at a time, starting with the people who used the least amount of resources on the network. With each group diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr01.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr01.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr01.html 2005-08-19 12:59:17.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr01.html 2005-12-19 10:19:01.000000000 -0600 @@ -1,4 +1,4 @@ -About the Cover Artwork

    About the Cover Artwork
    Prev   Next

    About the Cover Artwork

    +About the Cover Artwork

    About the Cover Artwork
    Prev   Next

    About the Cover Artwork

    The cover artwork of this book continues the freedom theme of the first edition of “Samba-3 by Example”. The history of civilization demonstrates the fragile nature of freedom. It can be lost in a moment, diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr02.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr02.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr02.html 2005-08-19 12:59:17.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr02.html 2005-12-19 10:19:01.000000000 -0600 @@ -1,4 +1,4 @@ -Acknowledgments

    Acknowledgments
    Prev   Next

    Acknowledgments

    +Acknowledgments

    Acknowledgments
    Prev   Next

    Acknowledgments

    Samba-3 by Example would not have been written except as a result of feedback provided by reviewers and readers of the book The Official Samba-3 HOWTO and Reference Guide. This second edition diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr03.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr03.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/pr03.html 2005-08-19 12:59:17.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/pr03.html 2005-12-19 10:19:01.000000000 -0600 @@ -1,4 +1,4 @@ -Foreword

    Foreword
    Prev   Next

    Foreword

    Table of Contents

    By John M. Weathersby, Executive Director, OSSI

    By John M. Weathersby, Executive Director, OSSI

    +Foreword

    Foreword
    Prev   Next

    Foreword

    Table of Contents

    By John M. Weathersby, Executive Director, OSSI

    By John M. Weathersby, Executive Director, OSSI

    The Open Source Software Institute (OSSI) is comprised of representatives from a broad spectrum of business and non-business organizations that share a common interest in the promotion of development and implementation of open source software solutions globally, and in particular within the United States of America. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/preface.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/preface.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/preface.html 2005-08-19 12:59:17.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/preface.html 2005-12-19 10:19:02.000000000 -0600 @@ -1,4 +1,4 @@ -Preface

    Preface
    Prev   Next

    Preface

    Table of Contents

    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used

    +Preface

    Preface
    Prev   Next

    Preface

    Table of Contents

    Why Is This Book Necessary?
    Samba 3.0.20 Update Edition
    Prerequisites
    Approach
    Summary of Topics
    Conventions Used

    Network administrators live busy lives. We face distractions and pressures that drive us to seek proven, working case scenarios that can be easily implemented. Often this approach lands us in trouble. There is a @@ -33,7 +33,7 @@ detailed information regarding secure operation and configuration of peripheral services and applications such as OpenLDAP, DNS and DHCP, the need for which can be met from other resources that are dedicated to the subject. -

    Why Is This Book Necessary?

    +

    Why Is This Book Necessary?

    This book is the result of observations and feedback. The feedback from the Samba-HOWTO-Collection has been positive and complimentary. There have been requests for far more worked examples, a @@ -53,7 +53,7 @@ All example case configuration files, scripts, and other tools are provided on the CD-ROM. This book is descriptive, provides detailed diagrams, and makes deployment of Samba-3 a breeze. -

    Samba 3.0.20 Update Edition

    +

    Samba 3.0.20 Update Edition

    The Samba 3.0.x series has been remarkably popular. At the time this book first went to print samba-3.0.2 was being released. There have been significant modifications and enhancements between samba-3.0.2 and samba-3.0.14 (the current release) that @@ -126,7 +126,7 @@ means that functions such as adding machines to the domain, managing printers, etc. can now be delegated to normal user accounts or to groups of users.

    -

    Prerequisites

    +

    Prerequisites

    This book is not a tutorial on UNIX or Linux administration. UNIX and Linux training is best obtained from books dedicated to the subject. This book assumes that you have at least the basic skill necessary to use these operating @@ -139,7 +139,7 @@ find yourself at times intimidated by assumptions made. In this situation, you may need to refer to administrative guides or manuals for your operating system platform to find what is the best method to achieve what the text of this book describes. -

    Approach

    +

    Approach

    The first chapter deals with some rather thorny network analysis issues. Do not be put off by this. The information you glean, even without a detailed understanding of network protocol analysis, can help you understand how Windows networking functions. @@ -167,7 +167,7 @@

    Each chapter has a set of questions and answers to help you to to understand and digest key attributes of the solutions presented. -

    Summary of Topics

    +

    Summary of Topics

    The contents of this second edition of Samba-3 by Example have been rearranged based on feedback from purchasers of the first edition.

    @@ -364,7 +364,7 @@ have seen some of the information a Windows client sends to a file and print server to create a connection over which file and print operations may take place. -

    Conventions Used

    +

    Conventions Used

    The following notation conventions are used throughout this book:

    • TOSHARG2 is used as an abbreviation for the book, “The Official Samba-3 diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/primer.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/primer.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/primer.html 2005-08-19 12:59:38.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/primer.html 2005-12-19 10:19:31.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 16. Networking Primer

      Chapter 16. Networking Primer
      Prev Part III. Reference Section Next

      Chapter 16. Networking Primer

      Table of Contents

      Requirements and Notes
      Introduction
      Assignment Tasks
      Exercises
      Single-Machine Broadcast Activity
      Second Machine Startup Broadcast Interaction
      Simple Windows Client Connection Characteristics
      Windows 200x/XP Client Interaction with Samba-3
      Conclusions to Exercises
      Dissection and Discussion
      Technical Issues
      Questions and Answers

      +Chapter 16. Networking Primer

      Chapter 16. Networking Primer
      Prev Part III. Reference Section Next

      Chapter 16. Networking Primer

      Table of Contents

      Requirements and Notes
      Introduction
      Assignment Tasks
      Exercises
      Single-Machine Broadcast Activity
      Second Machine Startup Broadcast Interaction
      Simple Windows Client Connection Characteristics
      Windows 200x/XP Client Interaction with Samba-3
      Conclusions to Exercises
      Dissection and Discussion
      Technical Issues
      Questions and Answers

      You are about to use the equivalent of a microscope to look at the information that runs through the veins of a Windows network. We do more to observe the information than to interrogate it. When you are done with this primer, you should have a good understanding @@ -8,7 +8,7 @@

      Samba can be configured with a minimum of complexity. Simplicity should be mastered before you get too deeply into complexities. Let's get moving: we have work to do. -

      Requirements and Notes

      +

      Requirements and Notes

      Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet card connected using a hub. Also required is one additional server (either Windows @@ -16,7 +16,7 @@ sniffer and analysis application (ethereal is a good choice). All work should be undertaken on a quiet network where there is no other traffic. It is best to use a dedicated hub with only the machines under test connected at the time of the exercises. -

      +

      Ethereal has become the network protocol analyzer of choice for many network administrators. You may find more information regarding this tool from the Ethereal Web site. Ethereal installation @@ -36,11 +36,11 @@ filter. Ethernet switches may filter out traffic that is not directed at the machine that is used to monitor traffic; this would not allow you to complete the projects.

      - + Do not worry too much if you do not have access to all this equipment; network captures from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly into the analytical part of the exercises if you so desire. -

      +

      Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this primer. We expose you only to a minimum of detail necessary to complete the exercises. If you choose to use any other network sniffer and protocol @@ -54,11 +54,11 @@

      ??? also provides useful information that may help you to avoid significantly time-consuming networking problems. -

      Introduction

      +

      Introduction

      The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows network computing. If you want a solid technical grounding, do not gloss over these exercises. The points covered are recurrent issues on the Samba mailing lists. -

      +

      You can see from these exercises that Windows networking involves quite a lot of network broadcast traffic. You can look into the contents of some packets, but only to see some particular information that the Windows client sends to a server in the course of @@ -74,18 +74,18 @@ Recommended preparatory reading: The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 9, “Network Browsing,” and Chapter 3, “Server Types and Security Modes.” -

      Assignment Tasks

      +

      Assignment Tasks

      You are about to witness how Microsoft Windows computer networking functions. The exercises step through identification of how a client machine establishes a connection to a remote Windows server. You observe how Windows machines find each other (i.e., how browsing works) and how the two key types of user identification (share mode security and user mode security) are affected. -

      +

      The networking protocols used by MS Windows networking when working with Samba use TCP/IP as the transport protocol. The protocols that are specific to Windows networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal) is able to show you the contents of the TCP/IP packets (or messages). -

      Procedure 16.1. Diagnostic Tasks

      1. +

        Procedure 16.1. Diagnostic Tasks

        1. Examine network traces to witness SMB broadcasts, host announcements, and name resolution processes.

        2. @@ -95,8 +95,8 @@

        3. Review traces of network logons for a Windows 9x/Me client as well as a domain logon for a Windows XP Professional client. -

      Exercises

      - +

    Exercises

    + You are embarking on a course of discovery. The first part of the exercise requires two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98. Each needs an IP address; we used 10.1.1.10 @@ -111,7 +111,7 @@

    • Windows 98 name: MILGATE98

    • Windows Me name: WINEPRESSME

    • Windows XP Professional name: LightrayXP

    • Samba-3.0.20 running on a SUSE Enterprise Linux 9

    Choose a workgroup name (MIDEARTH) for each exercise.

    - + The network captures provided on the CD-ROM included with this book were captured using Ethereal version 0.10.6. A later version suffices without problems, but an earlier version may not expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all @@ -119,9 +119,9 @@ perform the time-consuming equipment configuration and test work. This is a good time to point out that the value that can be derived from this book really does warrant your taking sufficient time to practice each exercise with care and attention to detail. -

    Single-Machine Broadcast Activity

    +

    Single-Machine Broadcast Activity

    In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. -

    Procedure 16.2. Monitoring Windows 9x Steps

    1. +

      Procedure 16.2. Monitoring Windows 9x Steps

      1. Start the machine from which network activity will be monitored (using ethereal). Launch ethereal, click Capture->Start. @@ -138,28 +138,28 @@

      2. Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol was used. Identify the timing between messages of identical types. -

      Findings

      +

    Findings

    The summary of the first 10 minutes of the packet capture should look like ???. A screenshot of a later stage of the same capture is shown in ???. -

    Figure 16.1. Windows Me Broadcasts The First 10 Minutes

    Windows Me Broadcasts The First 10 Minutes

    Figure 16.2. Windows Me Later Broadcast Sample

    Windows Me Later Broadcast Sample

    +

    Figure 16.1. Windows Me Broadcasts The First 10 Minutes

    Windows Me Broadcasts The First 10 Minutes

    Figure 16.2. Windows Me Later Broadcast Sample

    Windows Me Later Broadcast Sample

    Broadcast messages observed are shown in ???. Actual observations vary a little, but not by much. Early in the startup process, the Windows Me machine broadcasts its name for two reasons: first to ensure that its name would not result in a name clash, and second to establish its presence with the Local Master Browser (LMB). -

    Table 16.1. Windows Me Startup Broadcast Capture Statistics

    MessageTypeNumNotes
    WINEPRESSME<00>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<03>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry84300 sec apart at stable operation
    __MSBROWSE__Reg8Registered after winning election to Browse Master
    JHT<03>Reg84 x 2. This is the name of the user that logged onto Windows
    Host Announcement WINEPRESSMEAnn2Observed at 10 sec
    Domain/Workgroup Announcement MIDEARTHAnn18300 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn18300 sec apart at stable operation
    Get Backup List RequestQry126 x 2 early in startup, 0.5 sec apart
    Browser Election RequestAnn105 x 2 early in startup
    Request Announcement WINEPRESSMEAnn4Early in startup

    +

    Table 16.1. Windows Me Startup Broadcast Capture Statistics

    MessageTypeNumNotes
    WINEPRESSME<00>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<03>Reg84 lots of 2, 0.6 sec apart
    WINEPRESSME<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry84300 sec apart at stable operation
    __MSBROWSE__Reg8Registered after winning election to Browse Master
    JHT<03>Reg84 x 2. This is the name of the user that logged onto Windows
    Host Announcement WINEPRESSMEAnn2Observed at 10 sec
    Domain/Workgroup Announcement MIDEARTHAnn18300 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn18300 sec apart at stable operation
    Get Backup List RequestQry126 x 2 early in startup, 0.5 sec apart
    Browser Election RequestAnn105 x 2 early in startup
    Request Announcement WINEPRESSMEAnn4Early in startup

    From the packet trace, it should be noted that no messages were propagated over TCP/IP; all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle of various announcements, re-election of a browse master, and name queries. These create the symphony of announcements by which network browsing is made possible. -

    +

    For detailed information regarding the precise behavior of the CIFS/SMB protocols, refer to the book “Implementing CIFS: The Common Internet File System,” by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).

    Second Machine Startup Broadcast Interaction

    At this time, the machine you used to capture the single-system startup trace should still be running. The objective of this task is to identify the interaction of two machines in respect to broadcast activity. -

    Procedure 16.3. Monitoring of Second Machine Activity

    1. +

      Procedure 16.3. Monitoring of Second Machine Activity

      1. On the machine from which network activity will be monitored (using ethereal), launch ethereal and click Capture->Start. @@ -176,7 +176,7 @@

      2. Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, and what interaction took place between the two machines. Leave both machines running for the next task. -

      Findings

      +

    Findings

    ??? summarizes capture statistics observed. As in the previous case, all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash @@ -184,18 +184,18 @@ to explore the inner details of the precise mechanism of how this functions should refer to “Implementing CIFS: The Common Internet File System.

    Table 16.2. Second Machine (Windows 98) Capture Statistics

    MessageTypeNumNotes
    MILGATE98<00>Reg84 lots of 2, 0.6 sec apart
    MILGATE98<03>Reg84 lots of 2, 0.6 sec apart
    MILGATE98<20>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<00>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1d>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1e>Reg84 lots of 2, 0.75 sec apart
    MIDEARTH<1b>Qry18900 sec apart at stable operation
    JHT<03>Reg2This is the name of the user that logged onto Windows
    Host Announcement MILGATE98Ann14Every 120 sec
    Domain/Workgroup Announcement MIDEARTHAnn6900 sec apart at stable operation
    Local Master Announcement WINEPRESSMEAnn6Insufficient detail to determine frequency

    - - - + + + Observation of the contents of Host Announcements, Domain/Workgroup Announcements, and Local Master Announcements is instructive. These messages convey a significant level of detail regarding the nature of each machine that is on the network. An example dissection of a Host Announcement is given in ???. -

    Figure 16.3. Typical Windows 9x/Me Host Announcement

    Typical Windows 9x/Me Host Announcement

    Simple Windows Client Connection Characteristics

    +

    Figure 16.3. Typical Windows 9x/Me Host Announcement

    Typical Windows 9x/Me Host Announcement

    Simple Windows Client Connection Characteristics

    The purpose of this exercise is to discover how Microsoft Windows clients create (establish) connections with remote servers. The methodology involves analysis of a key aspect of how Windows clients access remote servers: the session setup protocol. -

    Procedure 16.4. Client Connection Exploration Steps

    1. +

      Procedure 16.4. Client Connection Exploration Steps

      1. Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. Create a Full Access control password on this share.

      2. @@ -216,11 +216,11 @@ When the share called Stuff is being displayed, stop the capture. Save the captured data in case it is needed for later analysis.

      3. - + From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX, Path: \\MILGATE98\IPC$. -

      4. +

      5. In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request, and Tree Connect AndX Request. Examine both operations. Identify the name of the user Account and what password was used. The Account name should be empty. @@ -230,40 +230,40 @@ decoded of the type Session Setup AndX. Locate the last such packet that was targeted at the \\MILGATE98\IPC$ service.

      6. - - + + Dissect this packet as per the previous one. This packet should have a password length of 24 (characters) and should have a password field, the contents of which is a long hexadecimal number. Observe the name in the Account field. This is a User Mode session setup packet. -

      Findings and Comments

      - - The IPC$ share serves a vital purpose[15] +

    Findings and Comments

    + + The IPC$ share serves a vital purpose[15] in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of resources that are available on the server. The server responds with the shares and print queues that are available. In most but not all cases, the connection is made with a NULL username and a NULL password.

    - + The two packets examined are material evidence of how Windows clients may interoperate with Samba. Samba requires every connection setup to be authenticated using valid UNIX account credentials (UID/GID). This means that even a NULL session setup can be established only by automatically mapping it to a valid UNIX account.

    - - + + Samba has a special name for the NULL, or empty, user account: - it calls it the guest account. The + it calls it the guest account. The default value of this parameter is nobody; however, this can be changed to map the function of the guest account to any other UNIX identity. Some UNIX administrators prefer to map this account to the system default anonymous FTP account. A sample NULL Session Setup AndX packet dissection is shown in ???.

    Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request

    Typical Windows 9x/Me NULL SessionSetUp AndX Request

    - - - + + + When a UNIX/Linux system does not have a nobody user account (/etc/passwd), the operation of the NULL account cannot validate and thus connections that utilize the guest account @@ -271,11 +271,11 @@ problem reported on the Samba mailing list. A sample User Mode session setup AndX is shown in ???.

    Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request

    Typical Windows 9x/Me User SessionSetUp AndX Request

    - + The User Mode connection packet contains the account name and the domain name. The password is provided in Microsoft encrypted form, and its length is shown as 24 characters. This is the length of Microsoft encrypted passwords. -

    Windows 200x/XP Client Interaction with Samba-3

    +

    Windows 200x/XP Client Interaction with Samba-3

    By now you may be asking, “Why did you choose to work with Windows 9x/Me?

    First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise @@ -290,7 +290,7 @@ To complete this exercise, you need a Windows XP Professional client that has been configured as a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. -

    Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up

    1. +

      Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up

      1. Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal, and then wait for the next step to complete.

      2. @@ -319,14 +319,14 @@ If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises in this chapter.

      3. - - + + From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX Request, NTLMSSP_AUTH.

      4. - - - + + + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP @@ -338,7 +338,7 @@ decoded of the type Session Setup AndX Request. Click the last such packet that has been decoded as Session Setup AndX Request, NTLMSSP_AUTH.

      5. - + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP @@ -349,18 +349,18 @@ The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash.

      6. - - + + The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode session setup packet. -

      Figure 16.6. Typical Windows XP NULL Session Setup AndX Request

      Typical Windows XP NULL Session Setup AndX Request

      Figure 16.7. Typical Windows XP User Session Setup AndX Request

      Typical Windows XP User Session Setup AndX Request

      Discussion

      +

    Figure 16.6. Typical Windows XP NULL Session Setup AndX Request

    Typical Windows XP NULL Session Setup AndX Request

    Figure 16.7. Typical Windows XP User Session Setup AndX Request

    Typical Windows XP User Session Setup AndX Request

    Discussion

    This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a NULL-Session connection to query and locate resources on an advanced network technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated connection must be made before resources can be used. -

    Conclusions to Exercises

    +

    Conclusions to Exercises

    In summary, the following points have been established in this chapter:

    • When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. @@ -379,7 +379,7 @@ file or in an LDAP database. Samba-3 permits use of multiple passdb backend databases in concurrent deployment. Refer to TOSHARG2, Chapter 10, “Account Information Databases.

    Dissection and Discussion

    - + The exercises demonstrate the use of the guest account, the way that MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections between a client and a server are established. @@ -387,8 +387,8 @@ Those wishing background information regarding NetBIOS name types should refer to the Microsoft knowledgebase article Q102878. -

    Technical Issues

    - +

    Technical Issues

    + Network browsing involves SMB broadcast announcements, SMB enumeration requests, connections to the IPC$ share, share enumerations, and SMB connection setup processes. The use of anonymous connections to a Samba server involve the use of @@ -396,44 +396,44 @@

    Questions and Answers

    The questions and answers given in this section are designed to highlight important aspects of Microsoft Windows networking. -

    +

    What is the significance of the MIDEARTH<1b> type query? -
    +
    What is the significance of the MIDEARTH<1d> type name registration? -
    +
    What is the role and significance of the <01><02>__MSBROWSE__<02><01> name registration? -
    +
    What is the significance of the MIDEARTH<1e> type name registration? -
    +
    guest account What is the significance of the guest account in smb.conf? -
    +
    Is it possible to reduce network broadcast activity with Samba-3? -
    +
    Can I just use plain-text passwords with Samba? -
    +
    What parameter in the smb.conf file is used to enable the use of encrypted passwords? -
    +
    Is it necessary to specify encrypt passwordsencrypt passwords = Yes when Samba-3 is configured as a domain member? -
    +
    Is it necessary to specify a guest account when Samba-3 is configured as a domain member server? -

    +

    What is the significance of the MIDEARTH<1b> type query?

    - - + + This is a broadcast announcement by which the Windows machine is attempting to locate a Domain Master Browser (DMB) in the event that it might exist on the network. Refer to TOSHARG2, Chapter 9, Section 9.7, “Technical Overview of Browsing,” for details regarding the function of the DMB and its role in network browsing. -

    +

    What is the significance of the MIDEARTH<1d> type name registration?

    - - + + This name registration records the machine IP addresses of the LMBs. Network clients can query this name type to obtain a list of browser servers from the master browser. @@ -451,25 +451,25 @@ The IP address of the DMB (if one exists)

  • The IP address of the LMB on the local segment -

    • +

    What is the role and significance of the <01><02>__MSBROWSE__<02><01> name registration?

    - + This name is registered by the browse master to broadcast and receive domain announcements. Its scope is limited to the local network segment, or subnet. By querying this name type, master browsers on networks that have multiple domains can find the names of master browsers for each domain. -

    +

    What is the significance of the MIDEARTH<1e> type name registration?

    - + This name is registered by all browse masters in a domain or workgroup. The registration name type is known as the Browser Election Service. Master browsers register themselves with this name type so that DMBs can locate them to perform cross-subnet browse list updates. This name type is also used to initiate elections for Master Browsers. -

    - +

    + What is the significance of the guest account in smb.conf?

    This parameter specifies the default UNIX account to which MS Windows networking @@ -481,28 +481,28 @@ It should be noted that the guest account is essential to Samba operation. Either the operating system must have an account called nobody or there must be an entry in the smb.conf file with a valid UNIX account, such as - guest account = ftp. -

    + guest account = ftp. +

    Is it possible to reduce network broadcast activity with Samba-3?

    - - + + Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG2, Chapter 9, Section 9.5, “WINS The Windows Inter-networking Name Server”); the alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires a correctly configured DNS server (see TOSHARG2, Chapter 9, Section 9.3, “Discussion”).

    - - - + + + The use of WINS reduces network broadcast traffic. The reduction is greatest when all network clients are configured to operate in Hybrid Mode. This can be effected through use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is - beneficial to configure Samba to use name resolve order = wins host cast. + beneficial to configure Samba to use name resolve order = wins host cast.

    Note

    Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as well as with Samba-3. -

    +

    Can I just use plain-text passwords with Samba?

    Yes, you can configure Samba to use plain-text passwords, though this does create a few problems. @@ -525,22 +525,22 @@ a UNIX system account for that user. On systems that run winbindd to access the Samba PDC/BDC to provide Windows user and group accounts, the idmap uid, idmap gid ranges set in the smb.conf file provide the local UID/GIDs needed for local identity management purposes. -

    +

    What parameter in the smb.conf file is used to enable the use of encrypted passwords?

    The parameter in the smb.conf file that controls this behavior is known as encrypt passwords. The default setting for this in Samba-3 is Yes (Enabled). -

    - Is it necessary to specify encrypt passwords = Yes +

    + Is it necessary to specify encrypt passwords = Yes when Samba-3 is configured as a domain member?

    No. This is the default behavior. -

    +

    Is it necessary to specify a guest account when Samba-3 is configured as a domain member server?

    Yes. This is a local function on the server. The default setting is to use the UNIX account nobody. If this account does not exist on the UNIX server, then it is - necessary to provide a guest account = an_account, + necessary to provide a guest account = an_account, where an_account is a valid local UNIX user account. -


    [15] TOSHARG2, Sect 4.5.1

    Prev Up Next
    Chapter 15. A Collection of Useful Tidbits Home Appendix A. GNU General Public License
    +


    [15] TOSHARG2, Sect 4.5.1

    Prev Up Next
    Chapter 15. A Collection of Useful Tidbits Home Appendix A. GNU General Public License
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/RefSection.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/RefSection.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/RefSection.html 2005-08-19 12:59:38.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/RefSection.html 2005-12-19 10:19:32.000000000 -0600 @@ -1,9 +1,9 @@ -Part III. Reference Section
    Part III. Reference Section
    Prev   Next

    Reference Section

    Reference Section

    +Part III. Reference Section

    Part III. Reference Section
    Prev   Next

    Reference Section

    Reference Section

    This section Samba-3 by Example provides important reference material that may help you to solve network performance issues, to answer some of the critiques published regarding Samba, or just to gain a more broad understanding of how Samba can play in a Windows networking world. -

    Table of Contents

    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License
    Preamble
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    Section 0
    Section 1
    Section 2
    Section 3 +

    Table of Contents

    11. Active Directory, Kerberos, and Security
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Implementation
    Share Access Controls
    Share Definition Controls
    Share Point Directory and File Permissions
    Managing Windows 200x ACLs
    Key Points Learned
    Questions and Answers
    12. Integrating Additional Services
    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Removal of Pre-Existing Conflicting RPMs
    Key Points Learned
    Questions and Answers
    13. Performance, Reliability, and Availability
    Introduction
    Dissection and Discussion
    Guidelines for Reliable Samba Operation
    Name Resolution
    Samba Configuration
    Use and Location of BDCs
    Use One Consistent Version of MS Windows Client
    For Scalability, Use SAN-Based Storage on Samba Servers
    Distribute Network Load with MSDFS
    Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
    Hardware Problems
    Large Directories
    Key Points Learned
    14. Samba Support
    Free Support
    Commercial Support
    15. A Collection of Useful Tidbits
    Joining a Domain: Windows 200x/XP Professional
    Samba System File Location
    Starting Samba
    DNS Configuration Files
    The Forward Zone File for the Loopback Adaptor
    The Reverse Zone File for the Loopback Adaptor
    DNS Root Server Hint File
    Alternative LDAP Database Initialization
    Initialization of the LDAP Database
    The LDAP Account Manager
    IDEALX Management Console
    Effect of Setting File and Directory SUID/SGID Permissions Explained
    Shared Data Integrity
    Microsoft Access
    Act! Database Sharing
    Opportunistic Locking Controls
    16. Networking Primer
    Requirements and Notes
    Introduction
    Assignment Tasks
    Exercises
    Single-Machine Broadcast Activity
    Second Machine Startup Broadcast Interaction
    Simple Windows Client Connection Characteristics
    Windows 200x/XP Client Interaction with Samba-3
    Conclusions to Exercises
    Dissection and Discussion
    Technical Issues
    Questions and Answers
    A. GNU General Public License
    Preamble
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    Section 0
    Section 1
    Section 2
    Section 3
    Section 4
    Section 5
    Section 6 diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/secure.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/secure.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/secure.html 2005-08-19 12:59:22.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/secure.html 2005-12-19 10:19:06.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 3. Secure Office Networking
    Chapter 3. Secure Office Networking
    Prev Part I. Example Network Configurations Next

    Chapter 3. Secure Office Networking

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers

    +Chapter 3. Secure Office Networking

    Chapter 3. Secure Office Networking
    Prev Part I. Example Network Configurations Next

    Chapter 3. Secure Office Networking

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Basic System Configuration
    Samba Configuration
    Configuration of DHCP and DNS Servers
    Printer Configuration
    Process Startup Configuration
    Validation
    Application Share Configuration
    Windows Client Configuration
    Key Points Learned
    Questions and Answers

    Congratulations, your Samba networking skills are developing nicely. You started out with three simple networks in ???, and then in ??? you designed and built a network that provides a high degree of flexibility, integrity, @@ -11,7 +11,7 @@ so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. To avoid confusion, this book is all about Samba-3. Let's get the exercises in this chapter underway. -

    Introduction

    +

    Introduction

    You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work well done. It is one year since the last network upgrade. You have been quite busy. Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over @@ -40,7 +40,7 @@ Occasionally she wants to work with you on a challenging problem. When you told her about your move, she almost resigned, although she was reassured that a new manager would be hired to run Information Technology, and she would be responsible only for operations. -

    Assignment Tasks

    +

    Assignment Tasks

    You promised the staff Internet services including Web browsing, electronic mail, virus protection, and a company Web site. Christine is eager to help turn the vision into reality. Let's see how close you can get to the promises made. @@ -83,13 +83,13 @@ of users had to share a PC while waiting for new machines to arrive. This presented some problems with desktop computers and software installation into the new users' desktop profiles. -

    Dissection and Discussion

    +

    Dissection and Discussion

    Many of the conclusions you draw here are obvious. Some requirements are not very clear or may simply be your means of drawing the most out of Samba-3. Much can be done more simply than you will demonstrate here, but keep in mind that the network must scale to at least 500 users. This means that some functionality will be overdesigned for the current 130-user environment. -

    Technical Issues

    +

    Technical Issues

    In this exercise we use a 24-bit subnet mask for the two local networks. This, of course, limits our network to a maximum of 253 usable IP addresses. The network address range chosen is one assigned by RFC1918 for private networks. @@ -97,14 +97,14 @@ addresses, it is a good idea to switch to a network address specified in RFC1918 in the 172.16.0.0/16 range. This is done in subsequent chapters.

    - - + + The high growth rates projected are a good reason to use the tdbsam passdb backend. The use of smbpasswd for the backend may result in performance problems. The tdbsam passdb backend offers features that are not available with the older, flat ASCII-based smbpasswd database.

    - + The proposed network design uses a single server to act as an Internet services host for electronic mail, Web serving, remote administrative access via SSH, Samba-based file and print services. This design is often chosen by sites that feel @@ -117,10 +117,10 @@ Samba will be configured to specifically not operate on the Ethernet interface that is directly connected to the Internet.

    - - - - + + + + You know that your ISP is providing full firewall services, but you cannot rely on that. Always assume that human error will occur, so be prepared by using Linux firewall facilities based on iptables to effect NAT. Block all @@ -131,7 +131,7 @@ generic antivirus handling are beyond the scope of this book and therefore are not covered except insofar as this affects Samba-3.

    - + Notebook computers are configured to use a network login when in the office and a local account to log in while away from the office. Users store all work done in transit (away from the office) by using a local share for work files. Standard procedures @@ -141,26 +141,26 @@ This is a preventative measure to protect client information as well as private business records.

    - + All applications are served from the central server from a share called apps. Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network (or administrative) installation. Accounting and financial management software can also be run only from the central application server. Notebook users are provided with locally installed applications on a need-to-have basis only.

    - + The introduction of roaming profiles support means that users can move between desktop computer systems without constraint while retaining full access to their data. The desktop travels with them as they move.

    - + The DNS server implementation must now address both internal and external needs. You forward DNS lookups to your ISP-provided server as well as the abmas.us external secondary DNS server.

    - - - + + + Compared with the DHCP server configuration in ???, ???, the configuration used in this example has to deal with the presence of an Internet connection. The scope set for it ensures that no DHCP services will be offered on the external @@ -184,8 +184,8 @@ a problem because Christine is to install and configure one single workstation and then clone that configuration, using Norton Ghost, to all workstations. Each machine is identical, so this should pose no problem. -

    Hardware Requirements

    - +

    Hardware Requirements

    + This server runs a considerable number of services. From similarly configured Linux installations, the approximate calculated memory requirements are as shown in ???. @@ -213,7 +213,7 @@ as the system load builds up. Given the low cost of memory, it does not make sense to compromise in this area.

    - + Aggregate input/output loads should be considered for sizing network configuration as well as disk subsystems. For network bandwidth calculations, one would typically use an estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) @@ -222,8 +222,8 @@ to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T switched ports.

    - - + + Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O demand that would require a fast disk storage I/O capability. Peak disk throughput is @@ -255,10 +255,10 @@ Add 50% buffer 303 GBytes Recommended Storage: 908 GBytes

    - + The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. -

    Political Issues

    +

    Political Issues

    Your industry is coming under increasing accountability pressures. Increased paranoia is necessary so you can demonstrate that you have acted with due diligence. You must not trust your Internet connection. @@ -267,12 +267,12 @@ an application server, your primary reason for the decision to implement this is that it gives you greater control over software licensing.

    - + You are well aware that the current configuration results in some performance issues as the size of the desktop profile grows. Given that users use Microsoft Outlook Express, you know that the storage implications of the .PST file is something that needs to be addressed later. -

    Implementation

    +

    Implementation

    ??? demonstrates the overall design of the network that you will implement.

    The information presented here assumes that you are already familiar with many basic steps. @@ -288,9 +288,9 @@

  • The Domain name is set to PROMISES.

  • - - - + + + Ethernet interface eth0 is attached to the Internet connection and is externally exposed. This interface is explicitly not available for Samba to use. Samba listens on this interface for broadcast messages but does not broadcast any @@ -298,34 +298,34 @@ This is achieved by way of the interfaces parameter and the bind interfaces only entry.

  • - - - + + + The passdb backend parameter specifies the creation and use of the tdbsam password backend. This is a binary database that has excellent scalability for a large number of user account entries.

  • - - - - WINS serving is enabled by the wins support = Yes, + + + + WINS serving is enabled by the wins support = Yes, and name resolution is set to use it by means of the - name resolve order = wins bcast hosts entry. + name resolve order = wins bcast hosts entry.

  • - + The Samba server is configured for use by Windows clients as a time server.

  • - - - + + + Samba is configured to directly interface with CUPS via the direct internal interface that is provided by CUPS libraries. This is achieved with the - printing = CUPS as well as the - printcap name = CUPS entries. + printing = CUPS as well as the + printcap name = CUPS entries.

  • - - - + + + External interface scripts are provided to enable Samba to interface smoothly to essential operating system functions for user and group management. This is important to enable workstations to join the Domain and is also important so that you can use @@ -334,21 +334,21 @@ downloaded from the Microsoft FTP site.

  • - + The smb.conf file specifies that the Samba server will operate in (default) - security = user mode[5] + security = user mode[5] (User Mode).

  • - - + + Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration.

  • - - - + + + Roaming profiles are enabled through the specification of the parameter, - logon path = \\%L\profiles\%U. The value of this parameter translates the + logon path = \\%L\profiles\%U. The value of this parameter translates the %L to the name by which the Samba server is called by the client (for this configuration, it translates to the name DIAMOND), and the %U will translate to the name of the user within the context of the connection made to the profile share. @@ -356,8 +356,8 @@ profile share for each user. This directory must be owned by the user also. An exception to this requirement is when a profile is created for group use.

  • - - + + Precautionary veto is effected for particular Windows file names that have been targeted by virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking controls. This should help to prevent lock contention-related file access problems. @@ -385,12 +385,12 @@

    • The following sections cover each step in logical and defined detail.

    Basic System Configuration

    - + The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been freshly installed. It prepares basic files so that the system is ready for comprehensive operation in line with the network diagram shown in ???. -

    Procedure 3.1. Server Configuration Steps

    1. - +

      Procedure 3.1. Server Configuration Steps

      1. + Using the UNIX/Linux system tools, name the server server.abmas.us. Verify that your hostname is correctly set by running: 

        @@ -403,8 +403,8 @@
 server.abmas.us

      2. - - + + Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system can resolve all its own names to the IP address prior to @@ -425,15 +425,15 @@ 192.168.2.20 qmsf.abmas.biz qmsf 192.168.2.30 hplj6f.abmas.biz hplj6f

        - - - + + + The printer entries are not necessary if named is started prior to startup of cupsd, the CUPS daemon.

      3. - - - + + + The host server is acting as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: @@ -442,10 +442,10 @@

        To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to - act as a router.[6] + act as a router.[6]

      4. - - + + Installation of a basic firewall and NAT facility is necessary. The following script can be installed in the /usr/local/sbin directory. It is executed from the /etc/rc.d/boot.local startup @@ -524,15 +524,15 @@ /usr/local/sbin/abmas-natfw.sh

      - + The server is now ready for Samba configuration. During the validation step, you remove the entry for the Samba server diamond from the /etc/hosts file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. -

    Samba Configuration

    +

    Samba Configuration

    When you have completed this section, the Samba server is ready for testing and validation; however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have been configured. -

    Procedure 3.2. Samba Configuration Steps

    1. +

      Procedure 3.2. Samba Configuration Steps

      1. Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary RPM file is called samba-3.0.20-1.i386.rpm, one way to install this file is as follows: @@ -547,13 +547,13 @@ and ???. Concatenate (join) all three files to make a single smb.conf file. The final, fully qualified path for this file should be /etc/samba/smb.conf. -

        Example 3.4. 130 User Network with tdbsam [globals] Section

        # Global parameters
        [global]
        workgroup = PROMISES
        netbios name = DIAMOND
        interfaces = eth1, eth2, lo
        bind interfaces only = Yes
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        logon home = \\%L\%U
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        utmp = Yes
        map acl inherit = Yes
        printing = cups
        cups options = Raw
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb/

        +

        Example 3.4. 130 User Network with tdbsam [globals] Section

        # Global parameters
        [global]
        workgroup = PROMISES
        netbios name = DIAMOND
        interfaces = eth1, eth2, lo
        bind interfaces only = Yes
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        logon home = \\%L\%U
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        utmp = Yes
        map acl inherit = Yes
        printing = cups
        cups options = Raw
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb/

        -

        Example 3.5. 130 User Network with tdbsam Services Section Part A

        [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        [printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        default devmode = Yes
        browseable = No
        [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No
        [profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes
        [accounts]
        comment = Accounting Files
        path = /data/accounts
        read only = No

        +

        Example 3.5. 130 User Network with tdbsam Services Section Part A

        [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        [printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        default devmode = Yes
        browseable = No
        [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No
        [profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes
        [accounts]
        comment = Accounting Files
        path = /data/accounts
        read only = No

        -

        Example 3.6. 130 User Network with tdbsam Services Section Part B

        [service]
        comment = Financial Services Files
        path = /data/service
        read only = No
        [pidata]
        comment = Property Insurance Files
        path = /data/pidata
        read only = No
        [apps]
        comment = Application Files
        path = /apps
        read only = Yes
        admin users = bjordan

        +

        Example 3.6. 130 User Network with tdbsam Services Section Part B

        [service]
        comment = Financial Services Files
        path = /data/service
        read only = No
        [pidata]
        comment = Property Insurance Files
        path = /data/pidata
        read only = No
        [apps]
        comment = Application Files
        path = /apps
        read only = Yes
        admin users = bjordan

      2. - + Add the root user to the password backend as follows: 

         root#  smbpasswd -a root
@@ -566,7 +566,7 @@
 		deleted. If for any reason the account is deleted, you may not be able to recreate this account
 		without considerable trouble.

      3. - + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -593,16 +593,16 @@ ####

      4. - - - - + + + + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in ???, ???. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows: -

        Example 3.7. Script to Map Windows NT Groups to UNIX Groups

        +
        Example 3.7. Script to Map Windows NT Groups to UNIX Groups
         #!/bin/bash
 #
 # initGrps.sh
@@ -655,13 +655,13 @@
 Users (S-1-5-32-545) -> -1

      5. - - - - - - - + + + + + + + There is one preparatory step without which you will not have a working Samba network environment. You must add an account for each network user. For each user who needs to be given a Windows Domain account, make an entry in the @@ -686,9 +686,9 @@

        You do of course use a valid user login ID in place of username.

      6. - - - + + + Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control will be based on UNIX group membership.

      7. @@ -697,7 +697,7 @@ file is /data. Format the file system as required, and mount the formatted file system partition using appropriate system tools.

      8. - + Create the top-level file storage directories for data and applications as follows: 

         root#  mkdir -p /data/{accounts,finsvcs}
@@ -736,9 +736,9 @@
 root#  chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'

      9. - - - + + + Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unix2dos and dos2unix) are installed. @@ -758,8 +758,8 @@ DHCP services are a basic component of the entire network client installation. DNS operation is foundational to Internet access as well as to trouble-free operation of local networking. When you have completed this section, the server should be ready for solid duty operation. -

        Procedure 3.3. DHCP and DNS Server Configuration Steps

        1. - +

          Procedure 3.3. DHCP and DNS Server Configuration Steps

          1. + Create a file called /etc/dhcpd.conf with the contents as shown in ???. @@ -810,7 +810,7 @@ }

        2. - + Create a file called /etc/named.conf that has the combined contents of the ???, ???, and ??? files that are concatenated (merged) in this @@ -821,7 +821,7 @@

          Table 3.2. DNS (named) Resource Files

          ReferenceFile Location
          ???/var/lib/named/localhost.zone
          ???/var/lib/named/127.0.0.zone
          ???/var/lib/named/root.hint
          ???/var/lib/named/master/abmas.biz.hosts
          ???/var/lib/named/abmas.us.hosts
          ???/var/lib/named/192.168.1.0.rev
          ???/var/lib/named/192.168.2.0.rev

          -

          Example 3.9. DNS Master Configuration File /etc/named.conf Master Section

          +
          Example 3.9. DNS Master Configuration File  /etc/named.conf Master Section
           ###
 # Abmas Biz DNS Control File
 ###
@@ -1006,7 +1006,7 @@

        3. - + All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf to have the following content: @@ -1015,13 +1015,13 @@ nameserver 127.0.0.1 nameserver 123.45.54.23

          - + This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses. In the event that the local name server is not available, ask the name server provided by the ISP. The latter, of course, does not resolve purely local names to IP addresses.

        4. - + The final step is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -1040,17 +1040,17 @@ transparent print queue that performs no filtering, and only minimal handling of each print job that is submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that the correct printer driver must be installed on all clients. -

          Procedure 3.4. Printer Configuration Steps

          1. +

            Procedure 3.4. Printer Configuration Steps

            1. Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines.

            2. Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the port as necessary in the following example commands. This allows the CUPS spooler to print using raw mode protocols. - - + +

            3. - + Configure the CUPS Print Queues as follows: 

               root#  lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
@@ -1058,9 +1058,9 @@
 root#  lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
 root#  lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E

              - + This creates the necessary print queues with no assigned print filter. -

            4. +

            5. Print queues may not be enabled at creation. Use lpc stat to check the status of the print queues and, if necessary, make certain that the queues you have just created are enabled by executing the following: @@ -1070,7 +1070,7 @@ root# /usr/bin/enable qmsf root# /usr/bin/enable hplj6f

              -

            6. +

            7. Even though your print queues may be enabled, it is still possible that they are not accepting print jobs. A print queue services incoming printing requests only when configured to do so. Ensure that your print queues are @@ -1082,15 +1082,15 @@ root# /usr/bin/accept hplj6f

            8. - - - + + + Edit the file /etc/cups/mime.convs to uncomment the line: 

               application/octet-stream     application/vnd.cups-raw      0     -

            9. - + Edit the file /etc/cups/mime.types to uncomment the line: 

               application/octet-stream
@@ -1103,7 +1103,7 @@
 	
              
 	The UNIX system print queues have been configured and are ready for validation testing.

            Process Startup Configuration

            - + There are two essential steps to process startup configuration. First, the process must be configured so that it automatically restarts each time the server is rebooted. This step involves use of the chkconfig tool that @@ -1112,11 +1112,11 @@ directories. Links are created so that when the system run level is changed, the necessary start or kill script is run.

            - - - - - + + + + + In the event that a service is not run as a daemon, but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory @@ -1127,7 +1127,7 @@

            1. Use the standard system tool to configure each service to restart automatically at every system reboot. For example, - + 

               root#  chkconfig dhpc on
 root#  chkconfig named on
@@ -1135,9 +1135,9 @@
 root#  chkconfig smb on

            2. - - - + + + Now start each service to permit the system to be validated. Execute each of the following in the sequence shown: @@ -1148,7 +1148,7 @@ root# /etc/rc.d/init.d/smb restart

            Validation

            - + Complex networking problems are most often caused by simple things that are poorly or incorrectly configured. The validation process adopted here should be followed carefully; it is the result of the experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should @@ -1158,8 +1158,8 @@ days. A well debugged network is a foundation for happy network users and network administrators. Later in this book you learn how to make users happier. For now, it is enough to learn to validate. Let's get on with it. -

            Procedure 3.6. Server Validation Steps

            1. - +

              Procedure 3.6. Server Validation Steps

              1. + One of the most important facets of Samba configuration is to ensure that name resolution functions correctly. You can check name resolution with a few simple tests. The most basic name resolution is provided from the @@ -1185,7 +1185,7 @@ This proves that name resolution via the /etc/hosts file is working.

              2. - + So far, your installation is going particularly well. In this step we validate DNS server and name resolution operation. Using your favorite UNIX system editor, change the /etc/nsswitch.conf file so that the @@ -1194,7 +1194,7 @@ hosts: dns

              3. - + Before you test DNS operation, it is a good idea to verify that the DNS server is running by executing the following: 

                @@ -1208,7 +1208,7 @@
  2552 pts/2    S      0:00 grep named

                This means that we are ready to check DNS operation. Do so by executing: - + 

                 root#  ping diamond
 PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
@@ -1224,12 +1224,12 @@
 root#  host -f diamond.abmas.biz
 sleeth1.abmas.biz has address 192.168.1.1

                - + You may now remove the entry called diamond from the /etc/hosts file. It does not hurt to leave it there, but its removal reduces the number of administrative steps for this name.

              4. - + WINS is a great way to resolve NetBIOS names to their IP address. You can test the operation of WINS by starting nmbd (manually or by way of the Samba startup method shown in ???). You must edit @@ -1238,14 +1238,17 @@ 

                 hosts:        wins

                - The next step is to make certain that Samba is running using ps ax|grep mbd, and then execute the following: + The next step is to make certain that Samba is running using ps ax | grep mbd. + The nmbd daemon will provide the WINS name resolution service when the + smb.conf file parameter wins support = Yes has been specified. Having validated that Samba is operational, + excute the following: 

                 root#  ping diamond
 PING diamond (192.168.1.1) 56(84) bytes of data.
 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms

                - + Now that you can relax with the knowledge that all three major forms of name resolution to IP address resolution are working, edit the /etc/nsswitch.conf again. This time you add all three forms of name resolution to this file. @@ -1266,7 +1269,7 @@ This shows that the server is running. The proof of whether or not it is working comes when you try to add the first DHCP client to the network.

              5. - + This is a good point at which to start validating Samba operation. You are content that name resolution is working for basic TCP/IP needs. Let's move on. If your smb.conf file has bogus options or parameters, this may cause Samba @@ -1338,10 +1341,10 @@

                Clear away all errors before proceeding.

              6. - - - - + + + + Check that the Samba server is running: 

                 root#  ps ax | grep mbd
@@ -1354,10 +1357,10 @@
 14295 ?        S     0:00 /usr/sbin/winbindd -B

                The winbindd daemon is running in split mode (normal), so there are also - two instances[7] of it. + two instances[7] of it.

              7. - - + + Check that an anonymous connection can be made to the Samba server: 

                 root#  smbclient -L localhost -U%
@@ -1389,9 +1392,9 @@
 			The -U% argument means to send a NULL username and
 			a NULL password.

              8. - - - + + + Verify that each printer has the IP address assigned in the DHCP server configuration file. The easiest way to do this is to ping the printer name. Immediately after the ping response has been received, execute arp -a to find the MAC address of the printer @@ -1406,12 +1409,12 @@ root# arp -a hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0

                - + The MAC address 00:03:47:CB:81:E0 matches that specified for the IP address from which the printer has responded and with the entry for it in the /etc/dhcpd.conf file. Repeat this for each printer configured.

              9. - + Make an authenticated connection to the server using the smbclient tool: 

                 root#  smbclient //diamond/accounts -U gholmes
@@ -1430,7 +1433,7 @@
 smb: \> q

              10. - + Your new server is connected to an Internet-accessible connection. Before you start your firewall, you should run a port scanner against your system. You should repeat that after the firewall has been started. This helps you understand to what extent the @@ -1505,8 +1508,8 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds

            Application Share Configuration

            - - + + The use of an application server is a key mechanism by which desktop administration overheads can be reduced. Check the application manual for your software to identify how best to create an administrative installation. @@ -1527,7 +1530,7 @@ on a central network share. This type of installation often prevents storage of work files on the local workstation.

          - + A common application deployed in this environment is an office suite. Enterprise editions of Microsoft Office XP Professional can be administratively installed by launching the installation from a command shell. The command that achieves this is @@ -1544,8 +1547,8 @@ A network workstation (minimum) installation requires typically 10 MB to 15 MB of local disk space. In the latter case, when the applications are used, they load over the network.

          - - + + Microsoft Office Service Packs can be unpacked to update an administrative share. This makes it possible to update MS Office XP Professional for all users from a single installation of the service pack and generally circumvents the need to run updates on each network @@ -1554,7 +1557,7 @@ The default location for MS Office XP Professional data files can be set through registry editing or by way of configuration options inside each Office XP Professional application.

          - + OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also be installed to run off a network share. The latter is a most desirable solution for office-bound network users and for administrative staff alike. It permits quick and easy updates @@ -1567,7 +1570,7 @@ prompted on screen for the target installation location. This is the administrative share point. The full administrative OpenOffice share takes approximately 150 MB of disk space. -

          Comments Regarding Software Terms of Use

          +

          Comments Regarding Software Terms of Use

          Many single-user products can be installed into an administrative share, but personal versions of products such as Microsoft Office XP Professional do not permit this. Many people do not like terms of use typical with commercial products, so a few comments @@ -1591,7 +1594,7 @@ also. Whatever the licensing terms may be, if you do not approve of the terms of use, please do not use the software.

          - + Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided with the source code.

          Windows Client Configuration

          @@ -1602,8 +1605,8 @@ Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can be done with notebook computers as long as they are identical or sufficiently similar.

          Procedure 3.7. Windows Client Configuration Procedure

          1. - - + + Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet. @@ -1636,7 +1639,7 @@ Install printers on each machine following the steps shown in the Windows client printer preparation procedure below.

          2. - + When you are satisfied that the staging systems are complete, use the appropriate procedure to remove the client from the domain. Reboot the system and then log on as the local administrator and clean out all temporary files stored on the system. Before shutting down, use the disk @@ -1645,8 +1648,8 @@ Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the machine to a network share on the server.

          3. - - + + You may now replicate the image to the target machines using the appropriate Norton Ghost procedure. Make sure to use the procedure that ensures each machine has a unique Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. @@ -1681,7 +1684,7 @@

          4. Repeat the printer installation steps above for both HP LaserJet 6 printers as well as for both QMS Magicolor laser printers. -

          Key Points Learned

          +

      Key Points Learned

      How do you feel? You have built a capable network, a truly ambitious project. Future network updates can be handled by your staff. You must be a satisfied manager. Let's review the achievements. @@ -1704,29 +1707,29 @@ You introduced an application server as well as the concept of cloning a Windows client in order to effect improved standardization of desktops and to reduce the costs of network management. -

    Questions and Answers

    -

    1. +

    Questions and Answers

    +

    1. What is the maximum number of account entries that the tdbsam passdb backend can handle? -
    2. +
    2. Would Samba operate any better if the OS level is set to a value higher than 35? -
    3. +
    3. Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? -
    4. +
    4. Why has a path been specified in the IPC$ share? -
    5. +
    5. Why does the smb.conf file in this exercise include an entry for smb portssmb ports? -
    6. +
    6. What is the difference between a print queue and a printer? -
    7. +
    7. Can all MS Windows application software be installed onto an application server share? -
    8. +
    8. Why use dynamic DNS (DDNS)? -
    9. +
    9. Why would you use WINS as well as DNS-based name resolution? -
    10. +
    10. What are the major benefits of using an application server? -
    1.

    +
    1.

    What is the maximum number of account entries that the tdbsam passdb backend can handle?

    @@ -1752,27 +1755,27 @@ at which most networks tend to want backup domain controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication, - not on the limits[8] of the tdbsam backend itself. -

    2.

    + not on the limits[8] of the tdbsam backend itself. +

    2.

    Would Samba operate any better if the OS level is set to a value higher than 35?

    No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value of 35 already assures Samba of precedence over MS Windows products in browser elections. There is no gain to be had from setting this higher. -

    3.

    +

    3.

    Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?

    At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. -

    4.

    +

    4.

    Why has a path been specified in the IPC$ share?

    This is done so that in the event that a software bug may permit a client connection to the IPC$ share to obtain access to the file system, it does so at a location that presents least risk. Under normal operation this type of paranoid step should not be necessary. The use of this parameter should not be necessary. -

    5.

    - Why does the smb.conf file in this exercise include an entry for smb ports? +

    5.

    + Why does the smb.conf file in this exercise include an entry for smb ports?

    The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS @@ -1780,7 +1783,7 @@ specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain member, the default behavior is highly beneficial and should not be changed. -

    6.

    +

    6.

    What is the difference between a print queue and a printer?

    A printer is a physical device that is connected either directly to the network or to a computer @@ -1794,7 +1797,7 @@ print requests. When the data stream has been fully received, the input stream is closed, and the job is then submitted to a sequential print queue where the job is stored until the printer is ready to receive the job. -

    7.

    +

    7.

    Can all MS Windows application software be installed onto an application server share?

    Much older Windows software is not compatible with installation to and execution from @@ -1802,13 +1805,13 @@ be installed to an application server. Retail consumer versions of Microsoft Office XP Professional do not permit installation to an application server share and can be installed and used only to/from a local workstation hard disk. -

    8.

    +

    8.

    Why use dynamic DNS (DDNS)?

    When DDNS records are updated directly from the DHCP server, it is possible for network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate Windows clients via DNS. -

    9.

    +

    9.

    Why would you use WINS as well as DNS-based name resolution?

    WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is @@ -1816,7 +1819,7 @@ means top-level domain. A FQDN is a longhand but easy-to-remember expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long. The 16th character - is a name type indicator. A specific name type is registered[9] for each + is a name type indicator. A specific name type is registered[9] for each type of service that is provided by the Windows server or client and that may be registered where a WINS server is in use.

    @@ -1831,24 +1834,24 @@ which it has control.

    Windows 200x Active Directory requires the registration in the DNS zone for the domain it - controls of service locator[10] records + controls of service locator[10] records that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also requires the registration of special records that are called global catalog (GC) entries and site entries by which domain controllers and other essential ADS servers may be located. -

    10.

    +

    10.

    What are the major benefits of using an application server?

    The use of an application server can significantly reduce application update maintenance. By providing a centralized application share, software updates need be applied to only one location for all major applications used. This results in faster update roll-outs and significantly better application usage control. -


    [5] See TOSHARG2, Chapter 3. +


    [5] See TOSHARG2, Chapter 3. This is necessary so that Samba can act as a Domain Controller (PDC); see - TOSHARG2, Chapter 4, for additional information.

    [6] You may want to do the echo command last and include - "0" in the init scripts, since it opens up your network for a short time.

    [7] For more information regarding winbindd, see TOSHARG2, + TOSHARG2, Chapter 4, for additional information.

    [6] You may want to do the echo command last and include + "0" in the init scripts, since it opens up your network for a short time.

    [7] For more information regarding winbindd, see TOSHARG2, Chapter 23, Section 23.3. The single instance of smbd is normal. One additional smbd slave process is spawned for each SMB/CIFS client - connection.

    [8] Bench tests have shown that tdbsam is a very + connection.

    [8] Bench tests have shown that tdbsam is a very effective database technology. There is surprisingly little performance loss even - with over 4000 users.

    [9] - See TOSHARG2, Chapter 9, for more information.

    [10] See TOSHARG2, Chapter 9, Section 9.3.3.

    Prev Up Next
    Chapter 2. Small Office Networking Home Chapter 4. The 500-User Office
    + with over 4000 users.

    [9] + See TOSHARG2, Chapter 9, for more information.

    [10] See TOSHARG2, Chapter 9, Section 9.3.3.

    Prev Up Next
    Chapter 2. Small Office Networking Home Chapter 4. The 500-User Office
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/simple.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/simple.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/simple.html 2005-08-19 12:59:18.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/simple.html 2005-12-19 10:19:03.000000000 -0600 @@ -1,13 +1,13 @@ -Chapter 1. No-Frills Samba Servers
    Chapter 1. No-Frills Samba Servers
    Prev Part I. Example Network Configurations Next

    Chapter 1. No-Frills Samba Servers

    Table of Contents

    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers

    +Chapter 1. No-Frills Samba Servers

    Chapter 1. No-Frills Samba Servers
    Prev Part I. Example Network Configurations Next

    Chapter 1. No-Frills Samba Servers

    Table of Contents

    Introduction
    Assignment Tasks
    Drafting Office
    Charity Administration Office
    Accounting Office
    Questions and Answers

    This is the start of the real journey toward the successful deployment of Samba. For some this chapter is the end of the road because their needs will have been adequately met. For others, this chapter is the beginning of a journey that will take them well past the contents of this book. This book provides example configurations of, for the greater part, complete networking solutions. The intent of this book is to help you to get your Samba installation working with the least amount of pain and aggravation. -

    Introduction

    +

    Introduction

    This chapter lays the groundwork for understanding the basics of Samba operation. Instead of a bland technical discussion, each principle is demonstrated by way of a - real-world scenario for which a working solution[1] is fully described. + real-world scenario for which a working solution[1] is fully described.

    The practical exercises take you on a journey through a drafting office, a charity administration office, and an accounting office. You may choose to apply any or all of these exercises to your own environment. @@ -17,7 +17,7 @@ find much improved solutions compared with those presented here. By the time you complete this book, you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your way through the examples. -

    Assignment Tasks

    +

    Assignment Tasks

    Each case presented highlights different aspects of Windows networking for which a simple Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases. The cases are briefly reviewed to cover important points. Instructions are based @@ -28,7 +28,7 @@

    • A drafting office

    • A charity administration office

    • An accounting office

    Let's get started. -

    Drafting Office

    +

    Drafting Office

    Our fictitious company is called Abmas Design, Inc. This is a three-person computer-aided design (CAD) business that often has more work than can be handled. The business owner hires contract draftspeople from wherever he can. They bring their own @@ -38,15 +38,15 @@ plans that are stored on a central server one day per month. She knows how to upload plans from each machine. The files available from the server must remain read-only. Anyone should be able to access the plans at any time and without barriers or difficulty. -

    - +

    + Mr. Bob Jordan has asked you to install the new server as economically as possible. The central server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora CoreX and have upgraded Samba to version 3.0.20 using the RPM package that is provided from the Samba FTP sites. (Note: Fedora CoreX indicates your favorite version.) -

    +

    The four permanent drafting machines (Microsoft Windows workstations) have attached printers and plotters that are shared on a peer-to-peer basis by any and all network users. The intent is to continue to share printers in this manner. The three permanent staff work together with @@ -55,15 +55,15 @@ area is copied to the central server and the files are removed from the main weekly storage machine. The office works best with this arrangement and does not want to change anything. Old habits are too ingrained. -

    Dissection and Discussion

    - +

    Dissection and Discussion

    + The requirements for this server installation demand simplicity. An anonymous read-only file server adequately meets all needs. The network consultant determines how to upload all files from the weekly storage area to the server. This installation should focus only on critical aspects of the installation.

    It is not necessary to have specific users on the server. The site has a method for storing - all design files (plans). Each plan is stored in a directory that is named YYYYWW,[2] where + all design files (plans). Each plan is stored in a directory that is named YYYYWW,[2] where YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored by week of year to preserve the filing technique the site is familiar with. There is also a customer directory that is alphabetically listed. At the top level are 26 @@ -73,18 +73,18 @@ plans to be located both by customer name and by the date the work was performed, without demanding the disk space that would be needed if a duplicate file copy were to be stored. The share containing the plans is called Plans. -

    Implementation

    +

    Implementation

    It is assumed that the server is fully installed and ready for installation and configuration of Samba 3.0.20 and any support files needed. All TCP/IP addresses have been hard-coded. In our case the IP address of the Samba server is 192.168.1.1 and the netmask is 255.255.255.0. The hostname of the server used is server. -

    Procedure 1.1. Samba Server Configuration

    1. +

      Procedure 1.1. Samba Server Configuration

      1. Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba FTP servers.

      2. - - + + Install the RPM package using either the Red Hat Linux preferred GUI tool or the rpm: 

        @@ -100,7 +100,7 @@
 			The 755 permissions on this directory (mount point) permit the owner to read, write,
 			and execute, and the group and everyone else to read and execute only.
 			
        
-			
+			
 			Use Red Hat Linux system tools (refer to Red Hat instructions)
 			to format the 160GB hard drive with a suitable file system. An Ext3 file system
 			is suitable. Configure this drive to automatically mount using the /plans
@@ -109,35 +109,35 @@
 			Install the smb.conf file shown in ??? in the
 			/etc/samba directory.
 
-
        Example 1.1. Drafting Office smb.conf File
        # Global Parameters
         
        [global]
        workgroup = MIDEARTH
        security = SHARE
         
        [Plans]
        path = /plans
        read only = Yes
        guest ok = Yes
        
+
        Example 1.1. Drafting Office smb.conf File
        # Global Parameters
         
        [global]
        workgroup = MIDEARTH
        security = SHARE
         
        [Plans]
        path = /plans
        read only = Yes
        guest ok = Yes

      3. - + Verify that the /etc/hosts file contains the following entry: 

         192.168.1.1	server

      4. - - - + + + Use the standard system tool to start Samba and to configure it to restart automatically at every system reboot. For example, 

         root#  chkconfig smb on
 root#  /etc/rc.d/init.d/smb restart

        -

      Procedure 1.2. Windows Client Configuration

      1. +

      Procedure 1.2. Windows Client Configuration

      1. Make certain that all clients are set to the same network address range as used for the Samba server. For example, one client might have an IP address 192.168.1.10.

      2. - + Ensure that the netmask used on the Windows clients matches that used for the Samba server. All clients must have the same netmask, such as 255.255.255.0.

      3. - + Set the workgroup name on all clients to MIDEARTH.

      4. Verify on each client that the machine called SERVER @@ -145,15 +145,15 @@ possible to connect to it and see the share Plans, and that it is possible to open that share to reveal its contents.

    Validation

    - + The first priority in validating the new Samba configuration should be to check that Samba answers on the loop-back interface. Then it is time to check that Samba answers its own name correctly. Last, check that a client can connect to the Samba server.

    1. - - - + + + To check the ability to access the smbd daemon services, execute the following: 

      @@ -172,8 +172,8 @@
         ---------          --------
         MIDEARTH           SERVER

      - - + + This indicates that Samba is able to respond on the loopback interface to a NULL connection. The -U% means send an empty username and an empty password. This command should be repeated after @@ -188,12 +188,12 @@ configured to ignore all usernames given; instead it uses the guest account for all connections.

    2. - - + + From the Windows 9x/Me client, launch Windows Explorer: [Desktop: right-click] Network Neighborhood+Explore->[Left Panel] [+] Entire Network->[Left Panel] [+] Server->[Left Panel] [+] Plans. In the right panel you should see the files and directories (folders) that are in the Plans share. -

    Charity Administration Office

    +

    Charity Administration Office

    The fictitious charity organization is called Abmas Vision NL. This office has five networked computers. Staff are all volunteers, staff changes are frequent. Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to @@ -216,8 +216,8 @@ that if the share name is not in lowercase, the application claims it cannot find the file share.

    - - + + Printer handling in Samba results in a significant level of confusion. Samba presents to the MS Windows client only a print queue. The Samba smbd process passes a print job sent to it from the Windows client to the native UNIX printing system. The native @@ -231,7 +231,7 @@ to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are used on this network.

    - + The central server was donated by a local computer store. It is a dual processor Pentium-III server, has 1GB RAM, a 3-Ware IDE RAID Controller that has four 200GB IDE hard drives, and a 100-base-T network card. The office has 100-base-T permanent network connections that go to @@ -242,11 +242,11 @@ office and letter printing. Your recommendation to allow only the Linux server to print directly to the printers was accepted. You have supplied SUSE Enterprise Linux Server 9 and have upgraded Samba to version 3.0.20. -

    Dissection and Discussion

    - - - - +

    Dissection and Discussion

    + + + + This installation demands simplicity. Frequent turnover of volunteer staff indicates that a network environment that requires users to logon might be problematic. It is suggested that the best solution for this office would be one where the user can log onto any PC with any username @@ -258,26 +258,26 @@ access control lists (Posix type) cannot be written to any file or directory. This prevents an inadvertent ACL from overriding actual file permissions.

    - - - + + + This organization is a prime candidate for Share Mode security. The force user allows all files to be owned by the same user and group. In addition, it would not hurt to set SUID and set SGID shared directories. This means that all new files that are created, no matter who creates it, are owned by the owner or group of the directory in which they are created. For further information regarding the significance of the SUID/SGID settings, see ???, ???.

    - - - - + + + + All client workstations print to a print queue on the server. This ensures that print jobs continue to print in the event that a user shuts down the workstation immediately after sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing. Older Linux systems offered a choice between the LPRng printing system or CUPS. It appears, however, that CUPS has become the leading UNIX printing technology.

    - + The print queues are set up as Raw devices, which means that CUPS will not do intelligent print processing, and vendor-supplied drivers must be installed locally on the Windows clients. @@ -297,21 +297,21 @@ printer. In this example, therefore, the resource called PRINTQ really is just a print queue. The name of the print queue is representative of the device to which the print spooler delivers print jobs. -

    Implementation

    +

    Implementation

    It is assumed that the server is fully installed and ready for configuration of Samba 3.0.20 and for necessary support files. All TCP/IP addresses should be hard-coded. In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is 255.255.255.0. The hostname of the server used is server. The office network is built as shown in ???. -

    Figure 1.1. Charity Administration Office Network

    Charity Administration Office Network

    Procedure 1.4. Samba Server Configuration

    1. - +

      Figure 1.1. Charity Administration Office Network

      Charity Administration Office Network

      Procedure 1.4. Samba Server Configuration

      1. + Create a group account for office file storage: 

         root#  groupadd office

      2. - - + + Create a user account for office file storage: 

         root#  useradd -m abmas 
@@ -328,7 +328,7 @@
 				(Refer to the 3-Ware RAID Controller Manual for the manufacturer's preferred procedure.)
 				The resulting drive has a capacity of approximately 500GB of usable space.

      3. - + Create a mount point for the file system that can be used to store all data files. Create a directory called /data: 

        @@ -360,7 +360,7 @@
 /data/officefiles/invitations
 /data/officefiles/misc

        - + The chown operation sets the owner to the user abmas and the group to office on all directories just created. It recursively sets the permissions so that the owner and group have SUID/SGID with read, write, and execute @@ -368,7 +368,7 @@ directories are created with the same owner and group as the directory in which they are created. Any new directories created still have the same owner, group, and permissions as the directory they are in. This should eliminate all permissions-based file access problems. For - more information on this subject, refer to TOSHARG2[3] or refer + more information on this subject, refer to TOSHARG2[3] or refer to the UNIX man page for the chmod and the chown commands.

      4. Install the smb.conf file shown in ??? in the @@ -380,7 +380,7 @@ can install the file shown in ??? in the /etc/samba directory.

      5. - + We must ensure that the smbd can resolve the name of the Samba server to its IP address. Verify that the /etc/hosts file contains the following entry: @@ -392,7 +392,7 @@ Follow the instructions in the manufacturer's manual to permit printing to port 9100 so that the CUPS spooler can print using raw mode protocols.

      6. - + Configure the CUPS Print Queues: 

         root#  lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
@@ -400,61 +400,61 @@

        This creates the necessary print queues with no assigned print filter.

      7. - - - + + + Edit the file /etc/cups/mime.convs to uncomment the line: 

         application/octet-stream     application/vnd.cups-raw      0     -

      8. - + Edit the file /etc/cups/mime.types to uncomment the line: 

         application/octet-stream

      9. - + Use the standard system tool to start Samba and CUPS to configure them to restart automatically at every system reboot. For example,

        - - - + + + 

         root#  chkconfig smb on
 root#  chkconfig cups on
 root#  /etc/rc.d/init.d/smb restart
 root#  /etc/rc.d/init.d/cups restart

        -

      Example 1.2. Charity Administration Office smb.conf New-style File

      # Global Parameters - Newer Configuration
      [global]
      workgroup = MIDEARTH
      printing = CUPS
      printcap name = CUPS
      map to guest = Bad User
      show add printer wizard = No
      wins support = yes
      [FTMFILES]
      comment = Funds Tracking & Management Files
      path = /data/ftmfiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [office]
      comment = General Office Files
      path = /data/officefiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [printers]
      comment = Print Temporary Spool Configuration
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No

      Example 1.3. Charity Administration Office smb.conf Old-style File

      # Global Parameters - Older Style Configuration
      [global]
      workgroup = MIDEARTH
      security = SHARE
      printing = CUPS
      printcap name = CUPS
      disable spoolss = Yes
      show add printer wizard = No
      wins support = yes
      [FTMFILES]
      comment = Funds Tracking & Management Files
      path = /data/ftmfiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [office]
      comment = General Office Files
      path = /data/officefiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [printers]
      comment = Print Temporary Spool Configuration
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No

      Procedure 1.5. Windows Client Configuration

      1. +

      Example 1.2. Charity Administration Office smb.conf New-style File

      # Global Parameters - Newer Configuration
      [global]
      workgroup = MIDEARTH
      printing = CUPS
      printcap name = CUPS
      map to guest = Bad User
      show add printer wizard = No
      wins support = yes
      [FTMFILES]
      comment = Funds Tracking & Management Files
      path = /data/ftmfiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [office]
      comment = General Office Files
      path = /data/officefiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [printers]
      comment = Print Temporary Spool Configuration
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No

      Example 1.3. Charity Administration Office smb.conf Old-style File

      # Global Parameters - Older Style Configuration
      [global]
      workgroup = MIDEARTH
      security = SHARE
      printing = CUPS
      printcap name = CUPS
      disable spoolss = Yes
      show add printer wizard = No
      wins support = yes
      [FTMFILES]
      comment = Funds Tracking & Management Files
      path = /data/ftmfiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [office]
      comment = General Office Files
      path = /data/officefiles
      read only = No
      force user = abmas
      force group = office
      guest ok = Yes
      nt acl support = No
      [printers]
      comment = Print Temporary Spool Configuration
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No

      Procedure 1.5. Windows Client Configuration

      1. Configure clients to the network settings shown in ???.

      2. Ensure that the netmask used on the Windows clients matches that used for the Samba server. All clients must have the same netmask, such as 255.255.255.0.

      3. - + On all Windows clients, set the WINS Server address to 192.168.1.1, the IP address of the server.

      4. Set the workgroup name on all clients to MIDEARTH.

      5. - + Install the “Client for Microsoft Networks.” Ensure that the only option enabled in its properties is the option “Logon and restore network connections.

      6. Click OK when you are prompted to reboot the system. Reboot the system, then log on using any username and password you choose.

      7. - + Verify on each client that the machine called SERVER is visible in My Network Places, that it is possible to connect to it and see the share office, and that it is possible to open that share to reveal its contents.

      8. - - + + Disable password caching on all Windows 9x/Me machines using the registry change file shown in ???. Be sure to remove all files that have the PWL extension that are in the C:\WINDOWS @@ -532,7 +532,7 @@ It is a good idea to test the functionality of the complete installation before handing the newly configured network over to the Charity Administration Office for production use. -

    Validation

    +

    Validation

    Use the same validation process as was followed in ???.

    Accounting Office

    Abmas Accounting is a 40-year-old family-run business. There are nine permanent @@ -551,7 +551,7 @@ and enter an assigned password; they do not need to enter a password when accessing their files on the server.

    - + The new server will run Red Hat Fedora Core2. You should install Samba-3.0.20 and copy all files from the old system to the new one. The existing Windows NT4 server has a parallel port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each @@ -561,8 +561,8 @@ You have tried to educate Mr. Meany and found that he has no desire to understand networking. He believes that Windows for Workgroups 3.11 was “the best server Microsoft ever sold ” and that Windows NT and 2000 are “too fang-dangled complex!” -

    Dissection and Discussion

    - +

    Dissection and Discussion

    + The requirements of this network installation are not unusual. The staff are not interested in the details of networking. Passwords are never changed. In this example solution, we demonstrate the use of User Mode security in a simple context. Directories should be set SGID to ensure that members @@ -582,7 +582,7 @@ share name is given in ???. The overall network topology is shown in ???. All machines have been configured as indicated prior to the start of Samba configuration. The following prescriptive steps may now commence. -

    Figure 1.2. Accounting Office Network Topology

    Accounting Office Network Topology

    Table 1.1. Accounting Office Network Information

    UserLogin-IDPasswordShare NameDirectoryWkst
    Alan Meanyalanalm1961alan/dataPC1
    James Meanyjamesjimm1962james/data/jamesPC2
    Jeannie Meanyjeanniejema1965jeannie/data/jeanniePC3
    Suzy Millicentsuzysuzy1967suzy/data/suzyPC4
    Ursula Jenningujenujen1974ursula/data/ursulaPC5
    Peter Panpeterpete1984peter/data/peterPC6
    Dale Rolanddaledale1986dale/data/dalePC7
    Bertrand E Paolettiericeric1993eric/data/ericPC8
    Russell Lewisrussruss2001russell/data/russellPC9

    Procedure 1.9. Migration from Windows NT4 Workstation System to Samba-3

    1. +

      Figure 1.2. Accounting Office Network Topology

      Accounting Office Network Topology

      Table 1.1. Accounting Office Network Information

      UserLogin-IDPasswordShare NameDirectoryWkst
      Alan Meanyalanalm1961alan/dataPC1
      James Meanyjamesjimm1962james/data/jamesPC2
      Jeannie Meanyjeanniejema1965jeannie/data/jeanniePC3
      Suzy Millicentsuzysuzy1967suzy/data/suzyPC4
      Ursula Jenningujenujen1974ursula/data/ursulaPC5
      Peter Panpeterpete1984peter/data/peterPC6
      Dale Rolanddaledale1986dale/data/dalePC7
      Bertrand E Paolettiericeric1993eric/data/ericPC8
      Russell Lewisrussruss2001russell/data/russellPC9

      Procedure 1.9. Migration from Windows NT4 Workstation System to Samba-3

      1. Rename the old server from CASHPOOL to STABLE by logging onto the console as the Administrator. Restart the machine following system prompts. @@ -593,19 +593,19 @@ Install the latest Samba-3 binary Red Hat Linux RPM that is available from the Samba FTP site.

      2. - - + + Add a group account for the office to use. Execute the following: 

         root#  groupadd accts

      3. - Install the smb.conf file shown[4] + Install the smb.conf file shown[4] in ???.

      4. - - - + + + For each user who uses this system (see ???), execute the following: 

        @@ -620,7 +620,7 @@
 Added user "LoginID"

      5. - + Create the directory structure for the file shares by executing the following: 

         root#  mkdir -p /data
@@ -635,34 +635,34 @@

        The data storage structure is now prepared for use.

      6. - + Configure the CUPS Print Queues: 

         root#  lpadmin -p hplj -v parallel:/dev/lp0 -E

        This creates the necessary print queues with no assigned print filter.

      7. - - + + Edit the file /etc/cups/mime.convs to uncomment the line: 

         application/octet-stream     application/vnd.cups-raw      0     -

      8. - - + + Edit the file /etc/cups/mime.types to uncomment the line: 

         application/octet-stream

      9. - + Use the standard system tool to start Samba and CUPS to configure them to restart automatically at every system reboot. For example,

        - - - + + + 

         root#  chkconfig smb on
 root#  chkconfig cups on
@@ -707,40 +707,40 @@
 			The migration of all data should now be complete. It is time to validate the installation.
 			For this, you should make sure all applications, including printing, work before asking the
 			customer to test drive the new network.
-

      Example 1.5. Accounting Office Network smb.conf Old Style Configuration File

      # Global parameters
      [global]
      workgroup = BILLMORE
      printcap name = CUPS
      disable spoolss = Yes
      show add printer wizard = No
      printing = cups
      [files]
      comment = Work area files
      path = /data/%U
      read only = No
      [master]
      comment = Master work area files
      path = /data
      valid users = alan
      read only = No
      [printers]
      comment = Print Temporary Spool Configuration
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No

    Questions and Answers

    +

    Example 1.5. Accounting Office Network smb.conf Old Style Configuration File

    # Global parameters
    [global]
    workgroup = BILLMORE
    printcap name = CUPS
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups
    [files]
    comment = Work area files
    path = /data/%U
    read only = No
    [master]
    comment = Master work area files
    path = /data
    valid users = alan
    read only = No
    [printers]
    comment = Print Temporary Spool Configuration
    path = /var/spool/samba
    printable = Yes
    guest ok = Yes
    use client driver = Yes
    browseable = No

    Questions and Answers

    The following questions and answers draw from the examples in this chapter. Many design decisions are impacted by the configurations chosen. The intent is to expose some of the hidden implications. -

    +

    What makes an anonymous Samba server more simple than a non-anonymous Samba server? -
    +
    How is the operation of the parameter force user different from setting the root directory of the share SUID? -
    +
    When would you both use the per share parameter force user and set the share root directory SUID? -
    +
    What is better about CUPS printing than LPRng printing? -
    +
    When should Windows client IP addresses be hard-coded? -
    +
    Under what circumstances is it best to use a DHCP server? -
    +
    What is the purpose of setting the parameter guest ok on a share? -
    +
    When would you set the global parameter disable spoolss? -
    +
    Why would you disable password caching on Windows 9x/Me clients? -
    +
    The example of Abmas Accounting uses User Mode security. How does this provide anonymous access? -

    +

    What makes an anonymous Samba server more simple than a non-anonymous Samba server?

    In the anonymous server, the only account used is the guest account. In a non-anonymous configuration, it is necessary to add real user accounts to both the UNIX system and to the Samba configuration. Non-anonymous servers require additional administration. -

    +

    How is the operation of the parameter force user different from setting the root directory of the share SUID?

    @@ -754,14 +754,14 @@

    The parameter force user has potential security implications that go beyond the actual share root directory. Be careful and wary of using this parameter. -

    +

    When would you both use the per share parameter force user and set the share root directory SUID?

    You would use both parameters when it is necessary to guarantee that all share handling operations are conducted as the forced user, while all file and directory creation are done as the SUID directory owner. -

    +

    What is better about CUPS printing than LPRng printing?

    CUPS is a print spooling system that has integrated remote management facilities, provides completely @@ -779,7 +779,7 @@

    Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to do it and manage it. Most modern Linux systems ship with CUPS as the default print management system. -

    +

    When should Windows client IP addresses be hard-coded?

    When there are few MS Windows clients, little client change, no mobile users, and users are not @@ -788,7 +788,7 @@ user ability to access network configuration controls, fixed configuration eliminates the need for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network failure. -

    +

    Under what circumstances is it best to use a DHCP server?

    In network configurations where there are mobile users, or where Windows client PCs move around @@ -804,12 +804,12 @@ Another benefit of modern DHCP servers is their ability to register dynamically assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in a large Windows network environment. -

    +

    What is the purpose of setting the parameter guest ok on a share?

    If this parameter is set to yes for a service, then no password is required to connect to the service. Privileges are those of the guest account. -

    +

    When would you set the global parameter disable spoolss?

    Setting this parameter to Yes disables Samba's support for the SPOOLSS set of @@ -833,14 +833,14 @@ that the client now displays an “Access Denied; Unable to connect” message in the printer queue window (even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid print driver installed on the Samba server. -

    +

    Why would you disable password caching on Windows 9x/Me clients?

    Windows 9x/Me workstations that are set at default (password caching enabled) store the username and password in files located in the Windows master directory. Such files can be scavenged (read off a client machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed. It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled. -

    +

    The example of Abmas Accounting uses User Mode security. How does this provide anonymous access?

    The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional, @@ -848,14 +848,14 @@ a remote server using currently logged in user credentials. By ensuring that the user's login ID and password are the same as those set on the Samba server, access is transparent and does not require separate user authentication. -


    [1] The examples given mirror those documented +


    [1] The examples given mirror those documented in The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 2, Section 2.3.1. You may gain additional insight from the standalone server configurations covered in TOSHARG2, sections 2.3.1.2 through 2.3.1.4. -

    [2] +

    [2] This information is given purely as an example of how data may be stored in such a way that it will be easy to locate records at a later date. The example is not meant to imply any instructions that may be construed as essential to the design of the solution; this is something you will almost - certainly want to determine for yourself.

    [4] This example uses the + certainly want to determine for yourself.

    [4] This example uses the smbpasswd file in an obtuse way, since the use of the passdb backend has not been specified in the smb.conf file. This means that you are depending on correct default behavior.

    Prev Up Next
    Part I. Example Network Configurations Home Chapter 2. Small Office Networking
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/small.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/small.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/small.html 2005-08-19 12:59:19.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/small.html 2005-12-19 10:19:04.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 2. Small Office Networking
    Chapter 2. Small Office Networking
    Prev Part I. Example Network Configurations Next

    Chapter 2. Small Office Networking

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers

    +Chapter 2. Small Office Networking

    Chapter 2. Small Office Networking
    Prev Part I. Example Network Configurations Next

    Chapter 2. Small Office Networking

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Validation
    Notebook Computers: A Special Case
    Key Points Learned
    Questions and Answers

    ??? focused on the basics of simple yet effective network solutions. Network administrators who take pride in their work (that's most of us, right?) take care to deliver what our users want, @@ -8,7 +8,7 @@ operates. Some creativity is helpful, but keep it under control good advice that the following two scenarios illustrate.

    - + In one case the network administrator of a mid-sized company spent three months building a new network to replace an old Netware server. What he delivered had all the bells and whistles he could muster. There were a @@ -36,7 +36,7 @@ and got it. He often told me, “Always keep a few new tricks up your sleeves for when you need them.” Was he smart? You decide. Let's get on with our next exercise. -

    Introduction

    +

    Introduction

    Abmas Accounting has grown. Mr. Meany likes you and says he knew you were the right person for the job. That's why he asked you to install the new server. The past few months have been hard work. You advised Mr. Meany @@ -48,8 +48,8 @@ You found damaged and unusable software on some of the workstations that came with the acquired business and found some machines in need of both hardware and software maintenance. -

    Assignment Tasks

    - +

    Assignment Tasks

    + Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure that the business is running efficiently. Many of the new staff want notebook computers. They visit customer business premises and need to use local network @@ -81,14 +81,14 @@ Mr. Meany also asked if it would be possible for one of the staff to manage user accounts from the Windows desktop. That person will be responsible for basic operations. -

    Dissection and Discussion

    +

    Dissection and Discussion

    What are the key requirements in this business example? A quick review indicates a need for

    • Scalability, from 52 to over 100 users in 12 months

    • Mobile computing capability - +

    • Improved reliability and usability

    • @@ -97,12 +97,12 @@ In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server (as in ???). -

      Technical Issues

      - - - - - +

      Technical Issues

      + + + + + It is time to implement a domain security environment. You will use the smbpasswd (default) backend. You should implement a DHCP server. There is no need to run DNS at this time, but the system will use WINS. The domain name will be @@ -123,7 +123,7 @@ Later on, when the Internet connection is implemented, you will add DNS as well as other enhancements. It is important that you plan accordingly.

      - + You have split the network into two separate areas. Each has its own Ethernet switch. There are 20 users on the accounting network and 32 users on the financial services network. The server has two network interfaces, one serving each network. The @@ -138,8 +138,8 @@ Given that DNS will not be used, you will configure WINS name resolution for UNIX hostname name resolution.

      - - + + It is necessary to map Windows Domain Groups to UNIX groups. It is advisable to also map Windows Local Groups to UNIX groups. Additionally, the two key staff groups in the firm are accounting staff and financial services staff. @@ -156,10 +156,10 @@ TOSHARG2, Chapter 11, Section 11.3.1, Example 11.1, for more information.

      - + Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler on the UNIX host will be operated in raw mode. -

      Political Issues

      +

      Political Issues

      Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. He is willing to spend money on things he believes are of value. You need more time to convince him of real priorities. @@ -167,8 +167,8 @@ Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be supplied with antivirus software? Above all, demonstrate good purchase value and remember to make your users happy. -

      Implementation

      - +

    Implementation

    + In this example, the assumption is made that this server is being configured from a clean start. The alternate approach could be to demonstrate the migration of the system that is documented in ??? to meet the new requirements. The decision to treat this case, as with @@ -176,23 +176,23 @@ the migration steps from the information provided in ???. Additionally, a fresh installation makes the example easier to follow.

    - + Each user will be given a home directory on the UNIX system, which will be available as a private share. Two additional shares will be created, one for the accounting department and the other for the financial services department. Network users will be given access to these shares by way of group membership.

    - + UNIX group membership is the primary mechanism by which Windows Domain users will be granted rights and privileges within the Windows environment.

    - + The user alanm will be made the owner of all files. This will be preserved by setting the sticky bit (set UID/GID) on the top-level directories. -

    Figure 2.1. Abmas Accounting 52-User Network Topology

    Abmas Accounting 52-User Network Topology

    Procedure 2.1. Server Installation Steps

    1. +

      Figure 2.1. Abmas Accounting 52-User Network Topology

      Abmas Accounting 52-User Network Topology

      Procedure 2.1. Server Installation Steps

      1. Using UNIX/Linux system tools, name the server sleeth.

      2. - + Place an entry for the machine sleeth in the /etc/hosts. The printers are network attached, so there should be entries for the network printers also. An example /etc/hosts file is shown here: @@ -208,10 +208,10 @@

      3. Install the ISC DHCP server using the UNIX/Linux system tools available to you.

      4. - - - - + + + + Because Samba will be operating over two network interfaces and clients on each side may want to be able to reach clients on the other side, it is imperative that IP forwarding is enabled. Use the system tool of your choice to enable IP forwarding. In the @@ -226,7 +226,7 @@ ???. Combine these two examples to form a single /etc/samba/smb.conf file.

      5. - + Add the user root to the Samba password backend: 

         root#  smbpasswd -a root
@@ -234,13 +234,13 @@
 Retype new SMB password: XXXXXXX
 root#

        - + This is the Windows Domain Administrator password. Never delete this account from the password backend after Windows Domain Groups have been initialized. If you delete this account, your system is crippled. You cannot restore this account, and your Samba server can no longer be administered.

      6. - + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -267,13 +267,13 @@ ####

      7. - + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in ???. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows: -

        Example 2.1. Script to Map Windows NT Groups to UNIX Groups

        +
        Example 2.1. Script to Map Windows NT Groups to UNIX Groups
         #!/bin/bash
 #
 # initGrps.sh
@@ -323,17 +323,17 @@
 Users (S-1-5-32-545) -> -1

      8. - - - + + + For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system accounts, and use the Samba smbpasswd program to create the Domain user accounts.

        - - - + + + There are a number of tools for user management under UNIX, such as useradd and adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user. @@ -362,38 +362,38 @@ Configure the printers with the IP addresses as shown in ???. Follow the instructions in the manufacturers' manuals to permit printing to port 9100. This allows the CUPS spooler to print using raw mode protocols. - - + +

      9. - - + + Configure the CUPS Print Queues as follows: 

         root#  lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
 root#  lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
 root#  lpadmin -p qms -v socket://192.168.2.10:9100 -E

        - + This creates the necessary print queues with no assigned print filter.

      10. - - - + + + Edit the file /etc/cups/mime.convs to uncomment the line: 

         application/octet-stream     application/vnd.cups-raw      0     -

      11. - + Edit the file /etc/cups/mime.types to uncomment the line: 

         application/octet-stream

      12. - + Using your favorite system editor, create an /etc/dhcpd.conf with the contents as shown in ???. -

        Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf

        +
        Example 2.2. Abmas Accounting DHCP Server Configuration File  /etc/dhcpd.conf
         default-lease-time 86400;
 max-lease-time 172800;
 default-lease-time 86400;
@@ -441,11 +441,11 @@
 		Use the standard system tool to start Samba and CUPS and configure them to start
 		automatically at every system reboot. For example,
 		
        
-		
-		
-		
-		
-		
+		
+		
+		
+		
+		
 
         root#  chkconfig dhcp on
 root#  chkconfig smb on
@@ -455,12 +455,12 @@
 root#  /etc/rc.d/init.d/cups restart

      13. - - - - - - + + + + + + Configure the name service switch (NSS) to handle WINS-based name resolution. Since this system does not use a DNS server, it is safe to remove this option from the NSS configuration. Edit the /etc/nsswitch.conf file so that @@ -468,11 +468,11 @@ 

         hosts:	files wins

        -

      Example 2.3. Accounting Office Network smb.conf File [globals] Section

      # Global parameters
      [global]
      workgroup = BILLMORE
      passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*
      username map = /etc/samba/smbusers
      syslog = 0
      name resolve order = wins bcast hosts
      printcap name = CUPS
      show add printer wizard = No
      add user script = /usr/sbin/useradd -m '%u'
      delete user script = /usr/sbin/userdel -r '%u'
      add group script = /usr/sbin/groupadd '%g'
      delete group script = /usr/sbin/groupdel '%g'
      add user to group script = /usr/sbin/usermod -G '%g' '%u'
      add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
      logon script = scripts\login.bat
      logon path =
      logon drive = X:
      domain logons = Yes
      preferred master = Yes
      wins support = Yes
      printing = CUPS

      Example 2.4. Accounting Office Network smb.conf File Services and Shares Section

      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      use client driver = Yes
      browseable = No
      [netlogon]
      comment = Network Logon Service
      path = /data/%U
      valid users = %S
      read only = No
      [accounts]
      comment = Accounting Files
      path = /data/accounts
      valid users = %G
      read only = No
      [finsvcs]
      comment = Financial Service Files
      path = /data/finsvcs
      valid users = %G
      read only = No

      Validation

      +

    Example 2.3. Accounting Office Network smb.conf File [globals] Section

    # Global parameters
    [global]
    workgroup = BILLMORE
    passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*
    username map = /etc/samba/smbusers
    syslog = 0
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    printing = CUPS

    Example 2.4. Accounting Office Network smb.conf File Services and Shares Section

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    printable = Yes
    guest ok = Yes
    use client driver = Yes
    browseable = No
    [netlogon]
    comment = Network Logon Service
    path = /data/%U
    valid users = %S
    read only = No
    [accounts]
    comment = Accounting Files
    path = /data/accounts
    valid users = %G
    read only = No
    [finsvcs]
    comment = Financial Service Files
    path = /data/finsvcs
    valid users = %G
    read only = No

    Validation

    Does everything function as it ought? That is the key question at this point. Here are some simple steps to validate your Samba server configuration. -

    Procedure 2.2. Validation Steps

    1. - +

      Procedure 2.2. Validation Steps

      1. + If your smb.conf file has bogus options or parameters, this may cause Samba to refuse to start. The first step should always be to validate the contents of this file by running: @@ -519,10 +519,10 @@

        Clear away all errors before proceeding, and start or restart samba as necessary.

      2. - - - - + + + + Check that the Samba server is running: 

         root#  ps ax | grep mbd
@@ -539,7 +539,7 @@
 			TOSHARG2, Chapter 23, Section 23.3. The single instance of
 			smbd is normal.

      3. - + Check that an anonymous connection can be made to the Samba server: 

         root#  smbclient -L localhost -U%
@@ -568,9 +568,9 @@
 			The -U% argument means to send a NULL username and
 			a NULL password.

      4. - - - + + + Verify that the printers have the IP addresses assigned in the DHCP server configuration file. The easiest way to do this is to ping the printer name. Immediately after the ping response has been received, execute arp -a to find the MAC address of the printer @@ -589,7 +589,7 @@ IP address from which the printer has responded and the entry for it in the /etc/dhcpd.conf file.

      5. - + Make an authenticated connection to the server using the smbclient tool: 

         root#  smbclient //sleeth/accounts -U alanm
@@ -606,11 +606,11 @@
            65387 blocks of size 65536. 28590 blocks available
 smb: \> q

        -

    Procedure 2.3. Windows XP Professional Client Configuration

    1. +

    Procedure 2.3. Windows XP Professional Client Configuration

    1. Configure clients to the network settings shown in ???. All clients use DHCP for TCP/IP protocol stack configuration. - - + + DHCP configures all Windows clients to use the WINS Server address 192.168.1.1.

    2. Join the Windows Domain called BILLMORE. Use the Domain Administrator @@ -652,7 +652,7 @@

    3. Repeat the printer installation steps above for the HP LaserJet 6 printer as well as for the QMS Magicolor XXXX laser printer. -

    Notebook Computers: A Special Case

    +

    Notebook Computers: A Special Case

    As a network administrator, you already know how to create local machine accounts for Windows 200x/XP Professional systems. This is the preferred solution to provide continuity of work for notebook users so that absence from the office network environment does not become a barrier to productivity. @@ -662,21 +662,21 @@ transparently access network resources as if logged onto the domain itself. There are some trade-offs that mean that as the network is more tightly secured, it becomes necessary to modify Windows client configuration somewhat. -

    Key Points Learned

    +

    Key Points Learned

    In this network design and implementation exercise, you created a Windows NT4-style Domain Controller using Samba-3.0.20. Following these guidelines, you experienced and implemented several important aspects of Windows networking. In the next chapter, you build on the experience. These are the highlights from this chapter:

    • - + You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary network configuration settings from this server.

    • - + You created a Windows Domain Controller. You were able to use the network logon service and successfully joined Windows 200x/XP Professional clients to the Domain.

    • - + You created raw print queues in the CUPS printing system. You maintained a simple printing system so that all users can share centrally managed printers. You installed native printer drivers on the Windows clients. @@ -685,33 +685,33 @@

    • You offered Mobile notebook users a solution that allows them to continue to work while away from the office and not connected to the corporate network. -

    Questions and Answers

    +

    Questions and Answers

    Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that may help. -

    1. +

    1. What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? -
    2. +
    2. Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that should be noted in particular? -
    3. +
    3. Is it possible to create a Windows Domain account that is specifically called Administrator? -
    4. +
    4. Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0? -
    5. +
    5. One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this? -
    6. +
    6. Why must I map Windows Domain Groups to UNIX groups? -
    7. +
    7. I deleted my root account and now I cannot add it back! What can I do? -
    8. +
    8. When I run net groupmap list, it reports a group called Administrators as well as Domain Admins. What is the difference between them? -
    9. +
    9. What is the effect of changing the name of a Samba server or of changing the Domain name? -
    10. +
    10. How can I manage user accounts from my Windows XP Professional workstation? -
    1.

    +
    1.

    What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?

    First and foremost, portability. It means that notebook users can move between @@ -720,7 +720,7 @@ either using DHCP assigned addressing or when using dial-up networking, settings such as default routes and DNS server addresses that apply only to the Abmas office environment do not interfere with remote operations. This is an extremely important feature of DHCP. -

    2.

    +

    2.

    Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that should be noted in particular?

    @@ -729,14 +729,14 @@ with the WINS server, and then instructs the client to first query the WINS server when a NetBIOS machine name needs to be resolved to an IP Address. This configuration results in far lower UDP broadcast traffic than would be the case if WINS was not used. -

    3.

    +

    3.

    Is it possible to create a Windows Domain account that is specifically called Administrator?

    You can surely create a Windows Domain account called Administrator. It is also possible to map that account so that it has the effective UNIX UID of 0. This way it isn't necessary to use the username map facility to map this account to the UNIX account called root. -

    4.

    +

    4.

    Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?

    The Windows Domain Administrator account is the most privileged account that @@ -746,7 +746,7 @@ Administrator to manage accounts as well as permissions, privileges, and security settings within the Domain and on the Samba server, equivalent rights must be assigned. This is achieved with the root UID equal to 0. -

    5.

    +

    5.

    One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?

    @@ -755,13 +755,13 @@ (or the equivalent wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account. -

    6.

    +

    6.

    Why must I map Windows Domain Groups to UNIX groups?

    Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are Domain Guests, Domain Users, and Domain Admins. -

    7.

    +

    7.

    I deleted my root account and now I cannot add it back! What can I do?

    This is a nasty problem. Fortunately, there is a solution. @@ -773,7 +773,7 @@ Use the smbpasswd to add the root account.

  • Restore the group_mapping.tdb file. -

    • 8.

    +

    8.

    When I run net groupmap list, it reports a group called Administrators as well as Domain Admins. What is the difference between them?

    @@ -781,7 +781,7 @@ present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This may change at some later date. These accounts are provided only so that security objects are correctly shown. -

    9.

    +

    9.

    What is the effect of changing the name of a Samba server or of changing the Domain name?

    If you elect to change the name of the Samba server, on restarting smbd, @@ -793,7 +793,7 @@ SID before the change is made. You can back up the SID using the net getlocalsid (Samba-3) or the smbpasswd (Samba-2.2.x). To change the SID, you use the same tool. Be sure to check the man page for this command for detailed instructions regarding the steps involved. -

    10.

    +

    10.

    How can I manage user accounts from my Windows XP Professional workstation?

    Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/unixclients.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/unixclients.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/unixclients.html 2005-08-19 12:59:30.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/unixclients.html 2005-12-19 10:19:19.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 7. Adding Domain Member Servers and Clients

    Chapter 7. Adding Domain Member Servers and Clients
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 7. Adding Domain Member Servers and Clients

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers

    +Chapter 7. Adding Domain Member Servers and Clients

    Chapter 7. Adding Domain Member Servers and Clients
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 7. Adding Domain Member Servers and Clients

    Table of Contents

    Introduction
    Assignment Tasks
    Dissection and Discussion
    Technical Issues
    Political Issues
    Implementation
    Samba Domain with Samba Domain Member Server Using NSS LDAP
    NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
    NT4/Samba Domain with Samba Domain Member Server without NSS Support
    Active Directory Domain with Samba Domain Member Server
    UNIX/Linux Client Domain Member
    Key Points Learned
    Questions and Answers

    The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing. It is well known that Samba is a file and print server. A recent survey conducted by Open Magazine found that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the @@ -11,16 +11,16 @@ exciting aspects of Samba deployment. This chapter directs your attention to provide important information on the addition of Samba servers into your present Windows network whatever the controlling technology may be. So let's get back to our good friends at Abmas. -

    Introduction

    +

    Introduction

    Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward with not too many distractions or problems. Your team is doing well, but a number of employees are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's get on with this; Christine and Stan are ready to go. -

    +

    Stan is firmly in control of the department of the future, while Christine is enjoying a stable and predictable network environment. It is time to add more servers and to add Linux desktops. It is time to meet the demands of future growth and endure trial by fire. -

    Assignment Tasks

    +

    Assignment Tasks

    You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003 Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use @@ -30,8 +30,8 @@ these systems to make sure that Abmas is not building islands of technology. You ask Christine to do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make the right decision, don't you? -

    Dissection and Discussion

    - +

    Dissection and Discussion

    + Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning an inability to achieve identical user and group IDs between Windows and UNIX environments. @@ -39,28 +39,28 @@ You provide step-by-step implementations of the various tools that can be used for identity resolution. You also provide working examples of solutions for integrated authentication for both UNIX/Linux and Windows environments. -

    Technical Issues

    +

    Technical Issues

    One of the great challenges we face when people ask us, “What is the best way to solve this problem?” is to get beyond the facts so we not only can clearly comprehend the immediate technical problem, but also can understand how needs may change.

    - + There are a few facts we should note when dealing with the question of how best to integrate UNIX/Linux clients and servers into a Windows networking environment:

    • - - - - - + + + + + A domain controller (PDC or BDC) is always authoritative for all accounts in its domain. This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs to the same values that the PDC resolved them to.

    • - - - - + + + + A domain member can be authoritative for local accounts, but is never authoritative for domain accounts. If a user is accessing a domain member server and that user's account is not known locally, the domain member server must resolve the identity of that user @@ -70,26 +70,26 @@ Samba, when running on a domain member server, can resolve user identities from a number of sources:

      • - - - - - + + + + + By executing a system getpwnam() or getgrnam() call. On systems that support it, this utilizes the name service switch (NSS) facility to resolve names according to the configuration of the /etc/nsswitch.conf file. NSS can be configured to use LDAP, winbind, NIS, or local files.

      • - - - + + + Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured). This requires the use of the PADL nss_ldap tool (or equivalent).

      • - - - - + + + + Directly by querying winbindd. The winbindd contacts a domain controller to attempt to resolve the identity of the user or group. It receives the Windows networking security identifier (SID) for that appropriate @@ -97,9 +97,9 @@ creates an entry in its winbindd_idmap.tdb and winbindd_cache.tdb files.

        - - - If the parameter idmap backend = ldap:ldap://myserver.domain + + + If the parameter idmap backend = ldap:ldap://myserver.domain was specified and the LDAP server has been configured with a container in which it may store the IDMAP entries, all domain members may share a common mapping.

      @@ -111,48 +111,48 @@ in the smb.conf file. Some of the configuration options are rather less than obvious to the casual user.

    • - - - + + + If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable of being resolved using) the NSS facility, it is possible to use the - winbind trusted domains only = Yes + winbind trusted domains only = Yes in the smb.conf file. This parameter specifically applies to domain controllers, and to domain member servers.

    - - - + + + For many administrators, it should be plain that the use of an LDAP-based repository for all network accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and controllable facility. You eventually appreciate the decision to use LDAP.

    - - - + + + If your network account information resides in an LDAP repository, you should use it ahead of any alternative method. This means that if it is humanly possible to use the nss_ldap tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides a more readily controllable method for asserting the exact same user and group identifiers throughout the network.

    - - - - - - + + + + + + In the situation where UNIX accounts are held on the domain member server itself, the only effective way to use them involves the smb.conf entry - winbind trusted domains only = Yes. This forces + winbind trusted domains only = Yes. This forces Samba (smbd) to perform a getpwnam() system call that can then be controlled via /etc/nsswitch.conf file settings. The use of this parameter disables the use of Samba with trusted domains (i.e., external domains).

    - - - - + + + + Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd is configured to automatically allocate UIDs/GIDs from numeric ranges set in the smb.conf file. The allocation is made for all accounts that connect to that domain member server, whether within its own domain or from @@ -161,16 +161,16 @@ same UID/GID on both servers however, this is transparent to the Windows network user. This data is stored in the winbindd_idmap.tdb and winbindd_cache.tdb files.

    - + The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member servers so configured. This solves one of the major headaches for network administrators who need to copy files between or across network file servers. -

    Political Issues

    - - - - +

    Political Issues

    + + + + One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP is different and requires a new approach to the need for a better identity management solution. The more @@ -182,23 +182,23 @@ you can't use Windows Active Directory in a heterogenous environment it can be done, it just requires commercial integration products. But it's not what Active Directory was designed for.

    - - + + A number of long-term UNIX devotees have recently commented in various communications that the Samba Team is the first application group to almost force network administrators to use LDAP. It should be pointed out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total organizational directory needs. -

    Implementation

    - - - +

    Implementation

    + + + The domain member server and the domain member client are at the center of focus in this chapter. Configuration of Samba-3 domain controller is covered in earlier chapters, so if your interest is in domain controller configuration, you will not find that here. You will find good oil that helps you to add domain member servers and clients.

    - + In practice, domain member servers and domain member workstations are very different entities, but in terms of technology they share similar core infrastructure. A technologist would argue that servers and workstations are identical. Many users would argue otherwise, given that in a well-disciplined @@ -206,15 +206,15 @@ are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item, but a server is viewed as a core component of the business.

    - + We can look at this another way. If a workstation breaks down, one user is affected, but if a server breaks down, hundreds of users may not be able to work. The services that a workstation must provide are document- and file-production oriented; a server provides information storage and is distribution oriented.

    - - - + + + Why is this important? For starters, we must identify what components of the operating system and its environment must be configured. Also, it is necessary to recognize where the interdependencies between the various services to be used are. @@ -226,12 +226,12 @@ So, in this chapter we demonstrate how to implement the technology. It is done within a context of what type of service need must be fulfilled.

    Samba Domain with Samba Domain Member Server Using NSS LDAP

    - - - - - - + + + + + + In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) containers for use by the IDMAP facility. This makes it possible to have globally consistent @@ -247,9 +247,9 @@ idmap gid ranges. Where LDAP is used, the mappings can be stored in LDAP so that all domain member servers can use a consistent mapping.

    - - - + + + If your installation is accessed only from clients that are members of your own domain, and all user accounts are present in a local passdb backend then it is not necessary to run winbindd. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam. @@ -259,19 +259,19 @@ getpwnam() system call. On NSS-enabled systems, the actual POSIX account source can be provided from

    • - - + + Accounts in /etc/passwd or in /etc/group.

    • - - - - - - - - - + + + + + + + + + Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs via multiple methods. The methods typically include files, compat, db, ldap, @@ -283,13 +283,13 @@ the user account backend is not shared by any other Samba server instead, it is used only locally on the Samba domain member server under discussion.

    - + The diagram in ??? demonstrates the relationship of Samba and system components that are involved in the identity resolution process where Samba is used as a domain member server within a Samba domain control network.

    Figure 7.2. Samba Domain: Samba Member Server

    Samba Domain: Samba Member Server

    - - + + In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam to obtain authentication and user identity information. The IDMAP information is stored in the LDAP backend so that it can be shared by all domain member servers so that every user will have a @@ -300,11 +300,11 @@ The instructions given here apply to the Samba environment shown in ??? and ???. If the network does not have an LDAP slave server (i.e., ??? configuration), change the target LDAP server from lapdc to massive. -

    Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution

    1. +

      Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution

      1. Create the smb.conf file as shown in ???. Locate this file in the directory /etc/samba.

      2. - + Configure the file that will be used by nss_ldap to locate and communicate with the LDAP server. This file is called ldap.conf. If your implementation of nss_ldap is consistent with @@ -326,8 +326,8 @@ Configure the NSS control file so it matches the one shown in ???.

      3. - - + + Before proceeding to configure Samba, validate the operation of the NSS identity resolution via LDAP by executing: 

        @@ -362,9 +362,9 @@
 PIOps:x:1002:
 sammy:x:4321:

        - - - + + + This shows that all is working as it should be. Notice that in the LDAP database the users' primary and secondary group memberships are identical. It is not necessary to add secondary group memberships (in the group database) if the @@ -374,7 +374,7 @@ conditions. It is intended that these limitations with winbind will be resolved soon after Samba-3.0.20 has been released.

      4. - + The LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -383,7 +383,7 @@ dn: ou=Idmap,dc=abmas,dc=biz ou: idmap

        - + If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see ???). You can add the required entries using the following command: @@ -399,8 +399,8 @@ root# smbpasswd -w not24get

      5. - - + + The system is ready to join the domain. Execute the following: 

         root#  net rpc join -U root%not24get
@@ -418,10 +418,10 @@
 
         root#  net rpc join -S 'pdc-name' -U administrator%password -d 5
 
        
-		
-		
-		
-		
+		
+		
+		
+		
 		Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
 		the failure appears to be related to a rejected or failed NT_SESSION_SETUP*  or an error message that
 		says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
@@ -449,7 +449,7 @@
 Join to 'MEGANET2' failed.

      6. - + Just joining the domain is not quite enough; you must now provide a privileged set of credentials through which winbindd can interact with the domain servers. Execute the following to implant the necessary credentials: @@ -460,7 +460,7 @@

      7. You may now start Samba in the usual manner, and your Samba domain member server is ready for use. Just add shares as required. -

      Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      security = DOMAIN
      username map = /etc/samba/smbusers
      log level = 10
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 50
      smb ports = 139
      name resolve order = wins bcast hosts
      printcap name = CUPS
      wins server = 192.168.2.1
      ldap suffix = dc=abmas,dc=biz
      ldap machine suffix = ou=People
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap admin dn = cn=Manager,dc=abmas,dc=biz
      idmap backend = ldap:ldap://lapdc.abmas.biz
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      winbind trusted domains only = Yes
      printer admin = root
      printing = cups
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No
      [print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      admin users = root, Administrator
      write list = root

      Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF

      +

    Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 10
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://lapdc.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind trusted domains only = Yes
    printer admin = root
    printing = cups
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

    Example 7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF

     dn: ou=Idmap,dc=abmas,dc=biz
 objectClass: organizationalUnit
 ou: idmap
@@ -507,18 +507,18 @@
 		
  • 
 		The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.

    • - - - + + + Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain. Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style domain and/or does not use LDAP.

    Note

    - + If you use winbind for identity resolution, make sure that there are no duplicate accounts.

    - + For example, do not have more than one account that has UID=0 in the password database. If there is an account called root in the /etc/passwd database, it is okay to have an account called root in the LDAP ldapsam or in the @@ -526,32 +526,32 @@ break. This means that the Administrator account must be called root.

    - - - + + + Winbind will break if there is an account in /etc/passwd that has the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.

    - - - - - + + + + + The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. The winbind information is locally cached in the winbindd_cache.tdb winbindd_idmap.tdb files. This provides considerable performance benefits compared with the LDAP solution, particularly where the LDAP lookups must traverse WAN links. You may examine the contents of these files using the tool tdbdump, though you may have to build this from the Samba source code if it has not been supplied as part of a binary package distribution that you may be using. -

    Procedure 7.2. Configuration of Winbind-Based Identity Resolution

    1. +

      Procedure 7.2. Configuration of Winbind-Based Identity Resolution

      1. Using your favorite text editor, create the smb.conf file so it has the contents shown in ???.

      2. - + Edit the /etc/nsswitch.conf so it has the entries shown in ???.

      3. - + The system is ready to join the domain. Execute the following: 

         net rpc join -U root%not2g4et
@@ -560,8 +560,8 @@
 		This indicates that the domain join succeed.

      4. - - + + Validate operation of winbind using the wbinfo tool as follows: 

        @@ -588,9 +588,9 @@

        This shows that domain groups have been correctly obtained also.

      5. - - - + + + The next step verifies that NSS is able to obtain this information correctly from winbind also. 

        @@ -631,7 +631,7 @@

      6. The Samba member server of a Windows NT4 domain is ready for use. -

      Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET2
      security = DOMAIN
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      log file = /var/log/samba/%m
      max log size = 0
      smb ports = 139
      name resolve order = wins bcast hosts
      printcap name = CUPS
      wins server = 192.168.2.1
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      template primary group = "Domain Users"
      template shell = /bin/bash
      winbind separator = +
      printer admin = root
      hosts allow = 192.168.2., 192.168.3., 127.
      printing = cups
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No
      [print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      admin users = root, Administrator
      write list = root

    NT4/Samba Domain with Samba Domain Member Server without NSS Support

    +

    Example 7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash
    winbind separator = +
    printer admin = root
    hosts allow = 192.168.2., 192.168.3., 127.
    printing = cups
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

    NT4/Samba Domain with Samba Domain Member Server without NSS Support

    No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating system that does not have NSS and PAM support to be outdated, the fact is there are still many such systems in use today. Samba can be used without NSS support, but this @@ -642,10 +642,10 @@ to the Samba server will cause the look-up of the incoming username. If the account is found, it is used. If the account is not found, one will be automatically created on the local machine so that it can then be used for all access controls. -

    Procedure 7.3. Configuration Using Local Accounts Only

    1. +

      Procedure 7.3. Configuration Using Local Accounts Only

      1. Using your favorite text editor, create the smb.conf file so it has the contents shown in ???. -

      2. +

      3. The system is ready to join the domain. Execute the following: 

         net rpc join -U root%not24get
@@ -656,10 +656,10 @@
 		Be sure to run all three Samba daemons: smbd, nmbd, winbindd.

      4. The Samba member server of a Windows NT4 domain is ready for use. -

      Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain

      # Global parameters
      [global]
      unix charset = LOCALE
      workgroup = MEGANET3
      netbios name = BSDBOX
      security = DOMAIN
      username map = /etc/samba/smbusers
      log level = 1
      syslog = 0
      add user script = /usr/sbin/useradd -m '%u'
      add machine script = /usr/sbin/useradd -M '%u'
      add group script = /usr/sbin/groupadd '%g'
      winbind enable local accounts = Yes
      log file = /var/log/samba/%m
      max log size = 0
      smb ports = 139
      name resolve order = wins bcast hosts
      printcap name = CUPS
      wins server = 192.168.2.1
      printer admin = root
      hosts allow = 192.168.2., 192.168.3., 127.
      printing = cups
      [homes]
      comment = Home Directories
      valid users = %S
      read only = No
      browseable = No
      [printers]
      comment = SMB Print Spool
      path = /var/spool/samba
      guest ok = Yes
      printable = Yes
      browseable = No
      [print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      admin users = root, Administrator
      write list = root

    Active Directory Domain with Samba Domain Member Server

    - - - +

    Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET3
    netbios name = BSDBOX
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    add user script = /usr/sbin/useradd -m '%u'
    add machine script = /usr/sbin/useradd -M '%u'
    add group script = /usr/sbin/groupadd '%g'
    winbind enable local accounts = Yes
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    printer admin = root
    hosts allow = 192.168.2., 192.168.3., 127.
    printing = cups
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root

    Active Directory Domain with Samba Domain Member Server

    + + + One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory domain using Kerberos protocols. This makes it possible to operate an entire Windows network without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An @@ -667,10 +667,10 @@ later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate in. For now, we simply focus on how a Samba-3 server can be made a domain member server.

    - - - - + + + + The diagram in ??? demonstrates how Samba-3 interfaces with Microsoft Active Directory components. It should be noted that if Microsoft Windows Services for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP @@ -694,8 +694,8 @@ name of the server is W2K3S. In ADS realm terms, the domain controller is known as w2k3s.london.abmas.biz. In NetBIOS nomenclature, the domain name is LONDON and the server name is W2K3S. -

    Figure 7.3. Active Directory Domain: Samba Member Server

    Active Directory Domain: Samba Member Server

    Procedure 7.4. Joining a Samba Server as an ADS Domain Member

    1. - +

      Figure 7.3. Active Directory Domain: Samba Member Server

      Active Directory Domain: Samba Member Server

      Procedure 7.4. Joining a Samba Server as an ADS Domain Member

      1. + Before you try to use Samba-3, you want to know for certain that your executables have support for Kerberos and for LDAP. Execute the following to identify whether or not this build is perhaps suitable for use: @@ -762,15 +762,15 @@ This does look promising; smbd has been built with Kerberos and LDAP support. You are relieved to know that it is safe to progress.

      2. - - - - - - - - - + + + + + + + + + The next step is to identify which version of the Kerberos libraries have been used. In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is essential that it has been linked with either MIT Kerberos version 1.3.1 or later, @@ -798,7 +798,7 @@

      3. Edit or create the NSS control file so it has the contents shown in ???.

      4. - + Delete the file /etc/samba/secrets.tdb if it exists. Of course, you do keep a backup, don't you?

      5. @@ -809,7 +809,7 @@ root# rm /var/lib/samba/*tdb

      6. - + Validate your smb.conf file using testparm (as you have done previously). Correct all errors reported before proceeding. The command you execute is: @@ -819,8 +819,8 @@ Now that you are satisfied that your Samba server is ready to join the Windows ADS domain, let's move on.

      7. - - + + This is a good time to double-check everything and then execute the following command when everything you have done has checked out okay: 

        @@ -831,17 +831,17 @@
 		You have successfully made your Samba-3 server a member of the ADS domain
 		using Kerberos protocols.
 		
        
-		
-		
+		
+		
 		In the event that you receive no output messages, a silent return means that the
 		domain join failed. You should use ethereal to identify what
 		may be failing. Common causes of a failed join include:
 
 		
        • 
-			
+			
 			Defective or misconfigured DNS name resolution.
 			
        • 
-			
+			
 			Restrictive security settings on the Windows 200x ADS domain controller
 			preventing needed communications protocols. You can check this by searching
 			the Windows Server 200x Event Viewer.
@@ -853,16 +853,16 @@
 			functionality.
 			
        
 
-		
-		
-		
+		
+		
+		
 		In any case, never execute the net rpc join command in an attempt
 		to join the Samba server to the domain, unless you wish not to use the Kerberos
 		security protocols. Use of the older RPC-based domain join facility requires that
 		Windows Server 200x ADS has been configured appropriately for mixed mode operation.

      8. - - + + If the tdbdump is installed on your system (not essential), you can look inside the /etc/samba/secrets.tdb file. If you wish to do this, execute: @@ -893,7 +893,7 @@ It is now time to start Samba in the usual way (as has been done many time before in this book).

      9. - + This is a good time to verify that everything is working. First, check that winbind is able to obtain the list of users and groups from the ADS domain controller. Execute the following: @@ -919,7 +919,7 @@ LONDON+DnsUpdateProxy

        Excellent. That worked also, as expected. -

      10. +

      11. Now repeat this via NSS to validate that full identity resolution is functional as required. Execute: 

        @@ -952,9 +952,9 @@

        This is very pleasing. Everything works as expected.

      12. - - - + + + You may now perform final verification that communications between Samba-3 winbind and the Active Directory server is using Kerberos protocols. Execute the following: 

        @@ -972,7 +972,7 @@
 		keep all server time clocks synchronized using the network time protocol (NTP).
 		In any case, the output we obtained confirms that all systems are operational.

      13. - + There is one more action you elect to take, just because you are paranoid and disbelieving, so you execute the following command: 

        @@ -1142,21 +1142,21 @@

        Now all is revealed. Your curiosity, as well as that of your team, has been put at ease. May this server serve well all who happen upon it. -

        Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership

        # Global parameters
        [global]
        unix charset = LOCALE
        workgroup = LONDON
        realm = LONDON.ABMAS.BIZ
        server string = Samba 3.0.20
        security = ADS
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = CUPS
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = /bin/bash
        winbind separator = +
        printing = cups
        [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        [printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No
        [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        admin users = root, Administrator
        write list = root

        IDMAP_RID with Winbind

        - - - - +

        Example 7.7. Samba Domain Member smb.conf File for Active Directory Membership

        # Global parameters
        [global]
        unix charset = LOCALE
        workgroup = LONDON
        realm = LONDON.ABMAS.BIZ
        server string = Samba 3.0.20
        security = ADS
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = CUPS
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = /bin/bash
        winbind separator = +
        printing = cups
        [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        [printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No
        [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        admin users = root, Administrator
        write list = root

        IDMAP_RID with Winbind

        + + + + The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations.

        - - - - + + + + This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to a base value specified. This utility requires that the parameter @@ -1164,18 +1164,18 @@ with multiple domain environments. The idmap uid and idmap gid ranges must be specified.

        - - + + The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory. To use this with an NT4 domain, the realm is not used. Additionally the method used to join the domain uses the net rpc join process.

        An example smb.conf file for an ADS domain environment is shown in ???. -

        Example 7.8. Example smb.conf File Using idmap_rid

        # Global parameters
        [global]
        workgroup = KPAK
        netbios name = BIGJOE
        realm = CORP.KPAK.COM
        server string = Office Server
        security = ADS
        allow trusted domains = No
        idmap backend = idmap_rid:KPAK=500-100000000
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
        winbind nested groups = Yes
        printer admin = "KPAK\Domain Admins"

        - - - - +

        Example 7.8. Example smb.conf File Using idmap_rid

        # Global parameters
        [global]
        workgroup = KPAK
        netbios name = BIGJOE
        realm = CORP.KPAK.COM
        server string = Office Server
        security = ADS
        allow trusted domains = No
        idmap backend = idmap_rid:KPAK=500-100000000
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
        winbind nested groups = Yes
        printer admin = "KPAK\Domain Admins"

        + + + + In a large domain with many users, it is imperative to disable enumeration of users and groups. For example, at a site that has 22,000 users in Active Directory the winbind-based user and group resolution is unavailable for nearly 12 minutes following first start-up of @@ -1185,8 +1185,8 @@ commands. It will be possible to perform the lookup for individual users, as shown in the procedure below.

        - - + + The use of this tool requires configuration of NSS as per the native use of winbind. Edit the /etc/nsswitch.conf so it has the following parameters: 

        @@ -1212,7 +1212,7 @@
 Joined 'BIGJOE' to realm 'CORP.KPAK.COM'

        - + An invalid or failed join can be detected by executing: 

         root#  net ads testjoin
@@ -1228,30 +1228,30 @@
                 Start the nmbd, winbind, and smbd daemons in the order shown.

      14. Validate the operation of this configuration by executing: - + 

         root#  getent passwd administrator
 administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash

        -

    IDMAP Storage in LDAP using Winbind

    - - +

    IDMAP Storage in LDAP using Winbind

    + + The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on.

    The example in ??? is for an ADS-style domain. -

    Example 7.9. Typical ADS Style Domain smb.conf File

    # Global parameters
    [global]
    workgroup = SNOWSHOW
    netbios name = GOODELF
    realm = SNOWSHOW.COM
    server string = Samba Server
    security = ADS
    log level = 1 ads:10 auth:10 sam:10 rpc:10
    ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
    ldap idmap suffix = ou=Idmap
    ldap suffix = dc=SNOWSHOW,dc=COM
    idmap backend = ldap:ldap://ldap.snowshow.com
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes

    - +

    Example 7.9. Typical ADS Style Domain smb.conf File

    # Global parameters
    [global]
    workgroup = SNOWSHOW
    netbios name = GOODELF
    realm = SNOWSHOW.COM
    server string = Samba Server
    security = ADS
    log level = 1 ads:10 auth:10 sam:10 rpc:10
    ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
    ldap idmap suffix = ou=Idmap
    ldap suffix = dc=SNOWSHOW,dc=COM
    idmap backend = ldap:ldap://ldap.snowshow.com
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes

    + In the case of an NT4 or Samba-3-style domain the realm is not used, and the command used to join the domain is net rpc join. The above example also demonstrates advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in “The Official Samba-3 HOWTO and Reference Guide, Second Edition” (TOSHARG2).

    - - - + + + Where MIT kerberos is installed (version 1.3.4 or later), edit the /etc/krb5.conf file so it has the following contents: 

    @@ -1306,8 +1306,8 @@
 ...

    - - + + You will need the PADL nss_ldap tool set for this solution. Configure the /etc/ldap.conf file so it has the information needed. The following is an example of a working file: @@ -1370,20 +1370,20 @@

  • Start the nmbd, winbind, and smbd daemons in the order shown.

    • - + Follow the diagnostic procedures shown earlier in this chapter to identify success or failure of the join. In many cases a failure is indicated by a silent return to the command prompt with no indication of the reason for failure. -

    IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension

    - - +

    IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension

    + + The use of this method is messy. The information provided in this section is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance.

    An example smb.conf file is shown in ???. -

    Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File

    # Global parameters
    [global]
    workgroup = BUBBAH
    netbios name = MADMAX
    realm = BUBBAH.COM
    server string = Samba Server
    security = ADS
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes

    - +

    Example 7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File

    # Global parameters
    [global]
    workgroup = BUBBAH
    netbios name = MADMAX
    realm = BUBBAH.COM
    server string = Samba Server
    security = ADS
    idmap uid = 150000-550000
    idmap gid = 150000-550000
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes

    + The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary to build and install the PADL nss_ldap tool set. Be sure to build this tool set with the following: @@ -1392,7 +1392,7 @@ make install

    - + The following /etc/nsswitch.conf file contents are required: 

     ...
@@ -1404,30 +1404,30 @@
 ...

    - - + + The /etc/ldap.conf file must be configured also. Refer to the PADL documentation and source code for nss_ldap instructions.

    The next step involves preparation on the ADS schema. This is briefly discussed in the remaining part of this chapter. -

    IDMAP, Active Directory, and MS Services for UNIX 3.5

    - +

    IDMAP, Active Directory, and MS Services for UNIX 3.5

    + The Microsoft Windows Service for UNIX version 3.5 is available for free download from the Microsoft Web site. You will need to download this tool and install it following Microsoft instructions. -

    IDMAP, Active Directory, and AD4UNIX

    +

    IDMAP, Active Directory, and AD4UNIX

    Instructions for obtaining and installing the AD4UNIX tool set can be found from the Geekcomix Web site. -

    UNIX/Linux Client Domain Member

    +

    UNIX/Linux Client Domain Member

    So far this chapter has been mainly concerned with the provision of file and print services for domain member servers. However, an increasing number of UNIX/Linux workstations are being installed that do not act as file or print servers to anyone other than a single desktop user. The key demand for desktop systems is to be able to log onto any UNIX/Linux or Windows desktop using the same network user credentials. -

    +

    The ability to use a common set of user credential across a variety of network systems is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a large number of vendors and include a range of technologies such as: @@ -1439,15 +1439,21 @@ Metadirectory server solutions

  • Replacement authentication systems -

    • - There are really only three solutions that provide integrated authentication and +

    + There are really four solutions that provide integrated authentication and user identity management facilities:

    • - Samba winbind (free) + Samba winbind (free). Samba-3.0.20 introduced a complete replacement for Winbind that now + provides a greater level of scalability in large ADS environments.

    • - PADL PAM and LDAP tools (free) + PADL PAM and LDAP tools (free).

    • - Vintela Authentication Services (commercial) + Vintela Authentication Services (commercial). +

    • + Centrify DirectControl (commercial). + Centrify's commercial product allows UNIX and Linux systems to use Active Directory + security, directory and policy services. Enhancements include a centralized ID mapping that + allows Samba, DirectControl and Active Directory to seamlessly work together.

    The following guidelines are pertinent to the deployment of winbind-based authentication and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops @@ -1458,22 +1464,22 @@ provides logon services for UNIX/Linux users, while Windows users obtain their sign-on support via Samba-3.

    - + On the other hand, if the authentication and identity resolution backend must be provided by a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these situations now follows.

    - - - + + + To permit users to log on to a Linux system using Windows network credentials, you need to configure identity resolution (NSS) and PAM. This means that the basic steps include those outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) usually do not need to provide file and print services to a group of users, the configuration of shares and printers is generally less important. Often this allows the share specifications to be entirely removed from the smb.conf file. That is obviously an administrator decision. -

    NT4 Domain Member

    +

    NT4 Domain Member

    The following steps provide a Linux system that users can log onto using Windows NT4 (or Samba-3) domain network credentials:

    1. @@ -1501,7 +1507,7 @@

    2. Edit only one file at a time. Carefully validate its operation before attempting to reboot the machine. -

    ADS Domain Member

    +

    ADS Domain Member

    This procedure should be followed to permit a Linux network client (workstation/desktop) to permit users to log on using Microsoft Active Directory-based user credentials.

    1. @@ -1581,7 +1587,7 @@ session required /lib/security/$ISA/pam_limits.so session sufficient /lib/security/$ISA/pam_unix.so session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass -

    Key Points Learned

    +

    Key Points Learned

    The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you learned how to integrate such servers so that the UID/GID mappings they use can be consistent across all domain member servers. You also discovered how to implement the ability to use Samba @@ -1601,59 +1607,59 @@

  • On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management and PAM is responsible for authentication of logon credentials (username and password). -

    • Questions and Answers

    +

    Questions and Answers

    The following questions were obtained from the mailing list and also from private discussions with Windows network administrators. -

    +

    We use NIS for all UNIX accounts. Why do we need winbind? -
    +
    Our IT management people do not like LDAP but are looking at Microsoft Active Directory. Which is better?Active Directory -
    +
    We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible to use NIS in place of LDAP? -
    +
    Are you suggesting that users should not log on to a domain member server? If so, why? -
    winbind enable local accounts/etc/passwdoptions listACLshare +
    winbind enable local accounts/etc/passwdoptions listACLshare In my smb.conf file, I enabled the parameter winbind enable local accounts on all domain member servers, but it does not work. The accounts I put in /etc/passwd do not show up in the options list when I try to set an ACL on a share. What have I done wrong? -
    trusted domainsdomaintrustedwinbind trusted domains onlydomain members +
    trusted domainsdomaintrustedwinbind trusted domains onlydomain members We want to ensure that only users from our own domain plus from trusted domains can use our Samba servers. In the smb.conf file on all servers, we have enabled the winbind trusted domains only parameter. We now find that users from trusted domains cannot access our servers, and users from Windows clients that are not domain members can also access our servers. Is this a Samba bug? -
    +
    What are the benefits of using LDAP for my domain member servers? -
    +
    Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into my DNS configuration? -
    +
    Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we use Samba-3 with that configuration? -
    netadsjoinnetrpcjoin +
    netadsjoinnetrpcjoin When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it? -

    +

    We use NIS for all UNIX accounts. Why do we need winbind?

    - - - - - - + + + + + + You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted passwords that need to be stored in one of the acceptable passdb backends. Your choice of backend is limited to smbpasswd or tdbsam. Winbind is needed to handle the resolution of SIDs from trusted domains to local UID/GID values.

    - - + + On a domain member server, you effectively map Windows domain users to local users that are in your NIS database by specifying the winbind trusted domains only. This causes user and group account lookups to be routed via @@ -1661,17 +1667,17 @@ this pushes the resolution of users and groups out through NIS.

    As a general rule, it is always a good idea to run winbind on all Samba servers. -

    +

    Our IT management people do not like LDAP but are looking at Microsoft Active Directory. - Which is better? -

    + Which is better? +

    Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos infrastructure. Most IT managers who object to LDAP do so because an LDAP server is most often supplied as a raw tool that needs to be configured and for which the administrator must create the schema, create the administration tools, and devise the backup and recovery facilities in a site-dependent manner. LDAP servers in general are seen as a high-energy, high-risk facility. -

    +

    Microsoft Active Directory by comparison is easy to install and configure and is supplied with all tools necessary to implement and manage the directory. For sites that lack a lot of technical competence, Active Directory is a good choice. For sites @@ -1680,28 +1686,28 @@ the site want? If management wants a choice to use an alternative, they may want to consider the options. On the other hand, if management just wants a solution that works, Microsoft Active Directory is a good solution. -

    +

    We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible to use NIS in place of LDAP? -

    +

    Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping the Windows (SMB) encrypted passwords database correctly synchronized across the entire network. Workstations (Windows client machines) periodically change their domain membership secure account password. How can you keep changes that are on remote BDCs synchronized on the PDC? -

    +

    LDAP is a more elegant solution because it permits centralized storage and management of all network identities (user, group, and machine accounts) together with all information Samba needs to provide to network clients and their users. -

    +

    Are you suggesting that users should not log on to a domain member server? If so, why? -

    +

    Many UNIX administrators mock the model that the personal computer industry has adopted as normative since the early days of Novell NetWare. The old perception of the necessity to keep users off file and print servers was a result of fears concerning the security and integrity of data. It was a simple and generally effective measure to keep users away from servers, except through mapped drives. -

    +

    UNIX administrators are fully correct in asserting that UNIX servers and workstations are identical in terms of the software that is installed. They correctly assert that in a well-secured environment it is safe to store files on a system that has hundreds @@ -1710,16 +1716,16 @@ server the risk to operations through simple user errors. Only then can one begin to appraise the best strategy and adopt a site-specific policy that best protects the needs of users and of the organization alike. -

    +

    From experience, it is my recommendation to keep general system-level logins to a practical minimum and to eliminate them if possible. This should not be taken as a hard rule, though. The better question is, what works best for the site? -

    +

    In my smb.conf file, I enabled the parameter winbind enable local accounts on all domain member servers, but it does not work. The accounts I put in /etc/passwd do not show up in the options list when I try to set an ACL on a share. What have I done wrong? -

    +

    The manual page for this smb.conf file parameter clearly says, “This parameter controls whether or not winbindd will act as a stand-in replacement for the various account management hooks in smb.conf (for example, add user script). If enabled, winbindd @@ -1727,18 +1733,18 @@ information available via getpwnam() or getgrgid(), etc....” By default this parameter is already enabled; therefore, the action you are seeing is a result of a failure of identity resolution in the domain. -

    +

    These are the accounts that are available for Windows network domain logons. Providing identity resolution has been correctly configured on the domain controllers as well as on domain member servers. The domain user and group identities automatically map to a valid local UID and GID pair. -

    +

    We want to ensure that only users from our own domain plus from trusted domains can use our Samba servers. In the smb.conf file on all servers, we have enabled the winbind trusted domains only parameter. We now find that users from trusted domains cannot access our servers, and users from Windows clients that are not domain members can also access our servers. Is this a Samba bug? -

    +

    The manual page for this winbind trusted domains only parameter says, “This parameter is designed to allow Samba servers that are members of a Samba-controlled domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users @@ -1746,7 +1752,7 @@ mapped to the account user1 in /etc/passwd instead of allocating a new UID for him or her.” This clearly suggests that you are trying to use this parameter inappropriately. -

    +

    A far better solution is to use the valid users by specifying precisely the domain users and groups that should be permitted access to the shares. You could, for example, set the following parameters: @@ -1755,24 +1761,24 @@ path = /export/demodata valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"

    -

    +

    What are the benefits of using LDAP for my domain member servers? -

    +

    The key benefit of using LDAP is that the UID of all users and the GID of all groups are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy/replicate files across servers without loss of identity. -

    +

    When use is made of account identity resolution via winbind, even when an IDMAP backend is stored in LDAP, the UID/GID on domain member servers is consistent, but differs from the ID that the user/group has on domain controllers. The winbind allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified in the idmap uid/gid in the smb.conf file. On domain controllers, the UID/GID is that of the POSIX value assigned in the LDAP directory as part of the POSIX account information. -

    +

    Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into my DNS configuration? -

    +

    Samba depends on correctly functioning resolution of hostnames to their IP address. Samba makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the getXXXbyXXX() function calls. The configuration of the hosts @@ -1785,23 +1791,23 @@ this means that a hostname lookup first tries the /etc/hosts. If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a WINS lookup. -

    +

    The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS is the preferred name resolution technology. This usually makes most sense when Samba is a client of an Active Directory domain, where NetBIOS use has been disabled. In this case, the Windows 200x autoregisters all locator records it needs with its own DNS server or servers. -

    +

    Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we use Samba-3 with that configuration?

    Yes. -

    +

    When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it? -

    +

    No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.

    Prev Up Next
    Part II. Domain Members, Updating Samba and Migration Home Chapter 8. Updating Samba-3
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-ByExample/upgrades.html samba-3.0.21/docs/htmldocs/Samba3-ByExample/upgrades.html --- samba-3.0.20b/docs/htmldocs/Samba3-ByExample/upgrades.html 2005-08-19 12:59:31.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-ByExample/upgrades.html 2005-12-19 10:19:21.000000000 -0600 @@ -1,14 +1,14 @@ -Chapter 8. Updating Samba-3
    Chapter 8. Updating Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 8. Updating Samba-3

    Table of Contents

    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory

    - - +Chapter 8. Updating Samba-3

    Chapter 8. Updating Samba-3
    Prev Part II. Domain Members, Updating Samba and Migration Next

    Chapter 8. Updating Samba-3

    Table of Contents

    Introduction
    Cautions and Notes
    Upgrading from Samba 1.x and 2.x to Samba-3
    Samba 1.9.x and 2.x Versions Without LDAP
    Applicable to All Samba 2.x to Samba-3 Upgrades
    Samba-2.x with LDAP Support
    Updating a Samba-3 Installation
    Samba-3 to Samba-3 Updates on the Same Server
    Migrating Samba-3 to a New Server
    Migration of Samba Accounts to Active Directory

    + + It was a little difficult to select an appropriate title for this chapter. From email messages on the Samba mailing lists it is clear that many people consider the updating and upgrading of Samba to be a migration matter. Others talk about migrating Samba servers when in fact the issue at hand is one of installing a new Samba server to replace an older existing Samba server.

    - - + + There has also been much talk about migration of Samba-3 from an smbpasswd passdb backend to the use of the tdbsam or ldapsam facilities that are new to Samba-3. @@ -17,19 +17,19 @@ people apply to these modes by which Samba servers are updated. This is further highlighted by an email posting that included the following neat remark:

    - + I like the “net rpc vampire” on NT4, but that to my surprise does not seem to work against a Samba PDC and, if addressed in the Samba to Samba context in either book, I could not find it.

    - + So in response to the significant request for these situations to be better documented, this chapter has now been added. User contributions and documentation of real-world experiences are a most welcome addition to this chapter. -

    Introduction

    - - - +

    Introduction

    + + + A Windows network administrator explained in an email what changes he was planning to make and followed with the question: “Anyone done this before?” Many of us have upgraded and updated Samba without incident. @@ -44,28 +44,28 @@ fails to take adequate steps to avoid situations that may inflict lost productivity on them.

    Warning

    - - + + Samba makes it possible to upgrade and update configuration files, but it is not possible to downgrade the configuration files. Please ensure that all configuration and control files are backed up to permit a down-grade in the rare event that this may be necessary.

    - - + + It is prudent also to backup all data files on the server before attempting to perform a major upgrade. Many administrators have experienced the consequences of failure to take adequate precautions. So what is adequate? That is simple! If data is lost during an upgrade or update and it can not be restored, the precautions taken were inadequate. If a backup was not needed, but was available, caution was on the side of the victor. -

    Cautions and Notes

    +

    Cautions and Notes

    Someone once said, “It is good to be sorry, but better never to need to be!” These are wise words of advice to those contemplating a Samba upgrade or update.

    - - - + + + This is as good a time as any to define the terms upgrade and update. The term upgrade refers to the installation of a version of Samba that is a whole generation or more ahead of @@ -73,12 +73,12 @@ number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0 is in development.

    - + The term update refers to a minor version number installation in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14 is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade.

    - + While the use of these terms is an exercise in semantics, what needs to be realized is that there are major functional differences between a Samba 2.x release and a Samba 3.0.x release. Such differences may require a significantly different approach to @@ -90,13 +90,13 @@ the greater the risk that noone will read it, but where there is no documentation, noone can read it!” While true, some documentation is an evil necessity. It is hoped that this update to the documentation will avoid both extremes. -

    Security Identifiers (SIDs)

    - - - - - - +

    Security Identifiers (SIDs)

    + + + + + + Before the days of Windows NT and OS/2, every Windows and DOS networking client that used the SMB protocols was an entirely autonomous entity. There was no concept of a security identifier for a machine or a user outside of the username, the @@ -104,46 +104,46 @@ in the same context as the way that the SID is used since the development of Windows NT 3.10.

    - - - - - - + + + + + + Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use of the username that is embedded in the SessionSetUpAndX component of the connection setup process between a Windows client and an SMB/CIFS server.

    - - - + + + Around November 1997 support was added to Samba-1.9 to handle the Windows security RPC-based protocols that implemented support for Samba to store a machine SID. This information was stored in a file called MACHINE.SID.

    - - - + + + Within the lifetime of the early Samba 2.x series, the machine SID information was relocated into a tdb file called secrets.tdb, which is where it is still located in Samba 3.0.x along with other information that pertains to the local machine and its role within a domain security context.

    - - - - + + + + There are two types of SID, those pertaining to the machine itself and the domain to which it may belong, and those pertaining to users and groups within the security context of the local machine, in the case of standalone servers (SAS) and domain member servers (DMS).

    - - - - - - + + + + + + When the Samba smbd daemon is first started, if the secrets.tdb file does not exist, it is created at the first client connection attempt. If this file does exist, smbd checks that there is a machine SID (if it is a domain controller, @@ -153,7 +153,7 @@ manner. This means that each time it is generated for a particular combination of machine name (hostname) and domain name (workgroup), it will be different.

    - + The SID is the key used by MS Windows networking for all networking operations. This means that when the machine or domain SID changes, all security-encoded objects such as profiles and ACLs may become unusable. @@ -162,22 +162,22 @@ the event of a change of hostname (machine name) or domain name (workgroup) the SID can be restored to its previous value.

    - - - - - - - - - - + + + + + + + + + + In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled the SID. On a standalone server the hostname still controls the SID.

    - - + + The local machine SID can be backed up using this procedure (Samba-3): 

     root#  net getlocalsid > /etc/samba/my-local-SID
@@ -200,7 +200,7 @@
 	ability to read the older tdb file and to perform an in-situ update to the latest tdb format.
 	This is not a reversible process  it is a one-way upgrade.
 	
    
-	
+	
 	In the course of the Samba 2.0.x series the smbpasswd was modified to
 	permit the domain SID to be captured to the secrets.tdb file by executing:
 
    @@ -217,8 +217,8 @@
 root#  smbpasswd -W S-1-5-21-726309263-4128913605-1168186429
 
    
 	
    
-	
-	
+	
+	
 	Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x
 	systems by executing:
 
    @@ -237,9 +237,9 @@
 	It is a very good practice to store this SID information in a safely kept file, just in
 	case it is ever needed at a later date.
 	
    
-	
-	
-	
+	
+	
+	
 	Take note that the domain SID is used extensively in Samba. Where LDAP is used for the
 	passdb backend, all user, group, and trust accounts are encoded
 	with the domain SID. This means that if the domain SID changes for any reason, the entire
@@ -250,9 +250,9 @@
 root#  slapcat -v -l filename.ldif
 
    
 	
    
-	
-	
-	
+	
+	
+	
 	When the domain SID has changed, roaming profiles cease to be functional. The recovery
 	of roaming profiles necessitates resetting of the domain portion of the user SID
 	that owns the profile. This is encoded in the NTUser.DAT and can be
@@ -261,9 +261,9 @@
 	complain to the Samba Team if this utility is missing; that issue that must be
 	addressed to the creator of the RPM package. The Samba Team do their best to make
 	available all the tools needed to manage a Samba-based Windows networking environment.
-

    Change of hostname

    - - +

    Change of hostname

    + + Samba uses two methods by which the primary NetBIOS machine name (also known as a computer name or the hostname) may be determined: If the smb.conf file contains a netbios name entry, its value will be used directly. In the absence @@ -277,13 +277,13 @@ Do NOT change the hostname or the netbios name. If this is changed, be sure to reset the machine SID to the original setting. Otherwise there may be serious interoperability and/or operational problems. -

    Change of Workgroup (Domain) Name

    - +

    Change of Workgroup (Domain) Name

    + The domain name of a Samba server is identical to the workgroup name and is set in the smb.conf file using the workgroup parameter. This has been consistent throughout the history of Samba and across all versions.

    - + Be aware that when the workgroup name is changed, a new SID will be generated. The old domain SID can be reset using the procedure outlined earlier in this chapter.

    Location of config files

    @@ -292,7 +292,7 @@ have varied the location of the Samba control files. This has led to some confusion for network administrators.

    - + The Samba 1.9.x smb.conf file may be found either in the /etc directory or in /usr/local/samba/lib.

    @@ -300,12 +300,12 @@ on Linux systems to the /etc/samba directory where it remains located also for Samba 3.0.x installations.

    - + Samba 2.x introduced the secrets.tdb file that is also stored in the /etc/samba directory, or in the /usr/local/samba/lib directory subsystem.

    - + The location at which smbd expects to find all configuration and control files is determined at the time of compilation of Samba. For versions of Samba prior to 3.0, one way to find the expected location of these files is to execute: @@ -317,7 +317,7 @@ Note: The smbd executable may be located in the path /usr/local/samba/sbin.

    - + Samba-3 provides a neat new way to track the location of all control files as well as to find the compile-time options used as the Samba package was built. Here is how the dark secrets of the internals of the location of control files within Samba executables can @@ -348,37 +348,37 @@ ...

    - + It is important that both the smb.conf file and the secrets.tdb be backed up before attempting any upgrade. The secrets.tdb file is version-encoded, and therefore a newer version may not work with an older version of Samba. A backup means that it is always possible to revert a failed or problematic upgrade. -

    International Language Support

    - - - - +

    International Language Support

    + + + + Samba-2.x had no support for Unicode; instead, all national language character-set support in file names was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus providing true internationalization support.

    - + Non-English users whose national language character set has special characters and who upgrade naively will find that many files that have the special characters in the file name will see them garbled and jumbled up. This typically happens with umlauts and accents because these characters were particular to the codepage that was in use with Samba-2.x using an 8-bit encoding scheme.

    - + Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some effort to set straight.

    - + A very helpful tool is available from Bjorn Jacke's convmv work. Convmv is a tool that can be used to convert file and directory names from one encoding method to another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding. -

    Updates and Changes in Idealx smbldap-tools

    +

    Updates and Changes in Idealx smbldap-tools

    The smbldap-tools have been maturing rapidly over the past year. With maturation comes change. The location of the smbldap.conf and the smbldap_bind.conf configuration files have been moved from the directory /etc/smbldap-tools to @@ -392,7 +392,7 @@ sambaDomainName. Anyone who updates from an older version to the current release should note that the information stored under NextFreeUnixId must now be relocated to the DIT object sambaDomainName. -

    Upgrading from Samba 1.x and 2.x to Samba-3

    +

    Upgrading from Samba 1.x and 2.x to Samba-3

    Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3 may experience little difficulty or may require a lot of effort, depending on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will @@ -405,10 +405,10 @@

    Samba 1.9.x and 2.x Versions Without LDAP

    Where it is necessary to upgrade an old Samba installation to Samba-3, the following procedure can be followed: -

    Procedure 8.1. Upgrading from a Pre-Samba-3 Version

    1. - - - +

      Procedure 8.1. Upgrading from a Pre-Samba-3 Version

      1. + + + Stop Samba. This can be done using the appropriate system tool that is particular for each operating system or by executing the kill command on smbd, @@ -423,10 +423,10 @@ Find the location of the secrets.tdb file and back it up to a safe location.

      2. - - - - + + + + Find the location of the lock directory. This is the directory in which Samba stores all its tdb control files. The default location used by the Samba Team is in @@ -437,7 +437,7 @@ /var/lib/samba directory. Copy all the tdb files to a safe location.

      3. - + It is now safe to upgrade the Samba installation. On Linux systems it is not necessary to remove the Samba RPMs because a simple upgrade installation will automatically remove the old files. @@ -456,7 +456,7 @@

      4. Do not change the workgroup name.

      5. - + Execute the testparm to validate the smb.conf file. This process will flag any parameters that are no longer supported. It will also flag configuration settings that may be in conflict. @@ -468,67 +468,67 @@ root# cd /etc/samba root# testparm -s smb.conf.master > smb.conf

        - + The resulting smb.conf file will be stripped of all comments and of all nonconforming configuration settings.

      6. - + It is now safe to start Samba using the appropriate system tool. Alternately, it is possible to just execute nmbd, smbd, and winbindd for the command line while logged in as the root user. -

    Applicable to All Samba 2.x to Samba-3 Upgrades

    - - - +

    Applicable to All Samba 2.x to Samba-3 Upgrades

    + + + Samba 2.x servers that were running as a domain controller (PDC) require changes to the configuration of the scripting interface tools that Samba uses to perform OS updates for users, groups, and trust accounts (machines and interdomain).

    - + The following parameters are new to Samba-3 and should be correctly configured. Please refer to ??? through ??? in this book for examples of use of the new parameters shown here: - - - - - - - + + + + + + +

    add group script

    add machine script

    add user to group script

    delete group script

    delete user from group script

    passdb backend

    set primary group script

    - - + + The add machine script functionality was previously handled by the add user script, which in Samba-3 is used exclusively to add user accounts.

    - - - - - - - - - + + + + + + + + + Where the passdb backend used is either smbpasswd (the default) or the new tdbsam, the system interface scripts are typically used. These involve use of OS tools such as useradd, usermod, userdel, groupadd, groupmod, groupdel, and so on.

    - - - + + + Where the passdb backend makes use of an LDAP directory, it is necessary either to use the smbldap-tools provided by Idealx or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts. -

    Samba-2.x with LDAP Support

    +

    Samba-2.x with LDAP Support

    Samba version 2.x could be compiled for use either with or without LDAP. The LDAP control settings in the smb.conf file in this old version are completely different (and less complete) than they are with Samba-3. This @@ -538,8 +538,8 @@ Follow the procedure outlined in ??? to affect a migration of all files to the correct locations.

    - - + + The Samba SAM schema required for Samba-3 is significantly different from that used with Samba 2.x. This means that the LDAP directory must be updated using the procedure outlined in the Samba WHATSNEW.txt file that accompanies @@ -694,19 +694,19 @@ Due to a limitation in Samba's smb.conf parsing, you should not surround the DN's with quotation marks.

    -

    Updating a Samba-3 Installation

    +

    Updating a Samba-3 Installation

    The key concern in this section is to deal with the changes that have been affected in Samba-3 between the Samba-3.0.0 release and the current update. Network administrators have expressed concerns over the steps that should be taken to update Samba-3 versions.

    - + The information in ??? would not be necessary if every person who has ever produced Samba executable (binary) files could agree on the preferred location of the smb.conf file and other Samba control files. Clearly, such agreement is further away than a pipedream.

    - + Vendors and packagers who produce Samba binary installable packages do not, as a rule, use the default paths used by the Samba-Team for the location of the binary files, the smb.conf file, and the Samba control files (tdb's @@ -719,54 +719,54 @@ uninformed administrator deals with apparent failure of the update to take effect.

    - + The best advice for those lacking in code compilation experience is to use only vendor (or Samba-Team) provided binary packages. The Samba packages that are provided by the Samba-Team are generally built to use file paths that are compatible with the original OS vendor's practices.

    - - + + If you are not sure whether a binary package complies with the OS vendor's practices, it is better to ask the package maintainer via email than to waste much time dealing with the nuances. Alternately, just diagnose the paths specified by the binary files following the procedure outlined above. -

    Samba-3 to Samba-3 Updates on the Same Server

    +

    Samba-3 to Samba-3 Updates on the Same Server

    The guidance in this section deals with updates to an existing Samba-3 server installation. -

    Updating from Samba Versions Earlier than 3.0.5

    +

    Updating from Samba Versions Earlier than 3.0.5

    With the provision that the binary Samba-3 package has been built with the same path and feature settings as the existing Samba-3 package that is being updated, an update of Samba-3 versions 3.0.0 through 3.0.4 can be updated to 3.0.5 without loss of functionality and without need to change either the smb.conf file or, where used, the LDAP schema. -

    Updating from Samba Versions between 3.0.6 and 3.0.10

    - - +

    Updating from Samba Versions between 3.0.6 and 3.0.10

    + + When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10, it is necessary only to update the LDAP schema (where LDAP is used). Always use the LDAP schema file that is shipped with the latest Samba-3 update.

    - - - + + + Samba-3.0.6 introduced the ability to remember the last n number of passwords a user has used. This information will work only with the tdbsam and ldapsam passdb backend facilities.

    After updating the LDAP schema, do not forget to re-index the LDAP database. -

    Updating from Samba Versions after 3.0.6 to a Current Release

    - +

    Updating from Samba Versions after 3.0.6 to a Current Release

    + Samba-3.0.8 introduced changes in how the username map behaves. It also included a change in behavior of winbindd. Please refer to the man page for smb.conf before implementing any update from versions prior to 3.0.8 to a current version.

    - + In Samba-3.0.11 a new privileges interface was implemented. Please refer to ??? for information regarding this new feature. It is not necessary to implement the privileges interface, but it @@ -788,12 +788,12 @@ below the machine suffix. Previous Samba releases would fall back to searching the 'ldap suffix' in some cases.

    -

    Migrating Samba-3 to a New Server

    +

    Migrating Samba-3 to a New Server

    The two most likely candidates for replacement of a server are domain member servers and domain controllers. Each needs to be handled slightly differently. -

    Replacing a Domain Member Server

    - +

    Replacing a Domain Member Server

    + Replacement of a domain member server should be done using the same procedure as outlined in ???.

    @@ -802,12 +802,12 @@ that the new server be renamed to that of the old server. This will change its SID and will necessitate rejoining to the domain.

    - - - - - - + + + + + + Following a change of hostname (NetBIOS name) it is a good idea on all servers to shut down the Samba smbd, nmbd, and winbindd services, delete the wins.dat @@ -817,10 +817,10 @@ resolution problems. These problems usually clear within 45 minutes of a name change, but can persist for a longer period of time.

    - - - - + + + + If the old domain member server had local accounts, it is necessary to create on the new domain member server the same accounts with the same UID and GID for each account. Where the passdb backend database @@ -831,13 +831,13 @@ /etc/group files. In this case, be sure to copy these account entries to the new target server.

    - + Where the user accounts for both UNIX and Samba are stored in LDAP, the new target server must be configured to use the nss_ldap tool set. This will automatically ensure that the appropriate user entities are available on the new server. -

    Replacing a Domain Controller

    - +

    Replacing a Domain Controller

    + In the past, people who replaced a Windows NT4 domain controller typically installed a new server, created printers and file shares on it, then migrate across all data that was destined to reside on it. The same can of course be done with @@ -890,10 +890,10 @@ or the netbios name is set to the original server name, Samba should correctly pick up the original SID and preserve all other settings. It is sound advice to validate this before turning the system over to users. -

    Migration of Samba Accounts to Active Directory

    +

    Migration of Samba Accounts to Active Directory

    Yes, it works. The Windows ADMT tool can be used to migrate Samba accounts to MS Active Directory. There are a few pitfalls to be aware of: -

    Procedure 8.2. Migration to Active Directory

    1. +

      Procedure 8.2. Migration to Active Directory

      1. Administrator password must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations. Perhaps this goes without saying, but there needs to be an account @@ -914,7 +914,7 @@ Disable the Windows Firewall on all workstations. Otherwise, workstations won't be migrated to the new domain.

      2. - + When migrating machines, always test first (using ADMT's test mode) and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually @@ -922,7 +922,7 @@ failure was due to a problem or simply to the fact that it was just a test.

      - + There are some significant benefits of using the ADMT, besides just migrating user accounts. ADMT can be found on the Windows 2003 CD.

      • diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/architecture.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/architecture.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/architecture.html 2005-08-19 13:01:23.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/architecture.html 2005-12-19 10:21:15.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 3. Samba Architecture

        Chapter 3. Samba Architecture
        Prev Part II. Samba Basics Next

        Chapter 3. Samba Architecture

        Dan Shearer

        November 1997

        Table of Contents

        Introduction
        Multithreading and Samba
        Threading smbd
        Threading nmbd
        nbmd Design

        Introduction

        +Chapter 3. Samba Architecture

        Chapter 3. Samba Architecture
        Prev Part II. Samba Basics Next

        Chapter 3. Samba Architecture

        Dan Shearer

        November 1997

        Table of Contents

        Introduction
        Multithreading and Samba
        Threading smbd
        Threading nmbd
        nbmd Design

        Introduction

        This document gives a general overview of how Samba works internally. The Samba Team has tried to come up with a model which is the best possible compromise between elegance, portability, security @@ -9,7 +9,7 @@

        1. Is Samba secure when running on Unix? The xyz platform? What about the root priveliges issue? -

        2. Pros and cons of multithreading in various parts of Samba

        3. Why not have a separate process for name resolution, WINS, and browsing?

        Multithreading and Samba

        +

      • Pros and cons of multithreading in various parts of Samba

      • Why not have a separate process for name resolution, WINS, and browsing?

    Multithreading and Samba

    People sometimes tout threads as a uniformly good thing. They are very nice in their place but are quite inappropriate for smbd. nmbd is another matter, and multi-threading it would be very nice. @@ -26,7 +26,7 @@ slower, less scalable, less portable and much less robust. The fact that we use a separate process for each connection is one of Samba's biggest advantages. -

    Threading smbd

    +

    Threading smbd

    A few problems that would arise from a threaded smbd are:

    1. It's not only to create threads instead of processes, but you @@ -51,7 +51,7 @@

    2. we couldn't use the system locking calls as the locking context of fcntl() is a process, not a thread. -

    Threading nmbd

    +

    Threading nmbd

    This would be ideal, but gets sunk by portability requirements.

    Andrew tried to write a test threads library for nmbd that used only @@ -78,7 +78,7 @@ nasty to program cleanly due to the enormous amount of shared data (in complex structures) between the processes. We can't rely on each platform having a shared memory system. -

    nbmd Design

    +

    nbmd Design

    Originally Andrew used recursion to simulate a multi-threaded environment, which use the stack enormously and made for really confusing debugging sessions. Luke Leighton rewrote it to use a diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/debug.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/debug.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/debug.html 2005-08-19 13:01:24.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/debug.html 2005-12-19 10:21:15.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 4. The samba DEBUG system

    Chapter 4. The samba DEBUG system
    Prev Part II. Samba Basics Next

    Chapter 4. The samba DEBUG system

    Chris Hertel

    July 1998

    Table of Contents

    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()

    New Output Syntax

    +Chapter 4. The samba DEBUG system

    Chapter 4. The samba DEBUG system
    Prev Part II. Samba Basics Next

    Chapter 4. The samba DEBUG system

    Chris Hertel

    July 1998

    Table of Contents

    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()

    New Output Syntax

    The syntax of a debugging log file is represented as: 

       >debugfile< :== { >debugmsg< }
@@ -51,7 +51,7 @@
 Note that in the above example the function names are not listed on
 the header line. That's because the example above was generated on an
 SGI Indy, and the SGI compiler doesn't support the __FUNCTION__ macro.
-

    The DEBUG() Macro

    +

    The DEBUG() Macro

    Use of the DEBUG() macro is unchanged. DEBUG() takes two parameters. The first is the message level, the second is the body of a function call to the Debug1() function. @@ -102,7 +102,7 @@ [1998/07/30 16:00:51, 0] file.c:function(261) .

    Which isn't much use. The format buffer kludge fixes this problem. -

    The DEBUGADD() Macro

    +

    The DEBUGADD() Macro

    In addition to the kludgey solution to the broken line problem described above, there is a clean solution. The DEBUGADD() macro never generates a header. It will append new text to the current debug @@ -116,7 +116,7 @@ This is the first line. This is the second line. This is the third line. -

    The DEBUGLVL() Macro

    +

    The DEBUGLVL() Macro

    One of the problems with the DEBUG() macro was that DEBUG() lines tended to get a bit long. Consider this example from nmbd_sendannounce.c: @@ -151,7 +151,7 @@

  • Processing that is only relevant to debug output can be contained within the DEBUGLVL() block. -

    • New Functions

    dbgtext()

    +

    New Functions

    dbgtext()

    This function prints debug message text to the debug file (and possibly to syslog) via the format buffer. The function uses a variable argument list just like printf() or Debug1(). The @@ -160,7 +160,7 @@ If you use DEBUGLVL() you will probably print the body of the message using dbgtext(). -

    dbghdr()

    +

    dbghdr()

    This is the function that writes a debug message header. Headers are not processed via the format buffer. Also note that if the format buffer is not empty, a call to dbghdr() will not @@ -168,7 +168,7 @@

    It is not likely that this function will be called directly. It is used by DEBUG() and DEBUGADD(). -

    format_debug_text()

    +

    format_debug_text()

    This is a static function in debug.c. It stores the output text for the body of the message in a buffer until it encounters a newline. When the newline character is found, the buffer is diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/devprinting.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/devprinting.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/devprinting.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/devprinting.html 2005-12-19 10:21:17.000000000 -0600 @@ -1,16 +1,16 @@ -Chapter 15. Samba Printing Internals

    Chapter 15. Samba Printing Internals
    Prev Part IV. Debugging and tracing Next

    Chapter 15. Samba Printing Internals

    Gerald Carter

    October 2002

    Table of Contents

    Abstract
    +Chapter 15. Samba Printing Internals
    Chapter 15. Samba Printing Internals
    Prev Part IV. Debugging and tracing Next

    Chapter 15. Samba Printing Internals

    Gerald Carter

    October 2002

    Table of Contents

    Abstract
    Printing Interface to Various Back ends -
    +
    Print Queue TDB's -
    +
    ChangeID and Client Caching of Printer Information -
    +
    Windows NT/2K Printer Change Notify -

    Abstract

    +

    Abstract

    The purpose of this document is to provide some insight into Samba's printing functionality and also to describe the semantics of certain features of Windows client printing. -

    +

    Printing Interface to Various Back ends

    Samba uses a table of function pointers to seven functions. The @@ -21,7 +21,7 @@ defined.

    • a generic set of functions for working with standard UNIX printing subsystems

    • a set of CUPS specific functions (this is only enabled if - the CUPS libraries were located at compile time).

    + the CUPS libraries were located at compile time).

    Print Queue TDB's

    Samba provides periodic caching of the output from the "lpq command" @@ -110,11 +110,11 @@ Only non-default Device Mode are stored with print jobs in the print queue TDB. Otherwise, the Device Mode is obtained from the printer object when the client issues a GetJob(level == 2) request. -

    +

    ChangeID and Client Caching of Printer Information

    [To be filled in later] -

    +

    Windows NT/2K Printer Change Notify

    When working with Windows NT+ clients, it is possible for a diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/index.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/index.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/index.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/index.html 2005-12-19 10:21:17.000000000 -0600 @@ -26,12 +26,12 @@ version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at http://www.fsf.org/licenses/gpl.txt

    Warning

    This document is incomplete and unmaintained. It is merely a - collection of development-related notes.

    Table of Contents

    I. The protocol
    1. NetBIOS in a Unix World
    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity
    2. NT Domain RPC's
    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS
    II. Samba Basics
    3. Samba Architecture
    Introduction
    Multithreading and Samba
    Threading smbd
    Threading nmbd
    nbmd Design
    4. The samba DEBUG system
    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()
    5. Samba Internals
    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table
    6. Coding Suggestions
    7. Contributing code
    8. Modules
    Advantages
    Loading modules
    Static modules
    Shared modules
    Writing modules
    Static/Shared selection in configure.in
    III. Samba Subsystems
    9. RPC Pluggable Modules
    About
    General Overview
    10. VFS Modules
    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions
    11. The smb.conf file
    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c
    12. Samba WINS Internals
    WINS Failover
    13. LanMan and NT Password Encryption
    Introduction
    How does it work?
    The smbpasswd file
    IV. Debugging and tracing
    14. Tracing samba system calls
    15. Samba Printing Internals
    Abstract
    + collection of development-related notes.

    Table of Contents

    I. The protocol
    1. NetBIOS in a Unix World
    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity
    2. NT Domain RPC's
    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS
    II. Samba Basics
    3. Samba Architecture
    Introduction
    Multithreading and Samba
    Threading smbd
    Threading nmbd
    nbmd Design
    4. The samba DEBUG system
    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()
    5. Samba Internals
    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table
    6. Coding Suggestions
    7. Contributing code
    8. Modules
    Advantages
    Loading modules
    Static modules
    Shared modules
    Writing modules
    Static/Shared selection in configure.in
    III. Samba Subsystems
    9. RPC Pluggable Modules
    About
    General Overview
    10. VFS Modules
    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions
    11. The smb.conf file
    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c
    12. Samba WINS Internals
    WINS Failover
    13. LanMan and NT Password Encryption
    Introduction
    How does it work?
    The smbpasswd file
    IV. Debugging and tracing
    14. Tracing samba system calls
    15. Samba Printing Internals
    Abstract
    Printing Interface to Various Back ends -
    +
    Print Queue TDB's -
    +
    ChangeID and Client Caching of Printer Information -
    +
    Windows NT/2K Printer Change Notify -
    V. Appendices
    16. Notes to packagers
    Versioning
    Modules
       Next
       Part I. The protocol
    +
    V. Appendices
    16. Notes to packagers
    Versioning
    Modules
       Next
       Part I. The protocol
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/internals.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/internals.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/internals.html 2005-08-19 13:01:24.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/internals.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 5. Samba Internals
    Chapter 5. Samba Internals
    Prev Part II. Samba Basics Next

    Chapter 5. Samba Internals

    8 May 1996

    Table of Contents

    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table

    Character Handling

    +Chapter 5. Samba Internals

    Chapter 5. Samba Internals
    Prev Part II. Samba Basics Next

    Chapter 5. Samba Internals

    8 May 1996

    Table of Contents

    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table

    Character Handling

    This section describes character set handling in Samba, as implemented in Samba 3.0 and above

    @@ -8,7 +8,7 @@ telling if a particular char* is in dos codepage or unix codepage. This led to a nightmare of code that tried to cope with particular cases without handlingt the general case. -

    The new functions

    +

    The new functions

    The new system works like this:

    1. all char* strings inside Samba are "unix" strings. These are @@ -70,28 +70,28 @@ parameters is gone.

    2. all vfs functions take unix strings. Don't convert when passing to them -

    Macros in byteorder.h

    +

    Macros in byteorder.h

    This section describes the macros defined in byteorder.h. These macros are used extensively in the Samba code. -

    CVAL(buf,pos)

    +

    CVAL(buf,pos)

    returns the byte at offset pos within buffer buf as an unsigned character. -

    PVAL(buf,pos)

    returns the value of CVAL(buf,pos) cast to type unsigned integer.

    SCVAL(buf,pos,val)

    sets the byte at offset pos within buffer buf to value val.

    SVAL(buf,pos)

    +

    PVAL(buf,pos)

    returns the value of CVAL(buf,pos) cast to type unsigned integer.

    SCVAL(buf,pos,val)

    sets the byte at offset pos within buffer buf to value val.

    SVAL(buf,pos)

    returns the value of the unsigned short (16 bit) little-endian integer at offset pos within buffer buf. An integer of this type is sometimes refered to as "USHORT". -

    IVAL(buf,pos)

    returns the value of the unsigned 32 bit little-endian integer at offset -pos within buffer buf.

    SVALS(buf,pos)

    returns the value of the signed short (16 bit) little-endian integer at -offset pos within buffer buf.

    IVALS(buf,pos)

    returns the value of the signed 32 bit little-endian integer at offset pos -within buffer buf.

    SSVAL(buf,pos,val)

    sets the unsigned short (16 bit) little-endian integer at offset pos within -buffer buf to value val.

    SIVAL(buf,pos,val)

    sets the unsigned 32 bit little-endian integer at offset pos within buffer -buf to the value val.

    SSVALS(buf,pos,val)

    sets the short (16 bit) signed little-endian integer at offset pos within -buffer buf to the value val.

    SIVALS(buf,pos,val)

    sets the signed 32 bit little-endian integer at offset pos withing buffer -buf to the value val.

    RSVAL(buf,pos)

    returns the value of the unsigned short (16 bit) big-endian integer at -offset pos within buffer buf.

    RIVAL(buf,pos)

    returns the value of the unsigned 32 bit big-endian integer at offset -pos within buffer buf.

    RSSVAL(buf,pos,val)

    sets the value of the unsigned short (16 bit) big-endian integer at +

    IVAL(buf,pos)

    returns the value of the unsigned 32 bit little-endian integer at offset +pos within buffer buf.

    SVALS(buf,pos)

    returns the value of the signed short (16 bit) little-endian integer at +offset pos within buffer buf.

    IVALS(buf,pos)

    returns the value of the signed 32 bit little-endian integer at offset pos +within buffer buf.

    SSVAL(buf,pos,val)

    sets the unsigned short (16 bit) little-endian integer at offset pos within +buffer buf to value val.

    SIVAL(buf,pos,val)

    sets the unsigned 32 bit little-endian integer at offset pos within buffer +buf to the value val.

    SSVALS(buf,pos,val)

    sets the short (16 bit) signed little-endian integer at offset pos within +buffer buf to the value val.

    SIVALS(buf,pos,val)

    sets the signed 32 bit little-endian integer at offset pos withing buffer +buf to the value val.

    RSVAL(buf,pos)

    returns the value of the unsigned short (16 bit) big-endian integer at +offset pos within buffer buf.

    RIVAL(buf,pos)

    returns the value of the unsigned 32 bit big-endian integer at offset +pos within buffer buf.

    RSSVAL(buf,pos,val)

    sets the value of the unsigned short (16 bit) big-endian integer at offset pos within buffer buf to value val. -refered to as "USHORT".

    RSIVAL(buf,pos,val)

    sets the value of the unsigned 32 bit big-endian integer at offset -pos within buffer buf to value val.

    LAN Manager Samba API

    +refered to as "USHORT".

    RSIVAL(buf,pos,val)

    sets the value of the unsigned 32 bit big-endian integer at offset +pos within buffer buf to value val.

    LAN Manager Samba API

    This section describes the functions need to make a LAN Manager RPC call. This information had been obtained by examining the Samba code and the LAN Manager 2.0 API documentation. It should not be considered entirely @@ -104,7 +104,7 @@

    This function is defined in client.c. It uses an SMB transaction to call a remote api. -

    Parameters

    The parameters are as follows:

    1. +

      Parameters

      The parameters are as follows:

      1. prcnt: the number of bytes of parameters begin sent.

      2. drcnt: the number of bytes of data begin sent. @@ -149,7 +149,7 @@

      The code in client.c always calls call_api() with no data. It is unclear when a non-zero length data buffer would be sent. -

      Return value

      +

      Return value

      The returned parameters (pointed to by rparam), in their order of appearance are:

      1. An unsigned 16 bit integer which contains the API function's return code. @@ -180,7 +180,7 @@ The third parameter (which may be read as "SVAL(rparam,4)") has something to do with indicating the amount of data returned or possibly the amount of data which can be returned if enough buffer space is allowed. -

      Code character table

      +

    Code character table

    Certain data structures are described by means of ASCIIz strings containing code characters. These are the code characters:

    1. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/modules.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/modules.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/modules.html 2005-08-19 13:01:25.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/modules.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,7 +1,7 @@ -Chapter 8. Modules

      Chapter 8. Modules
      Prev Part II. Samba Basics Next

      Chapter 8. Modules

      Jelmer Vernooij

      Samba Team

      19 March 2003

      Table of Contents

      Advantages
      Loading modules
      Static modules
      Shared modules
      Writing modules
      Static/Shared selection in configure.in

      Advantages

      +Chapter 8. Modules

      Chapter 8. Modules
      Prev Part II. Samba Basics Next

      Chapter 8. Modules

      Jelmer Vernooij

      Samba Team

      19 March 2003

      Table of Contents

      Advantages
      Loading modules
      Static modules
      Shared modules
      Writing modules
      Static/Shared selection in configure.in

      Advantages

      The new modules system has the following advantages:

      Transparent loading of static and shared modules (no need -for a subsystem to know about modules)
      Simple selection between shared and static modules at configure time
      "preload modules" option for increasing performance for stable modules
      No nasty #define stuff anymore
      All backends are available as plugin now (including pdb_ldap and pdb_tdb)

      Loading modules

      +for a subsystem to know about modules)

    Simple selection between shared and static modules at configure time
    "preload modules" option for increasing performance for stable modules
    No nasty #define stuff anymore
    All backends are available as plugin now (including pdb_ldap and pdb_tdb)

    Loading modules

    Some subsystems in samba use different backends. These backends can be either statically linked in to samba or available as a plugin. A subsystem should have a function that allows a module to register itself. For example, @@ -11,7 +11,7 @@

    This function will be called by the initialisation function of the module to register itself. -

    Static modules

    +

    Static modules

    The modules system compiles a list of initialisation functions for the static modules of each subsystem. This is a define. For example, it is here currently (from include/config.h): @@ -21,7 +21,7 @@

    These functions should be called before the subsystem is used. That should be done when the subsystem is initialised or first used. -

    Shared modules

    +

    Shared modules

    If a subsystem needs a certain backend, it should check if it has already been registered. If the backend hasn't been registered already, the subsystem should call smb_probe_module(char *subsystem, char *backend). @@ -31,7 +31,7 @@ absolute path specified in 'backend'.

    After smb_probe_module() has been executed, the subsystem should check again if the module has been registered. -

    Writing modules

    +

    Writing modules

    Each module has an initialisation function. For modules that are included with samba this name is 'subsystem_backend_init'. For external modules (that will never be built-in, but only available as a module) this name is always 'init_module'. (In the case of modules included with samba, the configure system will add a #define subsystem_backend_init() init_module()). The prototype for these functions is: @@ -46,7 +46,7 @@ smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_nua", pdb_init_ldapsam_nua); return NT_STATUS_OK; } -

    Static/Shared selection in configure.in

    +

    Static/Shared selection in configure.in

    Some macros in configure.in generate the various defines and substs that are necessary for the system to work correct. All modules that should be built by default have to be added to the variable 'default_modules'. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html 2005-08-19 13:01:23.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/ntdomain.html 2005-12-19 10:21:15.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 2. NT Domain RPC's

    Chapter 2. NT Domain RPC's
    Prev Part I. The protocol Next

    Chapter 2. NT Domain RPC's

    Luke Leighton

    Duncan Stansfield

    01 November 97(version 0.0.24)

    Table of Contents

    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS

    Introduction

    +Chapter 2. NT Domain RPC's

    Chapter 2. NT Domain RPC's
    Prev Part I. The protocol Next

    Chapter 2. NT Domain RPC's

    Luke Leighton

    Duncan Stansfield

    01 November 97(version 0.0.24)

    Table of Contents

    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS

    Introduction

    This document contains information to provide an NT workstation with login services, without the need for an NT server. It is the sgml version of http://mailhost.cb1.com/~lkcl/cifsntdomain.txt, controlled by Luke.

    @@ -44,7 +44,7 @@ that it is already a member of the domain.

  • the cryptographic side of the NetrServerPasswordSet command, which would allow the workstation to change its password. This password is used to generate the long-term session key. [It is possible to reject this -command, and keep the default workstation password].

    • Sources

    cket Traces from Netmonitor (Service Pack 1 and above)
    ul Ashton and Luke Leighton's other "NT Domain" doc.
    FS documentation - cifs6.txt
    FS documentation - cifsrap2.txt

    Credits

    Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based.
    Duncan Stansfield: low-level analysis of MSRPC Pipes.
    Linus Nordberg: producing c-code from Paul's crypto spec.
    Windows Sourcer development team

    Notes and Structures

    Notes

    1. +command, and keep the default workstation password].

    Sources

    cket Traces from Netmonitor (Service Pack 1 and above)
    ul Ashton and Luke Leighton's other "NT Domain" doc.
    FS documentation - cifs6.txt
    FS documentation - cifsrap2.txt

    Credits

    Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based.
    Duncan Stansfield: low-level analysis of MSRPC Pipes.
    Linus Nordberg: producing c-code from Paul's crypto spec.
    Windows Sourcer development team

    Notes and Structures

    Notes

    1. In the SMB Transact pipes, some "Structures", described here, appear to be 4-byte aligned with the SMB header, at their start. Exactly which "Structures" need aligning is not precisely known or documented. @@ -72,15 +72,15 @@ the pointer is also non-zero. immediately following the pointer is the count again, followed by an array of container sub-structures. the count appears a third time after the last sub-structure. -

    Enumerations

    MSRPC Header type

    command number in the msrpc packet header

    MSRPC_Request:

    0x00

    MSRPC_Response:

    0x02

    MSRPC_Bind:

    0x0B

    MSRPC_BindAck:

    0x0C

    MSRPC Packet info

    The meaning of these flags is undocumented

    FirstFrag:

    0x01

    LastFrag:

    0x02

    NotaFrag:

    0x04

    RecRespond:

    0x08

    NoMultiplex:

    0x10

    NotForIdemp:

    0x20

    NotforBcast:

    0x40

    NoUuid:

    0x80

    Structures

    VOID *

    sizeof VOID* is 32 bits.

    char

    sizeof char is 8 bits.

    UTIME

    UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30).

    NTTIME

    NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).

    DOM_SID (domain SID structure)

    UINT32

    num of sub-authorities in domain SID

    UINT8

    SID revision number

    UINT8

    num of sub-authorities in domain SID

    UINT8[6]

    6 bytes for domain SID - Identifier Authority.

    UINT16[n_subauths]

    domain SID sub-authorities

    Note: the domain SID is documented elsewhere. -

    STR (string)

    STR (string) is a char[] : a null-terminated string of ascii characters.

    UNIHDR (unicode string header)

    UINT16

    length of unicode string

    UINT16

    max length of unicode string

    UINT32

    4 - undocumented.

    UNIHDR2 (unicode string header plus buffer pointer)

    UNIHDR

    unicode string header

    VOID*

    undocumented buffer pointer

    UNISTR (unicode string)

    UINT16[]

    null-terminated string of unicode characters.

    NAME (length-indicated unicode string)

    UINT32

    length of unicode string

    UINT16[]

    null-terminated string of unicode characters.

    UNISTR2 (aligned unicode string)

    UINT8[]

    padding to get unicode string 4-byte aligned with the start of the SMB header.

    UINT32

    max length of unicode string

    UINT32

    0 - undocumented

    UINT32

    length of unicode string

    UINT16[]

    string of uncode characters

    OBJ_ATTR (object attributes)

    UINT32

    0x18 - length (in bytes) including the length field.

    VOID*

    0 - root directory (pointer)

    VOID*

    0 - object name (pointer)

    UINT32

    0 - attributes (undocumented)

    VOID*

    0 - security descriptior (pointer)

    UINT32

    0 - security quality of service

    POL_HND (LSA policy handle)

    char[20]

    policy handle

    DOM_SID2 (domain SID structure, SIDS stored in unicode)

    UINT32

    5 - SID type

    UINT32

    0 - undocumented

    UNIHDR2

    domain SID unicode string header

    UNISTR

    domain SID unicode string

    Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved.

    Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere.

    DOM_RID (domain RID structure)

    UINT32

    5 - well-known SID. 1 - user SID (see ShowACLs)

    UINT32

    5 - undocumented

    UINT32

    domain RID

    UINT32

    0 - domain index out of above reference domains

    LOG_INFO (server, account, client structure)

    Note: logon server name starts with two '\' characters and is upper case.

    Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case.

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    UNISTR2

    account name unicode string

    UINT16

    sec_chan - security channel type

    UNISTR2

    logon client machine unicode string

    CLNT_SRV (server, client names structure)

    Note: logon server name starts with two '\' characters and is upper case.

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon client machine unicode string

    CREDS (credentials + time stamp)

    char[8]

    credentials

    UTIME

    time stamp

    CLNT_INFO2 (server, client structure, client credentials)

    Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to - maintain an authenticated request/response trail.

    CLNT_SRV

    client and server names

    UINT8[]

    ???? padding, for 4-byte alignment with SMB header.

    VOID*

    pointer to client credentials.

    CREDS

    client-calculated credentials + client time

    CLNT_INFO (server, account, client structure, client credentials)

    Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail.

    LOG_INFO

    logon account info

    CREDS

    client-calculated credentials + client time

    ID_INFO_1 (id info structure, auth level 1)

    VOID*

    ptr_id_info_1

    UNIHDR

    domain name unicode header

    UINT32

    param control

    UINT64

    logon ID

    UNIHDR

    user name unicode header

    UNIHDR

    workgroup name unicode header

    char[16]

    arc4 LM OWF Password

    char[16]

    arc4 NT OWF Password

    UNISTR2

    domain name unicode string

    UNISTR2

    user name unicode string

    UNISTR2

    workstation name unicode string

    SAM_INFO (sam logon/logoff id info structure)

    Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised.

    CLNT_INFO2

    client identification/authentication info

    VOID*

    pointer to return credentials.

    CRED

    return credentials - ignored.

    UINT16

    logon level

    UINT16

    switch value

    +

    Enumerations

    MSRPC Header type

    command number in the msrpc packet header

    MSRPC_Request:

    0x00

    MSRPC_Response:

    0x02

    MSRPC_Bind:

    0x0B

    MSRPC_BindAck:

    0x0C

    MSRPC Packet info

    The meaning of these flags is undocumented

    FirstFrag:

    0x01

    LastFrag:

    0x02

    NotaFrag:

    0x04

    RecRespond:

    0x08

    NoMultiplex:

    0x10

    NotForIdemp:

    0x20

    NotforBcast:

    0x40

    NoUuid:

    0x80

    Structures

    VOID *

    sizeof VOID* is 32 bits.

    char

    sizeof char is 8 bits.

    UTIME

    UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30).

    NTTIME

    NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).

    DOM_SID (domain SID structure)

    UINT32

    num of sub-authorities in domain SID

    UINT8

    SID revision number

    UINT8

    num of sub-authorities in domain SID

    UINT8[6]

    6 bytes for domain SID - Identifier Authority.

    UINT16[n_subauths]

    domain SID sub-authorities

    Note: the domain SID is documented elsewhere. +

    STR (string)

    STR (string) is a char[] : a null-terminated string of ascii characters.

    UNIHDR (unicode string header)

    UINT16

    length of unicode string

    UINT16

    max length of unicode string

    UINT32

    4 - undocumented.

    UNIHDR2 (unicode string header plus buffer pointer)

    UNIHDR

    unicode string header

    VOID*

    undocumented buffer pointer

    UNISTR (unicode string)

    UINT16[]

    null-terminated string of unicode characters.

    NAME (length-indicated unicode string)

    UINT32

    length of unicode string

    UINT16[]

    null-terminated string of unicode characters.

    UNISTR2 (aligned unicode string)

    UINT8[]

    padding to get unicode string 4-byte aligned with the start of the SMB header.

    UINT32

    max length of unicode string

    UINT32

    0 - undocumented

    UINT32

    length of unicode string

    UINT16[]

    string of uncode characters

    OBJ_ATTR (object attributes)

    UINT32

    0x18 - length (in bytes) including the length field.

    VOID*

    0 - root directory (pointer)

    VOID*

    0 - object name (pointer)

    UINT32

    0 - attributes (undocumented)

    VOID*

    0 - security descriptior (pointer)

    UINT32

    0 - security quality of service

    POL_HND (LSA policy handle)

    char[20]

    policy handle

    DOM_SID2 (domain SID structure, SIDS stored in unicode)

    UINT32

    5 - SID type

    UINT32

    0 - undocumented

    UNIHDR2

    domain SID unicode string header

    UNISTR

    domain SID unicode string

    Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved.

    Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere.

    DOM_RID (domain RID structure)

    UINT32

    5 - well-known SID. 1 - user SID (see ShowACLs)

    UINT32

    5 - undocumented

    UINT32

    domain RID

    UINT32

    0 - domain index out of above reference domains

    LOG_INFO (server, account, client structure)

    Note: logon server name starts with two '\' characters and is upper case.

    Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case.

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    UNISTR2

    account name unicode string

    UINT16

    sec_chan - security channel type

    UNISTR2

    logon client machine unicode string

    CLNT_SRV (server, client names structure)

    Note: logon server name starts with two '\' characters and is upper case.

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon client machine unicode string

    CREDS (credentials + time stamp)

    char[8]

    credentials

    UTIME

    time stamp

    CLNT_INFO2 (server, client structure, client credentials)

    Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to + maintain an authenticated request/response trail.

    CLNT_SRV

    client and server names

    UINT8[]

    ???? padding, for 4-byte alignment with SMB header.

    VOID*

    pointer to client credentials.

    CREDS

    client-calculated credentials + client time

    CLNT_INFO (server, account, client structure, client credentials)

    Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail.

    LOG_INFO

    logon account info

    CREDS

    client-calculated credentials + client time

    ID_INFO_1 (id info structure, auth level 1)

    VOID*

    ptr_id_info_1

    UNIHDR

    domain name unicode header

    UINT32

    param control

    UINT64

    logon ID

    UNIHDR

    user name unicode header

    UNIHDR

    workgroup name unicode header

    char[16]

    arc4 LM OWF Password

    char[16]

    arc4 NT OWF Password

    UNISTR2

    domain name unicode string

    UNISTR2

    user name unicode string

    UNISTR2

    workstation name unicode string

    SAM_INFO (sam logon/logoff id info structure)

    Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised.

    CLNT_INFO2

    client identification/authentication info

    VOID*

    pointer to return credentials.

    CRED

    return credentials - ignored.

    UINT16

    logon level

    UINT16

    switch value

             switch (switch_value)
         case 1:
         {
             ID_INFO_1     id_info_1;
         }
-

    GID (group id info)

    UINT32

    group id

    UINT32

    user attributes (only used by NT 3.1 and 3.51)

    DOM_REF (domain reference info)

    VOID*

    undocumented buffer pointer.

    UINT32

    num referenced domains?

    VOID*

    undocumented domain name buffer pointer.

    UINT32

    32 - max number of entries

    UINT32

    4 - num referenced domains?

    UNIHDR2

    domain name unicode string header

    UNIHDR2[num_ref_doms-1]

    referenced domain unicode string headers

    UNISTR

    domain name unicode string

    DOM_SID[num_ref_doms]

    referenced domain SIDs

    DOM_INFO (domain info, levels 3 and 5 are the same))

    UINT8[]

    ??? padding to get 4-byte alignment with start of SMB header

    UINT16

    domain name string length * 2

    UINT16

    domain name string length * 2

    VOID*

    undocumented domain name string buffer pointer

    VOID*

    undocumented domain SID string buffer pointer

    UNISTR2

    domain name (unicode string)

    DOM_SID

    domain SID

    USER_INFO (user logon info)

    Note: it would be nice to know what the 16 byte user session key is for.

    NTTIME

    logon time

    NTTIME

    logoff time

    NTTIME

    kickoff time

    NTTIME

    password last set time

    NTTIME

    password can change time

    NTTIME

    password must change time

    UNIHDR

    username unicode string header

    UNIHDR

    user's full name unicode string header

    UNIHDR

    logon script unicode string header

    UNIHDR

    profile path unicode string header

    UNIHDR

    home directory unicode string header

    UNIHDR

    home directory drive unicode string header

    UINT16

    logon count

    UINT16

    bad password count

    UINT32

    User ID

    UINT32

    Group ID

    UINT32

    num groups

    VOID*

    undocumented buffer pointer to groups.

    UINT32

    user flags

    char[16]

    user session key

    UNIHDR

    logon server unicode string header

    UNIHDR

    logon domain unicode string header

    VOID*

    undocumented logon domain id pointer

    char[40]

    40 undocumented padding bytes. future expansion?

    UINT32

    0 - num_other_sids?

    VOID*

    NULL - undocumented pointer to other domain SIDs.

    UNISTR2

    username unicode string

    UNISTR2

    user's full name unicode string

    UNISTR2

    logon script unicode string

    UNISTR2

    profile path unicode string

    UNISTR2

    home directory unicode string

    UNISTR2

    home directory drive unicode string

    UINT32

    num groups

    GID[num_groups]

    group info

    UNISTR2

    logon server unicode string

    UNISTR2

    logon domain unicode string

    DOM_SID

    domain SID

    DOM_SID[num_sids]

    other domain SIDs?

    SH_INFO_1_PTR (pointers to level 1 share info strings)

    Note: see cifsrap2.txt section5, page 10.

    0 for shi1_type indicates a Disk.
    1 for shi1_type indicates a Print Queue.
    2 for shi1_type indicates a Device.
    3 for shi1_type indicates an IPC pipe.
    0x8000 0000 (top bit set in shi1_type) indicates a hidden share.
    VOID*

    shi1_netname - pointer to net name

    UINT32

    shi1_type - type of share. 0 - undocumented.

    VOID*

    shi1_remark - pointer to comment.

    SH_INFO_1_STR (level 1 share info strings)

    UNISTR2

    shi1_netname - unicode string of net name

    UNISTR2

    shi1_remark - unicode string of comment.

    SHARE_INFO_1_CTR

    share container with 0 entries:

    UINT32

    0 - EntriesRead

    UINT32

    0 - Buffer

    share container with > 0 entries:

    UINT32

    EntriesRead

    UINT32

    non-zero - Buffer

    UINT32

    EntriesRead

    SH_INFO_1_PTR[EntriesRead]

    share entry pointers

    SH_INFO_1_STR[EntriesRead]

    share entry strings

    UINT8[]

    padding to get unicode string 4-byte aligned with start of the SMB header.

    UINT32

    EntriesRead

    UINT32

    0 - padding

    SERVER_INFO_101

    Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1.

    SV_TYPE_WORKSTATION

    0x00000001 All workstations

    SV_TYPE_SERVER

    0x00000002 All servers

    SV_TYPE_SQLSERVER

    0x00000004 Any server running with SQL server

    SV_TYPE_DOMAIN_CTRL

    0x00000008 Primary domain controller

    SV_TYPE_DOMAIN_BAKCTRL

    0x00000010 Backup domain controller

    SV_TYPE_TIME_SOURCE

    0x00000020 Server running the timesource service

    SV_TYPE_AFP

    0x00000040 Apple File Protocol servers

    SV_TYPE_NOVELL

    0x00000080 Novell servers

    SV_TYPE_DOMAIN_MEMBER

    0x00000100 Domain Member

    SV_TYPE_PRINTQ_SERVER

    0x00000200 Server sharing print queue

    SV_TYPE_DIALIN_SERVER

    0x00000400 Server running dialin service.

    SV_TYPE_XENIX_SERVER

    0x00000800 Xenix server

    SV_TYPE_NT

    0x00001000 NT server

    SV_TYPE_WFW

    0x00002000 Server running Windows for

    SV_TYPE_SERVER_NT

    0x00008000 Windows NT non DC server

    SV_TYPE_POTENTIAL_BROWSER

    0x00010000 Server that can run the browser service

    SV_TYPE_BACKUP_BROWSER

    0x00020000 Backup browser server

    SV_TYPE_MASTER_BROWSER

    0x00040000 Master browser server

    SV_TYPE_DOMAIN_MASTER

    0x00080000 Domain Master Browser server

    SV_TYPE_LOCAL_LIST_ONLY

    0x40000000 Enumerate only entries marked "local"

    SV_TYPE_DOMAIN_ENUM

    0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL.

    UINT32

    500 - platform_id

    VOID*

    pointer to name

    UINT32

    5 - major version

    UINT32

    4 - minor version

    UINT32

    type (SV_TYPE_... bit field)

    VOID*

    pointer to comment

    UNISTR2

    sv101_name - unicode string of server name

    UNISTR2

    sv_101_comment - unicode string of server comment.

    UINT8[]

    padding to get unicode string 4-byte aligned with start of the SMB header.

    MSRPC over Transact Named Pipe

    For details on the SMB Transact Named Pipe, see cifs6.txt

    MSRPC Pipes

    +

    GID (group id info)

    UINT32

    group id

    UINT32

    user attributes (only used by NT 3.1 and 3.51)

    DOM_REF (domain reference info)

    VOID*

    undocumented buffer pointer.

    UINT32

    num referenced domains?

    VOID*

    undocumented domain name buffer pointer.

    UINT32

    32 - max number of entries

    UINT32

    4 - num referenced domains?

    UNIHDR2

    domain name unicode string header

    UNIHDR2[num_ref_doms-1]

    referenced domain unicode string headers

    UNISTR

    domain name unicode string

    DOM_SID[num_ref_doms]

    referenced domain SIDs

    DOM_INFO (domain info, levels 3 and 5 are the same))

    UINT8[]

    ??? padding to get 4-byte alignment with start of SMB header

    UINT16

    domain name string length * 2

    UINT16

    domain name string length * 2

    VOID*

    undocumented domain name string buffer pointer

    VOID*

    undocumented domain SID string buffer pointer

    UNISTR2

    domain name (unicode string)

    DOM_SID

    domain SID

    USER_INFO (user logon info)

    Note: it would be nice to know what the 16 byte user session key is for.

    NTTIME

    logon time

    NTTIME

    logoff time

    NTTIME

    kickoff time

    NTTIME

    password last set time

    NTTIME

    password can change time

    NTTIME

    password must change time

    UNIHDR

    username unicode string header

    UNIHDR

    user's full name unicode string header

    UNIHDR

    logon script unicode string header

    UNIHDR

    profile path unicode string header

    UNIHDR

    home directory unicode string header

    UNIHDR

    home directory drive unicode string header

    UINT16

    logon count

    UINT16

    bad password count

    UINT32

    User ID

    UINT32

    Group ID

    UINT32

    num groups

    VOID*

    undocumented buffer pointer to groups.

    UINT32

    user flags

    char[16]

    user session key

    UNIHDR

    logon server unicode string header

    UNIHDR

    logon domain unicode string header

    VOID*

    undocumented logon domain id pointer

    char[40]

    40 undocumented padding bytes. future expansion?

    UINT32

    0 - num_other_sids?

    VOID*

    NULL - undocumented pointer to other domain SIDs.

    UNISTR2

    username unicode string

    UNISTR2

    user's full name unicode string

    UNISTR2

    logon script unicode string

    UNISTR2

    profile path unicode string

    UNISTR2

    home directory unicode string

    UNISTR2

    home directory drive unicode string

    UINT32

    num groups

    GID[num_groups]

    group info

    UNISTR2

    logon server unicode string

    UNISTR2

    logon domain unicode string

    DOM_SID

    domain SID

    DOM_SID[num_sids]

    other domain SIDs?

    SH_INFO_1_PTR (pointers to level 1 share info strings)

    Note: see cifsrap2.txt section5, page 10.

    0 for shi1_type indicates a Disk.
    1 for shi1_type indicates a Print Queue.
    2 for shi1_type indicates a Device.
    3 for shi1_type indicates an IPC pipe.
    0x8000 0000 (top bit set in shi1_type) indicates a hidden share.
    VOID*

    shi1_netname - pointer to net name

    UINT32

    shi1_type - type of share. 0 - undocumented.

    VOID*

    shi1_remark - pointer to comment.

    SH_INFO_1_STR (level 1 share info strings)

    UNISTR2

    shi1_netname - unicode string of net name

    UNISTR2

    shi1_remark - unicode string of comment.

    SHARE_INFO_1_CTR

    share container with 0 entries:

    UINT32

    0 - EntriesRead

    UINT32

    0 - Buffer

    share container with > 0 entries:

    UINT32

    EntriesRead

    UINT32

    non-zero - Buffer

    UINT32

    EntriesRead

    SH_INFO_1_PTR[EntriesRead]

    share entry pointers

    SH_INFO_1_STR[EntriesRead]

    share entry strings

    UINT8[]

    padding to get unicode string 4-byte aligned with start of the SMB header.

    UINT32

    EntriesRead

    UINT32

    0 - padding

    SERVER_INFO_101

    Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1.

    SV_TYPE_WORKSTATION

    0x00000001 All workstations

    SV_TYPE_SERVER

    0x00000002 All servers

    SV_TYPE_SQLSERVER

    0x00000004 Any server running with SQL server

    SV_TYPE_DOMAIN_CTRL

    0x00000008 Primary domain controller

    SV_TYPE_DOMAIN_BAKCTRL

    0x00000010 Backup domain controller

    SV_TYPE_TIME_SOURCE

    0x00000020 Server running the timesource service

    SV_TYPE_AFP

    0x00000040 Apple File Protocol servers

    SV_TYPE_NOVELL

    0x00000080 Novell servers

    SV_TYPE_DOMAIN_MEMBER

    0x00000100 Domain Member

    SV_TYPE_PRINTQ_SERVER

    0x00000200 Server sharing print queue

    SV_TYPE_DIALIN_SERVER

    0x00000400 Server running dialin service.

    SV_TYPE_XENIX_SERVER

    0x00000800 Xenix server

    SV_TYPE_NT

    0x00001000 NT server

    SV_TYPE_WFW

    0x00002000 Server running Windows for

    SV_TYPE_SERVER_NT

    0x00008000 Windows NT non DC server

    SV_TYPE_POTENTIAL_BROWSER

    0x00010000 Server that can run the browser service

    SV_TYPE_BACKUP_BROWSER

    0x00020000 Backup browser server

    SV_TYPE_MASTER_BROWSER

    0x00040000 Master browser server

    SV_TYPE_DOMAIN_MASTER

    0x00080000 Domain Master Browser server

    SV_TYPE_LOCAL_LIST_ONLY

    0x40000000 Enumerate only entries marked "local"

    SV_TYPE_DOMAIN_ENUM

    0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL.

    UINT32

    500 - platform_id

    VOID*

    pointer to name

    UINT32

    5 - major version

    UINT32

    4 - minor version

    UINT32

    type (SV_TYPE_... bit field)

    VOID*

    pointer to comment

    UNISTR2

    sv101_name - unicode string of server name

    UNISTR2

    sv_101_comment - unicode string of server comment.

    UINT8[]

    padding to get unicode string 4-byte aligned with start of the SMB header.

    MSRPC over Transact Named Pipe

    For details on the SMB Transact Named Pipe, see cifs6.txt

    MSRPC Pipes

    The MSRPC is conducted over an SMB Transact Pipe with a name of \PIPE\. You must first obtain a 16 bit file handle, by sending a SMBopenX with the pipe name \PIPE\srvsvc for @@ -121,11 +121,11 @@ initial SMBopenX request: RPC API command 0x26 params: "\\PIPE\\lsarpc" 0x65 0x63; 0x72 0x70; 0x44 0x65; "\\PIPE\\srvsvc" 0x73 0x76; 0x4E 0x00; 0x5C 0x43; -

    Header

    [section to be rewritten, following receipt of work by Duncan Stansfield]

    Interesting note: if you set packed data representation to 0x0100 0000 -then all 4-byte and 2-byte word ordering is turned around!

    The start of each of the NTLSA and NETLOGON named pipes begins with:

    offset: 00
    Variable type: UINT8
    Variable data: 5 - RPC major version
    offset: 01
    Variable type: UINT8
    Variable data: 0 - RPC minor version
    offset: 02
    Variable type: UINT8
    Variable data: 2 - RPC response packet
    offset: 03
    Variable type: UINT8
    Variable data: 3 - (FirstFrag bit-wise or with LastFrag)
    offset: 04
    Variable type: UINT32
    Variable data: 0x1000 0000 - packed data representation
    offset: 08
    Variable type: UINT16
    Variable data: fragment length - data size (bytes) inc header and tail.
    offset: 0A
    Variable type: UINT16
    Variable data: 0 - authentication length
    offset: 0C
    Variable type: UINT32
    Variable data: call identifier. matches 12th UINT32 of incoming RPC data.
    offset: 10
    Variable type: UINT32
    Variable data: allocation hint - data size (bytes) minus header and tail.
    offset: 14
    Variable type: UINT16
    Variable data: 0 - presentation context identifier
    offset: 16
    Variable type: UINT8
    Variable data: 0 - cancel count
    offset: 17
    Variable type: UINT8
    Variable data: in replies: 0 - reserved; in requests: opnum - see #defines.
    offset: 18
    Variable type: ......
    Variable data: start of data (goes on for allocation_hint bytes)

    RPC_Packet for request, response, bind and bind acknowledgement

    UINT8 versionmaj

    reply same as request (0x05)

    UINT8 versionmin

    reply same as request (0x00)

    UINT8 type

    one of the MSRPC_Type enums

    UINT8 flags

    reply same as request (0x00 for Bind, 0x03 for Request)

    UINT32 representation

    reply same as request (0x00000010)

    UINT16 fraglength

    the length of the data section of the SMB trans packet

    UINT16 authlength

    UINT32 callid

    call identifier. (e.g. 0x00149594)

    * stub USE TvPacket

    the remainder of the packet depending on the "type"

    Interface identification

    the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc

    +

    Header

    [section to be rewritten, following receipt of work by Duncan Stansfield]

    Interesting note: if you set packed data representation to 0x0100 0000 +then all 4-byte and 2-byte word ordering is turned around!

    The start of each of the NTLSA and NETLOGON named pipes begins with:

    offset: 00
    Variable type: UINT8
    Variable data: 5 - RPC major version
    offset: 01
    Variable type: UINT8
    Variable data: 0 - RPC minor version
    offset: 02
    Variable type: UINT8
    Variable data: 2 - RPC response packet
    offset: 03
    Variable type: UINT8
    Variable data: 3 - (FirstFrag bit-wise or with LastFrag)
    offset: 04
    Variable type: UINT32
    Variable data: 0x1000 0000 - packed data representation
    offset: 08
    Variable type: UINT16
    Variable data: fragment length - data size (bytes) inc header and tail.
    offset: 0A
    Variable type: UINT16
    Variable data: 0 - authentication length
    offset: 0C
    Variable type: UINT32
    Variable data: call identifier. matches 12th UINT32 of incoming RPC data.
    offset: 10
    Variable type: UINT32
    Variable data: allocation hint - data size (bytes) minus header and tail.
    offset: 14
    Variable type: UINT16
    Variable data: 0 - presentation context identifier
    offset: 16
    Variable type: UINT8
    Variable data: 0 - cancel count
    offset: 17
    Variable type: UINT8
    Variable data: in replies: 0 - reserved; in requests: opnum - see #defines.
    offset: 18
    Variable type: ......
    Variable data: start of data (goes on for allocation_hint bytes)

    RPC_Packet for request, response, bind and bind acknowledgement

    UINT8 versionmaj

    reply same as request (0x05)

    UINT8 versionmin

    reply same as request (0x00)

    UINT8 type

    one of the MSRPC_Type enums

    UINT8 flags

    reply same as request (0x00 for Bind, 0x03 for Request)

    UINT32 representation

    reply same as request (0x00000010)

    UINT16 fraglength

    the length of the data section of the SMB trans packet

    UINT16 authlength

    UINT32 callid

    call identifier. (e.g. 0x00149594)

    * stub USE TvPacket

    the remainder of the packet depending on the "type"

    Interface identification

    the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc

     abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003)
 transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002)
-

    RPC_Iface RW

    UINT8 byte[16]

    16 bytes of number

    UINT32 version

    the interface number

    RPC_ReqBind RW

    the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck

    UINT16 maxtsize

    maximum transmission fragment size (0x1630)

    UINT16 maxrsize

    max receive fragment size (0x1630)

    UINT32 assocgid

    associated group id (0x0)

    UINT32 numelements

    the number of elements (0x1)

    UINT16 contextid

    presentation context identifier (0x0)

    UINT8 numsyntaxes

    the number of syntaxes (has always been 1?)(0x1)

    UINT8[]

    4-byte alignment padding, against SMB header

    * abstractint USE RPC_Iface

    num and vers. of interface client is using

    * transferint USE RPC_Iface

    num and vers. of interface to use for replies

    RPC_Address RW

    UINT16 length

    length of the string including null terminator

    * port USE string

    the string above in single byte, null terminated form

    RPC_ResBind RW

    the response to place after the header in the reply packet

    UINT16 maxtsize

    same as request

    UINT16 maxrsize

    same as request

    UINT32 assocgid

    zero

    * secondaddr USE RPC_Address

    the address string, as described earlier

    UINT8[]

    4-byte alignment padding, against SMB header

    UINT8 numresults

    the number of results (0x01)

    UINT8[]

    4-byte alignment padding, against SMB header

    UINT16 result

    result (0x00 = accept)

    UINT16 reason

    reason (0x00 = no reason specified)

    * transfersyntax USE RPC_Iface

    the transfer syntax from the request

    RPC_ReqNorm RW

    the remainder of the packet after the header for every other other request

    UINT32 allochint

    the size of the stub data in bytes

    UINT16 prescontext

    presentation context identifier (0x0)

    UINT16 opnum

    operation number (0x15)

    * stub USE TvPacket

    a packet dependent on the pipe name (probably the interface) and the op number)

    RPC_ResNorm RW

    UINT32 allochint

    # size of the stub data in bytes

    UINT16 prescontext

    # presentation context identifier (same as request)

    UINT8 cancelcount

    # cancel count? (0x0)

    UINT8 reserved

    # 0 - one byte padding

    * stub USE TvPacket

    # the remainder of the reply

    Tail

    The end of each of the NTLSA and NETLOGON named pipes ends with:

    ......

    end of data

    UINT32

    return code

    RPC Bind / Bind Ack

    +

    RPC_Iface RW

    UINT8 byte[16]

    16 bytes of number

    UINT32 version

    the interface number

    RPC_ReqBind RW

    the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck

    UINT16 maxtsize

    maximum transmission fragment size (0x1630)

    UINT16 maxrsize

    max receive fragment size (0x1630)

    UINT32 assocgid

    associated group id (0x0)

    UINT32 numelements

    the number of elements (0x1)

    UINT16 contextid

    presentation context identifier (0x0)

    UINT8 numsyntaxes

    the number of syntaxes (has always been 1?)(0x1)

    UINT8[]

    4-byte alignment padding, against SMB header

    * abstractint USE RPC_Iface

    num and vers. of interface client is using

    * transferint USE RPC_Iface

    num and vers. of interface to use for replies

    RPC_Address RW

    UINT16 length

    length of the string including null terminator

    * port USE string

    the string above in single byte, null terminated form

    RPC_ResBind RW

    the response to place after the header in the reply packet

    UINT16 maxtsize

    same as request

    UINT16 maxrsize

    same as request

    UINT32 assocgid

    zero

    * secondaddr USE RPC_Address

    the address string, as described earlier

    UINT8[]

    4-byte alignment padding, against SMB header

    UINT8 numresults

    the number of results (0x01)

    UINT8[]

    4-byte alignment padding, against SMB header

    UINT16 result

    result (0x00 = accept)

    UINT16 reason

    reason (0x00 = no reason specified)

    * transfersyntax USE RPC_Iface

    the transfer syntax from the request

    RPC_ReqNorm RW

    the remainder of the packet after the header for every other other request

    UINT32 allochint

    the size of the stub data in bytes

    UINT16 prescontext

    presentation context identifier (0x0)

    UINT16 opnum

    operation number (0x15)

    * stub USE TvPacket

    a packet dependent on the pipe name (probably the interface) and the op number)

    RPC_ResNorm RW

    UINT32 allochint

    # size of the stub data in bytes

    UINT16 prescontext

    # presentation context identifier (same as request)

    UINT8 cancelcount

    # cancel count? (0x0)

    UINT8 reserved

    # 0 - one byte padding

    * stub USE TvPacket

    # the remainder of the reply

    Tail

    The end of each of the NTLSA and NETLOGON named pipes ends with:

    ......

    end of data

    UINT32

    return code

    RPC Bind / Bind Ack

    RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc) with a "transfer syntax" (see RPC_Iface structure). The purpose for doing this is unknown. @@ -133,7 +133,7 @@ returned by the SMBopenX Transact response.

    Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the same in the response as the same members in the RPC_ReqBind. The RPC_ResBind member transfersyntax is the same in the response as the

    Note: The RPC_ResBind response member secondaddr contains the name of what is presumed to be the service behind the RPC pipe. The - mapping identified so far is:

    initial SMBopenX request:

    RPC_ResBind response:

    "\\PIPE\\srvsvc"

    "\\PIPE\\ntsvcs"

    "\\PIPE\\samr"

    "\\PIPE\\lsass"

    "\\PIPE\\lsarpc"

    "\\PIPE\\lsass"

    "\\PIPE\\wkssvc"

    "\\PIPE\\wksvcs"

    "\\PIPE\\NETLOGON"

    "\\PIPE\\NETLOGON"

    Note: The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header.

    Request:

    RPC_Packet
    RPC_ReqBind

    Response:

    RPC_Packet
    RPC_ResBind

    NTLSA Transact Named Pipe

    The sequence of actions taken on this pipe are:

    Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords.
    Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle.
    Using the file handle, send a Set Named Pipe Handle state to 0x4300.
    Send an LSA Open Policy request. Store the Policy Handle.
    Using the Policy Handle, send LSA Query Info Policy requests, etc.
    Using the Policy Handle, send an LSA Close.
    Close the IPC$ share.

    Defines for this pipe, identifying the query are:

    LSA Open Policy:

    0x2c

    LSA Query Info Policy:

    0x07

    LSA Enumerate Trusted Domains:

    0x0d

    LSA Open Secret:

    0xff

    LSA Lookup SIDs:

    0xfe

    LSA Lookup Names:

    0xfd

    LSA Close:

    0x00

    LSA Open Policy

    Note: The policy handle can be anything you like.

    Request

    VOID*

    buffer pointer

    UNISTR2

    server name - unicode string starting with two '\'s

    OBJ_ATTR

    object attributes

    UINT32

    1 - desired access

    Response

    POL_HND

    LSA policy handle

    return

    0 - indicates success

    LSA Query Info Policy

    Note: The info class in response must be the same as that in the request.

    Request

    POL_HND

    LSA policy handle

    UINT16

    info class (also a policy handle?)

    Response

    VOID*

    undocumented buffer pointer

    UINT16

    info class (same as info class in request).

    +	mapping identified so far is:
    initial SMBopenX request:
    RPC_ResBind response:
    "\\PIPE\\srvsvc"
    "\\PIPE\\ntsvcs"
    "\\PIPE\\samr"
    "\\PIPE\\lsass"
    "\\PIPE\\lsarpc"
    "\\PIPE\\lsass"
    "\\PIPE\\wkssvc"
    "\\PIPE\\wksvcs"
    "\\PIPE\\NETLOGON"
    "\\PIPE\\NETLOGON"
    Note:	The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header.
    Request:
    RPC_Packet
    RPC_ReqBind
    Response:
    RPC_Packet
    RPC_ResBind

    NTLSA Transact Named Pipe

    The sequence of actions taken on this pipe are:

    Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords.
    Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle.
    Using the file handle, send a Set Named Pipe Handle state to 0x4300.
    Send an LSA Open Policy request. Store the Policy Handle.
    Using the Policy Handle, send LSA Query Info Policy requests, etc.
    Using the Policy Handle, send an LSA Close.
    Close the IPC$ share.

    Defines for this pipe, identifying the query are:

    LSA Open Policy:

    0x2c

    LSA Query Info Policy:

    0x07

    LSA Enumerate Trusted Domains:

    0x0d

    LSA Open Secret:

    0xff

    LSA Lookup SIDs:

    0xfe

    LSA Lookup Names:

    0xfd

    LSA Close:

    0x00

    LSA Open Policy

    Note: The policy handle can be anything you like.

    Request

    VOID*

    buffer pointer

    UNISTR2

    server name - unicode string starting with two '\'s

    OBJ_ATTR

    object attributes

    UINT32

    1 - desired access

    Response

    POL_HND

    LSA policy handle

    return

    0 - indicates success

    LSA Query Info Policy

    Note: The info class in response must be the same as that in the request.

    Request

    POL_HND

    LSA policy handle

    UINT16

    info class (also a policy handle?)

    Response

    VOID*

    undocumented buffer pointer

    UINT16

    info class (same as info class in request).

     switch (info class)
 case 3:
 case 5:
@@ -142,11 +142,11 @@
 }
 
 return    0 - indicates success
-

    LSA Enumerate Trusted Domains

    Request

    no extra data

    Response

    UINT32

    0 - enumeration context

    UINT32

    0 - entries read

    UINT32

    0 - trust information

    return

    0x8000 001a - "no trusted domains" success code

    LSA Open Secret

    Request

    no extra data

    Response

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    return 0x0C00 0034 - "no such secret" success code

    LSA Close

    Request

    POL_HND

    policy handle to be closed

    Response

    POL_HND

    0s - closed policy handle (all zeros)

    return 0 - indicates success

    LSA Lookup SIDS

    Note: num_entries in response must be same as num_entries in request.

    Request

    POL_HND

    LSA policy handle

    UINT32

    num_entries

    VOID*

    undocumented domain SID buffer pointer

    VOID*

    undocumented domain name buffer pointer

    VOID*[num_entries] undocumented domain SID pointers to be looked up. -

    DOM_SID[num_entries] domain SIDs to be looked up.

    char[16]

    completely undocumented 16 bytes.

    Response

    DOM_REF

    domain reference response

    UINT32

    num_entries (listed above)

    VOID*

    undocumented buffer pointer

    UINT32

    num_entries (listed above)

    DOM_SID2[num_entries]

    domain SIDs (from Request, listed above).

    UINT32

    num_entries (listed above)

    return 0 - indicates success

    LSA Lookup Names

    Note: num_entries in response must be same as num_entries in request.

    Request

    POL_HND

    LSA policy handle

    UINT32

    num_entries

    UINT32

    num_entries

    VOID*

    undocumented domain SID buffer pointer

    VOID*

    undocumented domain name buffer pointer

    NAME[num_entries]

    names to be looked up.

    char[]

    undocumented bytes - falsely translated SID structure?

    Response

    DOM_REF

    domain reference response

    UINT32

    num_entries (listed above)

    VOID*

    undocumented buffer pointer

    UINT32

    num_entries (listed above)

    DOM_RID[num_entries]

    domain SIDs (from Request, listed above).

    UINT32

    num_entries (listed above)

    return 0 - indicates success

    NETLOGON rpc Transact Named Pipe

    The sequence of actions taken on this pipe are:

    tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords.
    en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle.
    ing the file handle, send a Set Named Pipe Handle state to 0x4300.
    eate Client Challenge. Send LSA Request Challenge. Store Server Challenge.
    lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge.
    lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds.
    lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds.
    lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds.
    ose the IPC$ share.

    Defines for this pipe, identifying the query are

    LSA Request Challenge:

    0x04

    LSA Server Password Set:

    0x06

    LSA SAM Logon:

    0x02

    LSA SAM Logoff:

    0x03

    LSA Auth 2:

    0x0f

    LSA Logon Control:

    0x0e

    LSA Request Challenge

    Note: logon server name starts with two '\' characters and is upper case.

    Note: logon client is the machine, not the user.

    Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case).

    Request

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    UNISTR2

    logon client unicode string

    char[8]

    client challenge

    Response

    char[8]

    server challenge

    return 0 - indicates success

    LSA Authenticate 2

    Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).

    Note: neg_flags in the response is the same as that in the request.

    Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.

    Request

    LOG_INFO

    client identification info

    char[8]

    client-calculated credentials

    UINT8[]

    padding to 4-byte align with start of SMB header.

    UINT32

    neg_flags - negotiated flags (usual value is 0x0000 01ff)

    Response

    char[8]

    server credentials.

    UINT32

    neg_flags - same as neg_flags in request.

    return 0 - indicates success. failure value unknown.

    LSA Server Password Set

    Note: the new password is suspected to be a DES encryption using the old password to generate the key.

    Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).

    Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second.

    Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.

    Request

    CLNT_INFO

    client identification/authentication info

    char[]

    new password - undocumented.

    Response

    CREDS

    server credentials. server time stamp appears to be ignored.

    return 0 - indicates success; 0xC000 006a indicates failure

    LSA SAM Logon

    +

    LSA Enumerate Trusted Domains

    Request

    no extra data

    Response

    UINT32

    0 - enumeration context

    UINT32

    0 - entries read

    UINT32

    0 - trust information

    return

    0x8000 001a - "no trusted domains" success code

    LSA Open Secret

    Request

    no extra data

    Response

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    UINT32

    0 - undocumented

    return 0x0C00 0034 - "no such secret" success code

    LSA Close

    Request

    POL_HND

    policy handle to be closed

    Response

    POL_HND

    0s - closed policy handle (all zeros)

    return 0 - indicates success

    LSA Lookup SIDS

    Note: num_entries in response must be same as num_entries in request.

    Request

    POL_HND

    LSA policy handle

    UINT32

    num_entries

    VOID*

    undocumented domain SID buffer pointer

    VOID*

    undocumented domain name buffer pointer

    VOID*[num_entries] undocumented domain SID pointers to be looked up. +

    DOM_SID[num_entries] domain SIDs to be looked up.

    char[16]

    completely undocumented 16 bytes.

    Response

    DOM_REF

    domain reference response

    UINT32

    num_entries (listed above)

    VOID*

    undocumented buffer pointer

    UINT32

    num_entries (listed above)

    DOM_SID2[num_entries]

    domain SIDs (from Request, listed above).

    UINT32

    num_entries (listed above)

    return 0 - indicates success

    LSA Lookup Names

    Note: num_entries in response must be same as num_entries in request.

    Request

    POL_HND

    LSA policy handle

    UINT32

    num_entries

    UINT32

    num_entries

    VOID*

    undocumented domain SID buffer pointer

    VOID*

    undocumented domain name buffer pointer

    NAME[num_entries]

    names to be looked up.

    char[]

    undocumented bytes - falsely translated SID structure?

    Response

    DOM_REF

    domain reference response

    UINT32

    num_entries (listed above)

    VOID*

    undocumented buffer pointer

    UINT32

    num_entries (listed above)

    DOM_RID[num_entries]

    domain SIDs (from Request, listed above).

    UINT32

    num_entries (listed above)

    return 0 - indicates success

    NETLOGON rpc Transact Named Pipe

    The sequence of actions taken on this pipe are:

    tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords.
    en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle.
    ing the file handle, send a Set Named Pipe Handle state to 0x4300.
    eate Client Challenge. Send LSA Request Challenge. Store Server Challenge.
    lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge.
    lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds.
    lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds.
    lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds.
    ose the IPC$ share.

    Defines for this pipe, identifying the query are

    LSA Request Challenge:

    0x04

    LSA Server Password Set:

    0x06

    LSA SAM Logon:

    0x02

    LSA SAM Logoff:

    0x03

    LSA Auth 2:

    0x0f

    LSA Logon Control:

    0x0e

    LSA Request Challenge

    Note: logon server name starts with two '\' characters and is upper case.

    Note: logon client is the machine, not the user.

    Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case).

    Request

    VOID*

    undocumented buffer pointer

    UNISTR2

    logon server unicode string

    UNISTR2

    logon client unicode string

    char[8]

    client challenge

    Response

    char[8]

    server challenge

    return 0 - indicates success

    LSA Authenticate 2

    Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).

    Note: neg_flags in the response is the same as that in the request.

    Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.

    Request

    LOG_INFO

    client identification info

    char[8]

    client-calculated credentials

    UINT8[]

    padding to 4-byte align with start of SMB header.

    UINT32

    neg_flags - negotiated flags (usual value is 0x0000 01ff)

    Response

    char[8]

    server credentials.

    UINT32

    neg_flags - same as neg_flags in request.

    return 0 - indicates success. failure value unknown.

    LSA Server Password Set

    Note: the new password is suspected to be a DES encryption using the old password to generate the key.

    Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).

    Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second.

    Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.

    Request

    CLNT_INFO

    client identification/authentication info

    char[]

    new password - undocumented.

    Response

    CREDS

    server credentials. server time stamp appears to be ignored.

    return 0 - indicates success; 0xC000 006a indicates failure

    LSA SAM Logon

    Note: valid_user is True iff the username and password hash are valid for the requested domain. -

    Request

    SAM_INFO

    sam_id structure

    Response

    VOID*

    undocumented buffer pointer

    CREDS

    server credentials. server time stamp appears to be ignored.

    +
    Request
    SAM_INFO
    sam_id structure
    Response
    VOID*
    undocumented buffer pointer
    CREDS
    server credentials.  server time stamp appears to be ignored.
     if (valid_user)
 {
 	UINT16      3 - switch value indicating USER_INFO structure.
@@ -166,16 +166,16 @@
 
     return    0xC000 0064 - NT_STATUS_NO_SUCH_USER.
 }
-

    LSA SAM Logoff

    +

    LSA SAM Logoff

    Note: presumably, the SAM_INFO structure is validated, and a (currently undocumented) error code returned if the Logoff is invalid. -

    Request

    SAM_INFO

    sam_id structure

    Response

    VOID*

    undocumented buffer pointer

    CREDS

    server credentials. server time stamp appears to be ignored.

    return 0 - indicates success. undocumented failure indication.

    \\MAILSLOT\NET\NTLOGON

    +

    Request

    SAM_INFO

    sam_id structure

    Response

    VOID*

    undocumented buffer pointer

    CREDS

    server credentials. server time stamp appears to be ignored.

    return 0 - indicates success. undocumented failure indication.

    \\MAILSLOT\NET\NTLOGON

    Note: mailslots will contain a response mailslot, to which the response should be sent. the target NetBIOS name is REQUEST_NAME<20>, where REQUEST_NAME is the name of the machine that sent the request. -

    Query for PDC

    Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.

    Request

    UINT16

    0x0007 - Query for PDC

    STR

    machine name

    STR

    response mailslot

    UINT8[]

    padding to 2-byte align with start of mailslot.

    UNISTR

    machine name

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    Response

    UINT16

    0x000A - Respose to Query for PDC

    STR

    machine name (in uppercase)

    UINT8[]

    padding to 2-byte align with start of mailslot.

    UNISTR

    machine name

    UNISTR

    domain name

    UINT32

    NTversion (same as received in request)

    UINT16

    LMNTtoken (same as received in request)

    UINT16

    LM20token (same as received in request)

    SAM Logon

    Note: machine name in response is preceded by two '\' characters.

    Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.

    Note: user name in the response is presumably the same as that in the request.

    Request

    UINT16

    0x0012 - SAM Logon

    UINT16

    request count

    UNISTR

    machine name

    UNISTR

    user name

    STR

    response mailslot

    UINT32

    alloweable account

    UINT32

    domain SID size

    char[sid_size]

    domain SID, of sid_size bytes.

    UINT8[]

    ???? padding to 4? 2? -byte align with start of mailslot.

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    Response

    UINT16

    0x0013 - Response to SAM Logon

    UNISTR

    machine name

    UNISTR

    user name - workstation trust account

    UNISTR

    domain name

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    SRVSVC Transact Named Pipe

    Defines for this pipe, identifying the query are:

    Net Share Enum

    0x0f

    Net Server Get Info

    0x15

    Net Share Enum

    Note: share level and switch value in the response are presumably the same as those in the request.

    Note: cifsrap2.txt (section 5) may be of limited assistance here.

    Request

    VOID*

    pointer (to server name?)

    UNISTR2

    server name

    UINT8[]

    padding to get unicode string 4-byte aligned with the start of the SMB header.

    UINT32

    share level

    UINT32

    switch value

    VOID*

    pointer to SHARE_INFO_1_CTR

    SHARE_INFO_1_CTR

    share info with 0 entries

    UINT32

    preferred maximum length (0xffff ffff)

    Response

    UINT32

    share level

    UINT32

    switch value

    VOID*

    pointer to SHARE_INFO_1_CTR

    SHARE_INFO_1_CTR

    share info (only added if share info ptr is non-zero)

    return 0 - indicates success

    Net Server Get Info

    Note: level is the same value as in the request.

    Request

    UNISTR2

    server name

    UINT32

    switch level

    Response

    UINT32

    switch level

    VOID*

    pointer to SERVER_INFO_101

    SERVER_INFO_101

    server info (only added if server info ptr is non-zero)

    return 0 - indicates success

    Cryptographic side of NT Domain Authentication

    Definitions

    Add(A1,A2)

    Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2

    E(K,D)

    DES ECB encryption of 8 byte data D using 7 byte key K

    lmowf()

    Lan man hash

    ntowf()

    NT hash

    PW

    md4(machine_password) == md4(lsadump $machine.acc) == +

    Query for PDC

    Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.

    Request

    UINT16

    0x0007 - Query for PDC

    STR

    machine name

    STR

    response mailslot

    UINT8[]

    padding to 2-byte align with start of mailslot.

    UNISTR

    machine name

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    Response

    UINT16

    0x000A - Respose to Query for PDC

    STR

    machine name (in uppercase)

    UINT8[]

    padding to 2-byte align with start of mailslot.

    UNISTR

    machine name

    UNISTR

    domain name

    UINT32

    NTversion (same as received in request)

    UINT16

    LMNTtoken (same as received in request)

    UINT16

    LM20token (same as received in request)

    SAM Logon

    Note: machine name in response is preceded by two '\' characters.

    Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.

    Note: user name in the response is presumably the same as that in the request.

    Request

    UINT16

    0x0012 - SAM Logon

    UINT16

    request count

    UNISTR

    machine name

    UNISTR

    user name

    STR

    response mailslot

    UINT32

    alloweable account

    UINT32

    domain SID size

    char[sid_size]

    domain SID, of sid_size bytes.

    UINT8[]

    ???? padding to 4? 2? -byte align with start of mailslot.

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    Response

    UINT16

    0x0013 - Response to SAM Logon

    UNISTR

    machine name

    UNISTR

    user name - workstation trust account

    UNISTR

    domain name

    UINT32

    NTversion

    UINT16

    LMNTtoken

    UINT16

    LM20token

    SRVSVC Transact Named Pipe

    Defines for this pipe, identifying the query are:

    Net Share Enum

    0x0f

    Net Server Get Info

    0x15

    Net Share Enum

    Note: share level and switch value in the response are presumably the same as those in the request.

    Note: cifsrap2.txt (section 5) may be of limited assistance here.

    Request

    VOID*

    pointer (to server name?)

    UNISTR2

    server name

    UINT8[]

    padding to get unicode string 4-byte aligned with the start of the SMB header.

    UINT32

    share level

    UINT32

    switch value

    VOID*

    pointer to SHARE_INFO_1_CTR

    SHARE_INFO_1_CTR

    share info with 0 entries

    UINT32

    preferred maximum length (0xffff ffff)

    Response

    UINT32

    share level

    UINT32

    switch value

    VOID*

    pointer to SHARE_INFO_1_CTR

    SHARE_INFO_1_CTR

    share info (only added if share info ptr is non-zero)

    return 0 - indicates success

    Net Server Get Info

    Note: level is the same value as in the request.

    Request

    UNISTR2

    server name

    UINT32

    switch level

    Response

    UINT32

    switch level

    VOID*

    pointer to SERVER_INFO_101

    SERVER_INFO_101

    server info (only added if server info ptr is non-zero)

    return 0 - indicates success

    Cryptographic side of NT Domain Authentication

    Definitions

    Add(A1,A2)

    Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2

    E(K,D)

    DES ECB encryption of 8 byte data D using 7 byte key K

    lmowf()

    Lan man hash

    ntowf()

    NT hash

    PW

    md4(machine_password) == md4(lsadump $machine.acc) == pwdump(machine$) (initially) == md4(lmowf(unicode(machine))) -

    ARC4(K,Lk,D,Ld)

    ARC4 encryption of data D of length Ld with key K of length Lk

    v[m..n(,l)]

    subset of v from bytes m to n, optionally padded with zeroes to length l

    Cred(K,D)

    E(K[7..7,7],E(K[0..6],D)) computes a credential

    Time()

    4 byte current time

    Cc,Cs

    8 byte client and server challenges Rc,Rs: 8 byte client and server credentials

    Protocol

    +
    ARC4(K,Lk,D,Ld)
    ARC4 encryption of data D of length Ld with key K of length Lk
    v[m..n(,l)]
    subset of v from bytes m to n, optionally padded with zeroes to length l
    Cred(K,D)
    E(K[7..7,7],E(K[0..6],D)) computes a credential
    Time()
    4 byte current time
    Cc,Cs
    8 byte client and server challenges Rc,Rs: 8 byte client and server credentials

    Protocol

     C->S ReqChal,Cc
 S->C Cs
 
    @@ -211,7 +211,7 @@
 S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc)
 C: assert(Rs == Cred(Ks,Cred(Rc+Tc+1))
 C: Rc = Cred(Ks,Rc+Tc+1)
-

    Comments

    +

    Comments

    On first joining the domain the session key could be computed by anyone listening in on the network as the machine password has a well known value. Until the machine is rebooted it will use this session @@ -232,15 +232,15 @@ The password OWFs should NOT be sent over the network reversibly encrypted. They should be sent using ARC4(Ks,md4(owf)) with the server computing the same function using the owf values in the SAM. -

    SIDs and RIDs

    +

    SIDs and RIDs

    SIDs and RIDs are well documented elsewhere.

    A SID is an NT Security ID (see DOM_SID structure). They are of the form:

    revision-NN-SubAuth1-SubAuth2-SubAuth3...
    revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...

    currently, the SID revision is 1. The Sub-Authorities are known as Relative IDs (RIDs). -

    Well-known SIDs

    Universal well-known SIDs

    Null SID

    S-1-0-0

    World

    S-1-1-0

    Local

    S-1-2-0

    Creator Owner ID

    S-1-3-0

    Creator Group ID

    S-1-3-1

    Creator Owner Server ID

    S-1-3-2

    Creator Group Server ID

    S-1-3-3

    (Non-unique IDs)

    S-1-4

    NT well-known SIDs

    NT Authority

    S-1-5

    Dialup

    S-1-5-1

    Network

    S-1-5-2

    Batch

    S-1-5-3

    Interactive

    S-1-5-4

    Service

    S-1-5-6

    AnonymousLogon(aka null logon session)

    S-1-5-7

    Proxy

    S-1-5-8

    ServerLogon(aka domain controller account)

    S-1-5-8

    (Logon IDs)

    S-1-5-5-X-Y

    (NT non-unique IDs)

    S-1-5-0x15-...

    (Built-in domain)

    s-1-5-0x20

    Well-known RIDS

    +

    Well-known SIDs

    Universal well-known SIDs

    Null SID

    S-1-0-0

    World

    S-1-1-0

    Local

    S-1-2-0

    Creator Owner ID

    S-1-3-0

    Creator Group ID

    S-1-3-1

    Creator Owner Server ID

    S-1-3-2

    Creator Group Server ID

    S-1-3-3

    (Non-unique IDs)

    S-1-4

    NT well-known SIDs

    NT Authority

    S-1-5

    Dialup

    S-1-5-1

    Network

    S-1-5-2

    Batch

    S-1-5-3

    Interactive

    S-1-5-4

    Service

    S-1-5-6

    AnonymousLogon(aka null logon session)

    S-1-5-7

    Proxy

    S-1-5-8

    ServerLogon(aka domain controller account)

    S-1-5-8

    (Logon IDs)

    S-1-5-5-X-Y

    (NT non-unique IDs)

    S-1-5-0x15-...

    (Built-in domain)

    s-1-5-0x20

    Well-known RIDS

    A RID is a sub-authority value, as part of either a SID, or in the case of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1 structure, in the LSA SAM Logon response. -

    Well-known RID users

    Groupname: DOMAIN_USER_RID_ADMIN
    ????: 0x0000
    RID: 01F4
    Groupname: DOMAIN_USER_RID_GUEST
    ????: 0x0000
    RID: 01F5

    Well-known RID groups

    Groupname: DOMAIN_GROUP_RID_ADMINS
    ????: 0x0000
    RID: 0200
    Groupname: DOMAIN_GROUP_RID_USERS
    ????: 0x0000
    RID: 0201
    Groupname: DOMAIN_GROUP_RID_GUESTS
    ????: 0x0000
    RID: 0202

    Well-known RID aliases

    Groupname: DOMAIN_ALIAS_RID_ADMINS
    ????: 0x0000
    RID: 0220
    Groupname: DOMAIN_ALIAS_RID_USERS
    ????: 0x0000
    RID: 0221
    Groupname: DOMAIN_ALIAS_RID_GUESTS
    ????: 0x0000
    RID: 0222
    Groupname: DOMAIN_ALIAS_RID_POWER_USERS
    ????: 0x0000
    RID: 0223
    Groupname: DOMAIN_ALIAS_RID_ACCOUNT_OPS
    ????: 0x0000
    RID: 0224
    Groupname: DOMAIN_ALIAS_RID_SYSTEM_OPS
    ????: 0x0000
    RID: 0225
    Groupname: DOMAIN_ALIAS_RID_PRINT_OPS
    ????: 0x0000
    RID: 0226
    Groupname: DOMAIN_ALIAS_RID_BACKUP_OPS
    ????: 0x0000
    RID: 0227
    Groupname: DOMAIN_ALIAS_RID_REPLICATOR
    ????: 0x0000
    RID: 0228
    Prev Up Next
    Chapter 1. NetBIOS in a Unix World Home Part II. Samba Basics
    +

    Well-known RID users

    Groupname: DOMAIN_USER_RID_ADMIN
    ????: 0x0000
    RID: 01F4
    Groupname: DOMAIN_USER_RID_GUEST
    ????: 0x0000
    RID: 01F5

    Well-known RID groups

    Groupname: DOMAIN_GROUP_RID_ADMINS
    ????: 0x0000
    RID: 0200
    Groupname: DOMAIN_GROUP_RID_USERS
    ????: 0x0000
    RID: 0201
    Groupname: DOMAIN_GROUP_RID_GUESTS
    ????: 0x0000
    RID: 0202

    Well-known RID aliases

    Groupname: DOMAIN_ALIAS_RID_ADMINS
    ????: 0x0000
    RID: 0220
    Groupname: DOMAIN_ALIAS_RID_USERS
    ????: 0x0000
    RID: 0221
    Groupname: DOMAIN_ALIAS_RID_GUESTS
    ????: 0x0000
    RID: 0222
    Groupname: DOMAIN_ALIAS_RID_POWER_USERS
    ????: 0x0000
    RID: 0223
    Groupname: DOMAIN_ALIAS_RID_ACCOUNT_OPS
    ????: 0x0000
    RID: 0224
    Groupname: DOMAIN_ALIAS_RID_SYSTEM_OPS
    ????: 0x0000
    RID: 0225
    Groupname: DOMAIN_ALIAS_RID_PRINT_OPS
    ????: 0x0000
    RID: 0226
    Groupname: DOMAIN_ALIAS_RID_BACKUP_OPS
    ????: 0x0000
    RID: 0227
    Groupname: DOMAIN_ALIAS_RID_REPLICATOR
    ????: 0x0000
    RID: 0228
    Prev Up Next
    Chapter 1. NetBIOS in a Unix World Home Part II. Samba Basics
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/Packaging.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/Packaging.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/Packaging.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/Packaging.html 2005-12-19 10:21:17.000000000 -0600 @@ -1,9 +1,9 @@ -Chapter 16. Notes to packagers
    Chapter 16. Notes to packagers
    Prev Part V. Appendices 

    Chapter 16. Notes to packagers

    Jelmer Vernooij

    Table of Contents

    Versioning
    Modules

    Versioning

    Please, please update the version number in +Chapter 16. Notes to packagers

    Chapter 16. Notes to packagers
    Prev Part V. Appendices 

    Chapter 16. Notes to packagers

    Jelmer Vernooij

    Table of Contents

    Versioning
    Modules

    Versioning

    Please, please update the version number in source/include/version.h to include the versioning of your package. This makes it easier to distinguish standard samba builds from custom-build samba builds (distributions often patch packages). For example, a good version would be: 

     Version 2.999+3.0.alpha21-5 for Debian
-

    Modules

    Samba now has support for building parts of samba as plugins. This +

    Modules

    Samba now has support for building parts of samba as plugins. This makes it possible to, for example, put ldap or mysql support in a separate package, thus making it possible to have a normal samba package not depending on ldap or mysql. To build as much parts of samba diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/parsing.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/parsing.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/parsing.html 2005-08-19 13:01:27.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/parsing.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 11. The smb.conf file

    Chapter 11. The smb.conf file
    Prev Part III. Samba Subsystems Next

    Chapter 11. The smb.conf file

    Chris Hertel

    November 1997

    Table of Contents

    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c

    Lexical Analysis

    +Chapter 11. The smb.conf file

    Chapter 11. The smb.conf file
    Prev Part III. Samba Subsystems Next

    Chapter 11. The smb.conf file

    Chris Hertel

    November 1997

    Table of Contents

    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c

    Lexical Analysis

    Basically, the file is processed on a line by line basis. There are four types of lines that are recognized by the lexical analyzer (params.c): @@ -25,7 +25,7 @@ These are the only tokens passed to the parameter loader (loadparm.c). Parameter names and values are divided from one another by an equal sign: '='. -

    Handling of Whitespace

    +

    Handling of Whitespace

    Whitespace is defined as all characters recognized by the isspace() function (see ctype(3C)) except for the newline character ('\n') The newline is excluded because it identifies the end of the line. @@ -40,7 +40,7 @@ are removed.

  • Leading and trailing whitespace is removed from names and values. -

    • Handling of Line Continuation

    +

    Handling of Line Continuation

    Long section header and parameter lines may be extended across multiple lines by use of the backslash character ('\\'). Line continuation is ignored for blank and comment lines. @@ -63,7 +63,7 @@ Line continuation characters are ignored on blank lines and at the end of comments. They are *only* recognized within section and parameter lines. -

    Line Continuation Quirks

    Note the following example:

    +

    Line Continuation Quirks

    Note the following example:

     	param name = parameter value string \
     \
     with line continuation.
@@ -87,7 +87,7 @@

    are read as

     	[section name]
     param name = value
-

    Syntax

    The syntax of the smb.conf file is as follows:

    +

    Syntax

    The syntax of the smb.conf file is as follows:

       <file>            :==  { <section> } EOF
   <section>         :==  <section header> { <parameter line> }
   <section header>  :==  '[' NAME ']'
@@ -106,7 +106,7 @@
 	A parameter line is divided into a NAME and a VALUE.  The *first*
 	equal sign on the line separates the NAME from the VALUE.  The
 	VALUE is terminated by a newline character (NL = '\n').
-

    About params.c

    +

    About params.c

    The parsing of the config file is a bit unusual if you are used to lex, yacc, bison, etc. Both lexical analysis (scanning) and parsing are performed by params.c. Values are loaded via callbacks to diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt01.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt01.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt01.html 2005-08-19 13:01:23.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt01.html 2005-12-19 10:21:15.000000000 -0600 @@ -1 +1 @@ -Part I. The protocol

    Part I. The protocol
    Prev   Next

    The protocol

    Table of Contents

    1. NetBIOS in a Unix World
    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity
    2. NT Domain RPC's
    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS
    Prev   Next
    SAMBA Developers Guide Home Chapter 1. NetBIOS in a Unix World
    +Part I. The protocol
    Part I. The protocol
    Prev   Next

    The protocol

    Table of Contents

    1. NetBIOS in a Unix World
    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity
    2. NT Domain RPC's
    Introduction
    Sources
    Credits
    Notes and Structures
    Notes
    Enumerations
    Structures
    MSRPC over Transact Named Pipe
    MSRPC Pipes
    Header
    Tail
    RPC Bind / Bind Ack
    NTLSA Transact Named Pipe
    LSA Open Policy
    LSA Query Info Policy
    LSA Enumerate Trusted Domains
    LSA Open Secret
    LSA Close
    LSA Lookup SIDS
    LSA Lookup Names
    NETLOGON rpc Transact Named Pipe
    LSA Request Challenge
    LSA Authenticate 2
    LSA Server Password Set
    LSA SAM Logon
    LSA SAM Logoff
    \\MAILSLOT\NET\NTLOGON
    Query for PDC
    SAM Logon
    SRVSVC Transact Named Pipe
    Net Share Enum
    Net Server Get Info
    Cryptographic side of NT Domain Authentication
    Definitions
    Protocol
    Comments
    SIDs and RIDs
    Well-known SIDs
    Well-known RIDS
    Prev   Next
    SAMBA Developers Guide Home Chapter 1. NetBIOS in a Unix World
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt02.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt02.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt02.html 2005-08-19 13:01:25.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt02.html 2005-12-19 10:21:16.000000000 -0600 @@ -1 +1 @@ -Part II. Samba Basics
    Part II. Samba Basics
    Prev   Next

    Samba Basics

    Table of Contents

    3. Samba Architecture
    Introduction
    Multithreading and Samba
    Threading smbd
    Threading nmbd
    nbmd Design
    4. The samba DEBUG system
    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()
    5. Samba Internals
    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table
    6. Coding Suggestions
    7. Contributing code
    8. Modules
    Advantages
    Loading modules
    Static modules
    Shared modules
    Writing modules
    Static/Shared selection in configure.in
    Prev   Next
    Chapter 2. NT Domain RPC's Home Chapter 3. Samba Architecture
    +Part II. Samba Basics
    Part II. Samba Basics
    Prev   Next

    Samba Basics

    Table of Contents

    3. Samba Architecture
    Introduction
    Multithreading and Samba
    Threading smbd
    Threading nmbd
    nbmd Design
    4. The samba DEBUG system
    New Output Syntax
    The DEBUG() Macro
    The DEBUGADD() Macro
    The DEBUGLVL() Macro
    New Functions
    dbgtext()
    dbghdr()
    format_debug_text()
    5. Samba Internals
    Character Handling
    The new functions
    Macros in byteorder.h
    CVAL(buf,pos)
    PVAL(buf,pos)
    SCVAL(buf,pos,val)
    SVAL(buf,pos)
    IVAL(buf,pos)
    SVALS(buf,pos)
    IVALS(buf,pos)
    SSVAL(buf,pos,val)
    SIVAL(buf,pos,val)
    SSVALS(buf,pos,val)
    SIVALS(buf,pos,val)
    RSVAL(buf,pos)
    RIVAL(buf,pos)
    RSSVAL(buf,pos,val)
    RSIVAL(buf,pos,val)
    LAN Manager Samba API
    Parameters
    Return value
    Code character table
    6. Coding Suggestions
    7. Contributing code
    8. Modules
    Advantages
    Loading modules
    Static modules
    Shared modules
    Writing modules
    Static/Shared selection in configure.in
    Prev   Next
    Chapter 2. NT Domain RPC's Home Chapter 3. Samba Architecture
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt03.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt03.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt03.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt03.html 2005-12-19 10:21:16.000000000 -0600 @@ -1 +1 @@ -Part III. Samba Subsystems
    Part III. Samba Subsystems
    Prev   Next

    Samba Subsystems

    Table of Contents

    9. RPC Pluggable Modules
    About
    General Overview
    10. VFS Modules
    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions
    11. The smb.conf file
    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c
    12. Samba WINS Internals
    WINS Failover
    13. LanMan and NT Password Encryption
    Introduction
    How does it work?
    The smbpasswd file
    Prev   Next
    Chapter 8. Modules Home Chapter 9. RPC Pluggable Modules
    +Part III. Samba Subsystems
    Part III. Samba Subsystems
    Prev   Next

    Samba Subsystems

    Table of Contents

    9. RPC Pluggable Modules
    About
    General Overview
    10. VFS Modules
    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions
    11. The smb.conf file
    Lexical Analysis
    Handling of Whitespace
    Handling of Line Continuation
    Line Continuation Quirks
    Syntax
    About params.c
    12. Samba WINS Internals
    WINS Failover
    13. LanMan and NT Password Encryption
    Introduction
    How does it work?
    The smbpasswd file
    Prev   Next
    Chapter 8. Modules Home Chapter 9. RPC Pluggable Modules
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt04.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt04.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt04.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt04.html 2005-12-19 10:21:17.000000000 -0600 @@ -1,9 +1,9 @@ -Part IV. Debugging and tracing
    Part IV. Debugging and tracing
    Prev   Next

    Debugging and tracing

    Table of Contents

    14. Tracing samba system calls
    15. Samba Printing Internals
    Abstract
    +Part IV. Debugging and tracing
    Part IV. Debugging and tracing
    Prev   Next

    Debugging and tracing

    Table of Contents

    14. Tracing samba system calls
    15. Samba Printing Internals
    Abstract
    Printing Interface to Various Back ends -
    +
    Print Queue TDB's -
    +
    ChangeID and Client Caching of Printer Information -
    +
    Windows NT/2K Printer Change Notify
    Prev   Next
    Chapter 13. LanMan and NT Password Encryption Home Chapter 14. Tracing samba system calls
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt05.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt05.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pt05.html 2005-08-19 13:01:28.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pt05.html 2005-12-19 10:21:17.000000000 -0600 @@ -1 +1 @@ -Part V. Appendices
    Part V. Appendices
    Prev   Next

    Appendices

    Table of Contents

    16. Notes to packagers
    Versioning
    Modules
    Prev   Next
    Chapter 15. Samba Printing Internals Home Chapter 16. Notes to packagers
    +Part V. Appendices
    Part V. Appendices
    Prev   Next

    Appendices

    Table of Contents

    16. Notes to packagers
    Versioning
    Modules
    Prev   Next
    Chapter 15. Samba Printing Internals Home Chapter 16. Notes to packagers
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html 2005-08-19 13:01:27.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,12 +1,12 @@ Chapter 13. LanMan and NT Password Encryption
    Chapter 13. LanMan and NT Password Encryption
    Prev Part III. Samba Subsystems Next

    Chapter 13. LanMan and NT Password Encryption

    Jeremy Allison

    Samba Team



    -

    19 Apr 1999

    Table of Contents

    Introduction
    How does it work?
    The smbpasswd file

    Introduction

    With the development of LanManager and Windows NT +

    19 Apr 1999

    Table of Contents

    Introduction
    How does it work?
    The smbpasswd file

    Introduction

    With the development of LanManager and Windows NT compatible password encryption for Samba, it is now able to validate user connections in exactly the same way as a LanManager or Windows NT server.

    This document describes how the SMB password encryption algorithm works and what issues there are in choosing whether you want to use it. You should read it carefully, especially - the part about security and the "PROS and CONS" section.

    How does it work?

    LanManager encryption is somewhat similar to UNIX + the part about security and the "PROS and CONS" section.

    How does it work?

    LanManager encryption is somewhat similar to UNIX password encryption. The server uses a file containing a hashed value of a user's password. This is created by taking the user's plaintext password, capitalising it, and either @@ -43,7 +43,7 @@ know the correct password and is denied access.

    Note that the Samba server never knows or stores the cleartext of the user's password - just the 16 byte hashed values derived from it. Also note that the cleartext password or 16 byte hashed values - are never transmitted over the network - thus increasing security.

    The smbpasswd file

    In order for Samba to participate in the above protocol + are never transmitted over the network - thus increasing security.

    The smbpasswd file

    In order for Samba to participate in the above protocol it must be able to look up the 16 byte hashed values given a user name. Unfortunately, as the UNIX password value is also a one way hash function (ie. it is impossible to retrieve the cleartext of the user's diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html 2005-08-19 13:01:26.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,10 +1,10 @@ -Chapter 9. RPC Pluggable Modules

    Chapter 9. RPC Pluggable Modules
    Prev Part III. Samba Subsystems Next

    Chapter 9. RPC Pluggable Modules

    Anthony Liguori

    IBM

    Jelmer Vernooij

    Samba Team

    January 2003

    Table of Contents

    About
    General Overview

    About

    +Chapter 9. RPC Pluggable Modules

    Chapter 9. RPC Pluggable Modules
    Prev Part III. Samba Subsystems Next

    Chapter 9. RPC Pluggable Modules

    Anthony Liguori

    IBM

    Jelmer Vernooij

    Samba Team

    January 2003

    Table of Contents

    About
    General Overview

    About

    This document describes how to make use the new RPC Pluggable Modules features of Samba 3.0. This architecture was added to increase the maintainability of Samba allowing RPC Pipes to be worked on separately from the main CVS branch. The RPM architecture will also allow third-party vendors to add functionality to Samba through plug-ins. -

    General Overview

    +

    General Overview

    When an RPC call is sent to smbd, smbd tries to load a shared library by the name librpc_<pipename>.so to handle the call if it doesn't know how to handle the call internally. For instance, LSA calls diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html 2005-08-19 13:01:19.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/unix-smb.html 2005-12-19 10:21:14.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 1. NetBIOS in a Unix World

    Chapter 1. NetBIOS in a Unix World
    Prev Part I. The protocol Next

    Chapter 1. NetBIOS in a Unix World

    Andrew Tridgell

    April 1995

    Table of Contents

    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity

    Introduction

    +Chapter 1. NetBIOS in a Unix World

    Chapter 1. NetBIOS in a Unix World
    Prev Part I. The protocol Next

    Chapter 1. NetBIOS in a Unix World

    Andrew Tridgell

    April 1995

    Table of Contents

    Introduction
    Usernames
    File Ownership
    Passwords
    Locking
    Deny Modes
    Trapdoor UIDs
    Port numbers
    Protocol Complexity

    Introduction

    This is a short document that describes some of the issues that confront a SMB implementation on unix, and how Samba copes with them. They may help people who are looking at unix<->PC @@ -6,7 +6,7 @@

    It was written to help out a person who was writing a paper on unix to PC connectivity. -

    Usernames

    +

    Usernames

    The SMB protocol has only a loose username concept. Early SMB protocols (such as CORE and COREPLUS) have no username concept at all. Even in later protocols clients often attempt operations @@ -43,7 +43,7 @@ service%user syntax, the saving of session setup usernames for later validation and the derivation of the username from the service name (either directly or via the user= option). -

    File Ownership

    +

    File Ownership

    The commonly used SMB protocols have no way of saying "you can't do that because you don't own the file". They have, in fact, no concept of file ownership at all. @@ -61,7 +61,7 @@ There are several possible solutions to this problem, including username mapping, and forcing a specific username for particular shares. -

    Passwords

    +

    Passwords

    Many SMB clients uppercase passwords before sending them. I have no idea why they do this. Interestingly WfWg uppercases the password only if the server is running a protocol greater than COREPLUS, so @@ -83,7 +83,7 @@ smbpasswd file containing these password hashes is only readable by the root user. See the documentation ENCRYPTION.txt for more details. -

    Locking

    +

    Locking

    Since samba 2.2, samba supports other types of locking as well. This section is outdated.

    @@ -114,7 +114,7 @@ the same file, at which time the client will say if it is willing to give up its lock. Unix has no simple way of implementing opportunistic locking, and currently Samba has no support for it. -

    Deny Modes

    +

    Deny Modes

    When a SMB client opens a file it asks for a particular "deny mode" to be placed on the file. These modes (DENY_NONE, DENY_READ, DENY_WRITE, DENY_ALL, DENY_FCB and DENY_DOS) specify what actions should be @@ -128,7 +128,7 @@ is clumsy and consumes processing and file resources, the shared memory implementation is vastly prefered and is turned on by default for those systems that support it. -

    Trapdoor UIDs

    +

    Trapdoor UIDs

    A SMB session can run with several uids on the one socket. This happens when a user connects to two shares with different usernames. To cope with this the unix server needs to switch uids @@ -138,7 +138,7 @@

    Note that you can also get the "trapdoor uid" message for other reasons. Please see the FAQ for details. -

    Port numbers

    +

    Port numbers

    There is a convention that clients on sockets use high "unprivileged" port numbers (>1000) and connect to servers on low "privilegedg" port numbers. This is enforced in Unix as non-root users can't open a @@ -161,7 +161,7 @@ back, but it goes to port 137 which the unix user can't listen on. Interestingly WinNT3.1 got this right - it sends node status responses back to the source port in the request. -

    Protocol Complexity

    +

    Protocol Complexity

    There are many "protocol levels" in the SMB protocol. It seems that each time new functionality was added to a Microsoft operating system, they added the equivalent functions in a new protocol level of the SMB diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/vfs.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/vfs.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/vfs.html 2005-08-19 13:01:26.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/vfs.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 10. VFS Modules

    Chapter 10. VFS Modules
    Prev Part III. Samba Subsystems Next

    Chapter 10. VFS Modules

    Alexander Bokovoy

    Stefan Metzmacher

    27 May 2003

    Table of Contents

    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions

    The Samba (Posix) VFS layer

    The general interface

    +Chapter 10. VFS Modules

    Chapter 10. VFS Modules
    Prev Part III. Samba Subsystems Next

    Chapter 10. VFS Modules

    Alexander Bokovoy

    Stefan Metzmacher

    27 May 2003

    Table of Contents

    The Samba (Posix) VFS layer
    The general interface
    Possible VFS operation layers
    The Interaction between the Samba VFS subsystem and the modules
    Initialization and registration
    How the Modules handle per connection data
    Upgrading to the New VFS Interface
    Upgrading from 2.2.* and 3.0aplha modules
    Some Notes
    Implement TRANSPARENT functions
    Implement OPAQUE functions

    The Samba (Posix) VFS layer

    The general interface

    Each VFS operation has a vfs_op_type, a function pointer and a handle pointer in the struct vfs_ops and tree macros to make it easier to call the operations. (Take a look at include/vfs.h and include/vfs_macros.h.) @@ -94,7 +94,7 @@ (tofd), (fsp), (fromfd), (header), (offset), (count))) ... -

    Possible VFS operation layers

    +

    Possible VFS operation layers

    These values are used by the VFS subsystem when building the conn->vfs and conn->vfs_opaque structs for a connection with multiple VFS modules. Internally, Samba differentiates only opaque and transparent layers at this process. @@ -123,7 +123,7 @@ SMB_VFS_LAYER_SCANNER /* - Checks data and possibly initiates additional */ /* file activity like logging to files _inside_ samba VFS */ } vfs_op_layer; -

    The Interaction between the Samba VFS subsystem and the modules

    Initialization and registration

    +

    The Interaction between the Samba VFS subsystem and the modules

    Initialization and registration

    As each Samba module a VFS module should have a 

    NTSTATUS vfs_example_init(void);

    function if it's staticly linked to samba or 

    NTSTATUS init_module(void);

    function if it's a shared module. @@ -163,7 +163,7 @@ { return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "example", example_op_tuples); } -

    How the Modules handle per connection data

    Each VFS function has as first parameter a pointer to the modules vfs_handle_struct. +

    How the Modules handle per connection data

    Each VFS function has as first parameter a pointer to the modules vfs_handle_struct. 

     typedef struct vfs_handle_struct {
 	struct vfs_handle_struct  *next, *prev;
@@ -264,7 +264,7 @@
 	(handle)->vfs_next.handles.sendfile,\
 	 (tofd), (fsp), (fromfd), (header), (offset), (count)))
 ...
-

    Upgrading to the New VFS Interface

    Upgrading from 2.2.* and 3.0aplha modules

    1. +

    Upgrading to the New VFS Interface

    Upgrading from 2.2.* and 3.0aplha modules

    1. Add "vfs_handle_struct *handle, " as first parameter to all vfs operation functions. e.g. example_connect(connection_struct *conn, const char *service, const char *user); -> example_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user); @@ -527,7 +527,7 @@

    2. Compiling & Testing...

      ./configure --enable-developer ...
      make
      Try to fix all compiler warnings
      make
      Testing, Testing, Testing ...

      -

    Some Notes

    Implement TRANSPARENT functions

    +

    Some Notes

    Implement TRANSPARENT functions

    Avoid writing functions like this: 

    @@ -538,7 +538,7 @@

    Overload only the functions you really need to! -

    Implement OPAQUE functions

    +

    Implement OPAQUE functions

    If you want to just implement a better version of a default samba opaque function (e.g. like a disk_free() function for a special filesystem) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/wins.html samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/wins.html --- samba-3.0.20b/docs/htmldocs/Samba3-Developers-Guide/wins.html 2005-08-19 13:01:27.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-Developers-Guide/wins.html 2005-12-19 10:21:16.000000000 -0600 @@ -1,4 +1,4 @@ -Chapter 12. Samba WINS Internals

    Chapter 12. Samba WINS Internals
    Prev Part III. Samba Subsystems Next

    Chapter 12. Samba WINS Internals

    Gerald Carter

    October 2002

    Table of Contents

    WINS Failover

    WINS Failover

    +Chapter 12. Samba WINS Internals

    Chapter 12. Samba WINS Internals
    Prev Part III. Samba Subsystems Next

    Chapter 12. Samba WINS Internals

    Gerald Carter

    October 2002

    Table of Contents

    WINS Failover

    WINS Failover

    The current Samba codebase possesses the capability to use groups of WINS servers that share a common namespace for NetBIOS name registration and resolution. The formal parameter syntax is diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/AccessControls.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/AccessControls.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/AccessControls.html 2005-08-19 13:03:31.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/AccessControls.html 2005-12-19 10:22:38.000000000 -0600 @@ -1,59 +1,59 @@ -Chapter 15. File, Directory, and Share Access Controls

    Chapter 15. File, Directory, and Share Access Controls
    Prev Part III. Advanced Configuration Next

    Chapter 15. File, Directory, and Share Access Controls

    John H. Terpstra

    Samba Team

    Jeremy Allison

    Samba Team

    Jelmer R. Vernooij

    drawing
    The Samba Team

    May 10, 2003

    Table of Contents

    Features and Benefits
    File System Access Controls
    MS Windows NTFS Comparison with UNIX File Systems
    Managing Directories
    File and Directory Access Control
    Share Definition Access Controls
    User- and Group-Based Controls
    File and Directory Permissions-Based Controls
    Miscellaneous Controls
    Access Controls on Shares
    Share Permissions Management
    MS Windows Access Control Lists and UNIX Interoperability
    Managing UNIX Permissions Using NT Security Dialogs
    Viewing File Security on a Samba Share
    Viewing File Ownership
    Viewing File or Directory Permissions
    Modifying File or Directory Permissions
    Interaction with the Standard Samba “create mask” Parameters
    Interaction with the Standard Samba File Attribute Mapping
    Windows NT/200X ACLs and POSIX ACLs Limitations
    Common Errors
    Users Cannot Write to a Public Share
    File Operations Done as root with force user Set
    MS Word with Samba Changes Owner of File

    - - - - +Chapter 15. File, Directory, and Share Access Controls

    Chapter 15. File, Directory, and Share Access Controls
    Prev Part III. Advanced Configuration Next

    Chapter 15. File, Directory, and Share Access Controls

    John H. Terpstra

    Samba Team

    Jeremy Allison

    Samba Team

    Jelmer R. Vernooij

    drawing
    The Samba Team

    May 10, 2003

    Table of Contents

    Features and Benefits
    File System Access Controls
    MS Windows NTFS Comparison with UNIX File Systems
    Managing Directories
    File and Directory Access Control
    Share Definition Access Controls
    User- and Group-Based Controls
    File and Directory Permissions-Based Controls
    Miscellaneous Controls
    Access Controls on Shares
    Share Permissions Management
    MS Windows Access Control Lists and UNIX Interoperability
    Managing UNIX Permissions Using NT Security Dialogs
    Viewing File Security on a Samba Share
    Viewing File Ownership
    Viewing File or Directory Permissions
    Modifying File or Directory Permissions
    Interaction with the Standard Samba “create mask” Parameters
    Interaction with the Standard Samba File Attribute Mapping
    Windows NT/200X ACLs and POSIX ACLs Limitations
    Common Errors
    Users Cannot Write to a Public Share
    File Operations Done as root with force user Set
    MS Word with Samba Changes Owner of File

    + + + + Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of resources shared via Samba do not behave in the manner they might expect. MS Windows network administrators are often confused regarding network access controls and how to provide users with the access they need while protecting resources from unauthorized access.

    - - + + Many UNIX administrators are unfamiliar with the MS Windows environment and in particular have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file and directory access permissions.

    - - - - + + + + The problem lies in the differences in how file and directory permissions and controls work between the two environments. This difference is one that Samba cannot completely hide, even though it does try to bridge the chasm to a degree.

    - - - - + + + + POSIX Access Control List technology has been available (along with extended attributes) for UNIX for many years, yet there is little evidence today of any significant use. This explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows administrators are astounded at this, given that ACLs were a foundational capability of the now decade-old MS Windows NT operating system.

    - + The purpose of this chapter is to present each of the points of control that are possible with Samba-3 in the hope that this will help the network administrator to find the optimum method for delivering the best environment for MS Windows desktop users.

    - - + + This is an opportune point to mention that Samba was created to provide a means of interoperability and interchange of data between differing operating environments. Samba has no intent to change UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient level of exchange of data between the two environments. What is available today extends well beyond early plans and expectations, yet the gap continues to shrink. -

    Features and Benefits

    +

    Features and Benefits

    Samba offers much flexibility in file system access management. These are the key access control facilities present in Samba today:

    Samba Access Control Facilities

    • - + UNIX File and Directory Permissions

      - - - + + + Samba honors and implements UNIX file system access controls. Users who access a Samba server will do so as a particular MS Windows user. This information is passed to the Samba server as part of the logon or @@ -64,7 +64,7 @@

    • Samba Share Definitions

      - + In configuring share settings and controls in the smb.conf file, the network administrator can exercise overrides to native file system permissions and behaviors. This can be handy and convenient @@ -73,20 +73,20 @@ The basic options and techniques are described herein.

    • Samba Share ACLs - +

      - + Just as it is possible in MS Windows NT to set ACLs on shares themselves, so it is possible to do in Samba. Few people make use of this facility, yet it remains one of the easiest ways to affect access controls (restrictions) and can often do so with minimum invasiveness compared with other methods.

    • - - + + MS Windows ACLs through UNIX POSIX ACLs

      - + The use of POSIX ACLs on UNIX/Linux is possible only if the underlying operating system supports them. If not, then this option will not be available to you. Current UNIX technology platforms have native support @@ -94,16 +94,16 @@ this support. Sadly, few Linux platforms ship today with native ACLs and extended attributes enabled. This chapter has pertinent information for users of platforms that support them. -

    File System Access Controls

    +

    File System Access Controls

    Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP implement a totally divergent file system technology from what is provided in the UNIX operating system environment. First we consider what the most significant differences are, then we look at how Samba helps to bridge the differences. -

    MS Windows NTFS Comparison with UNIX File Systems

    - - - - +

    MS Windows NTFS Comparison with UNIX File Systems

    + + + + Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions and permissions. It also means that if the MS Windows networking environment requires file system behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating @@ -114,7 +114,7 @@ but for the greater part we stay within the bounds of default behavior. Those wishing to explore the depths of control ability should review the smb.conf man page.

    The following compares file system features for UNIX with those of MS Windows NT/200x: - +

    Name Space

    MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names @@ -123,8 +123,8 @@

    What MS Windows calls a folder, UNIX calls a directory.

    Case Sensitivity

    - - + + MS Windows file names are generally uppercase if made up of 8.3 (8-character file name and 3 character extension. File names that are longer than 8.3 are case preserving and case insensitive. @@ -151,26 +151,26 @@ event that the UNIX directory contains multiple files that would match a case insensitive file listing.

    Directory Separators

    - + MS Windows and DOS use the backslash \ as a directory delimiter, and UNIX uses the forward-slash / as its directory delimiter. This is handled transparently by Samba.

    Drive Identification

    - + MS Windows products support a notion of drive letters, like C:, to represent disk partitions. UNIX has no concept of separate identifiers for file partitions; each such file system is mounted to become part of the overall directory tree. The UNIX directory tree begins at / just as the root of a DOS drive is specified as C:\.

    File Naming Conventions

    - + MS Windows generally never experiences file names that begin with a dot (.), while in UNIX these are commonly found in a user's home directory. Files that begin with a dot (.) are typically startup files for various UNIX applications, or they may be files that contain startup configuration data.

    Links and Short-Cuts

    - - - + + + MS Windows make use of links and shortcuts that are actually special types of files that will redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory links, but they are entirely different from what MS Windows users are used to. @@ -183,17 +183,17 @@ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the purpose of UNIX/Linux training and education. -

    Managing Directories

    - - - +

    Managing Directories

    + + + There are three basic operations for managing directories: create, delete, rename. Managing Directories with UNIX and Windows compares the commands in Windows and UNIX that implement these operations. -

    Table 15.1. Managing Directories with UNIX and Windows

    ActionMS Windows CommandUNIX Command
    createmd foldermkdir folder
    deleterd folderrmdir folder
    renamerename oldname newnamemv oldname newname

    File and Directory Access Control

    - - - +

    Table 15.1. Managing Directories with UNIX and Windows

    ActionMS Windows CommandUNIX Command
    createmd foldermkdir folder
    deleterd folderrmdir folder
    renamerename oldname newnamemv oldname newname

    File and Directory Access Control

    + + + The network administrator is strongly advised to read basic UNIX training manuals and reference materials regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs). @@ -226,47 +226,47 @@

    Figure 15.1. Overview of UNIX permissions field.

    Overview of UNIX permissions field.

    Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented as a “-” character (see ???) - - - - - - + + + + + +

    Example 15.1. Example File

     -rwxr-x---   Means: 
  ^^^                The owner (user) can read, write, execute
     ^^^             the group can read and execute
        ^^^          everyone else cannot do anything with it.

    - - - - + + + + Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.

    - - - - - + + + + + The letters rwxXst set permissions for the user, group, and others as read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t).

    - - - - + + + + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

    - - - - - + + + + + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file @@ -276,11 +276,11 @@ the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then group members will be able to write to (or delete) them. -

    Protecting Directories and Files from Deletion

    - - - - +

    Protecting Directories and Files from Deletion

    + + + + People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to @@ -288,27 +288,27 @@ anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.

    - - - + + + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on the directory that the file is in. In other words, a user can delete a file in a directory to which that user has write access, even if that user does not own the file.

    - - - - + + + + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known as extended attributes. Only the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute.

    - - - - + + + + The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory or file from being deleted. The extended attribute that may achieve this is called the immutible bit. @@ -322,7 +322,7 @@

    A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host server. -

    Procedure 15.1. Test for File Immutibility Support

    1. +

      Procedure 15.1. Test for File Immutibility Support

      1. Create a file called filename.

      2. Login as the root user, then set the immutibile flag on a test file as follows: @@ -340,17 +340,17 @@ that cannot be deleted. Check the man page on your particular host system to determine whether or not immutable directories are writable. If they are not, then the entire directory and its contents will effectively be protected from writing (file creation also) and deletion. -

    Share Definition Access Controls

    - +

    Share Definition Access Controls

    + The following parameters in the smb.conf file sections define a share control or affect access controls. Before using any of the following options, please refer to the man page for smb.conf. -

    User- and Group-Based Controls

    +

    User- and Group-Based Controls

    User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the - force user and force group behavior will achieve this. + force user and force group behavior will achieve this. In other situations it may be necessary to use a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the use of the - valid users or the invalid users parameter may be useful. + valid users or the invalid users parameter may be useful.

    As always, it is highly advisable to use the easiest to maintain and the least ambiguous method for controlling access. Remember, when you leave the scene, someone else will need to provide assistance, and @@ -358,34 +358,34 @@ Samba being removed and an alternative solution being adopted.

    User and Group Based Controls enumerates these controls. -

    Table 15.2. User- and Group-Based Controls

    Control ParameterDescription, Action, Notes
    admin users

    +

    Table 15.2. User- and Group-Based Controls

    Control ParameterDescription, Action, Notes
    admin users

    List of users who will be granted administrative privileges on the share. They will do all file operations as the superuser (root). Users in this list will be able to do anything they like on the share, irrespective of file permissions. -

    force group

    +

    force group

    Specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. -

    force user

    +

    force user

    Specifies a UNIX username that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. Incorrect use can cause security problems. -

    guest ok

    +

    guest ok

    If this parameter is set for a service, then no password is required to connect to the service. Privileges will be those of the guest account. -

    invalid users

    +

    invalid users

    List of users that should not be allowed to login to this service. -

    only user

    +

    only user

    Controls whether connections with usernames not in the user list will be allowed. -

    read list

    +

    read list

    List of users that are given read-only access to a service. Users in this list will not be given write access, no matter what the read-only option is set to. -

    username

    +

    username

    Refer to the smb.conf man page for more information; this is a complex and potentially misused parameter. -

    valid users

    +

    valid users

    List of users that should be allowed to login to this service. -

    write list

    +

    write list

    List of users that are given read-write access to a service. -

    File and Directory Permissions-Based Controls

    +

    File and Directory Permissions-Based Controls

    Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce @@ -393,126 +393,126 @@

    Refer to File and Directory Permission Based Controls for information regarding the parameters that may be used to set file and directory permission-based access controls. -

    Table 15.3. File and Directory Permission-Based Controls

    Control ParameterDescription, Action, Notes
    create mask

    +

    Table 15.3. File and Directory Permission-Based Controls

    Control ParameterDescription, Action, Notes
    create mask

    Refer to the smb.conf man page. -

    directory mask

    +

    directory mask

    The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. See also directory security mask. -

    dos filemode

    +

    dos filemode

    Enabling this parameter allows a user who has write access to the file to modify the permissions on it. -

    force create mode

    +

    force create mode

    This parameter specifies a set of UNIX-mode bit permissions that will always be set on a file created by Samba. -

    force directory mode

    +

    force directory mode

    This parameter specifies a set of UNIX-mode bit permissions that will always be set on a directory created by Samba. -

    force directory security mode

    +

    force directory security mode

    Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory. -

    force security mode

    +

    force security mode

    Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. -

    hide unreadable

    +

    hide unreadable

    Prevents clients from seeing the existence of files that cannot be read. -

    hide unwriteable files

    +

    hide unwriteable files

    Prevents clients from seeing the existence of files that cannot be written to. Unwritable directories are shown as usual. -

    nt acl support

    +

    nt acl support

    This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs. -

    security mask

    +

    security mask

    Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. -

    Miscellaneous Controls

    +

    Miscellaneous Controls

    The parameter documented in Other Controls are often used by administrators in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the full implications of smb.conf file settings.

    Table 15.4. Other Controls

    Control ParameterDescription, Action, Notes
    - case sensitive, - default case, - short preserve case + case sensitive, + default case, + short preserve case

    This means that all file name lookup will be done in a case-sensitive manner. Files will be created with the precise file name Samba received from the MS Windows client. -

    csc policy

    +

    csc policy

    Client-side caching policy parallels MS Windows client-side file caching capabilities. -

    dont descend

    +

    dont descend

    Allows specifying a comma-delimited list of directories that the server should always show as empty. -

    dos filetime resolution

    +

    dos filetime resolution

    This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. -

    dos filetimes

    +

    dos filetimes

    DOS and Windows allow users to change file timestamps if they can write to the file. POSIX semantics prevent this. This option allows DOS and Windows behavior. -

    fake oplocks

    +

    fake oplocks

    Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock, the client is free to assume that it is the only one accessing the file, and it will aggressively cache file data.

    - hide dot files, - hide files, - veto files + hide dot files, + hide files, + veto files

    Note: MS Windows Explorer allows override of files marked as hidden so they will still be visible. -

    read only

    +

    read only

    If this parameter is yes, then users of a service may not create or modify files in the service's directory. -

    veto files

    +

    veto files

    List of files and directories that are neither visible nor accessible. -

    Access Controls on Shares

    - - - - - +

    Access Controls on Shares

    + + + + + This section deals with how to configure Samba per-share access control restrictions. By default, Samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can connect to a share. In the absence of specific restrictions, the default setting is to allow the global user Everyone - Full Control (full control, change and read).

    - - - + + + At this time Samba does not provide a tool for configuring access control settings on the share itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide this capability in the Samba command-line tool set.

    - - - - + + + + Samba stores the per-share access control settings in a file called share_info.tdb. The location of this file on your system will depend on how Samba was compiled. The default location for Samba's tdb files is under /usr/local/samba/var. If the tdbdump utility has been compiled and installed on your system, then you can examine the contents of this file by executing tdbdump share_info.tdb in the directory containing the tdb files. -

    Share Permissions Management

    +

    Share Permissions Management

    The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. -

    Windows NT4 Workstation/Server

    - - - - +

    Windows NT4 Workstation/Server

    + + + + The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft web site support section. -

    Procedure 15.2. Instructions

    1. +

      Procedure 15.2. Instructions

      1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.

      2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish. -

    Windows 200x/XP

    - - - - +

    Windows 200x/XP

    + + + + On MS Windows NT4/200x/XP system, ACLs on the share itself are set using native tools, usually from File Manager. For example, in Windows 200x, right-click on the shared folder, then select Sharing, then click on Permissions. The default Windows NT4/200x permission allows "Everyone" full control on the share.

    - - - + + + MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the MMC. This tool is located by clicking on Control Panel -> Administrative Tools -> Computer Management. -

    Procedure 15.3. Instructions

    1. +

      Procedure 15.3. Instructions

      1. After launching the MMC with the Computer Management snap-in, click the menu item Action and select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. @@ -523,7 +523,7 @@ System Tools, then on the [+] next to Shared Folders in the left panel.

      2. - + In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you @@ -534,8 +534,8 @@ ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access. -

    MS Windows Access Control Lists and UNIX Interoperability

    Managing UNIX Permissions Using NT Security Dialogs

    - +

    MS Windows Access Control Lists and UNIX Interoperability

    Managing UNIX Permissions Using NT Security Dialogs

    + Windows NT clients can use their native security settings dialog box to view and modify the underlying UNIX permissions.

    @@ -549,7 +549,7 @@ When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files. -

    Viewing File Security on a Samba Share

    +

    Viewing File Security on a Samba Share

    From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter or UNC path. When the menu pops up, click on the Properties entry at the bottom of the menu. This brings up the file Properties dialog box. Click on the @@ -560,7 +560,7 @@ to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is nonfunctional with a Samba share at this time, because the only useful button, the Add button, will not currently allow a list of users to be seen. -

    Viewing File Ownership

    +

    Viewing File Ownership

    Clicking on the Ownership button brings up a dialog box telling you who owns the given file. The owner name will be displayed like this: 

    @@ -571,10 +571,10 @@
 		descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).
 		Click on the Close button to remove this dialog.
 		
    
-		If the parameter nt acl support is set to false,
+		If the parameter nt acl support is set to false,
 		the file owner will be shown as the NT user Everyone.
 		
    
-
+
 		The Take Ownership button will not allow you to change the ownership of this file to
 		yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto
 		the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged
@@ -582,14 +582,14 @@
 		NT to attempt to change the ownership of a file to the current user logged into the NT client, this will
 		not work with Samba at this time.
 		
    
-
-
-
+
+
+
 		There is an NT chown command that will work with Samba and allow a user with administrator
 		privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system
 		or remote mounted NTFS or Samba drive. This is available as part of the Seclib NT
 		security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site.
-

    Viewing File or Directory Permissions

    +

    Viewing File or Directory Permissions

    The third button is the Permissions button. Clicking on it brings up a dialog box that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:

    SERVER\ @@ -598,12 +598,12 @@ user is the username of the UNIX user who owns the file, and (Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).

    - If the parameter nt acl support is set to false, + If the parameter nt acl support is set to false, the file owner will be shown as the NT user Everyone, and the permissions will be shown as NT Full Control.

    The permissions field is displayed differently for files and directories. Both are discussed next. -

    File Permissions

    +

    File Permissions

    The standard UNIX user/group/world triplet and the corresponding read, write, execute permissions triplets are mapped by Samba into a three-element NT ACL with the “r”, “w”, and “x” bits mapped into the corresponding NT @@ -621,7 +621,7 @@ Take Ownership ACL attribute (which has no meaning in UNIX) and reports a component with no permissions as having the NT O bit set. This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this action are given below. -

    Directory Permissions

    +

    Directory Permissions

    Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the directory itself, which is usually displayed in the first set of parentheses in the normal RW NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described @@ -632,13 +632,13 @@

    Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file created by Samba on this share would receive. -

    Modifying File or Directory Permissions

    +

    Modifying File or Directory Permissions

    Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box and clicking on OK. However, there are limitations that a user needs to be aware of, and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to be taken into account.

    - If the parameter nt acl support is set to false, any attempt to + If the parameter nt acl support is set to false, any attempt to set security permissions will fail with an "Access Denied" message.

    The first thing to note is that the Add button will not return a list of users in Samba @@ -665,39 +665,39 @@ If you wish to remove all permissions from a user/group/world component, you may either highlight the component and click on the Remove button or set the component to only have the special Take Ownership permission (displayed as O) highlighted. -

    Interaction with the Standard Samba “create mask” Parameters

    There are four parameters that control interaction with the standard Samba create mask parameters: +

    Interaction with the Standard Samba “create mask” Parameters

    There are four parameters that control interaction with the standard Samba create mask parameters: -

    • security mask

    • force security mode

    • directory security mask

    • force directory security mode

    +

    • security mask

    • force security mode

    • directory security mask

    • force directory security mode

    When a user clicks on OK to apply the permissions, Samba maps the given permissions into a user/group/world r/w/x triplet set, and then checks the changed permissions for a file against the bits set in the - security mask parameter. Any bits that + security mask parameter. Any bits that were changed that are not set to 1 in this parameter are left alone in the file permissions.

    - Essentially, zero bits in the security mask + Essentially, zero bits in the security mask may be treated as a set of bits the user is not allowed to change, and one bits are those the user is allowed to change.

    If not explicitly set, this parameter defaults to the same value as - the create mask parameter. To allow a user to modify all the + the create mask parameter. To allow a user to modify all the user/group/world permissions on a file, set this parameter to 0777.

    Next Samba checks the changed permissions for a file against the bits set in the - force security mode parameter. Any bits + force security mode parameter. Any bits that were changed that correspond to bits set to 1 in this parameter are forced to be set.

    Essentially, bits set in the force security mode parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be on.

    If not explicitly set, this parameter defaults to the same value - as the force create mode parameter. + as the force create mode parameter. To allow a user to modify all the user/group/world permissions on a file with no restrictions, set this parameter to 000. The - security mask and force + security mask and force security mode parameters are applied to the change request in that order.

    For a directory, Samba performs the same operations as @@ -706,11 +706,11 @@ mask, and force directory security mode parameter instead of force security mode .

    - The directory security mask parameter + The directory security mask parameter by default is set to the same value as the directory mask parameter and the force directory security mode parameter by default is set to the same value as - the force directory mode parameter. + the force directory mode parameter. In this way Samba enforces the permission restrictions that an administrator can set on a Samba share, while still allowing users to modify the permission bits within that restriction.

    @@ -719,7 +719,7 @@ does not force any particular bits to be set on, then set the following parameters in the smb.conf file in that share-specific section: -

    security mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0

    Interaction with the Standard Samba File Attribute Mapping

    Note

    +

    security mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0

    Interaction with the Standard Samba File Attribute Mapping

    Note

    Samba maps some of the DOS attribute bits (such as “read-only”) into the UNIX permissions of a file. This means there can be a conflict between the permission bits set via the security @@ -740,7 +740,7 @@ attributes dialog, you should always press Cancel rather than OK to ensure that your changes are not overridden. -

    Windows NT/200X ACLs and POSIX ACLs Limitations

    +

    Windows NT/200X ACLs and POSIX ACLs Limitations

    Windows administrators are familiar with simple ACL controls, and they typically consider that UNIX user/group/other (ugo) permissions are inadequate and not sufficiently fine-grained. @@ -768,7 +768,7 @@ ACLs as implemented in UNIX file systems. Samba provides support for masks that permit normal ugo and ACLs functionality to be overrided. This further complicates the way in which Windows ACLs must be implemented. -

    UNIX POSIX ACL Overview

    +

    UNIX POSIX ACL Overview

    In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance: 

    @@ -797,7 +797,7 @@
 default:mask:rwx      <-- inherited default mask
 default:other:---     <-- inherited permissions for everyone (other)

    -

    Mapping of Windows File ACLs to UNIX POSIX ACLs

    +

    Mapping of Windows File ACLs to UNIX POSIX ACLs

    Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. The mappings for file permissions are shown in How Windows File ACLs Map to UNIX POSIX File ACLs. @@ -816,7 +816,7 @@ The UNIX administrator can set any directory permission from within the UNIX environment. The Windows administrator is more restricted in that it is not possible from within Windows Explorer to remove read permission for the file owner. -

    Mapping of Windows Directory ACLs to UNIX POSIX ACLs

    +

    Mapping of Windows Directory ACLs to UNIX POSIX ACLs

    Interesting things happen in the mapping of UNIX POSIX directory permissions and UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of an ACL) are mapped to Windows directory ACLs. @@ -824,10 +824,10 @@ Directory permissions function in much the same way as shown for file permissions, but there are some notable exceptions and a few peculiarities that the astute administrator will want to take into account in the setting up of directory permissions. -

    Common Errors

    +

    Common Errors

    File, directory, and share access problems are common topics on the mailing list. The following are examples recently taken from the mailing list. -

    Users Cannot Write to a Public Share

    +

    Users Cannot Write to a Public Share

    We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root), and there's a public share on which everyone needs to have permission to create/modify files, but only @@ -885,17 +885,17 @@

  • Now in your smb.conf for the share add: -

    force create mode = 0775
    force directory mode = 6775

    +

    force create mode = 0775
    force directory mode = 6775

    Note

    These procedures are needed only if your users are not members of the group you have used that is, if within the OS they do not have write permission on the directory.

    An alternative is to set in the smb.conf entry for the share: -

    force user = jack
    force group = engr

    -

    • File Operations Done as root with force user Set

    - When you have a user in admin users, Samba will always do file operations for - this user as root, even if force user has been set. -

    MS Word with Samba Changes Owner of File

    +

    force user = jack
    force group = engr

    +

    File Operations Done as root with force user Set

    + When you have a user in admin users, Samba will always do file operations for + this user as root, even if force user has been set. +

    MS Word with Samba Changes Owner of File

    Question:When user B saves a word document that is owned by user A, the updated file is now owned by user B. Why is Samba doing this? How do I fix this?

    @@ -910,7 +910,7 @@ in which you are changing Word documents: chmod g+s `directory_name'. This ensures that all files will be created with the group that owns the directory. In smb.conf share declaration section set:

    -

    force create mode = 0660
    force directory mode = 0770

    +

    force create mode = 0660
    force directory mode = 0770

    These two settings will ensure that all directories and files that get created in the share will be readable/writable by the owner and group set on the directory itself. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2005-08-19 13:03:41.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2005-12-19 10:22:58.000000000 -0600 @@ -1,9 +1,9 @@ -Chapter 24. Advanced Network Management

    Chapter 24. Advanced Network Management
    Prev Part III. Advanced Configuration Next

    Chapter 24. Advanced Network Management

    John H. Terpstra

    Samba Team

    June 15 2005

    Table of Contents

    Features and Benefits
    Remote Server Administration
    Remote Desktop Management
    Remote Management from NoMachine.Com
    Network Logon Script Magic
    Adding Printers without User Intervention
    Limiting Logon Connections

    - +Chapter 24. Advanced Network Management

    Chapter 24. Advanced Network Management
    Prev Part III. Advanced Configuration Next

    Chapter 24. Advanced Network Management

    John H. Terpstra

    Samba Team

    June 15 2005

    Table of Contents

    Features and Benefits
    Remote Server Administration
    Remote Desktop Management
    Remote Management from NoMachine.Com
    Network Logon Script Magic
    Adding Printers without User Intervention
    Limiting Logon Connections

    + This section documents peripheral issues that are of great importance to network administrators who want to improve network resource access control, to automate the user environment, and to make their lives a little easier. -

    Features and Benefits

    +

    Features and Benefits

    Often the difference between a working network environment and a well-appreciated one can best be measured by the little things that make everything work more harmoniously. A key part of every network environment solution is the ability to remotely @@ -13,48 +13,48 @@

    This chapter presents information on each of these areas. They are placed here, and not in other chapters, for ease of reference. -

    Remote Server Administration

    How do I get User Manager and Server Manager?

    - - - +

    Remote Server Administration

    How do I get User Manager and Server Manager?

    + + + Since I do not need to buy an NT4 server, how do I get the User Manager for Domains and the Server Manager?

    - - + + Microsoft distributes a version of these tools called Nexus.exe for installation on Windows 9x/Me systems. The tools set includes:

    • Server Manager

    • User Manager for Domains

    • Event Viewer

    Download the archived file at the Microsoft Nexus link.

    - - - + + + The Windows NT 4.0 version of the User Manager for Domains and Server Manager are available from Microsoft via ftp. -

    Remote Desktop Management

    - - +

    Remote Desktop Management

    + + There are a number of possible remote desktop management solutions that range from free through costly. Do not let that put you off. Sometimes the most costly solution is the most cost effective. In any case, you will need to draw your own conclusions as to which is the best tool in your network environment. -

    Remote Management from NoMachine.Com

    - +

    Remote Management from NoMachine.Com

    + The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. It is presented in slightly edited form (with author details omitted for privacy reasons). The entire answer is reproduced below with some comments removed.

    - + I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote desktop capabilities so users outside could login to the system and get their desktop up from home or another country.

    - - - - + + + + Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login even if the computer is in a domain? @@ -62,22 +62,22 @@ Answer provided: Check out the new offer of “NX” software from NoMachine.

    - - - + + + It implements an easy-to-use interface to the Remote X protocol as well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed performance much better than anything you may have ever seen.

    - + Remote X is not new at all, but what they did achieve successfully is a new way of compression and caching technologies that makes the thing fast enough to run even over slow modem/ISDN connections.

    - - - - + + + + I test drove their (public) Red Hat machine in Italy, over a loaded Internet connection, with enabled thumbnail previews in KDE konqueror, which popped up immediately on “mouse-over”. From inside that (remote X) @@ -85,18 +85,18 @@ To test the performance, I played Pinball. I am proud to announce that my score was 631,750 points at first try.

    - - - - + + + + NX performs better on my local LAN than any of the other “pure” connection methods I use from time to time: TightVNC, rdesktop or Remote X. It is even faster than a direct crosslink connection between two nodes.

    - - - + + + I even got sound playing from the Remote X app to my local boxes, and had a working “copy'n'paste” from an NX window (running a KDE session in Italy) to my Mozilla mailing agent. These guys are certainly doing @@ -118,7 +118,7 @@ full-screen, and after a short time you forget that it is a remote session at all).

    - + Now the best thing for last: All the core compression and caching technologies are released under the GPL and available as source code to anybody who wants to build on it! These technologies are working, @@ -140,15 +140,15 @@ you can now use a (very inconvenient) command line at no cost, but you can buy a comfortable (proprietary) NX GUI front end for money.

  • - - - - - + + + + + NoMachine is encouraging and offering help to OSS/Free Software implementations for such a front-end too, even if it means competition to them (they have written to this effect even to the LTSP, KDE, and GNOME developer mailing lists). -

    • Network Logon Script Magic

    +

    Network Logon Script Magic

    There are several opportunities for creating a custom network startup configuration environment.

    • No Logon Script.

    • Simple universal Logon Script that applies to all users.

    • Use of a conditional Logon Script that applies per-user or per-group attributes.

    • Use of Samba's preexec and postexec functions on access to the NETLOGON share to create a custom logon script and then execute it.

    • User of a tool such as KixStart.

    @@ -158,7 +158,7 @@

    The following listings are from the genlogon directory.

    - + This is the genlogon.pl file: 

    @@ -237,15 +237,15 @@

    Those wishing to use a more elaborate or capable logon processing system should check out these sites: -

    Adding Printers without User Intervention

    - +

    Adding Printers without User Intervention

    + Printers may be added automatically during logon script processing through the use of: 

     C:\> rundll32 printui.dll,PrintUIEntry /?

    See the documentation in the Microsoft Knowledge Base article 189105. -

    Limiting Logon Connections

    +

    Limiting Logon Connections

    Sometimes it is necessary to limit the number of concurrent connections to a Samba shared resource. For example, a site may wish to permit only one network logon per user. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/Appendix.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/Appendix.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/Appendix.html 2005-08-19 13:03:50.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/Appendix.html 2005-12-19 10:23:08.000000000 -0600 @@ -1 +1 @@ -Part VI. Reference Section

    Part VI. Reference Section
    Prev   Next

    Reference Section

    Table of Contents

    40. How to Compile Samba
    Access Samba Source Code via Subversion
    Introduction
    Subversion Access to samba.org
    Accessing the Samba Sources via rsync and ftp
    Verifying Samba's PGP Signature
    Building the Binaries
    Compiling Samba with Active Directory Support
    Starting the smbd nmbd and winbindd
    Starting from inetd.conf
    Alternative: Starting smbd as a Daemon
    41. Portability
    HPUX
    SCO UNIX
    DNIX
    Red Hat Linux
    AIX: Sequential Read Ahead
    Solaris
    Locking Improvements
    Winbind on Solaris 9
    42. Samba and Other CIFS Clients
    Macintosh Clients
    OS2 Client
    Configuring OS/2 Warp Connect or OS/2 Warp 4
    Configuring Other Versions of OS/2
    Printer Driver Download for OS/2 Clients
    Windows for Workgroups
    Latest TCP/IP Stack from Microsoft
    Delete .pwl Files After Password Change
    Configuring Windows for Workgroups Password Handling
    Password Case Sensitivity
    Use TCP/IP as Default Protocol
    Speed Improvement
    Windows 95/98
    Speed Improvement
    Windows 2000 Service Pack 2
    Windows NT 3.1
    43. Samba Performance Tuning
    Comparisons
    Socket Options
    Read Size
    Max Xmit
    Log Level
    Read Raw
    Write Raw
    Slow Logins
    Client Tuning
    Samba Performance Problem Due to Changing Linux Kernel
    Corrupt tdb Files
    Samba Performance is Very Slow
    44. LDAP and Transport Layer Security
    Introduction
    Configuring
    Generating the Certificate Authority
    Generating the Server Certificate
    Installing the Certificates
    Testing
    Troubleshooting
    45. Samba Support
    Free Support
    Commercial Support
    46. DNS and DHCP Configuration Guide
    Features and Benefits
    Example Configuration
    Dynamic DNS
    DHCP Server
    Prev   Next
    Chapter 39. Reporting Bugs Home Chapter 40. How to Compile Samba
    +Part VI. Reference Section
    Part VI. Reference Section
    Prev   Next

    Reference Section

    Table of Contents

    40. How to Compile Samba
    Access Samba Source Code via Subversion
    Introduction
    Subversion Access to samba.org
    Accessing the Samba Sources via rsync and ftp
    Verifying Samba's PGP Signature
    Building the Binaries
    Compiling Samba with Active Directory Support
    Starting the smbd nmbd and winbindd
    Starting from inetd.conf
    Alternative: Starting smbd as a Daemon
    41. Portability
    HPUX
    SCO UNIX
    DNIX
    Red Hat Linux
    AIX: Sequential Read Ahead
    Solaris
    Locking Improvements
    Winbind on Solaris 9
    42. Samba and Other CIFS Clients
    Macintosh Clients
    OS2 Client
    Configuring OS/2 Warp Connect or OS/2 Warp 4
    Configuring Other Versions of OS/2
    Printer Driver Download for OS/2 Clients
    Windows for Workgroups
    Latest TCP/IP Stack from Microsoft
    Delete .pwl Files After Password Change
    Configuring Windows for Workgroups Password Handling
    Password Case Sensitivity
    Use TCP/IP as Default Protocol
    Speed Improvement
    Windows 95/98
    Speed Improvement
    Windows 2000 Service Pack 2
    Windows NT 3.1
    43. Samba Performance Tuning
    Comparisons
    Socket Options
    Read Size
    Max Xmit
    Log Level
    Read Raw
    Write Raw
    Slow Logins
    Client Tuning
    Samba Performance Problem Due to Changing Linux Kernel
    Corrupt tdb Files
    Samba Performance is Very Slow
    44. LDAP and Transport Layer Security
    Introduction
    Configuring
    Generating the Certificate Authority
    Generating the Server Certificate
    Installing the Certificates
    Testing
    Troubleshooting
    45. Samba Support
    Free Support
    Commercial Support
    46. DNS and DHCP Configuration Guide
    Features and Benefits
    Example Configuration
    Dynamic DNS
    DHCP Server
    Prev   Next
    Chapter 39. Reporting Bugs Home Chapter 40. How to Compile Samba
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/Backup.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/Backup.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/Backup.html 2005-08-19 13:03:44.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/Backup.html 2005-12-19 10:23:01.000000000 -0600 @@ -1,33 +1,33 @@ -Chapter 30. Backup Techniques
    Chapter 30. Backup Techniques
    Prev Part III. Advanced Configuration Next

    Chapter 30. Backup Techniques

    John H. Terpstra

    Samba Team

    Table of Contents

    Features and Benefits
    Discussion of Backup Solutions
    BackupPC
    Rsync
    Amanda
    BOBS: Browseable Online Backup System

    Features and Benefits

    - - - - +Chapter 30. Backup Techniques

    Chapter 30. Backup Techniques
    Prev Part III. Advanced Configuration Next

    Chapter 30. Backup Techniques

    John H. Terpstra

    Samba Team

    Table of Contents

    Features and Benefits
    Discussion of Backup Solutions
    BackupPC
    Rsync
    Amanda
    BOBS: Browseable Online Backup System

    Features and Benefits

    + + + + The Samba project is over 10 years old. During the early history of Samba, UNIX administrators were its key implementors. UNIX administrators use UNIX system tools to backup UNIX system files. Over the past 4 years, an increasing number of Microsoft network administrators have taken an interest in Samba. This is reflected in the questions about backup in general on the Samba mailing lists. -

    Discussion of Backup Solutions

    - - +

    Discussion of Backup Solutions

    + + During discussions at a Microsoft Windows training course, one of the pro-UNIX delegates stunned the class when he pointed out that Windows NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set that has an unlimited number of tools that are simple, efficient, and, in combination, capable of achieving any desired outcome.

    - - + + One of the Windows networking advocates retorted that if she wanted a Meccano set, she would buy one. She made it clear that a complex single tool that does more than is needed but does it with a clear purpose and intent is preferred by some like her.

    - - - + + + Please note that all information here is provided as is and without recommendation of fitness or suitability. The network administrator is strongly encouraged to perform due diligence research before implementing any backup solution, whether free @@ -38,31 +38,31 @@ www.allmerchants.com.

    The following three free software projects might also merit consideration. -

    BackupPC

    - - - +

    BackupPC

    + + + BackupPC version 2.0.0 has been released on SourceForge. New features include support for rsync/rsyncd and internationalization of the CGI interface (including English, French, Spanish, and German).

    - - - - - - - - + + + + + + + + BackupPC is a high-performance Perl-based package for backing up Linux, UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly configurable and easy to install and maintain. SMB (via smbclient), tar over rsh/ssh, or rsync/rsyncd are used to extract client data.

    - - - + + + Given the ever-decreasing cost of disks and RAID systems, it is now practical and cost effective to backup a large number of machines onto a server's local disk or network storage. This is what BackupPC does. @@ -71,24 +71,24 @@ space), compression, and a comprehensive CGI interface that allows users to browse backups and restore files.

    - + BackupPC is free software distributed under a GNU GPL license. BackupPC runs on Linux/UNIX/freenix servers and has been tested on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients. -

    Rsync

    - - - - - - +

    Rsync

    + + + + + + rsync is a flexible program for efficiently copying files or directory trees.

    rsync has many options to select which files will be copied and how they are to be transferred. It may be used as an alternative to ftp, http, scp, or rcp.

    - - - + + + The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network link, using an efficient checksum-search algorithm described in the @@ -107,10 +107,10 @@

  • Support for anonymous or authenticated rsync servers (ideal for mirroring). -

    • Amanda

    - - - +

    Amanda

    + + + Amanda, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape drive. Amanda uses native dump and/or @@ -119,8 +119,8 @@

    For more information regarding Amanda, please check the www.amanda.org/ site. -

    BOBS: Browseable Online Backup System

    - +

    BOBS: Browseable Online Backup System

    + Browseable Online Backup System (BOBS) is a complete online backup system. Uses large disks for storing backups and lets users browse the files using a Web browser. Handles some special files like AppleDouble and icon files. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/bugreport.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/bugreport.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/bugreport.html 2005-08-19 13:03:48.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/bugreport.html 2005-12-19 10:23:05.000000000 -0600 @@ -1,6 +1,6 @@ -Chapter 39. Reporting Bugs

    Chapter 39. Reporting Bugs
    Prev Part V. Troubleshooting Next

    Chapter 39. Reporting Bugs

    John H. Terpstra

    Samba Team

    Jelmer R. Vernooij

    The Samba Team

    Andrew Tridgell

    Samba Team

    27 June 1997

    Table of Contents

    Introduction
    General Information
    Debug Levels
    Debugging-Specific Operations
    Internal Errors
    Attaching to a Running Process
    Patches

    Introduction

    - - +Chapter 39. Reporting Bugs

    Chapter 39. Reporting Bugs
    Prev Part V. Troubleshooting Next

    Chapter 39. Reporting Bugs

    John H. Terpstra

    Samba Team

    Jelmer R. Vernooij

    The Samba Team

    Andrew Tridgell

    Samba Team

    27 June 1997

    Table of Contents

    Introduction
    General Information
    Debug Levels
    Debugging-Specific Operations
    Internal Errors
    Attaching to a Running Process
    Patches

    Introduction

    + + Please report bugs using Samba's Bugzilla facilities and take the time to read this file before you submit a bug report. Also, check to see if it has changed between releases, as we may be changing the bug reporting mechanism at some point. @@ -12,9 +12,9 @@ and a fix if you send us a “developer-friendly” bug report that lets us fix it fast.

    - - - + + + If you post the bug to the comp.protocols.smb newsgroup or the mailing list, do not assume that we will read it. If you suspect that your problem is not a bug but a configuration problem, it is better to send @@ -24,7 +24,7 @@ You may also like to look though the recent mailing list archives, which are conveniently accessible on the Samba Web pages at http://samba.org/samba/. -

    General Information

    +

    General Information

    Before submitting a bug report, check your config for silly errors. Look in your log files for obvious messages that tell you've misconfigured something. Run testparm to check your config @@ -42,42 +42,42 @@ 10 showing the problem may be appropriate. A higher level gives more detail but may use too much disk space.

    - - -To set the debug level, use the log level in your + + +To set the debug level, use the log level in your smb.conf. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this, add the following lines to your main smb.conf file: -

    log level = 10
    log file = /usr/local/samba/lib/log.%m
    include = /usr/local/samba/lib/smb.conf.%m

    +

    log level = 10
    log file = /usr/local/samba/lib/log.%m
    include = /usr/local/samba/lib/smb.conf.%m

    and create a file /usr/local/samba/lib/smb.conf.machine where machine is the name of the client you wish to debug. In that file put any -smb.conf commands you want; for example, log level may be useful. This also allows +smb.conf commands you want; for example, log level may be useful. This also allows you to experiment with different security systems, protocol levels, and so on, on just one machine.

    -The smb.conf entry log level is synonymous with the parameter debuglevel that has been used in older versions of Samba and is being retained for backward +The smb.conf entry log level is synonymous with the parameter debuglevel that has been used in older versions of Samba and is being retained for backward compatibility of smb.conf files.

    -As the log level value is increased, you will record a significantly greater level of +As the log level value is increased, you will record a significantly greater level of debugging information. For most debugging operations, you may not need a setting higher than 3. Nearly all bugs can be tracked at a setting of 10, but be prepared for a large volume of log data. -

    Debugging-Specific Operations

    - - - - +

    Debugging-Specific Operations

    + + + + Samba-3.x permits debugging (logging) of specific functional components without unnecessarily cluttering the log files with detailed logs for all operations. An example configuration to achieve this is shown in:

    -

    log level = 0 tdb:3 passdb:5 auth:4 vfs:2
    max log size = 0
    log file = /var/log/samba/%U.%m.log

    +

    log level = 0 tdb:3 passdb:5 auth:4 vfs:2
    max log size = 0
    log file = /var/log/samba/%U.%m.log

    This will cause the level of detail to be expanded to the debug class (log level) passed to each functional area per the value shown above. The first value passed to the log level of 0 means turn off all unnecessary debugging except the debug classes set for the functional areas as specified. The table shown in Debuggable Functions may be used to attain very precise analysis of each SMB operation Samba is conducting. -

    Table 39.1. Debuggable Functions

    Function NameFunction Name
    allpassdb
    tdbsam
    printdriversauth
    lanmanwinbind
    smbvfs
    rpc_parseidmap
    rpc_srvquota
    rpc_cliacls

    Internal Errors

    +

    Table 39.1. Debuggable Functions

    Function NameFunction Name
    allpassdb
    tdbsam
    printdriversauth
    lanmanwinbind
    smbvfs
    rpc_parseidmap
    rpc_srvquota
    rpc_cliacls

    Internal Errors

    If you get the message “INTERNAL ERROR” in your log files, it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless @@ -91,35 +91,35 @@ You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.

    - + You may also find that a core file appeared in a corefiles subdirectory of the directory where you keep your Samba log files. This file is the most useful tool for tracking down the bug. To use it, you do this: - - + + 

     $ gdb smbd core

    - - + + adding appropriate paths to smbd and core so gdb can find them. If you do not have gdb, try dbx. Then within the debugger, use the command where to give a stack trace of where the problem occurred. Include this in your report.

    - + If you know any assembly language, do a disass of the routine where the problem occurred (if it's in a library routine, then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you do not know assembly, including this information in the bug report can be useful. -

    Attaching to a Running Process

    - - - +

    Attaching to a Running Process

    + + + Unfortunately, some UNIXes (in particular some recent Linux kernels) refuse to dump a core file if the task has changed UID (which smbd does often). To debug with this sort of system, you could try to attach @@ -145,12 +145,12 @@ 

     root#  gdb /usr/local/samba/sbin/smbd

    - + then “attach `pid'” (of the spinning process), then type “bt” to get a backtrace to see where the smbd is in the call path. -

    Patches

    - - +

    Patches

    + + The best sort of bug report is one that includes a fix! If you send us patches, please use diff -u format if your version of diff supports it; otherwise, use diff -c4. Make sure diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2005-08-19 13:03:45.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2005-12-19 10:23:02.000000000 -0600 @@ -1,52 +1,52 @@ -Chapter 33. Advanced Configuration Techniques

    Chapter 33. Advanced Configuration Techniques
    Prev Part III. Advanced Configuration Next

    Chapter 33. Advanced Configuration Techniques

    John H. Terpstra

    Samba Team

    June 30, 2005

    Table of Contents

    Implementation
    Multiple Server Hosting
    Multiple Virtual Server Personalities
    Multiple Virtual Server Hosting

    - - +Chapter 33. Advanced Configuration Techniques

    Chapter 33. Advanced Configuration Techniques
    Prev Part III. Advanced Configuration Next

    Chapter 33. Advanced Configuration Techniques

    John H. Terpstra

    Samba Team

    June 30, 2005

    Table of Contents

    Implementation
    Multiple Server Hosting
    Multiple Virtual Server Personalities
    Multiple Virtual Server Hosting

    + + Since the release of the first edition of this book there have been repeated requests to better document configuration techniques that may help a network administrator to get more out of Samba. Some users have asked -for documentation regarding the use of the include = file-name parameter. +for documentation regarding the use of the include = file-name parameter.

    - - + + Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on one machine. There has also been an interest in the hosting of multiple Samba server personalities on one server.

    - - + + Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an answer the questions that have to date not been adequately addressed. Additional user input is welcome as it will help this chapter to mature. What is presented here is just a small beginning.

    - - - + + + There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server hosting makes it possible to host multiple domain controllers on one machine. Each such machine is independent, and each can be stopped or started without affecting another.

    - - - + + + Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case, only domain member machines and domain users can access the DMS, but even guest users can access the generic print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server is to host a CDROM server.

    - - + + Some environments dictate the need to have separate servers, each with their own resources, each of which are accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba can replace many physical Windows servers in one Samba installation. -

    Implementation

    -

    Multiple Server Hosting

    - - - - - - - +

    Implementation

    +

    Multiple Server Hosting

    + + + + + + + The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own configuration file. This method is complicated by the fact that each instance of nmbd, smbd and winbindd must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by @@ -54,78 +54,78 @@ own default TDB directories, or by configuring these in the smb.conf file, in which case each instance of nmbd, smbd and winbindd must be told to start up with its own smb.conf configuration file.

    - - - - + + + + Each instance should operate on its own IP address (that independent IP address can be an IP Alias). Each instance of nmbd, smbd and winbindd should listen only on its own IP socket. This can be secured -using the socket address parameter. Each instance of the Samba server will have its +using the socket address parameter. Each instance of the Samba server will have its own SID also, this means that the servers are discrete and independent of each other.

    - - - - - - - - - + + + + + + + + + The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of process management and start up. The smb.conf parameters that must be carefully configured includes: -private dir, pid directory,lock directory, interfaces, bind interfaces only, netbios name, workgroup, socket address. +private dir, pid directory,lock directory, interfaces, bind interfaces only, netbios name, workgroup, socket address.

    - - - + + + Those who elect to create multiple Samba servers should have the ability to read and follow the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team. -

    Multiple Virtual Server Personalities

    - - - +

    Multiple Virtual Server Personalities

    + + + Samba has the ability to host multiple virtual servers, each of which have their own personality. This is achieved by configuring an smb.conf file that is common to all personalities hosted. Each server -personality is hosted using its own netbios alias name, and each has its own distinct -[global] section. Each server may have its own stanzas for services and meta-services. +personality is hosted using its own netbios alias name, and each has its own distinct +[global] section. Each server may have its own stanzas for services and meta-services.

    - - - + + + When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup. Only the primary server can be a domain member or a domain controller. The personality is defined by the -combination of the security mode it is operating in, the netbios aliases it has, and the workgroup that is defined for it. +combination of the security mode it is operating in, the netbios aliases it has, and the workgroup that is defined for it.

    - - - - - - + + + + + + This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services. -If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result +If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain the functionality that is specified in the primary smb.conf file. The use of NetBIOS over TCP/IP using only -TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139, or if +TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139, or if the value of this parameter is set at 139 445 then the %L macro is not serviceable.

    - - - - + + + + It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB port), in which case the %i macro can be used to provide separate server identities (by -IP Address). Each can have its own security mode. It will be necessary to use the -interfaces, bind interfaces only and IP aliases in addition to -the netbios name parameters to create the virtual servers. This method is considerably +IP Address). Each can have its own security mode. It will be necessary to use the +interfaces, bind interfaces only and IP aliases in addition to +the netbios name parameters to create the virtual servers. This method is considerably more complex than that using NetBIOS names only using TCP port 139.

    - + Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here @@ -135,46 +135,46 @@ The CDROM server is called CDSERVER and its workgroup is ARTSDEPT. A possible implementation is shown here:

    - - - - + + + + The smb.conf file for the master server is shown in Elastic smb.conf File. This file is placed in the /etc/samba directory. Only the nmbd and the smbd daemons are needed. When started the server will appear in Windows Network Neighborhood as the machine ELASTIC under the workgroup ROBINSNEST. It is helpful if the Windows clients that must access this server are also in the workgroup ROBINSNEST as this will make browsing much more reliable. -

    Example 33.1. Elastic smb.conf File

    # Global parameters
    [global]
    workgroup = ROBINSNEST
    netbios name = ELASTIC
    netbios aliases = CDSERVER
    smb ports = 139
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups
    include = /etc/samba/smb-%L.conf
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

    - +

    Example 33.1. Elastic smb.conf File

    # Global parameters
    [global]
    workgroup = ROBINSNEST
    netbios name = ELASTIC
    netbios aliases = CDSERVER
    smb ports = 139
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups
    include = /etc/samba/smb-%L.conf
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

    + The configuration file for the CDROM server is listed in CDROM Server smb-cdserver.conf file. This file is called smb-cdserver.conf and it should be located in the /etc/samba directory. Machines that are in the workgroup ARTSDEPT will be able to browse this server freely. -

    Example 33.2. CDROM Server smb-cdserver.conf file

    # Global parameters
    [global]
    workgroup = ARTSDEPT
    netbios name = CDSERVER
    map to guest = Bad User
    guest ok = Yes
    [carousel]
    comment = CDROM Share
    path = /export/cddata
    read only = Yes
    guest ok = Yes

    - - - - +

    Example 33.2. CDROM Server smb-cdserver.conf file

    # Global parameters
    [global]
    workgroup = ARTSDEPT
    netbios name = CDSERVER
    map to guest = Bad User
    guest ok = Yes
    [carousel]
    comment = CDROM Share
    path = /export/cddata
    read only = Yes
    guest ok = Yes

    + + + + The two servers have different resources and are in separate workgroups. The server ELASTIC can only be accessed by uses who have an appropriate account on the host server. All users will be able to access the CDROM data that is stored in the /export/cddata directory. File system permissions should set so that the others user has read-only access to the directory and its contents. The files can be owned by root (any user other than the nobody account). -

    Multiple Virtual Server Hosting

    - - - +

    Multiple Virtual Server Hosting

    + + + In this example, the requirement is for a primary domain controller for the domain called MIDEARTH. The PDC will be called MERLIN. An extra machine called SAURON is required. Each machine will have only its own shares. Both machines belong to the same domain/workgroup.

    - - - + + + The master smb.conf file is shown in the Master smb.conf File Global Section. The two files that specify the share information for each server are shown in the smb-merlin.conf File Share Section, and the smb-sauron.conf File Share Section. All three files are locate in the /etc/samba directory. -

    Example 33.3. Master smb.conf File Global Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    netbios aliases = SAURON
    passdb backend = tdbsam
    smb ports = 139
    syslog = 0
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    printing = CUPS
    include = /etc/samba/smb-%L.conf

    Example 33.4. MERLIN smb-merlin.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [netlogon]
    comment = NETLOGON
    path = /var/lib/samba/netlogon
    read only = Yes
    browseable = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    use client driver = Yes
    browseable = No

    Example 33.5. SAURON smb-sauron.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = SAURON
    [www]
    comment = Web Pages
    path = /srv/www/htdocs
    read only = No
    Prev Up Next
    Chapter 32. Handling Large Directories Home Part IV. Migration and Updating
    +

    Example 33.3. Master smb.conf File Global Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    netbios aliases = SAURON
    passdb backend = tdbsam
    smb ports = 139
    syslog = 0
    printcap name = CUPS
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts\login.bat
    logon path =
    logon drive = X:
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    printing = CUPS
    include = /etc/samba/smb-%L.conf

    Example 33.4. MERLIN smb-merlin.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = MERLIN
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    [office]
    comment = Data
    path = /data
    read only = No
    [netlogon]
    comment = NETLOGON
    path = /var/lib/samba/netlogon
    read only = Yes
    browseable = No
    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    use client driver = Yes
    browseable = No

    Example 33.5. SAURON smb-sauron.conf File Share Section

    # Global parameters
    [global]
    workgroup = MIDEARTH
    netbios name = SAURON
    [www]
    comment = Web Pages
    path = /srv/www/htdocs
    read only = No
    Prev Up Next
    Chapter 32. Handling Large Directories Home Part IV. Migration and Updating
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/ch45.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/ch45.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/ch45.html 2005-08-19 13:03:50.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/ch45.html 2005-12-19 10:23:08.000000000 -0600 @@ -1,9 +1,9 @@ -Chapter 45. Samba Support
    Chapter 45. Samba Support
    Prev Part VI. Reference Section Next

    Chapter 45. Samba Support

    Table of Contents

    Free Support
    Commercial Support

    - +Chapter 45. Samba Support

    Chapter 45. Samba Support
    Prev Part VI. Reference Section Next

    Chapter 45. Samba Support

    Table of Contents

    Free Support
    Commercial Support

    + One of the most difficult to answer questions in the information technology industry is, “What is support?”. That question irritates some folks, as much as common answers may annoy others.

    - + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: “Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.

    - - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.

    - - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.

    - - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -

    Free Support

    - - - - - - +

    Free Support

    + + + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.

    - - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.

    - - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.

    - - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.

    - + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -

    Commercial Support

    +

    Commercial Support

    There are six basic support oriented services that are most commonly sought by Samba sites:

    • Assistance with network design

    • Staff Training

    • Assistance with Samba network deployment and installation

    • Priority telephone or email Samba configuration assistance

    • Trouble-shooting and diagnostic assistance

    • Provision of quality assured ready-to-install Samba binary packages

    - - + + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.

    - + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.

    - + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2005-08-19 13:03:50.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2005-12-19 10:23:07.000000000 -0600 @@ -1,40 +1,40 @@ Chapter 44. LDAP and Transport Layer Security

    Chapter 44. LDAP and Transport Layer Security
    Prev Part VI. Reference Section Next

    Chapter 44. LDAP and Transport Layer Security

    Table of Contents

    Introduction
    Configuring
    Generating the Certificate Authority
    Generating the Server Certificate
    Installing the Certificates
    Testing
    Troubleshooting

    Introduction

    - - + + Up until now, we have discussed the straightforward configuration of OpenLDAP™, with some advanced features such as ACLs. This does not however, deal with the fact that the network transmissions are still in plain text. This is where Transport Layer Security (TLS) comes in.

    - + OpenLDAP™ clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections in accordance with RFC 2830; Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security.

    - + TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates are optional. We will only be discussing server certificates.

    Tip

    - - - + + + The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC2830.

    We will discuss this more in the next sections.

    Configuring

    - + Now on to the good bit.

    Generating the Certificate Authority

    - + In order to create the relevant certificates, we need to become our own Certificate Authority (CA). - [8] This is necessary, so we can sign the server certificate. + [8] This is necessary, so we can sign the server certificate.

    - - We will be using the OpenSSL [9] software for this, which is included with every great Linux® distribution. + + We will be using the OpenSSL [9] software for this, which is included with every great Linux® distribution.

    - TLS is used for many types of servers, but the instructions[10] presented here, are tailored for OpenLDAP. + TLS is used for many types of servers, but the instructions[10] presented here, are tailored for OpenLDAP.

    Note

    The Common Name (CN), in the following example, MUST be the fully qualified domain name (FQDN) of your ldap server. @@ -51,7 +51,7 @@ root# cd myCA

    - Now generate the CA:[11] + Now generate the CA:[11] 

     
 root#  /usr/share/ssl/misc/CA.pl -newca
@@ -209,7 +209,7 @@
 	
    
 	That's all there is to it. Now on to the section called “Testing”

    Testing

    - + This is the easy part. Restart the server: 

     
@@ -220,7 +220,7 @@

    Then, using ldapsearch, test an anonymous search with the - -ZZ[12] option: + -ZZ[12] option: 

     
 root#  ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
@@ -265,7 +265,7 @@

    If you have any problems, please read the section called “Troubleshooting”

    Troubleshooting

    - + The most common error when configuring TLS, as I have already mentioned numerous times, is that the Common Name (CN) you entered in the section called “Generating the Server Certificate” is NOT the Fully Qualified Domain Name (FQDN) of your ldap server. @@ -275,13 +275,13 @@ files. They should be set with chmod 640, as per the section called “Installing the Certificates”.

    For anything else, it's best to read through your ldap logfile or join the OpenLDAP mailing list. -


    [8] We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which +


    [8] We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which you pay for, or the free ones, via CAcert -

    [9] The downside to +

    [9] The downside to making our own CA, is that the certificate is not automatically recognized by clients, like the commercial - ones are.

    [10] For information straight from the + ones are.

    [10] For information straight from the horse's mouth, please visit http://www.openssl.org/docs/HOWTO/; the main OpenSSL - site.

    [11] Your CA.pl or CA.sh might not be + site.

    [11] Your CA.pl or CA.sh might not be in the same location as mine is, you can find it by using the locate command, i.e., locate CA.pl. If the command complains about the database being too old, run - updatedb as root to update it.

    [12] See man ldapsearch

    Prev Up Next
    Chapter 43. Samba Performance Tuning Home Chapter 45. Samba Support
    + updatedb as root to update it.

    [12] See man ldapsearch

    Prev Up Next
    Chapter 43. Samba Performance Tuning Home Chapter 45. Samba Support
    diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/classicalprinting.html samba-3.0.21/docs/htmldocs/Samba3-HOWTO/classicalprinting.html --- samba-3.0.20b/docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2005-08-19 13:03:35.000000000 -0500 +++ samba-3.0.21/docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2005-12-19 10:22:50.000000000 -0600 @@ -1,22 +1,22 @@ -Chapter 20. Classical Printing Support
    Chapter 20. Classical Printing Support
    Prev Part III. Advanced Configuration Next

    Chapter 20. Classical Printing Support

    Kurt Pfeifle

    Danka Deutschland GmbH

    Gerald (Jerry) Carter

    Samba Team

    John H. Terpstra

    Samba Team

    May 31, 2003

    Table of Contents

    Features and Benefits
    Technical Introduction
    Client to Samba Print Job Processing
    Printing-Related Configuration Parameters
    Simple Print Configuration
    Verifying Configuration with testparm
    Rapid Configuration Validation
    Extended Printing Configuration
    Detailed Explanation Settings
    Printing Developments Since Samba-2.2
    Point'n'Print Client Drivers on Samba Servers
    The Obsoleted [printer$] Section
    Creating the [print$] Share
    [print$] Stanza Parameters
    The [print$] Share Directory
    Installing Drivers into [print$]
    Add Printer Wizard Driver Installation
    Installing Print Drivers Using rpcclient
    Client Driver Installation Procedure
    First Client Driver Installation
    Setting Device Modes on New Printers
    Additional Client Driver Installation
    Always Make First Client Connection as root or “printer admin
    Other Gotchas
    Setting Default Print Options for Client Drivers
    Supporting Large Numbers of Printers
    Adding New Printers with the Windows NT APW
    Error Message: “Cannot connect under a different Name
    Take Care When Assembling Driver Files
    Samba and Printer Ports
    Avoiding Common Client Driver Misconfiguration
    The Imprints Toolset
    What Is Imprints?
    Creating Printer Driver Packages
    The Imprints Server
    The Installation Client
    Adding Network Printers without User Interaction
    The addprinter Command
    Migration of Classical Printing to Samba
    Publishing Printer Information in Active Directory or LDAP
    Common Errors
    I Give My Root Password but I Do Not Get Access
    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    Features and Benefits

    - +Chapter 20. Classical Printing Support

    Chapter 20. Classical Printing Support
    Prev Part III. Advanced Configuration Next

    Chapter 20. Classical Printing Support

    Kurt Pfeifle

    Danka Deutschland GmbH

    Gerald (Jerry) Carter

    Samba Team

    John H. Terpstra

    Samba Team

    May 31, 2003

    Table of Contents

    Features and Benefits
    Technical Introduction
    Client to Samba Print Job Processing
    Printing-Related Configuration Parameters
    Simple Print Configuration
    Verifying Configuration with testparm
    Rapid Configuration Validation
    Extended Printing Configuration
    Detailed Explanation Settings
    Printing Developments Since Samba-2.2
    Point'n'Print Client Drivers on Samba Servers
    The Obsoleted [printer$] Section
    Creating the [print$] Share
    [print$] Stanza Parameters
    The [print$] Share Directory
    Installing Drivers into [print$]
    Add Printer Wizard Driver Installation
    Installing Print Drivers Using rpcclient
    Client Driver Installation Procedure
    First Client Driver Installation
    Setting Device Modes on New Printers
    Additional Client Driver Installation
    Always Make First Client Connection as root or “printer admin
    Other Gotchas
    Setting Default Print Options for Client Drivers
    Supporting Large Numbers of Printers
    Adding New Printers with the Windows NT APW
    Error Message: “Cannot connect under a different Name
    Take Care When Assembling Driver Files
    Samba and Printer Ports
    Avoiding Common Client Driver Misconfiguration
    The Imprints Toolset
    What Is Imprints?
    Creating Printer Driver Packages
    The Imprints Server
    The Installation Client
    Adding Network Printers without User Interaction
    The addprinter Command
    Migration of Classical Printing to Samba
    Publishing Printer Information in Active Directory or LDAP
    Common Errors
    I Give My Root Password but I Do Not Get Access
    My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost

    Features and Benefits

    + Printing is often a mission-critical service for the users. Samba can provide this service reliably and seamlessly for a client network consisting of Windows workstations.

    - - - - - - - - - - - - - - + + + + + + + + + + + + + + A Samba print service may be run on a standalone or domain member server, side by side with file serving functions, or on a dedicated print server. It can be made as tightly or as loosely secured as needs dictate. Configurations may be simple or complex. Available authentication schemes are essentially the same as @@ -30,23 +30,23 @@ page and supplying the raw data for all sorts of statistical reports) is required, this function is best supported by the newer Common UNIX Printing System (CUPS) as the print subsystem underneath the Samba hood.

    - - + + This chapter outlines the fundamentals of Samba printing as implemented by the more traditional UNIX BSD- and System V-style printing systems. Much of the information in this chapter applies also to CUPS. If you use CUPS, you may be tempted to jump to the next chapter, but you will certainly miss a few things if you do. For further information refer to CUPS Printing Support.

    Note

    - - - + + + Most of the following examples have been verified on Windows XP Professional clients. Where this document describes the responses to commands given, bear in mind that Windows 200x/XP clients are quite similar but may differ in minor details. Windows NT4 is somewhat different again. -

    Technical Introduction

    - - - +

    Technical Introduction

    + + + Samba's printing support always relies on the installed print subsystem of the UNIX OS it runs on. Samba is a middleman. It takes print files from Windows (or other SMB) clients and passes them to the real printing system for further processing; therefore, it needs to communicate with both sides: the Windows print @@ -54,42 +54,42 @@ of which behave differently, as well as the various UNIX print subsystems, which themselves have different features and are accessed differently.

    - - + + This chapter deals with the traditional way of UNIX printing. The next chapter covers in great detail the more modern CUPS.

    Important

    - + CUPS users, be warned: do not just jump on to the next chapter. You might miss important information only found here!

    - - - - + + + + It is apparent from postings on the Samba mailing list that print configuration is one of the most problematic aspects of Samba administration today. Many new Samba administrators have the impression that Samba performs some sort of print processing. Rest assured, Samba does not perform any type of print processing. It does not do any form of print filtering.

    - - - - + + + + Samba obtains from its clients a data stream (print job) that it spools to a local spool area. When the entire print job has been received, Samba invokes a local UNIX/Linux print command and passes the spooled file to it. It is up to the local system printing subsystems to correctly process the print job and to submit it to the printer. -

    Client to Samba Print Job Processing

    +

    Client to Samba Print Job Processing

    Successful printing from a Windows client via a Samba print server to a UNIX printer involves six (potentially seven) stages:

    1. Windows opens a connection to the printer share.

    2. Samba must authenticate the user.

    3. Windows sends a copy of the print file over the network into Samba's spooling area.

    4. Windows closes the connection.

    5. Samba invokes the print command to hand the file over to the UNIX print subsystem's spooling area.

    6. The UNIX print subsystem processes the print job.

    7. The print file may need to be explicitly deleted from the Samba spooling area. This item depends on your print spooler - configuration settings.

    Printing-Related Configuration Parameters

    - - - + configuration settings.

    Printing-Related Configuration Parameters

    + + + There are a number of configuration parameters to control Samba's printing behavior. Please refer to the man page for smb.conf for an overview of these. As with other parameters, there are global-level (tagged with a G in the listings) and service-level (S) parameters. @@ -103,20 +103,20 @@ or service-level shares (provided they do not have a different setting defined for the same parameter, thus overriding the global default). -

    Simple Print Configuration

    - - - - +

    Simple Print Configuration

    + + + + Simple Configuration with BSD Printing shows a simple printing configuration. If you compare this with your own, you may find additional parameters that have been preconfigured by your OS vendor. Following is a discussion and explanation of the parameters. This example does not use many parameters. However, in many environments these are enough to provide a valid smb.conf file that enables all clients to print. -

    Example 20.1. Simple Configuration with BSD Printing

    [global]
    printing = bsd
    load printers = yes
    [printers]
    path = /var/spool/samba
    printable = yes
    public = yes
    writable = no

    - - - +

    Example 20.1. Simple Configuration with BSD Printing

    [global]
    printing = bsd
    load printers = yes
    [printers]
    path = /var/spool/samba
    printable = yes
    public = yes
    writable = no

    + + + This is only an example configuration. Samba assigns default values to all configuration parameters. The defaults are conservative and sensible. When a parameter is specified in the smb.conf file, this overwrites the default value. The testparm utility when run as root is capable of reporting all @@ -124,26 +124,26 @@ misconfigured settings. The complete output is easily 360 lines and more, so you may want to pipe it through a pager program.

    - - - + + + The syntax for the configuration file is easy to grasp. You should know that is not very picky about its syntax. As has been explained elsewhere in this book, Samba tolerates some spelling errors (such as -browseable instead of browsable), and spelling is +browseable instead of browsable), and spelling is case-insensitive. It is permissible to use Yes/No or True/False for Boolean settings. Lists of names may be separated by commas, spaces, or tabs. -

    Verifying Configuration with testparm

    - - - - - - - - - - - +

    Verifying Configuration with testparm

    + + + + + + + + + + + To see all (or at least most) printing-related settings in Samba, including the implicitly used ones, try the command outlined below. This command greps for all occurrences of lp, print, spool, driver, @@ -194,14 +194,14 @@ The testparm in Samba-3 behaves differently from that in 2.2.x: used without the “-v” switch, it only shows you the settings actually written into! To see the complete configuration used, add the “-v” parameter to testparm. -

    Rapid Configuration Validation

    - - - - +

    Rapid Configuration Validation

    + + + + Should you need to troubleshoot at any stage, please always come back to this point first and verify if testparm shows the parameters you expect. To give you a warning from personal experience, -try to just comment out the load printers parameter. If your 2.2.x system behaves like +try to just comment out the load printers parameter. If your 2.2.x system behaves like mine, you'll see this: 

     root# grep "load printers" /etc/samba/smb.conf
@@ -211,8 +211,8 @@
 root# testparm -v /etc/samba/smb.conf | egrep "(load printers)"
         load printers = Yes

    - - + + I assumed that commenting out of this setting should prevent Samba from publishing my printers, but it still did. It took some time to figure out the reason. But I am no longer fooled ... at least not by this. @@ -226,8 +226,8 @@ root# testparm -s -v smb.conf.simpleprinting | egrep "(load printers)" load printers = No

    - -Only when the parameter is explicitly set to load printers = No would + +Only when the parameter is explicitly set to load printers = No would Samba conform with my intentions. So, my strong advice is:

    • Never rely on commented-out parameters.

    • Always set parameters explicitly as you intend them to behave.

    • Use testparm to uncover hidden @@ -237,8 +237,8 @@ root# cat /etc/samba/smb.conf-minimal [printers]

      - - + + This example should show that you can use testparm to test any Samba configuration file. Actually, we encourage you not to change your working system (unless you know exactly what you are doing). Don't rely on the assumption that changes will only take effect after you restart smbd! @@ -276,10 +276,10 @@

      testparm issued two warnings:

      • We did not specify the [printers] section as printable.

      • We did not tell Samba which spool directory to use.

      - - - - + + + + However, this was not fatal, and Samba will default to values that will work. Please, do not rely on this and do not use this example. This was included to encourage you to be careful to design and specify your setup to do precisely what you require. The outcome on your system may vary for some parameters given, since Samba may @@ -288,15 +288,15 @@ put the comment sign at the front). At first I regarded this as a bug in my Samba versions. But the man page clearly says: Internal whitespace in a parameter value is retained verbatim. This means that a line consisting of, for example, -

      # This defines LPRng as the printing system
      printing = lprng

      +

      # This defines LPRng as the printing system
      printing = lprng

      will regard the whole of the string after the = sign as the value you want to define. This is an invalid value that will be ignored, and a default value will be used in its place. -

    Extended Printing Configuration

    - - - - +

    Extended Printing Configuration

    + + + + Extended BSD Printing Configuration shows a more verbose configuration for print-related settings in a BSD-style printing environment. What follows is a discussion and explanation of the various parameters. We chose to use BSD-style printing here because it is still the most commonly used @@ -304,68 +304,68 @@ separate chapter. The example explicitly names many parameters that do not need to be specified because they are set by default. You could use a much leaner smb.conf file, or you can use testparm or SWAT to optimize the smb.conf file to remove all parameters that are set at default. -

    Example 20.2. Extended BSD Printing Configuration

    [global]
    printing = bsd
    load printers = yes
    show add printer wizard = yes
    printcap name = /etc/printcap
    printer admin = @ntadmin, root
    max print jobs = 100
    lpq cache time = 20
    use client driver = no
    [printers]
    comment = All Printers
    printable = yes
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    public = yes
    read only = yes
    writable = no
    [my_printer_name]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = kurt
    browseable = yes
    printable = yes
    writable = no
    hosts allow = 0.0.0.0
    hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60
    guest ok = no

    - - - +

    Example 20.2. Extended BSD Printing Configuration

    [global]
    printing = bsd
    load printers = yes
    show add printer wizard = yes
    printcap name = /etc/printcap
    printer admin = @ntadmin, root
    max print jobs = 100
    lpq cache time = 20
    use client driver = no
    [printers]
    comment = All Printers
    printable = yes
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    public = yes
    read only = yes
    writable = no
    [my_printer_name]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = kurt
    browseable = yes
    printable = yes
    writable = no
    hosts allow = 0.0.0.0
    hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60
    guest ok = no

    + + + This is an example configuration. You may not find all the settings that are in the configuration file that was provided by the OS vendor. Samba configuration parameters, if not explicitly set, default to a sensible value. To see all settings, as root use the testparm utility. testparm gives warnings for misconfigured settings. -

    Detailed Explanation Settings

    +

    Detailed Explanation Settings

    The following is a discussion of the settings from Extended BSD Printing Configuration Extended BSD Printing Configuration. -

    The [global] Section

    - - - - +

    The [global] Section

    + + + + The [global] section is one of four special sections (along with [homes], [printers], and [print$]). The [global] contains all parameters that apply to the server as a whole. It is the place for parameters that have only a global meaning. It may also contain service-level parameters that define default settings for all other sections and shares. This way you can simplify the configuration and avoid setting the same value repeatedly. (Within each individual section or share, you may, however, override these globally set share settings and specify other values). -

    printing = bsd

    - - - - - - - - - - - - +

    printing = bsd

    + + + + + + + + + + + + Causes Samba to use default print commands applicable for the BSD (also known as RFC 1179 style or LPR/LPD) printing system. In general, the printing parameter informs Samba about the print subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, and PLP. Each of these - systems defaults to a different print command (and other queue control commands). + systems defaults to a different print command (and other queue control commands).

    Caution

    - - - The printing parameter is normally a service-level parameter. Since it is included + + + The printing parameter is normally a service-level parameter. Since it is included here in the [global] section, it will take effect for all printer shares that are not defined differently. Samba-3 no longer supports the SOFTQ printing system. -

    load printers = yes

    - - - - +

    load printers = yes

    + + + + Tells Samba to create automatically all available printer shares. Available printer shares are discovered by scanning the printcap file. All created printer shares are also loaded for browsing. If you use this parameter, you do not need to specify separate shares for each printer. Each automatically created printer share will clone the configuration options found in the [printers] section. (The load printers = no setting will allow you to specify each UNIX printer you want to share separately, leaving out some you do not want to be publicly visible and available). -

    show add printer wizard = yes

    - - - - - +

    show add printer wizard = yes

    + + + + + Setting is normally enabled by default (even if the parameter is not specified in smb.conf). It causes the Add Printer Wizard icon to appear in the Printers folder of the Samba host's share listing (as shown in Network Neighborhood or by the net @@ -373,78 +373,78 @@ it out will not suffice). The Add Printer Wizard lets you upload a printer driver to the [print$] share and associate it with a printer (if the respective queue exists before the action), or exchange a printer's driver for any other previously uploaded driver. -

    max print jobs = 100

    - +

    max print jobs = 100

    + Sets the upper limit to 100 print jobs being active on the Samba server at any one time. Should a client submit a job that exceeds this number, a "no more space available on server" type of error message will be returned by Samba to the client. A setting of zero (the default) means there is no limit at all. -

    printcap name = /etc/printcap

    - - - +

    printcap name = /etc/printcap

    + + + Tells Samba where to look for a list of available printer names. Where CUPS is used, make sure that a printcap file is written. This is controlled by the Printcap directive in the cupsd.conf file. -

    printer admin = @ntadmin

    - - - - +

    printer admin = @ntadmin

    + + + + Members of the ntadmin group should be able to add drivers and set printer properties (ntadmin is only an example name; it needs to be a valid UNIX group name); root is - implicitly always a printer admin. The @ sign precedes group names + implicitly always a printer admin. The @ sign precedes group names in the /etc/group. A printer admin can do anything to printers via the remote administration interfaces offered by MS-RPC (see Printing Developments Since - Samba-2.2). In larger installations, the printer admin parameter is normally a + Samba-2.2). In larger installations, the printer admin parameter is normally a per-share parameter. This permits different groups to administer each printer share. -

    lpq cache time = 20

    - - +

    lpq cache time = 20

    + + Controls the cache time for the results of the lpq command. It prevents the lpq command being called too often and reduces the load on a heavily used print server. -

    use client driver = no

    - +

    use client driver = no

    + If set to yes, only takes effect for Windows NT/200x/XP clients (and not for Win 95/98/ME). Its default value is No (or False). It must not be enabled on print shares (with a yes or true setting) that have valid drivers installed on the Samba server. For more detailed explanations, see the smb.conf man page.

    The [printers] Section

    - - + + The printers section is the second special section. If a section with this name appears in the smb.conf, users are able to connect to any printer specified in the Samba host's printcap file, because Samba on startup then creates a printer share for every printer name it finds in the printcap file. You could regard this section as a convenient shortcut to share all printers with minimal configuration. It is also a container for settings that should apply as default to all printers. (For more details, see the smb.conf man page.) Settings inside this container must be share-level parameters. -

    comment = All printers

    - The comment is shown next to the share if +

    comment = All printers

    + The comment is shown next to the share if a client queries the server, either via Network Neighborhood or with the net view command, to list available shares. -

    printable = yes

    +

    printable = yes

    The [printers] service must be declared as printable. If you specify otherwise, smbd will refuse to load at startup. This parameter allows connected clients to open, write to, and submit spool files - into the directory specified with the path + into the directory specified with the path parameter for this service. It is used by Samba to differentiate printer shares from file shares. -

    path = /var/spool/samba

    +

    path = /var/spool/samba

    Must point to a directory used by Samba to spool incoming print files. It must not be the same as the spool directory specified in the configuration of your UNIX print subsystem! The path typically points to a directory that is world writable, with the sticky bit set to it. -

    browseable = no

    +

    browseable = no

    Is always set to no if - printable = yes. It makes + printable = yes. It makes the [printer] share itself invisible in the list of available shares in a net view command or in the Explorer browse list. (You will of course see the individual printers.) -

    guest ok = yes

    +

    guest ok = yes

    If this parameter is set to yes, no password is required to connect to the printer's service. Access will be granted with the privileges of the - guest account. On many systems the guest + guest account. On many systems the guest account will map to a user named "nobody." This user will usually be found in the UNIX passwd file with an empty password, but with no valid UNIX login. On some systems the guest account might not have the privilege to be able to print. Test this @@ -452,65 +452,65 @@ print command like:

    lpr -P printername /etc/motd -

    public = yes

    - Is a synonym for guest ok = yes. - Since we have guest ok = yes, it +

    public = yes

    + Is a synonym for guest ok = yes. + Since we have guest ok = yes, it really does not need to be here. (This leads to the interesting question, “What if I by accident have two contradictory settings for the same share?” The answer is that the last one encountered by Samba wins. testparm does not complain about different settings of the same parameter for the same share. You can test this by setting up multiple lines for the guest account parameter with different usernames, and then run testparm to see which one is actually used by Samba.) -

    read only = yes

    +

    read only = yes

    Normally (for other types of shares) prevents users from creating or modifying files in the service's directory. However, in a printable service, it is always allowed to write to the directory (if user privileges allow the connection), but only via print spooling operations. Normal write operations are not permitted. -

    writable = no

    - Is a synonym for read only = yes. -

    Any [my_printer_name] Section

    - - +

    writable = no

    + Is a synonym for read only = yes. +

    Any [my_printer_name] Section

    + + If a [my_printer_name] section appears in the smb.conf file, which includes the -parameter printable = yes Samba will configure it as a printer share. +parameter printable = yes Samba will configure it as a printer share. Windows 9x/Me clients may have problems with connecting or loading printer drivers if the share name has more than eight characters. Do not name a printer share with a name that may conflict with an existing user or file share name. On client connection requests, Samba always tries to find file shares with that name first. If it finds one, it will connect to this and will not connect to a printer with the same name! -

    comment = Printer with Restricted Access

    +

    comment = Printer with Restricted Access

    The comment says it all. -

    path = /var/spool/samba_my_printer

    +

    path = /var/spool/samba_my_printer

    Sets the spooling area for this printer to a directory other than the default. It is not necessary to set it differently, but the option is available. -

    printer admin = kurt

    +

    printer admin = kurt

    The printer admin definition is different for this explicitly defined printer share from the general [printers] share. It is not a requirement; we did it to show that it is possible. -

    browseable = yes

    +

    browseable = yes

    This makes the printer browseable so the clients may conveniently find it when browsing the Network Neighborhood. -

    printable = yes

    +

    printable = yes

    See Section 20.4.1.2. -

    writable = no

    +

    writable = no

    See Section 20.4.1.2. -

    hosts allow = 10.160.50.,10.160.51.

    - Here we exercise a certain degree of access control by using the hosts allow - and hosts deny parameters. This is not by any means a safe bet. It is not a +

    hosts allow = 10.160.50.,10.160.51.

    + Here we exercise a certain degree of access control by using the hosts allow + and hosts deny parameters. This is not by any means a safe bet. It is not a way to secure your printers. This line accepts all clients from a certain subnet in a first evaluation of access control. -

    hosts deny = turbo_xp,10.160.50.23,10.160.51.60

    +

    hosts deny = turbo_xp,10.160.50.23,10.160.51.60

    All listed hosts are not allowed here (even if they belong to the allowed subnets). As you can see, you could name IP addresses as well as NetBIOS hostnames here. -

    guest ok = no

    +

    guest ok = no

    This printer is not open for the guest account. -

    Print Commands

    - - - - +

    Print Commands

    + + + + In each section defining a printer (or in the [printers] section), a print command parameter may be defined. It sets a command to process the files that have been placed into the Samba print spool directory for that printer. (That spool directory was, -if you remember, set up with the path parameter). Typically, +if you remember, set up with the path parameter). Typically, this command will submit the spool file to the Samba host's print subsystem, using the suitable system print command. But there is no requirement that this needs to be the case. For debugging or some other reason, you may want to do something completely different than print the file. An example is a @@ -518,39 +518,39 @@ to debug printing. If you craft your own print commands (or even develop print command shell scripts), make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise, your hard disk may soon suffer from shortage of free space. -

    Default UNIX System Printing Commands

    - +

    Default UNIX System Printing Commands

    + You learned earlier that Samba, in most cases, uses its built-in settings for many parameters if it cannot -find an explicitly stated one in its configuration file. The same is true for the print command. The default print command varies depending on the printing parameter +find an explicitly stated one in its configuration file. The same is true for the print command. The default print command varies depending on the printing parameter setting. In the commands listed in Default Printing Settings , you will notice some parameters of the form %X where X is p, s, J, and so on. These letters stand for printer name, spool file, and job ID, respectively. They are explained in more detail in Default Printing Settings presents an overview of key printing options but excludes the special case of CUPS, is discussed in CUPS Printing Support. -

    Table 20.1. Default Printing Settings

    SettingDefault Printing Commands
    printing = bsd|aix|lprng|plpprint command is lpr -r -P%p %s
    printing = sysv|hpuxprint command is lp -c -P%p %s; rm %s
    printing = qnxprint command is lp -r -P%p -s %s
    printing = bsd|aix|lprng|plplpq command is lpq -P%p
    printing = sysv|hpuxlpq command is lpstat -o%p
    printing = qnxlpq command is lpq -P%p
    printing = bsd|aix|lprng|plplprm command is lprm -P%p %j
    printing = sysv|hpuxlprm command is cancel %p-%j
    printing = qnxlprm command is cancel %p-%j
    printing = bsd|aix|lprng|plplppause command is lp -i %p-%j -H hold
    printing = sysv|hpuxlppause command (...is empty)
    printing = qnxlppause command (...is empty)
    printing = bsd|aix|lprng|plplpresume command is lp -i %p-%j -H resume
    printing = sysv|hpuxlpresume command (...is empty)
    printing = qnxlpresume command (...is empty)

    - - - - +

    Table 20.1. Default Printing Settings

    SettingDefault Printing Commands
    printing = bsd|aix|lprng|plpprint command is lpr -r -P%p %s
    printing = sysv|hpuxprint command is lp -c -P%p %s; rm %s
    printing = qnxprint command is lp -r -P%p -s %s
    printing = bsd|aix|lprng|plplpq command is lpq -P%p
    printing = sysv|hpuxlpq command is lpstat -o%p
    printing = qnxlpq command is lpq -P%p
    printing = bsd|aix|lprng|plplprm command is lprm -P%p %j
    printing = sysv|hpuxlprm command is cancel %p-%j
    printing = qnxlprm command is cancel %p-%j
    printing = bsd|aix|lprng|plplppause command is lp -i %p-%j -H hold
    printing = sysv|hpuxlppause command (...is empty)
    printing = qnxlppause command (...is empty)
    printing = bsd|aix|lprng|plplpresume command is lp -i %p-%j -H resume
    printing = sysv|hpuxlpresume command (...is empty)
    printing = qnxlpresume command (...is empty)

    + + + + For printing = CUPS, if Samba is compiled against libcups, it uses the CUPS API to -submit jobs. (It is a good idea also to set printcap = cups in case your +submit jobs. (It is a good idea also to set printcap = cups in case your cupsd.conf is set to write its autogenerated printcap file to an unusual place). Otherwise, Samba maps to the System V printing commands with the -oraw option for printing; that is, it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if Samba is compiled against libcups, any manually set print command will be ignored! -

    Custom Print Commands

    - - -After a print job has finished spooling to a service, the print command will be used +

    Custom Print Commands

    + + +After a print job has finished spooling to a service, the print command will be used by Samba via a system() call to process the spool file. Usually the command specified will submit the spool file to the host's printing subsystem. But there is no requirement at all that this must be the case. The print subsystem may not remove the spool file on its own, so whatever command you specify, you should ensure that the spool file is deleted after it has been processed.

    - - - - + + + + There is no difficulty with using your own customized print commands with the traditional printing systems. However, if you do not wish to roll your own, you should be well informed about the default built-in commands that Samba uses for each printing subsystem (see Default Printing @@ -560,44 +560,44 @@ appropriate value automatically. Print commands can handle all Samba macro substitutions. In regard to printing, the following ones do have special relevance:

    - + The print command must contain at least one occurrence of %s or %f. The %p is optional. If no printer name is supplied, the %p will be silently removed from the print command. In this case, the job is sent to the default printer.

    - - + + If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified. If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed! Most importantly, print files will not be removed, so they will consume disk space.

    - - + + Printing may fail on some UNIX systems when using the nobody account. If this happens, create an alternative guest account and give it the privilege to print. Set up this guest account in the [global] section with the guest account parameter.

    - - - + + + You can form quite complex print commands. You need to realize that print commands are just passed to a UNIX shell. The shell is able to expand the included environment variables as usual. (The syntax to include a UNIX environment variable $variable in the Samba print command is %$variable.) To give you a working -print command example, the following will log a print job +print command example, the following will log a print job to /tmp/print.log, print the file, then remove it. The semicolon (“;” is the usual separator for commands in shell scripts: -

    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    +

    print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

    You may have to vary your own command considerably from this example depending on how you normally print -files on your system. The default for the print command -parameter varies depending on the setting of the printing +files on your system. The default for the print command +parameter varies depending on the setting of the printing parameter. Another example is: -

    print command = /usr/local/samba/bin/myprintscript %p %s

    Printing Developments Since Samba-2.2

    - - - +

    print command = /usr/local/samba/bin/myprintscript %p %s

    Printing Developments Since Samba-2.2

    + + + Prior to Samba-2.2.x, print server support for Windows clients was limited to LanMan printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers. Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These @@ -606,67 +606,67 @@

    The additional functionality provided by the new SPOOLSS support includes:

    • - + Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon demand (Point'n'Print).

    • - + Uploading of printer drivers via the Windows NT Add Printer Wizard (APW) or the Imprints tool set.

    • - - - - - + + + + + Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), and so on. (See the MSDN documentation for more information on the Win32 printing API).

    • - - + + Support for NT Access Control Lists (ACL) on printer objects.

    • - + Improved support for printer queue manipulation through the use of internal databases for spooled job information (implemented by various *.tdb files).

    - - + + A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP).

    - + A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT permits the installation of local printers that are not shared. This is an artifact of the fact that any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all printers that are made available, either by default or by specific declaration via printer-specific shares.

    - - - - - + + + + + Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that the client has the necessary privileges on the remote host that serves the printer resource. The default permissions assigned by Windows NT to a printer gives the print permissions to the well-known Everyone group. (The older clients of type Windows 9x/Me can only print to shared printers.) -

    Point'n'Print Client Drivers on Samba Servers

    - +

    Point'n'Print Client Drivers on Samba Servers

    + There is much confusion about what all this means. The question is often asked, “Is it or is it not necessary for printer drivers to be installed on a Samba host in order to support printing from Windows clients?” The answer to this is no, it is not necessary.

    - - + + Windows NT/2000 clients can, of course, also run their APW to install drivers locally (which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me clients. (However, a bug existed in Samba 2.2.0 that made Windows NT/2000 clients require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1).

    - - + + But it is a new capability to install the printer drivers into the [print$] share of the Samba server, and a big convenience, too. Then all clients (including 95/98/ME) get the driver installed when they first connect to this printer share. The @@ -682,16 +682,16 @@

  • Using cupsaddsmb (only works for the CUPS printing system, not for LPR/LPD, LPRng, and so on).

    • - - + + Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized entirely by the clients who download and install them via the “Point'n'Print” mechanism supported by Samba. The clients use these drivers to generate print files in the format the printer (or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing system, which is responsible for all further processing, as needed. -

    The Obsoleted [printer$] Section

    - - +

    The Obsoleted [printer$] Section

    + + Versions of Samba prior to 2.2 made it possible to use a share named [printer$]. This name was taken from the same named service created by Windows 9x/Me clients when a printer was shared by them. Windows 9x/Me printer servers always have a [printer$] service that provides @@ -701,9 +701,9 @@ parameter named printer driver provided a means of defining the printer driver name to be sent to the client.

    - - - + + + These parameters, including the printer driver file parameter, are now removed and cannot be used in installations of Samba-3. The share name [print$] is now used for the location of downloadable printer @@ -713,8 +713,8 @@ of its ACLs) to support printer driver downloads and uploads. This does not mean Windows 9x/Me clients are now thrown aside. They can use Samba's [print$] share support just fine. -

    Creating the [print$] Share

    - +

    Creating the [print$] Share

    + In order to support the uploading and downloading of printer driver files, you must first configure a file share named [print$]. The public name of this share is hard coded in the MS Windows clients. It cannot be renamed, since Windows clients are programmed to search for a @@ -722,27 +722,27 @@

    You should modify the server's file to add the global parameters and create the [print$] file share (of course, some of the parameter values, such -as path, are arbitrary and should be replaced with appropriate values for your +as path, are arbitrary and should be replaced with appropriate values for your site). See [print\$] Example. -

    Example 20.3. [print$] Example

    [global]
    # members of the ntadmin group should be able to add drivers and set
    # printer properties. root is implicitly always a 'printer admin'.
    printer admin = @ntadmin
    # ...
    [printers]
    # ...
    [print$]
    comment = Printer Driver Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = @ntadmin, root

    +

    Example 20.3. [print$] Example

    [global]
    # members of the ntadmin group should be able to add drivers and set
    # printer properties. root is implicitly always a 'printer admin'.
    printer admin = @ntadmin
    # ...
    [printers]
    # ...
    [print$]
    comment = Printer Driver Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = @ntadmin, root

    Of course, you also need to ensure that the directory named by the -path parameter exists on the UNIX file system. -

    [print$] Stanza Parameters

    - - - - - +path parameter exists on the UNIX file system. +

    [print$] Stanza Parameters

    + + + + + The [print$] is a special section in smb.conf. It contains settings relevant to potential printer driver download and is used by Windows clients for local print driver installation. The following parameters are frequently needed in this share section: -

    comment = Printer Driver Download Area

    +

    comment = Printer Driver Download Area

    The comment appears next to the share name if it is listed in a share list (usually Windows clients will not see it, but it will also appear up in a smbclient -L sambaserver output). -

    path = /etc/samba/printers

    +

    path = /etc/samba/printers

    The path to the location of the Windows driver file deposit from the UNIX point of view. -

    browseable = no

    +

    browseable = no

    Makes the [print$] share invisible to clients from the Network Neighborhood. By excuting from a cmd shell: 

    @@ -750,7 +750,7 @@

    you can still mount it from any client. This can also be done from the Connect network drive menu> from Windows Explorer. -

    guest ok = yes

    +

    guest ok = yes

    Gives read-only access to this share for all guest users. Access may be granted to download and install printer drivers on clients. The requirement for guest ok = yes depends on how your site is configured. If users will be guaranteed @@ -761,13 +761,13 @@ validated by the domain controller in order to log on to the Windows NT session), then guest access is not necessary. Of course, in a workgroup environment where you just want to print without worrying about silly accounts and security, then configure the share for - guest access. You should consider adding map to guest = Bad User + guest access. You should consider adding map to guest = Bad User in the [global] section as well. Make sure you understand what this parameter does before using it. -

    read only = yes

    +

    read only = yes

    Because we do not want everybody to upload driver files (or even change driver settings), we tagged this share as not writable. -

    write list = @ntadmin, root

    +

    write list = @ntadmin, root

    The [print$] was made read-only by the previous setting so we should create a write list entry also. UNIX groups are denoted with a leading “@” character. Users listed here are allowed @@ -775,12 +775,12 @@ update files on the share. Normally, you will want to name only administrative-level user account in this setting. Check the file system permissions to make sure these accounts can copy files to the share. If this is a non-root account, then the account should also - be mentioned in the global printer admin + be mentioned in the global printer admin parameter. See the smb.conf man page for more information on configuring file shares. -

    The [print$] Share Directory

    +

    The [print$] Share Directory

    In order for a Windows NT print server to support the downloading of driver files by multiple client architectures, you must create several subdirectories within the [print$] -service (i.e., the UNIX directory named by the path +service (i.e., the UNIX directory named by the path parameter). These correspond to each of the supported client architectures. Samba follows this model as well. Just like the name of the [print$] share itself, the subdirectories must be exactly the names listed below (you may leave out the subdirectories of architectures you do @@ -812,7 +812,7 @@ Neighborhood or My Network Places and browse for the Samba host. Once you have located the server, navigate to its Printers and Faxes folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host. -

    Installing Drivers into [print$]

    +

    Installing Drivers into [print$]

    Have you successfully created the [print$] share in smb.conf, and have you forced Samba to reread its smb.conf file? Good. But you are not yet ready to use the new facility. The client driver files need to be installed into this share. So far, it is still an empty share. Unfortunately, it is @@ -828,7 +828,7 @@ from any Windows NT/200x/XP client workstation.

    The latter option is probably the easier one (even if the process may seem a little bit weird at first). -

    Add Printer Wizard Driver Installation

    +

    Add Printer Wizard Driver Installation

    The printers initially listed in the Samba host's Printers folder accessed from a client's Explorer will have no real printer driver assigned to them. By default this driver name is set to a null string. This must be changed now. The local Add Printer Wizard (APW), run from @@ -854,13 +854,13 @@

    Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure -your connection is, in fact, set up as a user with printer admin +your connection is, in fact, set up as a user with printer admin privileges (if in doubt, use smbstatus to check for this). If you wish to install printer drivers for client operating systems other than Windows NT x86, you will need to use the Sharing tab of the printer properties dialog.

    Assuming you have connected with an administrative (or root) account (as named by the -printer admin parameter), you will also be able to modify +printer admin parameter), you will also be able to modify other printer properties such as ACLs and default device settings using this dialog. For the default device settings, please consider the advice given further in Installing Print Drivers Using rpcclient. @@ -879,10 +879,10 @@ Run rpcclient a second time with the setdriver subcommand.

    We provide detailed hints for each of these steps in the paragraphs that follow. -

    Identifying Driver Files

    - - - +

    Identifying Driver Files

    + + + To find out about the driver files, you have two options. You can check the contents of the driver CDROM that came with your printer. Study the *.inf files located on the CD-ROM. This may not be possible, since the *.inf file might be missing. Unfortunately, vendors have now started @@ -890,14 +890,14 @@ archive format. Additionally, the files may be re-named during the installation process. This makes it extremely difficult to identify the driver files required.

    - + Then you have the second option. Install the driver locally on a Windows client and investigate which filenames and paths it uses after they are installed. (You need to repeat this procedure for every client platform you want to support. We show it here for the W32X86 platform only, a name used by Microsoft for all Windows NT/200x/XP clients.)

    - + A good method to recognize the driver files is to print the test page from the driver's Properties dialog (General tab). Then look at the list of driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the @@ -905,9 +905,9 @@ Help File, and (optionally) Dependent Driver Files (this may vary slightly for Windows NT). You need to note all filenames for the next steps.

    - - - + + + Another method to quickly test the driver filenames and related paths is provided by the rpcclient utility. Run it with enumdrivers or with the getdriver subcommand, each at the 3 info level. In the following example, @@ -948,10 +948,10 @@ Monitorname: [] Defaultdatatype: []

    - - - - + + + + You may notice that this driver has quite a large number of Dependent files (there are worse cases, however). Also, strangely, the Driver File is tagged here @@ -961,9 +961,9 @@ addition to those for W32X86 (i.e., the Windows NT 2000/XP clients) onto a Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000, or XP.

    - - - + + + Since the [print$] share is usually accessible through the Network Neighborhood, you can also use the UNC notation from Windows Explorer to poke at it. The Windows 9x/Me driver files will end up in subdirectory 0 of the WIN40 @@ -974,7 +974,7 @@ mode. Windows 2000 changed this. While it still can use the kernel mode drivers (if this is enabled by the Admin), its native mode for printer drivers is user mode execution. This requires drivers designed for this purpose. These types of drivers install into the “3” subdirectory. -

    Obtaining Driver Files from Windows Client [print$] Shares

    +

    Obtaining Driver Files from Windows Client [print$] Shares

    Now we need to collect all the driver files we identified in our previous step. Where do we get them from? Well, why not retrieve them from the very PC and the same [print$] share that we investigated in our last step to identify the files? We can use smbclient @@ -999,12 +999,12 @@ This ensures that all commands are executed in sequence on the remote Windows server before smbclient exits again.

    - + Remember to repeat the procedure for the WIN40 architecture should you need to support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the WIN40/0/ subdirectory. Once this is complete, we can run smbclient. . .put to store the collected files on the Samba server's [print$] share. -

    Installing Driver Files into [print$]

    +

    Installing Driver Files into [print$]

    We are now going to locate the driver files into the [print$] share. Remember, the UNIX path to this share has been defined previously in your smb.conf file. You also have created subdirectories for the different Windows client types you want to support. If, for example, your @@ -1017,8 +1017,8 @@ For all Windows 95, 98, and Me clients, /etc/samba/drivers/WIN40/ but not (yet) into the 0 subdirectory.

    - - + + We again use smbclient to transfer the driver files across the network. We specify the same files and paths as were leaked to us by running getdriver against the original Windows install. However, now we are going to store the files into a @@ -1055,18 +1055,18 @@ putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF

    - - - + + + Whew that was a lot of typing! Most drivers are a lot smaller many have only three generic PostScript driver files plus one PPD. While we did retrieve the files from the 2 subdirectory of the W32X86 directory from the Windows box, we do not put them (for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the adddriver command, which we will run shortly (and do not forget to also put the files for the Windows 9x/Me architecture into the WIN40/ subdirectory should you need them). -

    smbclient to Confirm Driver Installation

    - - +

    smbclient to Confirm Driver Installation

    + + For now we verify that our files are there. This can be done with smbclient, too (but, of course, you can log in via SSH also and do this through a standard UNIX shell access): 

    @@ -1107,9 +1107,9 @@
 PDFcreator2.PPD                     A    15746  Sun Apr 20 22:24:07 2003
               40976 blocks of size 262144. 709 blocks available

    - - - + + + Notice that there are already driver files present in the 2 subdirectory (probably from a previous installation). Once the files for the new driver are there too, you are still a few steps away from being able to use them on the clients. The only thing you could do now is retrieve them from a client just @@ -1117,10 +1117,10 @@ install them per Point'n'Print. The reason is that Samba does not yet know that these files are something special, namely printer driver files, and it does not know to which print queue(s) these driver files belong. -

    Running rpcclient with adddriver

    - - - +

    Running rpcclient with adddriver

    + + + Next, you must tell Samba about the special category of the files you just uploaded into the [print$] share. This is done by the adddriver command. It will prompt Samba to register the driver files into its internal TDB database files. The @@ -1144,16 +1144,16 @@ Printer Driver dm9110 successfully installed.

    - - - + + + After this step, the driver should be recognized by Samba on the print server. You need to be very careful when typing the command. Don't exchange the order of the fields. Some changes would lead to an NT_STATUS_UNSUCCESSFUL error message. These become obvious. Other changes might install the driver files successfully but render the driver unworkable. So take care! Hints about the syntax of the adddriver command are in the man page. provides a more detailed description, should you need it. -

    Checking adddriver Completion

    +

    Checking adddriver Completion

    One indication for Samba's recognition of the files as driver files is the successfully installed message. Another one is the fact that our files have been moved by the adddriver command into the 2 subdirectory. You can check this @@ -1198,17 +1198,17 @@

    Another verification is that the timestamp of the printing TDB files is now updated (and possibly their file size has increased). -

    Check Samba for Driver Recognition

    - +

    Check Samba for Driver Recognition

    + Now the driver should be registered with Samba. We can easily verify this and will do so in a moment. However, this driver is not yet associated with a particular printer. We may check the driver status of the files by at least three methods:

    • - - - - - + + + + + From any Windows client browse Network Neighborhood, find the Samba host, and open the Samba Printers and Faxes folder. Select any printer icon, right-click and select the printer Properties. Click the Advanced @@ -1218,7 +1218,7 @@ see only its own architecture's list. If you do not have every driver installed for each platform, the list will differ if you look at it from Windows95/98/ME or Windows NT/2000/XP.)

    • - + From a Windows 200x/XP client (not Windows NT) browse Network Neighborhood, search for the Samba server, open the server's Printers folder, and right-click on the white background (with no printer highlighted). Select Server @@ -1247,8 +1247,8 @@ for Windows NT 4.0 or 2000. To have it present for Windows 95, 98, and Me, you'll have to repeat the whole procedure with the WIN40 architecture and subdirectory. -

    Specific Driver Name Flexibility

    - +

    Specific Driver Name Flexibility

    + You can name the driver as you like. If you repeat the adddriver step with the same files as before but with a different driver name, it will work the same: 

    @@ -1271,18 +1271,18 @@
 
 Printer Driver mydrivername successfully installed.

    - - - + + + You will be able to bind that driver to any print queue (however, you are responsible that you associate drivers to queues that make sense with respect to target printers). You cannot run the rpcclient adddriver command repeatedly. Each run consumes the files you had put into the [print$] share by moving them into the respective subdirectories, so you must execute an smbclient ... put command before each rpcclient ... adddriver command. -

    Running rpcclient with setdriver

    - - +

    Running rpcclient with setdriver

    + + Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and store this information in Samba's memory, the TDB files. The rpcclient setdriver command achieves exactly this: @@ -1309,18 +1309,18 @@ bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba, or at least send an HUP signal to all running smbd processes to work around this: kill -HUP `pidof smbd`. -

    Client Driver Installation Procedure

    +

    Client Driver Installation Procedure

    As Don Quixote said, “The proof of the pudding is in the eating.” The proof for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is not as straightforward as it may seem. Read on. -

    First Client Driver Installation

    +

    First Client Driver Installation

    Especially important is the installation onto the first client PC (for each architectural platform separately). Once this is done correctly, all further clients are easy to set up and shouldn't need further attention. What follows is a description for the recommended first procedure. You now work from a client workstation. You should check that your connection is not unwittingly mapped to bad user nobody. In a DOS box type:

    net use \\SAMBA-SERVER\print$ /user:root

    -Replace root, if needed, by another valid printer admin user as given in +Replace root, if needed, by another valid printer admin user as given in the definition. Should you already be connected as a different user, you will get an error message. There is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging off from a share connection (do not confuse this with logging off from the local workstation; that is @@ -1347,7 +1347,7 @@ Settings -> Control Panel -> Printers and Faxes).

    - + Most likely you are tempted to try to print a test page. After all, you now can open the printer properties, and on the General tab there is a button offering to do just that. But chances are that you get an error message saying "Unable to print Test Page." The @@ -1359,18 +1359,18 @@

    Setting Device Modes on New Printers

    For a printer to be truly usable by a Windows NT/200x/XP client, it must possess:

    • - + A valid device mode generated by the driver for the printer (defining things like paper size, orientation and duplex settings).

    • - + A complete set of printer driver data generated by the driver.

    - - - - - + + + + + If either of these is incomplete, the clients can produce less than optimal output at best. In the worst cases, unreadable garbage or nothing at all comes from the printer, or it produces a harvest of error messages when attempting to print. Samba stores the named values and all printing-related information in @@ -1384,7 +1384,7 @@ This can be achieved by accessing the drivers remotely from an NT (or 200x/XP) client, as discussed in the following paragraphs.

    -Be aware that a valid device mode can only be initiated by a printer admin or root +Be aware that a valid device mode can only be initiated by a printer admin or root (the reason should be obvious). Device modes can be correctly set only by executing the printer driver program itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL (which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the @@ -1396,7 +1396,7 @@ the server's printer. This executes enough of the printer driver program on the client for the desired effect to happen and feeds back the new device mode to our Samba server. You can use the native Windows NT/200x/XP printer properties page from a Window client for this: -

    Procedure 20.2. Procedure to Initialize the Printer Driver Settings

    1. +

      Procedure 20.2. Procedure to Initialize the Printer Driver Settings

      1. Browse the Network Neighborhood.

      2. Find the Samba server. @@ -1426,13 +1426,13 @@ you can follow the analogous steps by accessing the local Printers folder, too, if you are a Samba printer admin user. From now on, printing should work as expected.

        - + Samba includes a service-level parameter name default devmode for generating a default device mode for a printer. Some drivers function well with Samba's default set of properties. Others may crash the client's spooler service. So use this parameter with caution. It is always better to have the client generate a valid device mode for the printer and store it on the server for you. -

      Additional Client Driver Installation

      - +

      Additional Client Driver Installation

      + Every additional driver may be installed in the same way as just described. Browse Network Neighborhood, open the Printers folder on Samba server, right-click on Printer, and choose Connect.... Once this completes (should be @@ -1445,17 +1445,17 @@ rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

      or this command on Windows NT 4.0 workstations: - + 

       rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2

      You can enter the commands either inside a DOS box window or in the Run command... field from the Start menu. -

      Always Make First Client Connection as root or “printer admin

      +

      Always Make First Client Connection as root or “printer admin

      After you installed the driver on the Samba server (in its [print$] share), you should always make sure that your first client installation completes correctly. Make it a habit for yourself -to build the very first connection from a client as printer admin. This is to make +to build the very first connection from a client as printer admin. This is to make sure that:

      • A first valid device mode is really initialized (see above Setting Device Modes on New Printers) for more explanation details). @@ -1467,7 +1467,7 @@ Letter when you are all using A4, right? You may want to set the printer for duplex as the default, and so on).

        - + To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt: 

         C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n 
@@ -1476,18 +1476,18 @@
 
        
 You will be prompted for root's Samba password; type it, wait a few seconds, click on
 Printing Defaults, and proceed to set the job options that should be used as defaults
-by all clients. Alternatively, instead of root you can name one other member of the printer admin from the setting.
+by all clients. Alternatively, instead of root you can name one other member of the printer admin from the setting.
 
        
 Now all the other users downloading and installing the driver the same way (using
 Point'n'Print) will have the same defaults set for them. If you miss this step, you'll get a
 lot of help desk calls from your users, but maybe you like to talk to people.
-

      Other Gotchas

      +

    Other Gotchas

    Your driver is installed. It is now ready for Point'n'Print installation by the clients. You may have tried to download and use it on your first client machine, but wait. Let's make sure you are acquainted first with a few tips and tricks you may find useful. For example, suppose you did not set the defaults on the printer, as advised in the preceding paragraphs. Your users complain about various issues (such as, “We need to set the paper size for each job from Letter to A4 and it will not store it”). -

    Setting Default Print Options for Client Drivers

    +

    Setting Default Print Options for Client Drivers

    The last sentence might be viewed with mixed feelings by some users and Admins. They have struggled for hours and could not arrive at a point where their settings seemed to be saved. It is not their fault. The confusing thing is that in the multitabbed dialog that pops up when you right-click on the printer name and select @@ -1524,7 +1524,7 @@ Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults for new users. If you want all clients to have the same defaults, you need to conduct these steps as -administrator (printer admin) before a client downloads the driver (the clients can +administrator (printer admin) before a client downloads the driver (the clients can later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user default settings and the ones the administrator gives them before they set up their own. The parents of the identical-looking dialogs have a slight difference in their window names; one is called @@ -1536,7 +1536,7 @@ there is now a different path to arrive at an identical-looking, but functionally different, dialog to set defaults for all users.

    Tip

    Try (on Windows 200x/XP) to run this command (as a user with the right privileges): - +

    rundll32 printui.dll,PrintUIEntry /p /t3 /n\\SAMBA-SERVER\printersharename

    @@ -1547,7 +1547,7 @@ To see the tab with the Printing Preferences button (the one that does not set systemwide defaults), you can start the commands from inside a DOS box or from Start -> Run. -

    Supporting Large Numbers of Printers

    +

    Supporting Large Numbers of Printers

    One issue that has arisen during the recent development phase of Samba is the need to support driver downloads for hundreds of printers. Using Windows NT APW for this task is somewhat awkward (to say the least). If you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need @@ -1630,19 +1630,19 @@ “dm9110” printer with an empty string where the driver should have been listed (between the two commas in the description field). After the setdriver command succeeds, all is well. -

    Adding New Printers with the Windows NT APW

    +

    Adding New Printers with the Windows NT APW

    By default, Samba exhibits all printer shares defined in smb.conf in the Printers folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if:

    • The connected user is able to successfully execute an OpenPrinterEx(\\server) with - administrative privileges (i.e., root or printer admin). + administrative privileges (i.e., root or printer admin).

      Tip

      Try this from a Windows 200x/XP DOS box command prompt:

      runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\SAMBA-SERVER\printersharename

      Click on Printing Preferences.

    • ... contains the setting - show add printer wizard = yes (the + show add printer wizard = yes (the default).

    The APW can do various things:

    • @@ -1653,28 +1653,28 @@ Exchange the currently used driver for an existing print queue with one that has been uploaded before.

    • Add an entirely new printer to the Samba host (only in conjunction with a working - add printer command. A corresponding - delete printer command for removing entries from the + add printer command. A corresponding + delete printer command for removing entries from the Printers folder may also be provided).

    The last one (add a new printer) requires more effort than the previous ones. To use the APW to successfully -add a printer to a Samba server, the add printer command must have a defined value. +add a printer to a Samba server, the add printer command must have a defined value. The program hook must successfully add the printer to the UNIX print system (i.e., to /etc/printcap, /etc/cups/printers.conf or other appropriate files) and to smb.conf if necessary.

    When using the APW from a client, if the named printer share does not exist, smbd will execute the -add printer command and reparse to attempt to locate the new printer share. If the +add printer command and reparse to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. The -add printer command is executed under the context of the connected user, not -necessarily a root account. A map to guest = bad user may have connected +add printer command is executed under the context of the connected user, not +necessarily a root account. A map to guest = bad user may have connected you unwittingly under the wrong privilege. You should check it by using the smbstatus command. -

    Error Message: “Cannot connect under a different Name

    +

    Error Message: “Cannot connect under a different Name

    Once you are connected with the wrong credentials, there is no means to reverse the situation other than to close all Explorer windows, and perhaps reboot.

    • - + The net use \\SAMBA-SERVER\sharename /user:root gives you an error message: “Multiple connections to a server or a shared resource by the same user utilizing several user names are not allowed. Disconnect all previous connections to the server, @@ -1700,7 +1700,7 @@ C:\> net use * /delete

      This will also disconnect all mapped drives and will allow you create fresh connection as required. -

    Take Care When Assembling Driver Files

    +

    Take Care When Assembling Driver Files

    You need to be extremely careful when you take notes about the files belonging to a particular driver. Don't confuse the files for driver version “0” (for Windows 9x/Me, going into [print$]/WIN/0/), driver version 2 (kernel mode driver for Windows NT, @@ -1831,11 +1831,11 @@ In my example were even more differences than shown here. Conclusion: you must be careful to select the correct driver files for each driver version. Don't rely on the names alone, and don't interchange files belonging to different driver versions. -

    Samba and Printer Ports

    - - - - +

    Samba and Printer Ports

    + + + + Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, and so on. Samba must also support the concept of ports associated with a printer. By default, only one printer port, named “Samba @@ -1844,22 +1844,22 @@ they request this information; otherwise, they throw an error message at you. So Samba fakes the port information to keep the Windows clients happy.

    - + Samba does not support the concept of Printer Pooling internally either. Printer pooling assigns a logical printer to multiple ports as a form of load balancing or failover.

    If you require multiple ports to be defined for some reason or another (my users and my boss should not know -that they are working with Samba), configure the enumports command, +that they are working with Samba), configure the enumports command, which can be used to define an external program that generates a listing of ports on a system. -

    Avoiding Common Client Driver Misconfiguration

    +

    Avoiding Common Client Driver Misconfiguration

    So now the printing works, but there are still problems. Most jobs print well, some do not print at all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about “Avoiding the Wrong PostScript Driver Settings” in CUPS Printing Chapter, Avoiding Critical PostScript Driver Settings on the Client. -

    The Imprints Toolset

    - +

    The Imprints Toolset

    + The Imprints tool set provides a UNIX equivalent of the Windows NT APW. For complete information, please refer to the Imprints Web site as well as the documentation included with the Imprints source distribution. This section provides only a brief introduction @@ -1871,7 +1871,7 @@ mailing list. The toolset is still in usable form, but only for a series of older printer models where there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints should have a future. Information regarding the Imprints toolset can be obtained from the Imprints home page. -

    What Is Imprints?

    +

    What Is Imprints?

    Imprints is a collection of tools for supporting these goals:

    • Providing a central repository of information regarding Windows NT and 95/98 printer driver packages. @@ -1880,20 +1880,20 @@

    • Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server repository and install them on remote Samba and Windows NT4 print servers. -

    Creating Printer Driver Packages

    +

    Creating Printer Driver Packages

    The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt, included with the Samba distribution for more information). In short, an Imprints driver package is a gzipped tarball containing the driver files, related INF files, and a control file needed by the installation client. -

    The Imprints Server

    +

    The Imprints Server

    The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer entry in the database has an associated URL for the actual downloading of the package. Each package is digitally signed via GnuPG, which can be used to verify that the package downloaded is actually the one referred in the Imprints database. It is strongly recommended that this security check not be disabled. -

    The Installation Client

    -More information regarding the Imprints installation client is available from the the documentation file +

    The Installation Client

    +More information regarding the Imprints installation client is available from the documentation file Imprints-Client-HOWTO.ps that is included with the Imprints source package. The Imprints installation client comes in two forms:

    • A set of command-line Perl scripts.

    • A GTK+-based graphical interface to the command-line Perl scripts.

    @@ -1922,7 +1922,7 @@

    The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and 95/98 printer drivers and that the NT driver is installed first. -

    Adding Network Printers without User Interaction

    +

    Adding Network Printers without User Interaction

    The following MS Knowledge Base article may be of some help if you need to handle Windows 2000 clients: How to Add Printers with No User Interaction in Windows 2000, (Microsoft KB 189105). It also applies to Windows XP Professional clients. The ideas sketched out in this section are inspired by this @@ -1981,7 +1981,7 @@ up to date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally added, changed, and deleted at will on the server with no user intervention required from the clients (you just need to keep the logon scripts up to date). -

    The addprinter Command

    +

    The addprinter Command

    The addprinter command can be configured to be a shell script or program executed by Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks the user to fill in several fields (such as printer name, driver to be used, comment, port monitor, @@ -1989,7 +1989,7 @@ way that it can create a new printer (through writing correct printcap entries on legacy systems or by executing the lpadmin command on more modern systems) and create the associated share, then the APW will in effect really create a new printer on Samba and the UNIX print subsystem! -

    Mig