--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Group Mapping MS Windows and UNIX"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2911341">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2911525">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="AccessControls.html#id2911956">Managing Directories</a></dt><dt><a href="AccessControls.html#id2912050">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2912290">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt><a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt><a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2913585">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2913670">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2913978">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2913986">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2914042">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2914124">Viewing File Ownership</a></dt><dt><a href="AccessControls.html#id2914264">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914515">Modifying File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt><a href="AccessControls.html#id2915106">Interaction with the Standard Samba File Attribute Mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2915195">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2915209">Users Cannot Write to a Public Share</a></dt><dt><a href="AccessControls.html#id2915635">File Operations Done as root with force user Set</a></dt><dt><a href="AccessControls.html#id2915690">MS Word with Samba Changes Owner of File</a></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2911255"></a>
+Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
+resources shared via Samba do not behave in the manner they might expect. MS Windows network
+administrators are often confused regarding network access controls and how to
+provide users with the access they need while protecting resources from unauthorized access.
+</p><p>
+Many UNIX administrators are unfamiliar with the MS Windows environment and in particular
+have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
+and directory access permissions.
+</p><p>
+The problem lies in the differences in how file and directory permissions and controls work
+between the two environments. This difference is one that Samba cannot completely hide, even
+though it does try to bridge the chasm to a degree.
+</p><p>
+<a class="indexterm" name="id2911291"></a>
+<a class="indexterm" name="id2911300"></a>
+
+POSIX Access Control List technology has been available (along with Extended Attributes)
+for UNIX for many years, yet there is little evidence today of any significant use. This
+explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
+administrators are astounded at this, given that ACLs were a foundational capability of the now
+decade-old MS Windows NT operating system.
+</p><p>
+The purpose of this chapter is to present each of the points of control that are possible with
+Samba-3 in the hope that this will help the network administrator to find the optimum method
+for delivering the best environment for MS Windows desktop users.
+</p><p>
+This is an opportune point to mention that Samba was created to provide a means of interoperability
+and interchange of data between differing operating environments. Samba has no intent to change
+UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient
+level of exchange of data between the two environments. What is available today extends well
+beyond early plans and expectations, yet the gap continues to shrink.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911341"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Samba offers a lot of flexibility in file system access management. These are the key access control
+ facilities present in Samba today:
+ </p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
+ <a class="indexterm" name="id2911368"></a>
+ <span class="emphasis"><em>UNIX File and Directory Permissions</em></span>
+ </p><p>
+ Samba honors and implements UNIX file system access controls. Users
+ who access a Samba server will do so as a particular MS Windows user.
+ This information is passed to the Samba server as part of the logon or
+ connection setup process. Samba uses this user identity to validate
+ whether or not the user should be given access to file system resources
+ (files and directories). This chapter provides an overview for those
+ to whom the UNIX permissions and controls are a little strange or unknown.
+ </p></li><li><p>
+ <span class="emphasis"><em>Samba Share Definitions</em></span>
+ </p><p>
+ In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file,
+ the network administrator can exercise overrides to native file
+ system permissions and behaviors. This can be handy and convenient
+ to effect behavior that is more like what MS Windows NT users expect
+ but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
+ The basic options and techniques are described herein.
+ </p></li><li><p>
+ <span class="emphasis"><em>Samba Share ACLs</em></span>
+ <a class="indexterm" name="id2911453"></a>
+ </p><p>
+ Just like it is possible in MS Windows NT to set ACLs on shares
+ themselves, so it is possible to do this in Samba.
+ Few people make use of this facility, yet it remains on of the
+ easiest ways to affect access controls (restrictions) and can often
+ do so with minimum invasiveness compared with other methods.
+ </p></li><li><p>
+ <a class="indexterm" name="id2911481"></a>
+ <a class="indexterm" name="id2911492"></a>
+ <span class="emphasis"><em>MS Windows ACLs through UNIX POSIX ACLs</em></span>
+ </p><p>
+ The use of POSIX ACLs on UNIX/Linux is possible only if the underlying
+ operating system supports them. If not, then this option will not be
+ available to you. Current UNIX technology platforms have native support
+ for POSIX ACLs. There are patches for the Linux kernel that also provide
+ this. Sadly, few Linux platforms ship today with native ACLs and
+ Extended Attributes enabled. This chapter has pertinent information
+ for users of platforms that support them.
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2911525"></a>File System Access Controls</h2></div></div><div></div></div><p>
+Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP
+implement a totally divergent file system technology from what is provided in the UNIX operating system
+environment. First we consider what the most significant differences are, then we look
+at how Samba helps to bridge the differences.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911543"></a>MS Windows NTFS Comparison with UNIX File Systems</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2911555"></a>
+<a class="indexterm" name="id2911563"></a>
+<a class="indexterm" name="id2911571"></a>
+<a class="indexterm" name="id2911582"></a>
+
+ Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions
+ and permissions. It also means that if the MS Windows networking environment requires file system
+ behavior that differs from UNIX file system behavior then somehow Samba is responsible for emulating
+ that in a transparent and consistent manner.
+ </p><p>
+ It is good news that Samba does this to a large extent and on top of that provides a high degree
+ of optional configuration to override the default behavior. We look at some of these over-rides,
+ but for the greater part we will stay within the bounds of default behavior. Those wishing to explore
+ the depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
+ </p><p>The following compares file system features for UNIX with those of Microsoft Windows NT/200x:
+ <a class="indexterm" name="id2911624"></a>
+
+ </p><div class="variablelist"><dl><dt><span class="term">Name Space</span></dt><dd><p>
+ MS Windows NT4/200x/XP files names may be up to 254 characters long, and UNIX file names
+ may be 1023 characters long. In MS Windows, file extensions indicate particular file types,
+ in UNIX this is not so rigorously observed as all names are considered arbitrary.
+ </p><p>
+ What MS Windows calls a folder, UNIX calls a directory.
+ </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
+ <a class="indexterm" name="id2911680"></a>
+ <a class="indexterm" name="id2911689"></a>
+ MS Windows file names are generally upper case if made up of 8.3 (8 character file name
+ and 3 character extension. File names that are longer than 8.3 are case preserving and case
+ insensitive.
+ </p><p>
+ UNIX file and directory names are case sensitive and case preserving. Samba implements the
+ MS Windows file name behavior, but it does so as a user application. The UNIX file system
+ provides no mechanism to perform case insensitive file name lookups. MS Windows does this
+ by default. This means that Samba has to carry the processing overhead to provide features
+ that are not native to the UNIX operating system environment.
+ </p><p>
+ Consider the following. All are unique UNIX names but one single MS Windows file name:
+ </p><pre class="screen">
+ MYFILE.TXT
+ MyFile.txt
+ myfile.txt
+ </pre><p>
+ So clearly, in an MS Windows file name space these three files cannot co-exist, but in UNIX
+ they can.
+ </p><p>
+ So what should Samba do if all three are present? That which is lexically first will be
+ accessible to MS Windows users, the others are invisible and unaccessible any
+ other solution would be suicidal.
+ </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
+ <a class="indexterm" name="id2911762"></a>
+ MS Windows and DOS uses the backslash <tt class="constant">\</tt> as a directory delimiter, and UNIX uses
+ the forward-slash <tt class="constant">/</tt> as its directory delimiter. This is handled transparently by Samba.
+ </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
+ <a class="indexterm" name="id2911799"></a>
+ MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
+ disk partitions. UNIX has no concept of separate identifiers for file partitions, each
+ such file system is mounted to become part of the overall directory tree.
+ The UNIX directory tree begins at <tt class="constant">/</tt> just like the root of a DOS drive is specified as
+ <tt class="constant">C:\</tt>.
+ </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
+ <a class="indexterm" name="id2911846"></a>
+ MS Windows generally never experiences file names that begin with a dot (<tt class="constant">.</tt>) while in UNIX these
+ are commonly found in a user's home directory. Files that begin with a dot (<tt class="constant">.</tt>) are typically
+ either start-up files for various UNIX applications, or they may be files that contain
+ start-up configuration data.
+ </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
+ <a class="indexterm" name="id2911886"></a>
+ <a class="indexterm" name="id2911897"></a>
+ <a class="indexterm" name="id2911908"></a>
+ MS Windows make use of “<span class="quote">links and short-cuts</span>” that are actually special types of files that will
+ redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory
+ links, but they are entirely different from what MS Windows users are used to.
+ </p><p>
+ Symbolic links are files in UNIX that contain the actual location of the data (file or directory). An
+ operation (like read or write) will operate directly on the file referenced. Symbolic links are also
+ referred to as “<span class="quote">soft links.</span>” A hard link is something that MS Windows is not familiar with. It allows
+ one physical file to be known simultaneously by more than one file name.
+ </p></dd></dl></div><p>
+ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
+ in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the
+ purpose of UNIX/Linux training and education.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2911956"></a>Managing Directories</h3></div></div><div></div></div><p>
+ There are three basic operations for managing directories: <b class="command">create, delete, rename</b>.
+ </p><div class="table"><a name="id2911975"></a><p class="title"><b>Table 13.1. Managing Directories with UNIX and Windows</b></p><table summary="Managing Directories with UNIX and Windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">UNIX Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912050"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2912062"></a>
+ The network administrator is strongly advised to read foundational training manuals and reference materials
+ regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions
+ without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
+ Attributes (EAs).
+ </p><p>
+ UNIX/Linux file and directory access permissions involves setting three primary sets of data and one control set.
+ A UNIX file listing looks as follows:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>ls -la</tt></b>
+total 632
+drwxr-xr-x 13 maryo gnomes 816 2003-05-12 22:56 .
+drwxrwxr-x 37 maryo gnomes 3800 2003-05-12 22:29 ..
+dr-xr-xr-x 2 maryo gnomes 48 2003-05-12 22:29 muchado02
+drwxrwxrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado03
+drw-rw-rw- 2 maryo gnomes 48 2003-05-12 22:29 muchado04
+d-w--w--w- 2 maryo gnomes 48 2003-05-12 22:29 muchado05
+dr--r--r-- 2 maryo gnomes 48 2003-05-12 22:29 muchado06
+drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
+---------- 1 maryo gnomes 1242 2003-05-12 22:31 mydata00.lst
+--w--w--w- 1 maryo gnomes 7754 2003-05-12 22:33 mydata02.lst
+-r--r--r-- 1 maryo gnomes 21017 2003-05-12 22:32 mydata04.lst
+-rw-rw-rw- 1 maryo gnomes 41105 2003-05-12 22:32 mydata06.lst
+<tt class="prompt">$ </tt>
+</pre><p>
+ </p><p>
+ The columns above represent (from left to right): permissions, number of hard links to file, owner, group, size (bytes), access date, access time, file name.
+ </p><p>
+ An overview of the permissions field can be found in <link linkend="access1">.
+ </p><div class="figure"><a name="access1"></a><p class="title"><b>Figure 13.1. Overview of UNIX permissions field.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/access1.png" width="270" alt="Overview of UNIX permissions field."></div></div><p>
+ Any bit flag may be unset. An unset bit flag is the equivalent of “<span class="quote">cannot</span>” and is represented as a “<span class="quote">-</span>” character.
+
+ </p><div class="example"><a name="id2912202"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
+ -rwxr-x--- Means: The owner (user) can read, write, execute
+ the group can read and execute
+ everyone else cannot do anything with it.
+ </pre></div><p>
+
+ </p><p>
+ Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.
+ </p><p>
+ The letters <tt class="constant">rwxXst</tt> set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
+ execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
+ sticky (t).
+ </p><p>
+ When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
+ Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
+ directories, such as <tt class="filename">/tmp</tt>, that are world-writable.
+ </p><p>
+ When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
+ group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that
+ all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
+ to be exclusively owned by a user whose primary group is not the group that all such users belong to.
+ </p><p>
+ When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
+ the (x) execute flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the
+ directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then
+ group members will be able to write to (or delete) them.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2912290"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2912301"></a>
+The following parameters in the <tt class="filename">smb.conf</tt> file sections define a share control or effect access controls.
+Before using any of the following options, please refer to the man page for <tt class="filename">smb.conf</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912329"></a>User and Group-Based Controls</h3></div></div><div></div></div><p>
+ User and group-based controls can prove quite useful. In some situations it is distinctly desirable to affect all
+ file system operations as if a single user were doing so. The use of the <a class="indexterm" name="id2912343"></a><i class="parameter"><tt>force user</tt></i> and
+ <a class="indexterm" name="id2912356"></a><i class="parameter"><tt>force group</tt></i> behavior will achieve this. In other situations it may be necessary to effect a
+ paranoia level of control to ensure that only particular authorized persons will be able to access a share or
+ its contents. Here the use of the <a class="indexterm" name="id2912374"></a><i class="parameter"><tt>valid users</tt></i> or the
+ <a class="indexterm" name="id2912388"></a><i class="parameter"><tt>invalid users</tt></i> may be most useful.
+ </p><p>
+ As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
+ controlling access. Remember, when you leave the scene someone else will need to provide assistance and
+ if he finds too great a mess or does not understand what you have done, there is risk of
+ Samba being removed and an alternative solution being adopted.
+ </p><p>
+ <link linkend="ugbc"> enumerates these controls.
+ </p><div class="table"><a name="ugbc"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2912501"></a><i class="parameter"><tt>admin users</tt></i></td><td align="justify"><p>
+ List of users who will be granted administrative privileges on the share.
+ They will do all file operations as the super-user (root).
+ Any user in this list will be able to do anything they like on the share,
+ irrespective of file permissions.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912530"></a><i class="parameter"><tt>force group</tt></i></td><td align="justify"><p>
+ Specifies a UNIX group name that will be assigned as the default primary group
+ for all users connecting to this service.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912558"></a><i class="parameter"><tt>force user</tt></i></td><td align="justify"><p>
+ Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. Incorrect use can cause security problems.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912586"></a><i class="parameter"><tt>guest ok</tt></i></td><td align="justify"><p>
+ If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
+ those of the guest account.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912614"></a><i class="parameter"><tt>invalid users</tt></i></td><td align="justify"><p>
+ List of users that should not be allowed to login to this service.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912640"></a><i class="parameter"><tt>only user</tt></i></td><td align="justify"><p>
+ Controls whether connections with usernames not in the user list will be allowed.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912666"></a><i class="parameter"><tt>read list</tt></i></td><td align="justify"><p>
+ List of users that are given read-only access to a service. Users in this list
+ will not be given write access, no matter what the read only option is set to.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912694"></a><i class="parameter"><tt>username</tt></i></td><td align="justify"><p>
+ Refer to the <tt class="filename">smb.conf</tt> man page for more information -- this is a complex and potentially misused parameter.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912727"></a><i class="parameter"><tt>valid users</tt></i></td><td align="justify"><p>
+ List of users that should be allowed to login to this service.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912754"></a><i class="parameter"><tt>write list</tt></i></td><td align="justify"><p>
+ List of users that are given read-write access to a service.
+ </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2912779"></a>File and Directory Permissions-Based Controls</h3></div></div><div></div></div><p>
+ The following file and directory permission-based controls, if misused, can result in considerable difficulty to
+ diagnose causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each one by one,
+ undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually
+ reintroduce them in a controlled way.
+ </p><p>
+ Refer to <link linkend="fdpbc"> for information regarding the parameters that may be used to affect file and
+ directory permission-based access controls.
+ </p><div class="table"><a name="fdpbc"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2912884"></a><i class="parameter"><tt>create mask</tt></i></td><td align="justify"><p>
+ Refer to the <tt class="filename">smb.conf</tt> man page.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912916"></a><i class="parameter"><tt>directory mask</tt></i></td><td align="justify"><p>
+ The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
+ See also: directory security mask.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912942"></a><i class="parameter"><tt>dos filemode</tt></i></td><td align="justify"><p>
+ Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912969"></a><i class="parameter"><tt>force create mode</tt></i></td><td align="justify"><p>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2912996"></a><i class="parameter"><tt>force directory mode</tt></i></td><td align="justify"><p>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913024"></a><i class="parameter"><tt>force directory security mode</tt></i></td><td align="justify"><p>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913052"></a><i class="parameter"><tt>force security mode</tt></i></td><td align="justify"><p>
+ Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913079"></a><i class="parameter"><tt>hide unreadable</tt></i></td><td align="justify"><p>
+ Prevents clients from seeing the existence of files that cannot be read.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913105"></a><i class="parameter"><tt>hide unwriteable files</tt></i></td><td align="justify"><p>
+ Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913133"></a><i class="parameter"><tt>nt acl support</tt></i></td><td align="justify"><p>
+ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
+ </p></td></tr><tr><td align="left"><a class="indexterm" name="id2913160"></a><i class="parameter"><tt>security mask</tt></i></td><td align="justify"><p>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
+ </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913187"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
+ The following are documented because of the prevalence of administrators creating inadvertent barriers to file
+ access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings. See <link linkend="mcoc">.
+ </p><div class="table"><a name="mcoc"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col align="justify"><col align="justify"></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td align="justify"><a class="indexterm" name="id2913282"></a><i class="parameter"><tt>case sensitive</tt></i>, <a class="indexterm" name="id2913296"></a><i class="parameter"><tt>default case</tt></i>, <a class="indexterm" name="id2913310"></a><i class="parameter"><tt>short preserve case</tt></i></td><td align="justify"><p>
+ This means that all file name lookup will be done in a case sensitive manner.
+ Files will be created with the precise file name Samba received from the MS Windows client.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913339"></a><i class="parameter"><tt>csc policy</tt></i></td><td align="justify"><p>
+ Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913365"></a><i class="parameter"><tt>dont descend</tt></i></td><td align="justify"><p>
+ Allows specifying a comma-delimited list of directories that the server should always show as empty.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913392"></a><i class="parameter"><tt>dos filetime resolution</tt></i></td><td align="justify"><p>
+ This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913419"></a><i class="parameter"><tt>dos filetimes</tt></i></td><td align="justify"><p>
+ DOS and Windows allow users to change file time stamps if they can write to the file. POSIX semantics prevent this.
+ This option allows DOS and Windows behavior.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913448"></a><i class="parameter"><tt>fake oplocks</tt></i></td><td align="justify"><p>
+ Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
+ oplock, the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913477"></a><i class="parameter"><tt>hide dot files</tt></i>, <a class="indexterm" name="id2913492"></a><i class="parameter"><tt>hide files</tt></i>, <a class="indexterm" name="id2913505"></a><i class="parameter"><tt>veto files</tt></i></td><td align="justify"><p>
+ Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913532"></a><i class="parameter"><tt>read only</tt></i></td><td align="justify"><p>
+ If this parameter is yes, then users of a service may not create or modify files in the service's directory.
+ </p></td></tr><tr><td align="justify"><a class="indexterm" name="id2913559"></a><i class="parameter"><tt>veto files</tt></i></td><td align="justify"><p>
+ List of files and directories that are neither visible nor accessible.
+ </p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2913585"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2913597"></a>
+ This section deals with how to configure Samba per share access control restrictions.
+ By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
+ can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can
+ connect to a share. In the absence of specific restrictions the default setting is to allow
+ the global user <tt class="constant">Everyone - Full Control</tt> (full control, change and read).
+ </p><p>
+ At this time Samba does not provide a tool for configuring access control setting on the share
+ itself. Samba does have the capacity to store and act on access control settings, but the only
+ way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
+ Computer Management.
+ </p><p>
+ Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
+ The location of this file on your system will depend on how Samba was compiled. The default location
+ for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
+ utility has been compiled and installed on your system, then you can examine the contents of this file
+ by executing: <b class="command">tdbdump share_info.tdb</b> in the directory containing the tdb files.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913670"></a>Share Permissions Management</h3></div></div><div></div></div><p>
+ The best tool for the task is platform dependant. Choose the best tool for your environment.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913682"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
+ The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
+ Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
+ You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft see details below.
+ </p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
+ Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer. From the menu
+ select <span class="guimenu">Computer</span>, then click on <span class="guimenuitem">Shared Directories</span>.
+ </p></li><li><p>
+ Click on the share that you wish to manage, then click the <span class="guilabel">Properties</span> tab. then click
+ the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2913771"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
+ On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
+ tools, usually from File Manager. For example, in Windows 200x, right click on the shared folder,
+ then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
+ Windows NT4/200x permission allows “<span class="quote">Everyone</span>” full control on the share.
+ </p><p>
+ MS Windows 200x and later versions come with a tool called the <span class="application">Computer Management</span> snap-in for the
+ Microsoft Management Console (MMC). This tool is located by clicking on <span class="guimenu">Control Panel ->
+ Administrative Tools -> Computer Management</span>.
+ </p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
+ After launching the MMC with the Computer Management snap-in, click the menu item <span class="guimenuitem">Action</span>,
+ and select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
+ to enter a domain login user identifier and a password. This will authenticate you to the domain.
+ If you are already logged in with administrative privilege, this step is not offered.
+ </p></li><li><p>
+ If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, type in the name of the target
+ Samba server in the field <span class="guilabel">Name:</span>. Now click the on <span class="guibutton">[+]</span> next to
+ <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
+ left panel.
+ </p></li><li><p>
+ In the right panel, double-click on the share on which you wish to set access control permissions.
+ Then click the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
+ to the shared folder. Remember to set what type of access (full control, change, read) you
+ wish to assign for each entry.
+ </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user,
+ effectively no user will be able to access the share. This is a result of what is known as
+ ACL precedence. Everyone with <span class="emphasis"><em>no access</em></span> means that <tt class="constant">MaryK</tt> who is part of the group
+ <tt class="constant">Everyone</tt> will have no access even if she is given explicit full control access.
+ </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2913978"></a>MS Windows Access Control Lists and UNIX Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2913986"></a>Managing UNIX Permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2913998"></a>
+ Windows NT clients can use their native security settings dialog box to view and modify the
+ underlying UNIX permissions.
+ </p><p>
+ This ability is careful not to compromise the security of the UNIX host on which Samba is running, and
+ still obeys all the file permission rules that a Samba administrator can set.
+ </p><p>
+ Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control
+ options provided in Windows are actually ignored.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls.
+ When trying to figure out file access problems, it is vitally important to find the identity of the Windows
+ user as it is presented by Samba at the point of file access. This can best be determined from the
+ Samba log files.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914042"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>
+ From an NT4/2000/XP client, right click on any file or directory in a Samba-mounted drive letter
+ or UNC path. When the menu pops up, click on the <span class="guilabel">Properties</span> entry at the bottom
+ of the menu. This brings up the file <tt class="constant">Properties</tt> dialog box. Click on the
+ <span class="guilabel">Security</span> tab and you will see three buttons: <span class="guibutton">Permissions</span>,
+ <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>. The <span class="guibutton">Auditing</span>
+ button will cause either an error message <span class="errorname">`A requested privilege is not held by the client'</span>
+ to appear if the user is not the NT Administrator, or a dialog which is intended to allow an Administrator
+ to add auditing requirements to a file if the user is logged on as the NT Administrator. This dialog is
+ non-functional with a Samba share at this time, as the only useful button, the <span class="guibutton">Add</span>
+ button, will not currently allow a list of users to be seen.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914124"></a>Viewing File Ownership</h3></div></div><div></div></div><p>
+ Clicking on the <span class="guibutton">Ownership</span> button brings up a dialog box telling you who owns
+ the given file. The owner name will be displayed like this:
+ </p><p>
+ <b class="command">“<span class="quote">SERVER\user (Long name)</span>”</b>
+ </p><p>
+ <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of the Samba server, <i class="replaceable"><tt>user</tt></i>
+ is the user name of the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i> is the
+ descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).
+ Click on the <span class="guibutton">Close </span> button to remove this dialog.
+ </p><p>
+ If the parameter <a class="indexterm" name="id2914189"></a><i class="parameter"><tt>nt acl support</tt></i> is set to <tt class="constant">false</tt>,
+ the file owner will be shown as the NT user <span class="emphasis"><em>Everyone</em></span>.
+ </p><p>
+ The <span class="guibutton">Take Ownership</span> button will not allow you to change the ownership of this file to
+ yourself (clicking it will display a dialog box complaining that the user you are currently logged onto
+ the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged
+ operation in UNIX, available only to the <span class="emphasis"><em>root</em></span> user. As clicking on this button causes
+ NT to attempt to change the ownership of a file to the current user logged into the NT clienti, this will
+ not work with Samba at this time.</p><p>
+ There is an NT <b class="command">chown</b> command that will work with Samba and allow a user with Administrator privilege connected
+ to a Samba server as root to change the ownership of files on both a local NTFS filesystem or remote mounted NTFS
+ or Samba drive. This is available as part of the <span class="application">Seclib</span> NT security library written
+ by Jeremy Allison of the Samba Team, and is available from the main Samba FTP site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914264"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>
+ The third button is the <span class="guibutton">Permissions</span> button. Clicking on this brings up a dialog box
+ that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:
+ </p><p><b class="command"><i class="replaceable"><tt>SERVER</tt></i>\
+ <i class="replaceable"><tt>user</tt></i>
+ <i class="replaceable"><tt>(Long name)</tt></i></b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of the Samba server,
+ <i class="replaceable"><tt>user</tt></i> is the user name of the UNIX user who owns the file, and
+ <i class="replaceable"><tt>(Long name)</tt></i> is the descriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database).</p><p>
+ If the parameter <a class="indexterm" name="id2914328"></a><i class="parameter"><tt>nt acl support</tt></i> is set to <tt class="constant">false</tt>,
+ the file owner will be shown as the NT user <tt class="constant">Everyone</tt> and the permissions will be
+ shown as NT “<span class="quote">Full Control</span>”.
+ </p><p>
+ The permissions field is displayed differently for files and directories, so I'll describe the way file permissions
+ are displayed first.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914362"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and the corresponding <tt class="constant">read, write, execute</tt> permissions
+ triplets are mapped by Samba into a three element NT ACL with the “<span class="quote">r</span>”, “<span class="quote">w</span>” and “<span class="quote">x</span>” bits mapped into the corresponding
+ NT permissions. The UNIX world permissions are mapped into the global NT group <tt class="constant">Everyone</tt>, followed
+ by the list of permissions allowed for UNIX world. The UNIX owner and group permissions are displayed as an NT
+ <span class="guiicon">user</span> icon and an NT <span class="guiicon">local group</span> icon, respectively, followed by the list
+ of permissions allowed for the UNIX user and group.</p><p>Because many UNIX permission sets do not map into common NT names such as <tt class="constant">read</tt>,
+ <tt class="constant">change</tt> or <tt class="constant">full control</tt>, usually the permissions will be prefixed
+ by the words <tt class="constant">Special Access</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed for a particular UNIX user group or world component? In order
+ to allow “<span class="quote">no permissions</span>” to be seen and modified Samba then overloads the NT <tt class="constant">Take Ownership</tt> ACL attribute
+ (which has no meaning in UNIX) and reports a component with no permissions as having the NT <b class="command">O</b> bit set.
+ This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this is
+ given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2914471"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the
+ directory itself, which is usually displayed in the first set of parentheses in the normal <tt class="constant">RW</tt>
+ NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described
+ above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning in the UNIX permissions world and represents the <tt class="constant">
+ inherited</tt> permissions that any file created within this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file
+ created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914515"></a>Modifying File or Directory Permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
+ as changing the displayed permissions in the dialog box, and
+ clicking on <span class="guibutton">OK</span>. However, there are
+ limitations that a user needs to be aware of, and also interactions
+ with the standard Samba permission masks and mapping of DOS
+ attributes that need to also be taken into account.</p><p>If the parameter <a class="indexterm" name="id2914543"></a><i class="parameter"><tt>nt acl support</tt></i>
+ is set to <tt class="constant">false</tt>, any attempt to set
+ security permissions will fail with an <span class="errorname">`Access Denied'
+ </span> message.</p><p>The first thing to note is that the <span class="guibutton">Add</span>
+ button will not return a list of users in Samba (it will give
+ an error message saying <span class="errorname">`The remote procedure call failed
+ and did not execute'</span>). This means that you can only
+ manipulate the current user/group/world permissions listed in
+ the dialog box. This actually works quite well as these are the
+ only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
+ is removed from the list of permissions in the NT dialog box,
+ then when the <span class="guibutton">OK</span> button is pressed it will
+ be applied as “<span class="quote">no permissions</span>” on the UNIX side. If you then
+ view the permissions again, the “<span class="quote">no permissions</span>” entry will appear
+ as the NT <b class="command">O</b> flag, as described above. This
+ allows you to add permissions back to a file or directory once
+ you have removed them from a triplet component.</p><p>As UNIX supports only the “<span class="quote">r</span>”, “<span class="quote">w</span>” and “<span class="quote">x</span>” bits of
+ an NT ACL, if other NT security attributes such as <tt class="constant">Delete Access</tt> are
+ selected they will be ignored when applied on the Samba server.</p><p>When setting permissions on a directory, the second
+ set of permissions (in the second set of parentheses) is
+ by default applied to all files within that directory. If this
+ is not what you want, you must uncheck the <span class="guilabel">Replace
+ permissions on existing files</span> checkbox in the NT
+ dialog before clicking on <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
+ user/group/world component, you may either highlight the
+ component and click on the <span class="guibutton">Remove</span> button,
+ or set the component to only have the special <tt class="constant">Take
+ Ownership</tt> permission (displayed as <b class="command">O
+ </b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2914698"></a>Interaction with the Standard Samba “<span class="quote">create mask</span>” Parameters</h3></div></div><div></div></div><p>There are four parameters that control interaction with the standard Samba <i class="parameter"><tt>create mask</tt></i> parameters.
+ These are:
+
+ </p><div class="itemizedlist"><ul type="disc"><li><a class="indexterm" name="id2914726"></a><i class="parameter"><tt>security mask</tt></i></li><li><a class="indexterm" name="id2914742"></a><i class="parameter"><tt>force security mode</tt></i></li><li><a class="indexterm" name="id2914757"></a><i class="parameter"><tt>directory security mask</tt></i></li><li><a class="indexterm" name="id2914773"></a><i class="parameter"><tt>force directory security mode</tt></i></li></ul></div><p>
+
+ </p><p>Once a user clicks on <span class="guibutton">OK</span> to apply the
+ permissions, Samba maps the given permissions into a user/group/world
+ r/w/x triplet set, and then checks the changed permissions for a
+ file against the bits set in the
+ <a class="indexterm" name="id2914803"></a><i class="parameter"><tt>security mask</tt></i> parameter. Any bits that
+ were changed that are not set to “<span class="quote">1</span>” in this parameter are left alone
+ in the file permissions.</p><p>Essentially, zero bits in the <a class="indexterm" name="id2914828"></a><i class="parameter"><tt>security mask</tt></i>
+ may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
+ allowed to change, and one bits are those the user is allowed to change.
+ </p><p>If not explicitly set, this parameter defaults to the same value as
+ the <a class="indexterm" name="id2914853"></a><i class="parameter"><tt>create mask</tt></i> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter to 0777.
+ </p><p>Next Samba checks the changed permissions for a file against the bits set in the
+ <a class="indexterm" name="id2914875"></a><i class="parameter"><tt>force security mode</tt></i> parameter. Any bits
+ that were changed that correspond to bits set to “<span class="quote">1</span>” in this parameter
+ are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode</tt></i> parameter
+ may be treated as a set of bits that, when modifying security on a file, the user has always set to be “<span class="quote">on</span>”.</p><p>If not explicitly set, this parameter defaults to the same value
+ as the <a class="indexterm" name="id2914918"></a><i class="parameter"><tt>force create mode</tt></i> parameter.
+ To allow a user to modify all the user/group/world permissions on a file
+ with no restrictions set this parameter to 000. The
+ <a class="indexterm" name="id2914935"></a><i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
+ security mode</tt></i> parameters are applied to the change
+ request in that order.</p><p>For a directory, Samba will perform the same operations as
+ described above for a file except it uses the parameter <i class="parameter"><tt>
+ directory security mask</tt></i> instead of <i class="parameter"><tt>security
+ mask</tt></i>, and <i class="parameter"><tt>force directory security mode
+ </tt></i> parameter instead of <i class="parameter"><tt>force security mode
+ </tt></i>.</p><p>The <a class="indexterm" name="id2914996"></a><i class="parameter"><tt>directory security mask</tt></i> parameter
+ by default is set to the same value as the <i class="parameter"><tt>directory mask
+ </tt></i> parameter and the <i class="parameter"><tt>force directory security
+ mode</tt></i> parameter by default is set to the same value as
+ the <a class="indexterm" name="id2915027"></a><i class="parameter"><tt>force directory mode</tt></i> parameter.
+ In this way Samba enforces the permission restrictions that
+ an administrator can set on a Samba share, while still allowing users
+ to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
+ in modifying the permission bits on their files and directories and
+ does not force any particular bits to be set “<span class="quote">on</span>”, then set the following
+ parameters in the <tt class="filename">smb.conf</tt> file in that share-specific section:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915106"></a>Interaction with the Standard Samba File Attribute Mapping</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Samba maps some of the DOS attribute bits (such as “<span class="quote">read
+ only</span>”) into the UNIX permissions of a file. This means there can
+ be a conflict between the permission bits set via the security
+ dialog and the permission bits set by the file attribute mapping.
+ </p></div><p>If a file has no UNIX read access for the owner, it will show up
+ as “<span class="quote">read only</span>” in the standard file attributes tabbed dialog.
+ Unfortunately, this dialog is the same one that contains the security information
+ in another tab.</p><p>What this can mean is that if the owner changes the permissions
+ to allow himself read access using the security dialog, clicks on
+ <span class="guibutton">OK</span> to get back to the standard attributes tab
+ dialog, and clicks on <span class="guibutton">OK</span> on that dialog, then
+ NT will set the file permissions back to read-only (as that is what
+ the attributes still say in the dialog). This means that after setting
+ permissions and clicking on <span class="guibutton">OK</span> to get back to the
+ attributes dialog, you should always press <span class="guibutton">Cancel</span>
+ rather than <span class="guibutton">OK</span> to ensure that your changes
+ are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2915195"></a>Common Errors</h2></div></div><div></div></div><p>
+File, directory and share access problems are common on the mailing list. The following
+are examples taken from the mailing list in recent times.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915209"></a>Users Cannot Write to a Public Share</h3></div></div><div></div></div><p>
+ “<span class="quote">
+ We are facing some troubles with file/directory permissions. I can log on the domain as admin user(root),
+ and there's a public share on which everyone needs to have permission to create/modify files, but only
+ root can change the file, no one else can. We need to constantly go to the server to
+ <b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
+ </span>”
+ </p><p>
+ There are many ways to solve this problem and here are a few hints:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Go to the top of the directory that is shared.
+ </p></li><li><p>
+ Set the ownership to what ever public owner and group you want
+</p><pre class="screen">
+<tt class="prompt">$ </tt>find 'directory_name' -type d -exec chown user.group {}\;
+<tt class="prompt">$ </tt>find 'directory_name' -type d -exec chmod 6775 'directory_name'
+<tt class="prompt">$ </tt>find 'directory_name' -type f -exec chmod 0775 {} \;
+<tt class="prompt">$ </tt>find 'directory_name' -type f -exec chown user.group {}\;
+</pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The above will set the <tt class="constant">sticky bit</tt> on all directories. Read your
+ UNIX/Linux man page on what that does. It causes the OS to assign
+ to all files created in the directories the ownership of the
+ directory.
+ </p></div></li><li><p>
+
+ Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
+</pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ </p><p>This is the same as doing:</p><p>
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
+</pre><p>
+ </p></div></li><li><p>Now type:
+
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
+</pre><p>
+
+ </p><p>You should see:
+</p><pre class="screen">
+drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
+</pre><p>
+ </p></li><li><p>Now type:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
+</pre><p>
+ </p><p>
+ You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
+ and permissions of Jack, as follows:
+</p><pre class="screen">
+-rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
+</pre><p>
+ </p></li><li><p>
+ Now in your <tt class="filename">smb.conf</tt> for the share add:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force create mode = 0775</tt></i></td></tr><tr><td><i class="parameter"><tt>force direcrtory mode = 6775</tt></i></td></tr></table><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ These procedures are needed only if your users are not members of the group
+ you have used. That is if within the OS do not have write permission on the directory.
+ </p></div><p>
+ An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force user = jack</tt></i></td></tr><tr><td><i class="parameter"><tt>force group = engr</tt></i></td></tr></table><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915635"></a>File Operations Done as <span class="emphasis"><em>root</em></span> with <span class="emphasis"><em>force user</em></span> Set</h3></div></div><div></div></div><p>
+ When you have a user in <a class="indexterm" name="id2915654"></a><i class="parameter"><tt>admin users</tt></i>, Samba will always do file operations for
+ this user as <span class="emphasis"><em>root</em></span>, even if <a class="indexterm" name="id2915674"></a><i class="parameter"><tt>force user</tt></i> has been set.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2915690"></a>MS Word with Samba Changes Owner of File</h3></div></div><div></div></div><p>
+ <span class="emphasis"><em>Question:</em></span> “<span class="quote">When user B saves a word document that is owned by user A the updated file is now owned by user B.
+ Why is Samba doing this? How do I fix this?</span>”
+ </p><p>
+ <span class="emphasis"><em>Answer:</em></span> Word does the following when you modify/change a Word document: MS Word creates a NEW document with
+ a temporary name, Word then closes the old document and deletes it, Word then renames the new document to the original document name.
+ There is no mechanism by which Samba can in any way know that the new document really should be owned by the owners
+ of the original file. Samba has no way of knowing that the file will be renamed by MS Word. As far as Samba is able
+ to tell, the file that gets created is a NEW file, not one that the application (Word) is updating.
+ </p><p>
+ There is a work-around to solve the permissions problem. That work-around involves understanding how you can manage file
+ system behavior from within the <tt class="filename">smb.conf</tt> file, as well as understanding how UNIX file systems work. Set on the directory
+ in which you are changing Word documents: <b class="command">chmod g+s `directory_name'</b> This ensures that all files will
+ be created with the group that owns the directory. In <tt class="filename">smb.conf</tt> share declaration section set:
+ </p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>force create mode = 0660</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory mode = 0770</tt></i></td></tr></table><p>
+ </p><p>
+ These two settings will ensure that all directories and files that get created in the share will be read/writable by the
+ owner and group set on the directory itself.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Group Mapping MS Windows and UNIX </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Winbind: Use of Domain Accounts"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2952277">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952449">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952467">Remote Management from NoMachine.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2952700">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952929">Adding Printers without User Intervention</a></dt></dl></dd></dl></div><p>
+This section documents peripheral issues that are of great importance to network
+administrators who want to improve network resource access control, to automate the user
+environment and to make their lives a little easier.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2952277"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Often the difference between a working network environment and a well appreciated one can
+best be measured by the <span class="emphasis"><em>little things</em></span> that make everything work more
+harmoniously. A key part of every network environment solution is the
+ability to remotely
+manage MS Windows workstations, remotely access the Samba server, provide customized
+logon scripts, as well as other housekeeping activities that help to sustain more reliable
+network operations.
+</p><p>
+This chapter presents information on each of these areas. They are placed here, and not in
+other chapters, for ease of reference.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2952308"></a>Remote Server Administration</h2></div></div><div></div></div><p>“<span class="quote">How do I get `User Manager' and `Server Manager'?</span>”</p><p>
+<a class="indexterm" name="id2952326"></a>
+<a class="indexterm" name="id2952334"></a>
+<a class="indexterm" name="id2952343"></a>
+Since I do not need to buy an <span class="application">NT4 Server</span>, how do I get the `User Manager for Domains'
+and the `Server Manager'?
+</p><p>
+<a class="indexterm" name="id2952364"></a>
+Microsoft distributes a version of these tools called <tt class="filename">Nexus.exe</tt> for installation
+on <span class="application">Windows 9x/Me</span> systems. The tools set includes:
+</p><div class="itemizedlist"><ul type="disc"><li>Server Manager</li><li>User Manager for Domains</li><li>Event Viewer</li></ul></div><p>
+Download the archived file at <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE.</ulink>
+</p><p>
+<a class="indexterm" name="id2952422"></a>
+The <span class="application">Windows NT 4.0</span> version of the `User Manager for
+Domains' and `Server Manager' are available from Microsoft <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2952449"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
+There are a number of possible remote desktop management solutions that range from free
+through costly. Do not let that put you off. Sometimes the most costly solution is the
+most cost effective. In any case, you will need to draw your own conclusions as to which
+is the best tool in your network environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2952467"></a>Remote Management from NoMachine.Com</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2952479"></a>
+ The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
+ It is presented in slightly edited form (with author details omitted for privacy reasons).
+ The entire answer is reproduced below with some comments removed.
+ </p><p>“<span class="quote">
+ I have a wonderful Linux/Samba server running as pdc for a network. Now I would like to add remote
+ desktop capabilities so users outside could login to the system and get their desktop up from home or
+ another country.
+ </span>”</p><p>“<span class="quote">
+ Is there a way to accomplish this? Do I need a Windows Terminal Server? Do I need to configure it so
+ it is a member of the domain or a BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
+ even if the computer is in a domain?
+ </span>”</p><p>
+ Answer provided: Check out the new offer from NoMachine, “<span class="quote">NX</span>” software:
+ <ulink url="http://www.nomachine.com/">http://www.nomachine.com/</ulink>.
+ </p><p>
+ It implements an easy-to-use interface to the Remote X protocol as
+ well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
+ performance much better than anything you may have ever seen.
+ </p><p>
+ Remote X is not new at all, but what they did achieve successfully is
+ a new way of compression and caching technologies that makes the thing
+ fast enough to run even over slow modem/ISDN connections.
+ </p><p>
+ I could test drive their (public) Red Hat machine in Italy, over a loaded
+ Internet connection, with enabled thumbnail previews in KDE konqueror
+ which popped up immediately on “<span class="quote">mouse-over</span>”. From inside that (remote X)
+ session I started a rdesktop session on another, a Windows XP machine.
+ To test the performance, I played Pinball. I am proud to announce
+ that my score was 631750 points at first try.
+ </p><p>
+ NX performs better on my local LAN than any of the other “<span class="quote">pure</span>”
+ connection methods I am using from time to time: TightVNC, rdesktop or
+ Remote X. It is even faster than a direct crosslink connection between
+ two nodes.
+ </p><p>
+ I even got sound playing from the Remote X app to my local boxes, and
+ had a working “<span class="quote">copy'n'paste</span>” from an NX window (running a KDE session
+ in Italy) to my Mozilla mailing agent. These guys are certainly doing
+ something right!
+ </p><p>
+ I recommend to test drive NX to anybody with a only a passing interest in remote computing
+ <ulink url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
+ </p><p>
+ Just download the free of charge client software (available for Red Hat,
+ SuSE, Debian and Windows) and be up and running within five minutes (they
+ need to send you your account data, though, because you are assigned
+ a real UNIX account on their testdrive.nomachine.com box.
+ </p><p>
+ They plan to get to the point were you can have NX application servers
+ running as a cluster of nodes, and users simply start an NX session locally,
+ and can select applications to run transparently (apps may even run on
+ another NX node, but pretend to be on the same as used for initial login,
+ because it displays in the same window. You also can run it
+ fullscreen, and after a short time you forget that it is a remote session
+ at all).
+ </p><p>
+ Now the best thing for last: All the core compression and caching
+ technologies are released under the GPL and available as source code
+ to anybody who wants to build on it! These technologies are working,
+ albeit started from the command line only (and very inconvenient to
+ use in order to get a fully running remote X session up and running.)
+ </p><p>
+ To answer your questions:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ You do not need to install a terminal server; XP has RDP support built in.
+ </p></li><li><p>
+ NX is much cheaper than Citrix and comparable in performance, probably faster.
+ </p></li><li><p>
+ You do not need to hack XP it just works.
+ </p></li><li><p>
+ You log into the XP box from remote transparently (and I think there is no
+ need to change anything to get a connection, even if authentication is against a domain).
+ </p></li><li><p>
+ The NX core technologies are all Open Source and released under the GPL
+ you can now use a (very inconvenient) commandline at no cost,
+ but you can buy a comfortable (proprietary) NX GUI frontend for money.
+ </p></li><li><p>
+ NoMachine are encouraging and offering help to OSS/Free Software implementations
+ for such a frontend too, even if it means competition to them (they have written
+ to this effect even to the LTSP, KDE and GNOME developer mailing lists).
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2952700"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
+There are several opportunities for creating a custom network startup configuration environment.
+</p><div class="itemizedlist"><ul type="disc"><li>No Logon Script.</li><li>Simple universal Logon Script that applies to all users.</li><li>Use of a conditional Logon Script that applies per user or per group attributes.</li><li>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
+ a custom logon script and then execute it.</li><li>User of a tool such as KixStart.</li></ul></div><p>
+The Samba source code tree includes two logon script generation/execution tools.
+See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
+<tt class="filename">ntlogon</tt> subdirectories.
+</p><p>
+The following listings are from the genlogon directory.
+</p><p>
+<a class="indexterm" name="id2952778"></a>
+This is the <tt class="filename">genlogon.pl</tt> file:
+
+</p><pre class="programlisting">
+ #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from
+ # smb.conf with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standard's Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec";
+ print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+</pre><p>
+</p><p>
+Those wishing to use more elaborate or capable logon processing system should check out these sites:
+</p><div class="itemizedlist"><ul type="disc"><li><ulink url="http://www.craigelachi.e.org/rhacer/ntlogon">http://www.craigelachi.e.org/rhacer/ntlogon</ulink></li><li><ulink url="http://www.kixtart.org">http://www.kixtart.org</ulink></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2952929"></a>Adding Printers without User Intervention</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2952940"></a>
+Printers may be added automatically during logon script processing through the use of:
+
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /?</tt></b>
+</pre><p>
+
+See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft knowledgebase article 189105.</ulink>
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Winbind: Use of Domain Accounts </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to Compile Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="compiling.html">How to Compile Samba</a></dt><dd><dl><dt><a href="compiling.html#id2972995">Access Samba Source Code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id2973003">Introduction</a></dt><dt><a href="compiling.html#id2973049">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id2973311">Accessing the Samba Sources via rsync and ftp</a></dt><dt><a href="compiling.html#id2973389">Verifying Samba's PGP Signature</a></dt><dt><a href="compiling.html#id2973553">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id2973768">Compiling Samba with Active Directory Support</a></dt></dl></dd><dt><a href="compiling.html#id2973958">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id2974312">Alternative: Starting smbd as a Daemon</a></dt></dl></dd></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id2974513">HPUX</a></dt><dt><a href="Portability.html#id2974600">SCO UNIX</a></dt><dt><a href="Portability.html#id2974655">DNIX</a></dt><dt><a href="Portability.html#id2974825">Red Hat Linux</a></dt><dt><a href="Portability.html#id2974869">AIX</a></dt><dd><dl><dt><a href="Portability.html#id2974876">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id2974902">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id2974909">Locking Improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and Other CIFS Clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975129">Macintosh Clients</a></dt><dt><a href="Other-Clients.html#id2975206">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975213">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></dt><dt><a href="Other-Clients.html#id2975348">Configuring Other Versions of OS/2</a></dt><dt><a href="Other-Clients.html#id2975411">Printer Driver Download for OS/2 Clients</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975516">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975524">Latest TCP/IP Stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id2975610">Delete .pwl Files After Password Change</a></dt><dt><a href="Other-Clients.html#id2975641">Configuring Windows for Workgroups Password Handling</a></dt><dt><a href="Other-Clients.html#id2975701">Password Case Sensitivity</a></dt><dt><a href="Other-Clients.html#id2975739">Use TCP/IP as Default Protocol</a></dt><dt><a href="Other-Clients.html#id2975757">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975803">Windows 95/98</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975876">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975901">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id2976103">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id2976235">Comparisons</a></dt><dt><a href="speed.html#id2976281">Socket Options</a></dt><dt><a href="speed.html#id2976372">Read Size</a></dt><dt><a href="speed.html#id2976422">Max Xmit</a></dt><dt><a href="speed.html#id2976477">Log Level</a></dt><dt><a href="speed.html#id2976507">Read Raw</a></dt><dt><a href="speed.html#id2976592">Write Raw</a></dt><dt><a href="speed.html#id2976655">Slow Logins</a></dt><dt><a href="speed.html#id2976683">Client Tuning</a></dt><dt><a href="speed.html#id2976707">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt><a href="speed.html#id2976766">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id2976885">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id2976952">Websites</a></dt><dt><a href="Further-Resources.html#id2977349">Related updates from Microsoft</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to Compile Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id2963903">Note</a></dt><dt><a href="Backup.html#id2963917">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963903"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963917"></a>Features and Benefits</h2></div></div><div></div></div><p>
+We need feedback from people who are backing up samba servers.
+We would like to know what software tools you are using to backup
+your samba server/s.
+</p><p>
+In particular, if you have any success and / or failure stories you could
+share with other users this would be appreciated.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. CUPS Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="printing.html" title="Chapter 18. Classical Printing Support"><link rel="next" href="VFS.html" title="Chapter 20. Stackable VFS modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. CUPS Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 19. CUPS Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname">Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawings</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> (3 June 2003) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="CUPS-printing.html#id2931072">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931079">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2931130">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2931182">Basic CUPS Support Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2931526">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932089">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2932110">Central Spooling vs. Peer-to-Peer Printing</a></dt><dt><a href="CUPS-printing.html#id2932163">Raw Print Serving Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2932223">Installation of Windows Client Drivers</a></dt><dt><a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt><a href="CUPS-printing.html#id2932552">Driver Upload Methods</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932699">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2933354">Ghostscript the Software RIP for Non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2933497">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2933573">Using Windows-Formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2933679">CUPS Also Uses PPDs for Non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2934287">Filtering Overview</a></dt><dt><a href="CUPS-printing.html#id2934481">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2934591">pstops</a></dt><dt><a href="CUPS-printing.html#id2934715">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2934912">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2934991">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2935143">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a></dt><dt><a href="CUPS-printing.html#id2935673">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2935688">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2935752">Raw Printing</a></dt><dt><a href="CUPS-printing.html#id2935861">application/octet-stream Printing</a></dt><dt><a href="CUPS-printing.html#id2936129">PostScript Printer Descriptions (PPDs) for Non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a></dt><dt><a href="CUPS-printing.html#id2936743">Examples for Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2937128">Sources of CUPS Drivers/PPDs</a></dt><dt><a href="CUPS-printing.html#id2937265">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937358">Network Printing (Purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937377">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2937434">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937618">Network Printing (Windows Clients UNIX/Samba Print
+Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2937834">Samba Receiving Jobfiles and Passing Them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937924">Network PostScript RIP</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938025">PPDs for Non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2938085">PPDs for Non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938166">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938184">Printer Drivers Running in Kernel Mode Cause Many
+Problems</a></dt><dt><a href="CUPS-printing.html#id2938229">Workarounds Impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2938250">CUPS: A Magical Stone?</a></dt><dt><a href="CUPS-printing.html#id2938313">PostScript Drivers with No Major Problems Even in Kernel
+Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938378">Configuring CUPS for Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938397">cupsaddsmb: The Unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2938514">Prepare Your smb.conf for cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939044">Recognizing Different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939174">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939204">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939274">Caveats to be Considered</a></dt><dt><a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt><a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a></dt><dt><a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2940352">How to Recognize If cupsaddsmb Completed Successfully</a></dt><dt><a href="CUPS-printing.html#id2940450">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2940538">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2940801">Avoiding Critical PostScript Driver Settings on the Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2941083">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941229">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941358">Producing an Example by Querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a></dt><dt><a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt><a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943322">Trivial Database Files</a></dt><dt><a href="CUPS-printing.html#id2943400">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2943470">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2943528">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943860">foomatic-rip and Foomatic Explained</a></dt><dt><a href="CUPS-printing.html#id2944657">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945207">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2945248">Setting Up Quotas</a></dt><dt><a href="CUPS-printing.html#id2945318">Correct and Incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2945366">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2945495">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2945665">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2945745">Future Developments</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945799">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2946030">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946094">CUPS Configuration Settings Explained</a></dt><dt><a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt><a href="CUPS-printing.html#id2946367">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2946425">Printing from CUPS to Windows Attached Printers</a></dt><dt><a href="CUPS-printing.html#id2946721">More CUPS-Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2946814">Common Errors</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946820">Windows 9x/ME Client Can't Install Driver</a></dt><dt><a href="CUPS-printing.html#id2946839">cupsaddsmb Keeps Asking for Root Password in Never-ending Loop</a></dt><dt><a href="CUPS-printing.html#id2946889">cupsaddsmb Errors</a></dt><dt><a href="CUPS-printing.html#id2946973">Client Can't Connect to Samba Printer</a></dt><dt><a href="CUPS-printing.html#id2947002">New Account Reconnection from Windows 200x/XP Troubles</a></dt><dt><a href="CUPS-printing.html#id2947106">Avoid Being Connected to the Samba Server as the Wrong User</a></dt><dt><a href="CUPS-printing.html#id2947158">Upgrading to CUPS Drivers from Adobe Drivers</a></dt><dt><a href="CUPS-printing.html#id2947200">Can't Use cupsaddsmb on Samba Server Which Is a PDC</a></dt><dt><a href="CUPS-printing.html#id2947239">Deleted Windows 200x Printer Driver Is Still Shown</a></dt><dt><a href="CUPS-printing.html#id2947278">Windows 200x/XP "Local Security Policies"</a></dt><dt><a href="CUPS-printing.html#id2947293">Administrator Cannot Install Printers for All Local Users</a></dt><dt><a href="CUPS-printing.html#id2947323">Print Change Notify Functions on NT-clients</a></dt><dt><a href="CUPS-printing.html#id2947350">WinXP-SP1</a></dt><dt><a href="CUPS-printing.html#id2947402">Print Options for All Users Can't Be Set on Windows 200x/XP</a></dt><dt><a href="CUPS-printing.html#id2947717">Most Common Blunders in Driver Settings on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2947779">cupsaddsmb Does Not Work with Newly Installed Printer</a></dt><dt><a href="CUPS-printing.html#id2947835">Permissions on /var/spool/samba/ Get Reset After Each Reboot</a></dt><dt><a href="CUPS-printing.html#id2947951">Print Queue Called lp Mis-handles Print Jobs</a></dt><dt><a href="CUPS-printing.html#id2948008">Location of Adobe PostScript Driver Files for cupsaddsmb</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2948065">Overview of the CUPS Printing Processes</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931072"></a>Introduction</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931079"></a>Features and Benefits</h3></div></div><div></div></div><p>
+ The Common UNIX Print System (<ulink url="http://www.cups.org/">CUPS</ulink>)
+ has become quite popular. All major Linux distributions now ship it as their default printing
+ system. To many, it is still a mystical tool. Mostly, it just works.
+ People tend to regard it as a “<span class="quote">black box</span>”
+ that they do not want to look into as long as it works. But once
+ there is a little problem, they are in trouble to find out where to
+ start debugging it. Refer to the chapter “<span class="quote">Classical Printing</span>” that
+ contains a lot of information that is relevant for CUPS.
+ </p><p>
+ CUPS sports quite a few unique and powerful features. While their
+ basic functions may be grasped quite easily, they are also
+ new. Because they are different from other, more traditional printing
+ systems, it is best not to try and apply any prior knowledge about
+ printing to this new system. Rather, try to understand CUPS
+ from the beginning. This documentation will lead you to a
+ complete understanding of CUPS. Let's start with the most basic
+ things first.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931130"></a>Overview</h3></div></div><div></div></div><p>
+ CUPS is more than just a print spooling system. It is a complete
+ printer management system that complies with the new
+ Internet Printing Protocol (IPP). IPP is an industry
+ and Internet Engineering Task Force (IETF)
+ standard for network printing. Many of its functions can be managed
+ remotely (or locally) via a Web browser (giving you a
+ platform-independent access to the CUPS print server). Additionally, it
+ has the traditional command line and several more modern GUI interfaces
+ (GUI interfaces developed by third parties, like KDE's
+ overwhelming <ulink url="http://printing.kde.org/">KDEPrint</ulink>).
+ </p><p>
+ CUPS allows creation of “<span class="quote">raw</span>” printers (i.e., no print file
+ format translation) as well as “<span class="quote">smart</span>” printers (i.e., CUPS does
+ file format conversion as required for the printer). In many ways
+ this gives CUPS similar capabilities to the MS Windows print
+ monitoring system. Of course, if you are a CUPS advocate, you would
+ argue that CUPS is better! In any case, let us now move on to
+ explore how one may configure CUPS for interfacing with MS Windows
+ print clients via Samba.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2931182"></a>Basic CUPS Support Configuration</h2></div></div><div></div></div><p>
+ Printing with CUPS in the most basic <tt class="filename">smb.conf</tt> setup in Samba-3.0 (as was true for 2.2.x) only needs two
+ settings: <a class="indexterm" name="id2931202"></a><i class="parameter"><tt>printing</tt></i> = cups and
+ <a class="indexterm" name="id2931216"></a><i class="parameter"><tt>printcap</tt></i> = cups. CUPS does not need a printcap file.
+ However, the <tt class="filename">cupsd.conf</tt> configuration file knows of two related directives that control
+ how such a file will be automatically created and maintained by CUPS for the convenience of third-party
+ applications (example: <i class="parameter"><tt>Printcap /etc/printcap</tt></i> and <i class="parameter"><tt>PrintcapFormat BSD</tt></i>).
+ Legacy programs often require the existence of a printcap file containing printer names or they will refuse to
+ print. Make sure CUPS is set to generate and maintain a printcap file. For details, see
+ <b class="command">man cupsd.conf</b> and other CUPS-related documentation, like the wealth of documents on your CUPS server
+ itself: <ulink url="http://localhost:631/documentation.html">http://localhost:631/documentation.html</ulink>.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931276"></a>Linking smbd with libcups.so</h3></div></div><div></div></div><p>
+ Samba has a special relationship to CUPS. Samba can be compiled with CUPS library support.
+ Most recent installations have this support enabled. Per default, CUPS linking is compiled
+ into smbd and other Samba binaries. Of course, you can use CUPS even
+ if Samba is not linked against <tt class="filename">libcups.so</tt> but
+ there are some differences in required or supported configuration.
+ </p><p>
+ When Samba is compiled against <tt class="filename">libcups</tt>, <a class="indexterm" name="id2931315"></a><i class="parameter"><tt>printcap</tt></i> = cups
+ uses the CUPS API to list printers, submit jobs, query queues, and so on. Otherwise it maps to the System V
+ commands with an additional <b class="command">-oraw</b> option for printing. On a Linux
+ system, you can use the <b class="command">ldd</b> utility to find out details (ldd may not be present on
+ other OS platforms, or its function may be embodied by a different command):
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ldd `which smbd`</tt></b>
+libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000)
+libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
+libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
+[....]
+</pre><p>
+ The line <tt class="computeroutput">libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)</tt> shows
+ there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups
+ is set, then <span class="emphasis"><em>any otherwise manually set print command in <tt class="filename">smb.conf</tt> is ignored</em></span>.
+ This is an important point to remember!
+ </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should it be necessary, for any reason, to set your own print commands, you can do this by setting
+ <a class="indexterm" name="id2931409"></a><i class="parameter"><tt>printing</tt></i> = sysv. However, you will loose all the benefits
+ of tight CUPS/Samba integration. When you do this you must manually configure the printing system commands
+ (most important:
+ <a class="indexterm" name="id2931426"></a><i class="parameter"><tt>print command</tt></i>; other commands are
+ <a class="indexterm" name="id2931440"></a><i class="parameter"><tt>lppause command</tt></i>,
+ <a class="indexterm" name="id2931454"></a><i class="parameter"><tt>lpresume command</tt></i>,
+ <a class="indexterm" name="id2931468"></a><i class="parameter"><tt>lpq command</tt></i>,
+ <a class="indexterm" name="id2931482"></a><i class="parameter"><tt>lprm command</tt></i>,
+ <a class="indexterm" name="id2931496"></a><i class="parameter"><tt>queuepause command</tt></i> and
+ <a class="indexterm" name="id2931510"></a><i class="parameter"><tt>queue resume command</tt></i>).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931526"></a>Simple <tt class="filename">smb.conf</tt> Settings for CUPS</h3></div></div><div></div></div><p>
+ To summarize, <link linkend="cups-exam-simple"> shows simplest printing-related setup for <tt class="filename">smb.conf</tt> to enable basic CUPS support:
+ </p><div class="example"><a name="cups-exam-simple"></a><p class="title"><b>Example 19.1. Simplest printing-related smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root, @ntadmins</tt></i></td></tr></table></div><p>
+ This is all you need for basic printing setup for CUPS. It will print
+ all graphic, text, PDF, and PostScript files submitted from Windows
+ clients. However, most of your Windows users would not know how to
+ send these kinds of files to print without opening a GUI
+ application. Windows clients tend to have local printer drivers
+ installed, and the GUI application's print buttons start a printer
+ driver. Your users also rarely send files from the command
+ line. Unlike UNIX clients, they hardly submit graphic, text or PDF
+ formatted files directly to the spooler. They nearly exclusively print
+ from GUI applications with a “<span class="quote">printer driver</span>” hooked in between the
+ application's native format and the print-data-stream. If the backend
+ printer is not a PostScript device, the print data stream is “<span class="quote">binary,</span>”
+ sensible only for the target printer. Read on to learn which problem
+ this may cause and how to avoid it.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2931722"></a>More Complex CUPS <tt class="filename">smb.conf</tt> Settings</h3></div></div><div></div></div><p>
+ <link linkend="overridesettings"> is a slightly more complex printing-related setup
+ for <tt class="filename">smb.conf</tt>. It enables general CUPS printing
+ support for all printers, but defines one printer share, which is set
+ up differently.
+ </p><div class="example"><a name="overridesettings"></a><p class="title"><b>Example 19.2. Overriding global CUPS settings for one printer</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root, @ntadmins</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[special_printer]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = A special printer with his own settings</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba-special</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = sysv</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap = lpstat</tt></i></td></tr><tr><td><i class="parameter"><tt>print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; \</tt></i></td></tr><tr><td><i class="parameter"><tt>echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; \</tt></i></td></tr><tr><td><i class="parameter"><tt>echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log : rm %f</tt></i></td></tr><tr><td><i class="parameter"><tt>public = no</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = kurt</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60</tt></i></td></tr></table></div><p>
+ This special share is only there for testing purposes. It does not write the print job to a file. It just logs the job parameters
+ known to Samba into the <tt class="filename">/tmp/smbprn.log</tt> file and deletes the jobfile. Moreover, the
+ <a class="indexterm" name="id2932031"></a><i class="parameter"><tt>printer admin</tt></i> of this share is “<span class="quote">kurt</span>” (not the “<span class="quote">@ntadmins</span>” group),
+ guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it only
+ allows access from only three hosts. To prevent CUPS kicking in and taking over the print jobs for that share, we need to set
+ <a class="indexterm" name="id2932058"></a><i class="parameter"><tt>printing</tt></i> = sysv and
+ <a class="indexterm" name="id2932072"></a><i class="parameter"><tt>printcap</tt></i> = lpstat.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932089"></a>Advanced Configuration</h2></div></div><div></div></div><p>
+ Before we delve into all the configuration options, let us clarify a few
+ points. <span class="emphasis"><em>Network printing needs to be organized and setup
+ correctly</em></span>. This frequently doesn't happen. Legacy systems
+ or small business LAN environments often lack design and good housekeeping.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932110"></a>Central Spooling vs. “<span class="quote">Peer-to-Peer</span>” Printing</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2932125"></a>
+<a class="indexterm" name="id2932136"></a>
+ Many small office or home networks, as well as badly organized larger
+ environments, allow each client a direct access to available network
+ printers. This is generally a bad idea. It often blocks one client's
+ access to the printer when another client's job is printing. It might
+ freeze the first client's application while it is waiting to get
+ rid of the job. Also, there are frequent complaints about various jobs
+ being printed with their pages mixed with each other. A better concept
+ is the usage of a print server: it routes all jobs through one
+ central system, which responds immediately, takes jobs from multiple
+ concurrent clients at the same time, and in turn transfers them to the
+ printer(s) in the correct order.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932163"></a>Raw Print Serving Vendor Drivers on Windows Clients</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2932178"></a>
+ <a class="indexterm" name="id2932186"></a>
+ Most traditionally configured UNIX print servers acting on behalf of
+ Samba's Windows clients represented a really simple setup. Their only
+ task was to manage the “<span class="quote">raw</span>” spooling of all jobs handed to them by
+ Samba. This approach meant that the Windows clients were expected to
+ prepare the print job file that its ready to be sent to the printing
+ device. Here is a native (vendor-supplied) Windows printer
+ driver for the target device needed to be installed on each and every
+ client.
+ </p><p>
+ It is possible to configure CUPS, Samba and your Windows clients in the
+ same traditional and simple way. When CUPS printers are configured
+ for RAW print-through mode operation, it is the responsibility of the
+ Samba client to fully render the print job (file). The file must be
+ sent in a format that is suitable for direct delivery to the
+ printer. Clients need to run the vendor-provided drivers to do
+ this. In this case, CUPS will not do any print file format conversion
+ work.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932223"></a>Installation of Windows Client Drivers</h3></div></div><div></div></div><p>
+ The printer drivers on the Windows clients may be installed
+ in two functionally different ways:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Manually install the drivers locally on each client,
+ one by one; this yields the old <span class="emphasis"><em>LanMan</em></span> style
+ printing and uses a <tt class="filename">\\sambaserver\printershare</tt>
+ type of connection.</p></li><li><p>
+ <a class="indexterm" name="id2932265"></a>
+ Deposit and prepare the drivers (for later download) on
+ the print server (Samba); this enables the clients to use
+ “<span class="quote">Point'n'Print</span>” to get drivers semi-automatically installed the
+ first time they access the printer; with this method NT/200x/XP
+ clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span>
+ type printing calls.</p></li></ul></div><p>
+ The second method is recommended for use over the first.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="cups-raw"></a>Explicitly Enable “<span class="quote">raw</span>” Printing for <span class="emphasis"><em>application/octet-stream</em></span></h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2932317"></a>
+ <a class="indexterm" name="id2932325"></a>
+ <a class="indexterm" name="id2932334"></a>
+ If you use the first option (drivers are installed on the client
+ side), there is one setting to take care of: CUPS needs to be told
+ that it should allow “<span class="quote">raw</span>” printing of deliberate (binary) file
+ formats. The CUPS files that need to be correctly set for RAW mode
+ printers to work are:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/cups/mime.types</tt></p></li><li><p><tt class="filename">/etc/cups/mime.convs</tt></p></li></ul></div><p>
+ Both contain entries (at the end of the respective files) which must
+ be uncommented to allow RAW mode operation.
+ In <tt class="filename">/etc/cups/mime.types</tt>, make sure this line is
+ present:
+
+ </p><pre class="programlisting">
+ application/octet-stream
+ </pre><p>
+
+ <a class="indexterm" name="id2932400"></a>
+ <a class="indexterm" name="id2932408"></a>
+
+ In <tt class="filename">/etc/cups/mime.convs</tt>,
+ have this line:
+
+ <a class="indexterm" name="id2932425"></a>
+
+ </p><pre class="programlisting">
+ application/octet-stream application/vnd.cups-raw 0 -
+ </pre><p>
+
+ If these two files are not set up correctly for raw Windows client
+ printing, you may encounter the dreaded <tt class="computeroutput">Unable to
+ convert file 0</tt> in your CUPS error_log file.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Editing the <tt class="filename">mime.convs</tt> and the
+ <tt class="filename">mime.types</tt> file does not
+ <span class="emphasis"><em>enforce</em></span> “<span class="quote">raw</span>” printing, it only
+ <span class="emphasis"><em>allows</em></span> it.
+ </p></div><p><b>Background. </b>
+ <a class="indexterm" name="id2932493"></a>
+ CUPS being a more security-aware printing system than traditional ones
+ does not by default allow a user to send deliberate (possibly binary)
+ data to printing devices. This could be easily abused to launch a
+ “<span class="quote">Denial of Service</span>” attack on your printer(s), causing at least
+ the loss of a lot of paper and ink. “<span class="quote">Unknown</span>” data are tagged by CUPS
+ as <i class="parameter"><tt>MIME type: application/octet-stream</tt></i> and not
+ allowed to go to the printer. By default, you can only send other
+ (known) MIME types “<span class="quote">raw</span>”. Sending data “<span class="quote">raw</span>” means that CUPS does not
+ try to convert them and passes them to the printer untouched (see the next
+ chapter for even more background explanations).
+ </p><p>
+ This is all you need to know to get the CUPS/Samba combo printing
+ “<span class="quote">raw</span>” files prepared by Windows clients, which have vendor drivers
+ locally installed. If you are not interested in background information about
+ more advanced CUPS/Samba printing, simply skip the remaining sections
+ of this chapter.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932552"></a>Driver Upload Methods</h3></div></div><div></div></div><p>
+ This section describes three familiar methods, plus one new one, by which
+ printer drivers may be uploaded.
+ </p><p>
+ <a class="indexterm" name="id2932570"></a>
+ If you want to use the MS-RPC type printing, you must upload the
+ drivers onto the Samba server first (<i class="parameter"><tt>[print$]</tt></i>
+ share). For a discussion on how to deposit printer drivers on the
+ Samba host (so the Windows clients can download and use them via
+ “<span class="quote">Point'n'Print</span>”), please refer to the previous chapter of this
+ HOWTO Collection. There you will find a description or reference to
+ three methods of preparing the client drivers on the Samba server:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2932606"></a>
+ The GUI, “<span class="quote">Add Printer Wizard</span>”
+ <span class="emphasis"><em>upload-from-a-Windows-client</em></span>
+ method.</p></li><li><p>The command line, “<span class="quote">smbclient/rpcclient</span>”
+ upload-from-a-UNIX-workstation method.</p></li><li><p>
+ <a class="indexterm" name="id2932640"></a>
+ The Imprints Toolset
+ method.</p></li></ul></div><p>
+ These three methods apply to CUPS all the same. A new and more
+ convenient way to load the Windows drivers into Samba is provided
+ if you use CUPS:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2932666"></a>
+ the <i class="parameter"><tt>cupsaddsmb</tt></i>
+ utility.</p></li></ul></div><p>
+ <b class="command">cupsaddsmb</b> is discussed in much detail further below. But we first
+ explore the CUPS filtering system and compare the Windows and UNIX printing architectures.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2932699"></a>Advanced Intelligent Printing with PostScript Driver Download</h2></div></div><div></div></div><p>
+ <a class="indexterm" name="id2932710"></a>
+ We now know
+ how to set up a “<span class="quote">dump</span>” printserver, that is, a server which is spooling
+ printjobs “<span class="quote">raw</span>”, leaving the print data untouched.
+ </p><p>
+ Possibly you need to setup CUPS in a smarter way. The reasons could
+ be manifold:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Maybe your boss wants to get monthly statistics: Which
+ printer did how many pages? What was the average data size of a job?
+ What was the average print run per day? What are the typical hourly
+ peaks in printing? Which department prints how much?</p></li><li><p>Maybe you are asked to setup a print quota system:
+ Users should not be able to print more jobs, once they have surpassed
+ a given limit per period.</p></li><li><p>Maybe your previous network printing setup is a mess
+ and must be re-organized from a clean beginning.</p></li><li><p>Maybe you have experiencing too many “<span class="quote">blue screens</span>”
+ originating from poorly debugged printer drivers running in NT “<span class="quote">kernel mode</span>”?</p></li></ul></div><p>
+ These goals cannot be achieved by a raw print server. To build a
+ server meeting these requirements, you'll first need to learn about
+ how CUPS works and how you can enable its features.
+ </p><p>
+ What follows is the comparison of some fundamental concepts for
+ Windows and UNIX printing; then follows a description of the
+ CUPS filtering system, how it works and how you can tweak it.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="gdipost"></a>GDI on Windows -- PostScript on UNIX</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2932814"></a>
+ <a class="indexterm" name="id2932822"></a>
+ Network printing is one of the most complicated and error-prone
+ day-to-day tasks any user or administrator may encounter. This is
+ true for all OS platforms. And there are reasons for this.
+ </p><p>
+ <a class="indexterm" name="id2932838"></a>
+ <a class="indexterm" name="id2932846"></a>
+ You can't expect most file formats to just throw them toward
+ printers and they get printed. There needs to be a file format
+ conversion in between. The problem is that there is no common standard for
+ print file formats across all manufacturers and printer types. While
+ PostScript (trademark held by Adobe) and, to an
+ extent, PCL (trademark held by HP) have developed
+ into semi-official “<span class="quote">standards</span>” by being the most widely used PDLs
+ Page Description Languages (PDLs), there are still
+ many manufacturers who “<span class="quote">roll their own</span>” (their reasons may be
+ unacceptable license fees for using printer-embedded PostScript
+ interpreters, and so on).
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2932876"></a>Windows Drivers, GDI and EMF</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2932888"></a>
+ <a class="indexterm" name="id2932896"></a>
+ <a class="indexterm" name="id2932904"></a>
+ In Windows OS, the format conversion job is done by the printer
+ drivers. On MS Windows OS platforms all application programmers have
+ at their disposal a built-in API, the Graphical Device
+ Interface (GDI), as part and parcel of the OS itself to base
+ themselves on. This GDI core is used as one common unified ground for
+ all Windows programs to draw pictures, fonts and documents
+ <span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on
+ paper</em></span> (print). Therefore, printer driver developers can
+ standardize on a well-defined GDI output for their own driver
+ input. Achieving WYSIWYG (“<span class="quote">What You See Is What You Get</span>”) is
+ relatively easy, because the on-screen graphic primitives, as well as
+ the on-paper drawn objects, come from one common source. This source,
+ the GDI, often produces a file format called Enhanced
+ MetaFile (EMF). The EMF is processed by the printer driver and
+ converted to the printer-specific file format.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2932947"></a>
+ To the GDI foundation in MS Windows, Apple has chosen to
+ put paper and screen output on a common foundation for their
+ (BSD-UNIX-based, did you know?) Mac OS X and Darwin Operating
+ <a class="indexterm" name="id2932959"></a>
+ <a class="indexterm" name="id2932967"></a>
+ <a class="indexterm" name="id2932976"></a>
+ <a class="indexterm" name="id2932984"></a>
+ Systems. Their <span class="emphasis"><em>Core Graphic Engine</em></span> uses a
+ <span class="emphasis"><em>PDF</em></span> derivative for all display work.
+ </p></div><p>
+
+ </p><div class="figure"><a name="1small"></a><p class="title"><b>Figure 19.1. Windows printing to a local printer.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" width="270" alt="Windows printing to a local printer."></div></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933049"></a>UNIX Printfile Conversion and GUI Basics</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2933059"></a>
+ <a class="indexterm" name="id2933067"></a>
+ <a class="indexterm" name="id2933075"></a>
+ <a class="indexterm" name="id2933084"></a>
+ In UNIX and Linux, there is no comparable layer built into the OS
+ kernel(s) or the X (screen display) server. Every application is
+ responsible for itself to create its print output. Fortunately, most
+ use PostScript and that at least gives some common ground. Unfortunately,
+ there are many different levels of quality for this PostScript. And
+ worse, there is a huge difference (and no common root) in the way
+ the same document is displayed on screen and how it is presented on
+ paper. WYSIWYG is more difficult to achieve. This goes back to the
+ time, decades ago, when the predecessors of X.org,
+ designing the UNIX foundations and protocols for Graphical User
+ Interfaces, refused to take responsibility for “<span class="quote">paper output</span>”
+ also, as some had demanded at the time, and restricted itself to
+ “<span class="quote">on-screen only.</span>” (For some years now, the “<span class="quote">Xprint</span>” project has been
+ under development, attempting to build printing support into the X
+ framework, including a PostScript and a PCL driver, but it is not yet
+ ready for prime time.) You can see this unfavorable inheritance up to
+ the present day by looking into the various “<span class="quote">font</span>” directories on your
+ system; there are separate ones for fonts used for X display and fonts
+ to be used on paper.
+ </p><p><b>Background. </b>
+ <a class="indexterm" name="id2933141"></a>
+ The PostScript programming language is an “<span class="quote">invention</span>” by Adobe Inc.,
+ but its specifications have been published to the full. Its strength
+ lies in its powerful abilities to describe graphical objects (fonts,
+ shapes, patterns, lines, curves, and dots), their attributes (color,
+ linewidth) and the way to manipulate (scale, distort, rotate,
+ shift) them. Because of its open specification, anybody with the
+ skill can start writing his own implementation of a PostScript
+ interpreter and use it to display PostScript files on screen or on
+ paper. Most graphical output devices are based on the concept of
+ “<span class="quote">raster images</span>” or “<span class="quote">pixels</span>” (one notable exception is pen
+ plotters). Of course, you can look at a PostScript file in its textual
+ form and you will be reading its PostScript code, the language
+ instructions which need to be interpreted by a rasterizer. Rasterizers
+ produce pixel images, which may be displayed on screen by a viewer
+ program or on paper by a printer.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="post-and-ghost"></a>PostScript and Ghostscript</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2933199"></a>
+ <a class="indexterm" name="id2933207"></a>
+ <a class="indexterm" name="id2933218"></a>
+ So, UNIX is lacking a common ground for printing on paper and
+ displaying on screen. Despite this unfavorable legacy for UNIX, basic
+ printing is fairly easy if you have PostScript printers at your
+ disposal. The reason is these devices have a built-in PostScript
+ language “<span class="quote">interpreter,</span>” also called a Raster Image
+ Processor (RIP) (which makes them more expensive than
+ other types of printers); throw PostScript toward them, and they will
+ spit out your printed pages. Their RIP is doing all the hard work of
+ converting the PostScript drawing commands into a bitmap picture as
+ you see it on paper, in a resolution as done by your printer. This is
+ no different to PostScript printing a file from a Windows origin.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2933261"></a>
+ Traditional UNIX programs and printing systems while
+ using PostScript are largely not PPD-aware. PPDs are “<span class="quote">PostScript
+ Printer Description</span>” files. They enable you to specify and control all
+ options a printer supports: duplexing, stapling and punching. Therefore,
+ UNIX users for a long time couldn't choose many of the supported
+ device and job options, unlike Windows or Apple users. But now there
+ is CUPS.
+ </p></div><p>
+ </p><div class="figure"><a name="2small"></a><p class="title"><b>Figure 19.2. Printing to a PostScript printer.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/2small.png" width="270" alt="Printing to a PostScript printer."></div></div><p>
+ </p><p>
+ <a class="indexterm" name="id2933337"></a>
+ However, there are other types of printers out there. These do not know
+ how to print PostScript. They use their own Page Description
+ Language (PDL, often proprietary). To print to them is much
+ more demanding. Since your UNIX applications mostly produce
+ PostScript, and since these devices do not understand PostScript, you
+ need to convert the printfiles to a format suitable for your printer
+ on the host before you can send it away.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933354"></a>Ghostscript the Software RIP for Non-PostScript Printers</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2933369"></a>
+ Here is where Ghostscript kicks in. Ghostscript is
+ the traditional (and quite powerful) PostScript interpreter used on
+ UNIX platforms. It is a RIP in software, capable of doing a
+ <span class="emphasis"><em>lot</em></span> of file format conversions for a very broad
+ spectrum of hardware devices as well as software file formats.
+ Ghostscript technology and drivers are what enable PostScript printing
+ to non-PostScript hardware.
+ </p><p>
+ </p><div class="figure"><a name="3small"></a><p class="title"><b>Figure 19.3. Ghostscript as a RIP for non-postscript printers.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/3small.png" width="270" alt="Ghostscript as a RIP for non-postscript printers."></div></div><p>
+ </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+ Use the “<span class="quote">gs -h</span>” command to check for all built-in “<span class="quote">devices</span>”
+ of your Ghostscript version. If you specify a parameter of
+ <i class="parameter"><tt>-sDEVICE=png256</tt></i> on your Ghostscript command
+ line, you are asking Ghostscript to convert the input into a PNG
+ file. Naming a “<span class="quote">device</span>” on the command line is the most important
+ single parameter to tell Ghostscript exactly how it should render the
+ input. New Ghostscript versions are released at fairly regular
+ intervals, now by artofcode LLC. They are initially put under the
+ “<span class="quote">AFPL</span>” license, but re-released under the GNU GPL as soon as the next
+ AFPL version appears. GNU Ghostscript is probably the version
+ installed on most Samba systems. But it has some deficiencies.
+ <a class="indexterm" name="id2933472"></a>
+ Therefore, ESP Ghostscript was developed as an
+ enhancement over GNU Ghostscript, with lots of bug-fixes, additional
+ devices and improvements. It is jointly maintained by developers from
+ CUPS, Gimp-Print, MandrakeSoft, SuSE, RedHat, and Debian. It includes
+ the “<span class="quote">cups</span>” device (essential to print to non-PS printers from CUPS).
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933497"></a>PostScript Printer Description (PPD) Specification</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2933509"></a>
+ While PostScript in essence is a Page Description
+ Language (PDL) to represent the page layout in a
+ device-independent way, real-world print jobs are
+ always ending up being output on hardware with device-specific
+ features. To take care of all the differences in hardware and to
+ allow for innovations, Adobe has specified a syntax and file format
+ for PostScript Printer Description (PPD)
+ files. Every PostScript printer ships with one of these files.
+ </p><p>
+ PPDs contain all the information about general and special features of the
+ given printer model: Which different resolutions can it handle? Does
+ it have a Duplexing Unit? How many paper trays are there? What media
+ types and sizes does it take? For each item, it also names the special
+ command string to be sent to the printer (mostly inside the PostScript
+ file) in order to enable it.
+ </p><p>
+ Information from these PPDs is meant to be taken into account by the
+ printer drivers. Therefore, installed as part of the Windows
+ PostScript driver for a given printer is the printer's PPD. Where it
+ makes sense, the PPD features are presented in the drivers' UI dialogs
+ to display to the user a choice of print options. In the end, the
+ user selections are somehow written (in the form of special
+ PostScript, PJL, JCL or vendor-dependent commands) into the PostScript
+ file created by the driver.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ <a class="indexterm" name="id2933556"></a>
+ A PostScript file that was created to contain device-specific commands
+ for achieving a certain print job output (e.g., duplexed, stapled and
+ punched) on a specific target machine, may not print as expected, or
+ may not be printable at all on other models; it also may not be fit
+ for further processing by software (e.g., by a PDF distilling program).
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933573"></a>Using Windows-Formatted Vendor PPDs</h3></div></div><div></div></div><p>
+ CUPS can handle all spec-compliant PPDs as supplied by the
+ manufacturers for their PostScript models. Even if a
+ vendor might not have mentioned our favorite
+ OS in his manuals and brochures, you can safely trust this:
+ <span class="emphasis"><em>If you get the Windows NT version of the PPD, you
+ can use it unchanged in CUPS</em></span> and thus access the full
+ power of your printer just like a Windows NT user could!
+ </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+ To check the spec compliance of any PPD online, go to <ulink url="http://www.cups.org/testppd.php">http://www.cups.org/testppd.php</ulink>
+ and upload your PPD. You will see the results displayed
+ immediately. CUPS in all versions after 1.1.19 has a much more strict
+ internal PPD parsing and checking code enabled; in case of printing
+ trouble, this online resource should be one of your first pitstops.
+ </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ <a class="indexterm" name="id2933620"></a>
+ <a class="indexterm" name="id2933629"></a>
+ For real PostScript printers, <span class="emphasis"><em>do not</em></span> use the
+ <span class="emphasis"><em>Foomatic</em></span> or <span class="emphasis"><em>cupsomatic</em></span>
+ PPDs from Linuxprinting.org. With these devices, the original
+ vendor-provided PPDs are always the first choice!
+ </p></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+ If you are looking for an original vendor-provided PPD of a specific
+ device, and you know that an NT4 box (or any other Windows box) on
+ your LAN has the PostScript driver installed, just use
+ <b class="command">smbclient //NT4-box/print\$ -U username</b> to
+ access the Windows directory where all printer driver files are
+ stored. First look in the <tt class="filename">W32X86/2</tt> subdir for
+ the PPD you are seeking.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933679"></a>CUPS Also Uses PPDs for Non-PostScript Printers</h3></div></div><div></div></div><p>
+ CUPS also uses specially crafted PPDs to handle non-PostScript
+ printers. These PPDs are usually not available from the vendors (and
+ no, you can't just take the PPD of a PostScript printer with the same
+ model name and hope it works for the non-PostScript version too). To
+ understand how these PPDs work for non-PS printers, we first need to
+ dive deeply into the CUPS filtering and file format conversion
+ architecture. Stay tuned.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933709"></a>The CUPS Filtering Architecture</h2></div></div><div></div></div><p>
+The core of the CUPS filtering system is based on
+Ghostscript. In addition to Ghostscript, CUPS
+uses some other filters of its own. You (or your OS vendor) may have
+plugged in even more filters. CUPS handles all data file formats under
+the label of various MIME types. Every incoming
+printfile is subjected to an initial
+auto-typing. The auto-typing determines its given
+MIME type. A given MIME type implies zero or more possible filtering
+chains relevant to the selected target printer. This section discusses
+how MIME types recognition and conversion rules interact. They are
+used by CUPS to automatically setup a working filtering chain for any
+given input data format.
+</p><p>
+If CUPS rasterizes a PostScript file natively to
+a bitmap, this is done in two stages:
+</p><div class="itemizedlist"><ul type="disc"><li><p>The first stage uses a Ghostscript device named “<span class="quote">cups</span>”
+(this is since version 1.1.15) and produces a generic raster format
+called “<span class="quote">CUPS raster</span>”.
+</p></li><li><p>The second stage uses a “<span class="quote">raster driver</span>” that converts
+ the generic CUPS raster to a device-specific raster.</p></li></ul></div><p>
+Make sure your Ghostscript version has the “<span class="quote">cups</span>” device compiled in
+(check with <b class="command">gs -h | grep cups</b>). Otherwise you
+may encounter the dreaded <tt class="computeroutput">Unable to convert file
+0</tt> in your CUPS error_log file. To have “<span class="quote">cups</span>” as a
+device in your Ghostscript, you either need to patch GNU
+Ghostscript and re-compile, or use <a class="indexterm" name="id2933802"></a><ulink url="http://www.cups.org/ghostscript.php">ESP Ghostscript</ulink>. The
+superior alternative is ESP Ghostscript. It supports not just CUPS,
+but 300 other devices too (while GNU Ghostscript supports only about
+180). Because of this broad output device support, ESP Ghostscript is
+the first choice for non-CUPS spoolers, too. It is now recommended by
+Linuxprinting.org for all spoolers.
+</p><p>
+<a class="indexterm" name="id2933830"></a>
+<a class="indexterm" name="id2933839"></a>
+CUPS printers may be setup to use external
+rendering paths. One of the most common is provided by the
+Foomatic/cupsomatic concept from <ulink url="http://www.linuxprinting.org/">Linuxprinting.org.</ulink> This
+uses the classical Ghostscript approach, doing everything in one
+step. It does not use the “<span class="quote">cups</span>” device, but one of the many
+others. However, even for Foomatic/cupsomatic usage, best results and
+<a class="indexterm" name="id2933864"></a>
+broadest printer model support is provided by ESP Ghostscript (more
+about cupsomatic/Foomatic, particularly the new version called now
+<span class="emphasis"><em>foomatic-rip</em></span>, follows below).
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933883"></a>MIME Types and CUPS Filters</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2933894"></a>
+ <a class="indexterm" name="id2933905"></a>
+CUPS reads the file <tt class="filename">/etc/cups/mime.types</tt>
+(and all other files carrying a <tt class="filename">*.types</tt> suffix
+in the same directory) upon startup. These files contain the MIME
+type recognition rules that are applied when CUPS runs its
+auto-typing routines. The rule syntax is explained in the man page
+for <tt class="filename">mime.types</tt> and in the comments section of the
+<tt class="filename">mime.types</tt> file itself. A simple rule reads
+like this:
+
+<a class="indexterm" name="id2933946"></a>
+</p><pre class="programlisting">
+ application/pdf pdf string(0,%PDF)
+</pre><p>
+
+This means if a filename has either a
+<tt class="filename">.pdf</tt> suffix or if the magic
+string <span class="emphasis"><em>%PDF</em></span> is right at the
+beginning of the file itself (offset 0 from the start), then it is
+a PDF file (<i class="parameter"><tt>application/pdf</tt></i>).
+Another rule is this:
+
+</p><pre class="programlisting">
+ application/postscript ai eps ps string(0,%!) string(0,<04>%!)
+</pre><p>
+
+If the filename has one of the suffixes
+<tt class="filename">.ai</tt>, <tt class="filename">.eps</tt>,
+<tt class="filename">.ps</tt> or if the file itself starts with one of the
+strings <span class="emphasis"><em>%!</em></span> or <span class="emphasis"><em><04>%!</em></span>, it
+is a generic PostScript file
+(<i class="parameter"><tt>application/postscript</tt></i>).
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Don't confuse the other mime.types files your system might be using
+with the one in the <tt class="filename">/etc/cups/</tt> directory.
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+There is an important difference between two similar MIME types in
+CUPS: one is <i class="parameter"><tt>application/postscript</tt></i>, the other is
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>. While
+<i class="parameter"><tt>application/postscript</tt></i> is meant to be device
+independent (job options for the file are still outside the PS file
+content, embedded in command line or environment variables by CUPS),
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i> may have the job
+options inserted into the PostScript data itself (where
+applicable). The transformation of the generic PostScript
+(<i class="parameter"><tt>application/postscript</tt></i>) to the device-specific version
+(<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>) is the responsibility of the
+CUPS <i class="parameter"><tt>pstops</tt></i> filter. pstops uses information
+contained in the PPD to do the transformation.
+</p></div><p>
+CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI, and
+many image formats (GIF. PNG, TIFF, JPEG, Photo-CD, SUN-Raster,
+PNM, PBM, SGI-RGB, and more) and their associated MIME types
+with its filters.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934118"></a>MIME Type Conversion Rules</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2934130"></a>
+<a class="indexterm" name="id2934138"></a>
+CUPS reads the file <tt class="filename">/etc/cups/mime.convs</tt>
+(and all other files named with a <tt class="filename">*.convs</tt>
+suffix in the same directory) upon startup. These files contain
+lines naming an input MIME type, an output MIME type, a format
+conversion filter that can produce the output from the input type
+and virtual costs associated with this conversion. One example line
+reads like this:
+
+</p><pre class="programlisting">
+ application/pdf application/postscript 33 pdftops
+</pre><p>
+
+This means that the <i class="parameter"><tt>pdftops</tt></i> filter will take
+<i class="parameter"><tt>application/pdf</tt></i> as input and produce
+<i class="parameter"><tt>application/postscript</tt></i> as output; the virtual
+cost of this operation is 33 CUPS-$. The next filter is more
+expensive, costing 66 CUPS-$:
+
+<a class="indexterm" name="id2934198"></a>
+
+</p><pre class="programlisting">
+ application/vnd.hp-HPGL application/postscript 66 hpgltops
+</pre><p>
+
+This is the <i class="parameter"><tt>hpgltops</tt></i>, which processes HP-GL
+plotter files to PostScript.
+
+<a class="indexterm" name="id2934222"></a>
+
+</p><pre class="programlisting">
+ application/octet-stream
+</pre><p>
+
+Here are two more examples:
+
+<a class="indexterm" name="id2934239"></a>
+
+</p><pre class="programlisting">
+ application/x-shell application/postscript 33 texttops
+ text/plain application/postscript 33 texttops
+</pre><p>
+
+The last two examples name the <i class="parameter"><tt>texttops</tt></i> filter
+to work on <i class="parameter"><tt>text/plain</tt></i> as well as on <i class="parameter"><tt>application/x-shell</tt></i>. (Hint:
+This differentiation is needed for the syntax highlighting feature of
+<i class="parameter"><tt>texttops</tt></i>).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934287"></a>Filtering Overview</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2934298"></a>
+There are many more combinations named in <tt class="filename">mime.convs</tt>. However, you
+are not limited to use the ones pre-defined there. You can plug in any
+filter you like into the CUPS framework. It must meet, or must be made
+to meet, some minimal requirements. If you find (or write) a cool
+conversion filter of some kind, make sure it complies to what CUPS
+needs and put in the right lines in <tt class="filename">mime.types</tt>
+and <tt class="filename">mime.convs</tt>, then it will work seamlessly
+inside CUPS.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2934336"></a>Filter requirements</h4></div></div><div></div></div><p>
+The mentioned “<span class="quote">CUPS requirements</span>” for filters are simple. Take
+filenames or <tt class="filename">stdin</tt> as input and write to
+<tt class="filename">stdout</tt>. They should take these 5 or 6 arguments:
+<span class="emphasis"><em>printer job user title copies options [filename]</em></span>
+</p><div class="variablelist"><dl><dt><span class="term">Printer </span></dt><dd><p>The name of the printer queue (normally this is the
+name of the filter being run).</p></dd><dt><span class="term">job </span></dt><dd><p>The numeric job ID for the job being
+printed.</p></dd><dt><span class="term">user </span></dt><dd><p>The string from the originating-user-name
+attribute.</p></dd><dt><span class="term">title </span></dt><dd><p>The string from the job-name attribute.</p></dd><dt><span class="term">copies </span></dt><dd><p>The numeric value from the number-copies
+attribute.</p></dd><dt><span class="term">options </span></dt><dd><p>The job options.</p></dd><dt><span class="term">filename </span></dt><dd><p>(Optionally) The print request file (if missing,
+filters expected data fed through <tt class="filename">stdin</tt>). In most
+cases, it is easy to write a simple wrapper script around existing
+filters to make them work with CUPS.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934481"></a>Prefilters</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2934492"></a>
+As previously stated, PostScript is the central file format to any UNIX-based
+printing system. From PostScript, CUPS generates raster data to feed
+non-PostScript printers.
+</p><p>
+But what happens if you send one of the supported non-PS formats
+to print? Then CUPS runs “<span class="quote">pre-filters</span>” on these input formats to
+generate PostScript first. There are pre-filters to create PS from
+ASCII text, PDF, DVI, or HP-GL. The outcome of these filters is always
+of MIME type <i class="parameter"><tt>application/postscript</tt></i> (meaning that
+any device-specific print options are not yet embedded into the
+PostScript by CUPS, and that the next filter to be called is
+pstops). Another pre-filter is running on all supported image formats,
+the <i class="parameter"><tt>imagetops</tt></i> filter. Its outcome is always of
+MIME type <i class="parameter"><tt>application/vnd.cups-postscript</tt></i>
+(not application/postscript), meaning it has the
+print options already embedded into the file.
+</p><p>
+ </p><div class="figure"><a name="4small"></a><p class="title"><b>Figure 19.4. Pre-filtering in CUPS to form PostScript.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/4small.png" width="270" alt="Pre-filtering in CUPS to form PostScript."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934591"></a>pstops</h3></div></div><div></div></div><p>
+<span class="emphasis"><em>pstops</em></span> is the filter to convert
+<i class="parameter"><tt>application/postscript</tt></i> to
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>. It was said
+above that this filter inserts all device-specific print options
+(commands to the printer to ask for the duplexing of output, or
+stapling and punching it, and so on) into the PostScript file.
+</p><p>
+ </p><div class="figure"><a name="5small"></a><p class="title"><b>Figure 19.5. Adding device-specific print options.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/5small.png" width="270" alt="Adding device-specific print options."></div></div><p>
+</p><p>
+This is not all. Other tasks performed by it are:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+Selecting the range of pages to be printed (if you choose to
+print only pages “<span class="quote">3, 6, 8-11, 16, 19-21</span>”, or only the odd numbered
+ones).
+</p></li><li><p>
+Putting 2 or more logical pages on one sheet of paper (the
+so-called “<span class="quote">number-up</span>” function).
+</p></li><li><p>Counting the pages of the job to insert the accounting
+information into the <tt class="filename">/var/log/cups/page_log</tt>.
+</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934715"></a>pstoraster</h3></div></div><div></div></div><p>
+<i class="parameter"><tt>pstoraster</tt></i> is at the core of the CUPS filtering
+system. It is responsible for the first stage of the rasterization
+process. Its input is of MIME type application/vnd.cups-postscript;
+its output is application/vnd.cups-raster. This output format is not
+yet meant to be printable. Its aim is to serve as a general purpose
+input format for more specialized <span class="emphasis"><em>raster drivers</em></span>
+that are able to generate device-specific printer data.
+</p><p>
+ </p><div class="figure"><a name="6small"></a><p class="title"><b>Figure 19.6. PostScript to intermediate raster format.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/6small.png" width="270" alt="PostScript to intermediate raster format."></div></div><p>
+</p><p>
+CUPS raster is a generic raster format with powerful features. It is
+able to include per-page information, color profiles, and more, to be
+used by the following downstream raster drivers. Its MIME type is
+registered with IANA and its specification is, of course, completely
+open. It is designed to make it quite easy and inexpensive for
+manufacturers to develop Linux and UNIX raster drivers for their
+printer models, should they choose to do so. CUPS always takes care
+for the first stage of rasterization so these vendors do not need to care
+about Ghostscript complications (in fact, there is currently more
+than one vendor financing the development of CUPS raster drivers).
+</p><p>
+ </p><div class="figure"><a name="7small"></a><p class="title"><b>Figure 19.7. CUPS-raster production using Ghostscript.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/7small.png" width="270" alt="CUPS-raster production using Ghostscript."></div></div><p>
+</p><p>
+CUPS versions before version 1.1.15 were shipping a binary (or source
+code) standalone filter, named <i class="parameter"><tt>pstoraster</tt></i>. <i class="parameter"><tt>pstoraster</tt></i> was derived
+from GNU Ghostscript 5.50, and could be installed besides and in
+addition to any GNU or AFPL Ghostscript package without conflicting.
+</p><p>
+>From version 1.1.15, this has changed. The functions for this have been
+integrated back into Ghostscript (now based on GNU Ghostscript version
+7.05). The <i class="parameter"><tt>pstoraster</tt></i> filter is now a simple shell script calling
+<b class="command">gs</b> with the <b class="command">-sDEVICE=cups</b>
+parameter. If your Ghostscript does not show a success on asking for
+<b class="command">gs -h |grep cups</b>, you might not be able to
+print. Update your Ghostscript.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934912"></a>imagetops and imagetoraster</h3></div></div><div></div></div><p>
+In the section about pre-filters, we mentioned the pre-filter
+that generates PostScript from image formats. The <i class="parameter"><tt>imagetoraster</tt></i>
+filter is used to convert directly from image to raster, without the
+intermediate PostScript stage. It is used more often than the above
+mentioned pre-filters. A summarizing flowchart of image file
+filtering is shown in <link linkend="small8">.
+</p><p>
+ </p><div class="figure"><a name="small8"></a><p class="title"><b>Figure 19.8. Image format to CUPS-raster format conversion.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/8small.png" width="270" alt="Image format to CUPS-raster format conversion."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2934991"></a>rasterto [printers specific]</h3></div></div><div></div></div><p>
+CUPS ships with quite different raster drivers processing CUPS
+raster. On my system I find in /usr/lib/cups/filter/ these:
+<i class="parameter"><tt>rastertoalps</tt></i>, <i class="parameter"><tt>rastertobj</tt></i>, <i class="parameter"><tt>rastertoepson</tt></i>, <i class="parameter"><tt>rastertoescp</tt></i>,
+<i class="parameter"><tt>rastertopcl</tt></i>, <i class="parameter"><tt>rastertoturboprint</tt></i>, <i class="parameter"><tt>rastertoapdk</tt></i>, <i class="parameter"><tt>rastertodymo</tt></i>,
+<i class="parameter"><tt>rastertoescp</tt></i>, <i class="parameter"><tt>rastertohp</tt></i>, and
+<i class="parameter"><tt>rastertoprinter</tt></i>. Don't worry if you have less
+than this; some of these are installed by commercial add-ons to CUPS
+(like <i class="parameter"><tt>rastertoturboprint</tt></i>), others (like
+<i class="parameter"><tt>rastertoprinter</tt></i>) by third-party driver
+development projects (such as Gimp-Print) wanting to cooperate as
+closely as possible with CUPS.
+</p><p>
+ </p><div class="figure"><a name="small9"></a><p class="title"><b>Figure 19.9. Raster to printer-specific formats.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/9small.png" width="270" alt="Raster to printer-specific formats."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935143"></a>CUPS Backends</h3></div></div><div></div></div><p>
+The last part of any CUPS filtering chain is a backend. Backends
+are special programs that send the print-ready file to the final
+device. There is a separate backend program for any transfer
+protocol of sending printjobs over the network, or for every local
+interface. Every CUPS print queue needs to have a CUPS “<span class="quote">device-URI</span>”
+associated with it. The device URI is the way to encode the backend
+used to send the job to its destination. Network device-URIs are using
+two slashes in their syntax, local device URIs only one, as you can
+see from the following list. Keep in mind that local interface names
+may vary much from my examples, if your OS is not Linux:
+</p><div class="variablelist"><dl><dt><span class="term">usb </span></dt><dd><p>
+ This backend sends printfiles to USB-connected printers. An
+ example for the CUPS device-URI to use is:
+ <tt class="filename">usb:/dev/usb/lp0</tt>.
+ </p></dd><dt><span class="term">serial </span></dt><dd><p>
+ This backend sends printfiles to serially connected printers.
+ An example for the CUPS device-URI to use is:
+ <tt class="filename">serial:/dev/ttyS0?baud=11500</tt>.
+ </p></dd><dt><span class="term">parallel </span></dt><dd><p>
+ This backend sends printfiles to printers connected to the
+ parallel port. An example for the CUPS device-URI to use is:
+ <tt class="filename">parallel:/dev/lp0</tt>.
+ </p></dd><dt><span class="term">scsi </span></dt><dd><p>
+ This backend sends printfiles to printers attached to the
+ SCSI interface. An example for the CUPS device-URI to use is:
+ <tt class="filename">scsi:/dev/sr1</tt>.
+ </p></dd><dt><span class="term">lpd </span></dt><dd><p>
+ This backend sends printfiles to LPR/LPD connected network
+ printers. An example for the CUPS device-URI to use is:
+ <tt class="filename">lpd://remote_host_name/remote_queue_name</tt>.
+ </p></dd><dt><span class="term">AppSocket/HP JetDirect </span></dt><dd><p>
+ This backend sends printfiles to AppSocket (a.k.a. "HP
+ JetDirect") connected network printers. An example for the CUPS
+ device-URI to use is:
+ <tt class="filename">socket://10.11.12.13:9100</tt>.
+ </p></dd><dt><span class="term">ipp </span></dt><dd><p>
+ This backend sends printfiles to IPP connected network
+ printers (or to other CUPS servers). Examples for CUPS device-URIs
+ to use are:
+ <tt class="filename">ipp:://192.193.194.195/ipp</tt>
+ (for many HP printers) or
+ <tt class="filename">ipp://remote_cups_server/printers/remote_printer_name</tt>.
+ </p></dd><dt><span class="term">http </span></dt><dd><p>
+ This backend sends printfiles to HTTP connected printers.
+ (The http:// CUPS backend is only a symlink to the ipp:// backend.)
+ Examples for the CUPS device-URIs to use are:
+ <tt class="filename">http:://192.193.194.195:631/ipp</tt>
+ (for many HP printers) or
+ <tt class="filename">http://remote_cups_server:631/printers/remote_printer_name</tt>.
+ </p></dd><dt><span class="term">smb </span></dt><dd><p>
+ This backend sends printfiles to printers shared by a Windows
+ host. An example for CUPS device-URIs that may be used includes:
+ </p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">smb://workgroup/server/printersharename</tt></td></tr><tr><td><tt class="filename">smb://server/printersharename</tt></td></tr><tr><td><tt class="filename">smb://username:password@workgroup/server/printersharename</tt></td></tr><tr><td><tt class="filename">smb://username:password@server/printersharename</tt></td></tr></table><p>
+ </p><p>
+ The smb:// backend is a symlink to the Samba utility
+ <i class="parameter"><tt>smbspool</tt></i> (does not ship with CUPS). If the
+ symlink is not present in your CUPS backend directory, have your
+ root user create it: <b class="command">ln -s `which smbspool'
+ /usr/lib/cups/backend/smb</b>.
+ </p></dd></dl></div><p>
+It is easy to write your own backends as shell or Perl scripts, if you
+need any modification or extension to the CUPS print system. One
+reason could be that you want to create “<span class="quote">special</span>” printers that send
+the printjobs as email (through a “<span class="quote">mailto:/</span>” backend), convert them to
+PDF (through a “<span class="quote">pdfgen:/</span>” backend) or dump them to “<span class="quote">/dev/null</span>”. (In
+fact I have the system-wide default printer set up to be connected to
+a devnull:/ backend: there are just too many people sending jobs
+without specifying a printer, or scripts and programs which do not name
+a printer. The system-wide default deletes the job and sends a polite
+email back to the $USER asking him to always specify the correct
+printer name.)
+</p><p>
+Not all of the mentioned backends may be present on your system or
+usable (depending on your hardware configuration). One test for all
+available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span>
+utility. Used with the <tt class="option">-v</tt> parameter, it lists
+all available backends:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>lpinfo -v</tt></b>
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935508"></a>The Role of <i class="parameter"><tt>cupsomatic/foomatic</tt></i></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2935523"></a>
+<a class="indexterm" name="id2935532"></a>
+<i class="parameter"><tt>cupsomatic</tt></i> filters may be the most widely used on CUPS
+installations. You must be clear about the fact that these were not
+developed by the CUPS people. They are a third party add-on to
+CUPS. They utilize the traditional Ghostscript devices to render jobs
+for CUPS. When troubleshooting, you should know about the
+difference. Here the whole rendering process is done in one stage,
+inside Ghostscript, using an appropriate device for the target
+printer. <i class="parameter"><tt>cupsomatic</tt></i> uses PPDs that are generated from the Foomatic
+Printer & Driver Database at Linuxprinting.org.
+</p><p>
+You can recognize these PPDs from the line calling the
+<i class="parameter"><tt>cupsomatic</tt></i> filter:
+
+</p><pre class="programlisting">
+ *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
+</pre><p>
+
+You may find this line among the first 40 or so lines of the PPD
+file. If you have such a PPD installed, the printer shows up in the
+CUPS Web interface with a <i class="parameter"><tt>foomatic</tt></i> namepart for
+the driver description. <i class="parameter"><tt>cupsomatic</tt></i> is a Perl script that runs
+Ghostscript with all the complicated command line options
+auto-constructed from the selected PPD and command line options give to
+the printjob.
+</p><p>
+<a class="indexterm" name="id2935609"></a>
+ However, <i class="parameter"><tt>cupsomatic</tt></i> is now deprecated. Its PPDs (especially the first
+generation of them, still in heavy use out there) are not meeting the
+Adobe specifications. You might also suffer difficulties when you try
+to download them with “<span class="quote">Point'n'Print</span>” to Windows clients. A better
+and more powerful successor is now in a stable beta-version: it is called <i class="parameter"><tt>foomatic-rip</tt></i>. To use
+<i class="parameter"><tt>foomatic-rip</tt></i> as a filter with CUPS, you need the new-type PPDs. These
+have a similar but different line:
+
+</p><pre class="programlisting">
+ *cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
+</pre><p>
+
+The PPD generating engine at Linuxprinting.org has been revamped.
+The new PPDs comply to the Adobe spec. On top, they also provide a
+new way to specify different quality levels (hi-res photo, normal
+color, grayscale, and draft) with a single click, whereas before you
+could have required five or more different selections (media type,
+resolution, inktype and dithering algorithm). There is support for
+custom-size media built in. There is support to switch
+print-options from page to page in the middle of a job. And the
+best thing is the new foomatic-rip now works seamlessly with all
+legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR and so on), providing
+for them access to use PPDs for their printing.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935673"></a>The Complete Picture</h3></div></div><div></div></div><p>
+If you want to see an overview of all the filters and how they
+relate to each other, the complete picture of the puzzle is at the end
+of this document.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935688"></a><tt class="filename">mime.convs</tt></h3></div></div><div></div></div><p>
+CUPS auto-constructs all possible filtering chain paths for any given
+MIME type, and every printer installed. But how does it decide in
+favor or against a specific alternative? (There may often be cases
+where there is a choice of two or more possible filtering chains for
+the same target printer.) Simple. You may have noticed the figures in
+the third column of the mime.convs file. They represent virtual costs
+assigned to this filter. Every possible filtering chain will sum up to
+a total “<span class="quote">filter cost.</span>” CUPS decides for the most “<span class="quote">inexpensive</span>” route.
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+The setting of <i class="parameter"><tt>FilterLimit 1000</tt></i> in
+<tt class="filename">cupsd.conf</tt> will not allow more filters to
+run concurrently than will consume a total of 1000 virtual filter
+cost. This is an efficient way to limit the load of any CUPS
+server by setting an appropriate “<span class="quote">FilterLimit</span>” value. A FilterLimit of
+200 allows roughly one job at a time, while a FilterLimit of 1000 allows
+approximately five jobs maximum at a time.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935752"></a>“<span class="quote">Raw</span>” Printing</h3></div></div><div></div></div><p>
+ You can tell CUPS to print (nearly) any file “<span class="quote">raw</span>”. “<span class="quote">Raw</span>” means it
+ will not be filtered. CUPS will send the file to the printer “<span class="quote">as is</span>”
+without bothering if the printer is able to digest it. Users need to
+take care themselves that they send sensible data formats only. Raw
+printing can happen on any queue if the “<span class="quote"><i class="parameter"><tt>-o raw</tt></i></span>” option is specified
+on the command line. You can also set up raw-only queues by simply not
+associating any PPD with it. This command:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>lpadmin -P rawprinter -v socket://11.12.13.14:9100 -E</tt></b>
+</pre><p>
+ sets up a queue named “<span class="quote">rawprinter</span>”, connected via the “<span class="quote">socket</span>”
+ protocol (a.k.a. “<span class="quote">HP JetDirect</span>”) to the device at IP address
+11.12.1.3.14, using port 9100. (If you had added a PPD with
+<b class="command">-P /path/to/PPD</b> to this command line, you would
+have installed a “<span class="quote">normal</span>” print queue.
+</p><p>
+CUPS will automatically treat each job sent to a queue as a “<span class="quote">raw</span>” one,
+if it can't find a PPD associated with the queue. However, CUPS will
+only send known MIME types (as defined in its own mime.types file) and
+refuse others.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2935861"></a>application/octet-stream Printing</h3></div></div><div></div></div><p>
+Any MIME type with no rule in the
+<tt class="filename">/etc/cups/mime.types</tt> file is regarded as unknown
+or <i class="parameter"><tt>application/octet-stream</tt></i> and will not be
+sent. Because CUPS refuses to print unknown MIME types per default,
+you will probably have experienced the fact that print jobs originating
+from Windows clients were not printed. You may have found an error
+message in your CUPS logs like:
+</p><p><tt class="computeroutput">
+ Unable to convert file 0 to printable format for job
+</tt></p><p>
+To enable the printing of <i class="parameter"><tt>application/octet-stream</tt></i> files, edit
+these two files:
+</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/cups/mime.convs</tt></p></li><li><p><tt class="filename">/etc/cups/mime.types</tt></p></li></ul></div><p>
+Both contain entries (at the end of the respective files) which must
+be uncommented to allow RAW mode operation for
+<i class="parameter"><tt>application/octet-stream</tt></i>. In <tt class="filename">/etc/cups/mime.types</tt>
+make sure this line is present:
+
+<a class="indexterm" name="id2935958"></a>
+
+</p><pre class="programlisting">
+application/octet-stream
+</pre><p>
+
+This line (with no specific auto-typing rule set) makes all files
+not otherwise auto-typed a member of <i class="parameter"><tt>application/octet-stream</tt></i>. In
+<tt class="filename">/etc/cups/mime.convs</tt>, have this
+line:
+
+</p><pre class="programlisting">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+
+<a class="indexterm" name="id2935999"></a>
+
+This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span>
+(denoted as “<span class="quote">-</span>”, doing nothing at all) on
+<i class="parameter"><tt>application/octet-stream</tt></i>, and tag the result as
+<i class="parameter"><tt>application/vnd.cups-raw</tt></i>. This last one is
+always a green light to the CUPS scheduler to now hand the file over
+to the backend connecting to the printer and sending it over.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Editing the <tt class="filename">mime.convs</tt> and the
+<tt class="filename">mime.types</tt> file does not
+<span class="emphasis"><em>enforce</em></span> “<span class="quote">raw</span>” printing, it only
+<span class="emphasis"><em>allows</em></span> it.
+</p></div><p><b>Background. </b>
+CUPS being a more security-aware printing system than traditional ones
+does not by default allow one to send deliberate (possibly binary)
+data to printing devices. (This could be easily abused to launch a
+Denial of Service attack on your printer(s), causing at least the loss
+of a lot of paper and ink...) “<span class="quote">Unknown</span>” data are regarded by CUPS
+as <span class="emphasis"><em>MIME type</em></span>
+<span class="emphasis"><em>application/octet-stream</em></span>. While you
+<span class="emphasis"><em>can</em></span> send data “<span class="quote">raw</span>”, the MIME type for these must
+be one that is known to CUPS and an allowed one. The file
+<tt class="filename">/etc/cups/mime.types</tt> defines the “<span class="quote">rules</span>” of how CUPS
+recognizes MIME types. The file
+<tt class="filename">/etc/cups/mime.convs</tt> decides which file
+conversion filter(s) may be applied to which MIME types.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936129"></a>PostScript Printer Descriptions (PPDs) for Non-PS Printers</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2936141"></a>
+Originally PPDs were meant to be used for PostScript printers
+only. Here, they help to send device-specific commands and settings
+to the RIP which processes the jobfile. CUPS has extended this
+scope for PPDs to cover non-PostScript printers too. This was not
+difficult, because it is a standardized file format. In a way
+it was logical too: CUPS handles PostScript and uses a PostScript
+RIP (Ghostscript) to process the jobfiles. The only difference is:
+a PostScript printer has the RIP built-in, for other types of
+printers the Ghostscript RIP runs on the host computer.
+</p><p>
+PPDs for a non-PS printer have a few lines that are unique to
+CUPS. The most important one looks similar to this:
+
+<a class="indexterm" name="id2936166"></a>
+
+</p><pre class="programlisting">
+ *cupsFilter: application/vnd.cups-raster 66 rastertoprinter
+</pre><p>
+
+It is the last piece in the CUPS filtering puzzle. This line tells the
+CUPS daemon to use as a last filter <i class="parameter"><tt>rastertoprinter</tt></i>. This filter
+should be served as input an <i class="parameter"><tt>application/vnd.cups-raster</tt></i> MIME type
+file. Therefore, CUPS should auto-construct a filtering chain, which
+delivers as its last output the specified MIME type. This is then
+taken as input to the specified <i class="parameter"><tt>rastertoprinter</tt></i> filter. After this
+the last filter has done its work (<i class="parameter"><tt>rastertoprinter</tt></i> is a Gimp-Print
+filter), the file should go to the backend, which sends it to the
+output device.
+</p><p>
+CUPS by default ships only a few generic PPDs, but they are good for
+several hundred printer models. You may not be able to control
+different paper trays, or you may get larger margins than your
+specific model supports. See <link linkend="cups-ppds"> for summary information.
+</p><div class="table"><a name="cups-ppds"></a><p class="title"><b>Table 19.1. PPDs shipped with CUPS</b></p><table summary="PPDs shipped with CUPS" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">PPD file</th><th align="justify">Printer type</th></tr></thead><tbody><tr><td align="left">deskjet.ppd</td><td align="justify">older HP inkjet printers and compatible</td></tr><tr><td align="left">deskjet2.ppd</td><td align="justify">newer HP inkjet printers and compatible </td></tr><tr><td align="left">dymo.ppd</td><td align="justify">label printers </td></tr><tr><td align="left">epson9.ppd</td><td align="justify">Epson 24pin impact printers and compatible </td></tr><tr><td align="left">epson24.ppd</td><td align="justify">Epson 24pin impact printers and compatible </td></tr><tr><td align="left">okidata9.ppd</td><td align="justify">Okidata 9pin impact printers and compatible </td></tr><tr><td align="left">okidat24.ppd</td><td align="justify">Okidata 24pin impact printers and compatible </td></tr><tr><td align="left">stcolor.ppd</td><td align="justify">older Epson Stylus Color printers </td></tr><tr><td align="left">stcolor2.ppd</td><td align="justify">newer Epson Stylus Color printers </td></tr><tr><td align="left">stphoto.ppd</td><td align="justify">older Epson Stylus Photo printers </td></tr><tr><td align="left">stphoto2.ppd</td><td align="justify">newer Epson Stylus Photo printers </td></tr><tr><td align="left">laserjet.ppd</td><td align="justify">all PCL printers. Further below is a discussion
+ of several other driver/PPD-packages suitable for use with CUPS. </td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936430"></a><span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> Versus <span class="emphasis"><em>native CUPS</em></span> Printing</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2936449"></a>
+<a class="indexterm" name="id2936457"></a>
+Native CUPS rasterization works in two steps:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+First is the <i class="parameter"><tt>pstoraster</tt></i> step. It uses the special CUPS
+<a class="indexterm" name="id2936483"></a>
+device from ESP Ghostscript 7.05.x as its tool.
+</p></li><li><p>
+Second comes the <i class="parameter"><tt>rasterdriver</tt></i> step. It uses various
+device-specific filters; there are several vendors who provide good
+quality filters for this step. Some are free software, some are
+shareware/non-free and some are proprietary.</p></li></ul></div><p>
+Often this produces better quality (and has several more
+advantages) than other methods.
+</p><p>
+ </p><div class="figure"><a name="cupsomatic-dia"></a><p class="title"><b>Figure 19.10. cupsomatic/foomatic Processing versus Native CUPS.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/10small.png" width="270" alt="cupsomatic/foomatic Processing versus Native CUPS."></div></div><p>
+</p><p>
+One other method is the <i class="parameter"><tt>cupsomatic/foomatic-rip</tt></i>
+way. Note that <i class="parameter"><tt>cupsomatic</tt></i> is <span class="emphasis"><em>not</em></span> made by the CUPS
+developers. It is an independent contribution to printing development,
+made by people from Linuxprinting.org <sup>[<a name="id2936587" href="#ftn.id2936587">4</a>]</sup>.
+<i class="parameter"><tt>cupsomatic</tt></i> is no longer developed and maintained and is no longer
+supported. It has now been replaced by
+<i class="parameter"><tt>foomatic-rip</tt></i>. <i class="parameter"><tt>foomatic-rip</tt></i> is a complete re-write
+of the old <i class="parameter"><tt>cupsomatic</tt></i> idea, but very much improved and generalized to
+other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly
+advised, especially if you are upgrading to a recent version of CUPS,
+too.
+</p><p>
+ <a class="indexterm" name="id2936634"></a>
+ <a class="indexterm" name="id2936642"></a>
+Both the <i class="parameter"><tt>cupsomatic</tt></i> (old) and the <i class="parameter"><tt>foomatic-rip</tt></i> (new) methods from
+Linuxprinting.org use the traditional Ghostscript print file
+processing, doing everything in a single step. It therefore relies on
+all the other devices built into Ghostscript. The quality is as
+good (or bad) as Ghostscript rendering is in other spoolers. The
+advantage is that this method supports many printer models not
+supported (yet) by the more modern CUPS method.
+</p><p>
+Of course, you can use both methods side by side on one system (and
+even for one printer, if you set up different queues) and find out
+which works best for you.
+</p><p>
+<i class="parameter"><tt>cupsomatic</tt></i> kidnaps the printfile after the
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i> stage and
+deviates it through the CUPS-external, system-wide Ghostscript
+installation. Therefore the printfile bypasses the <i class="parameter"><tt>pstoraster</tt></i> filter
+(and also bypasses the CUPS-raster-drivers
+<i class="parameter"><tt>rastertosomething</tt></i>). After Ghostscript finished its rasterization,
+<i class="parameter"><tt>cupsomatic</tt></i> hands the rendered file directly to the CUPS backend. The
+flowchart in <link linkend="cupsomatic-dia"> illustrates the difference between native CUPS
+rendering and the <i class="parameter"><tt>Foomatic/cupsomatic</tt></i> method.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2936743"></a>Examples for Filtering Chains</h3></div></div><div></div></div><p>
+Here are a few examples of commonly occurring filtering chains to
+illustrate the workings of CUPS.
+</p><p>
+Assume you want to print a PDF file to an HP JetDirect-connected
+PostScript printer, but you want to print the pages 3-5, 7, 11-13
+only, and you want to print them “<span class="quote">two-up</span>” and “<span class="quote">duplex</span>”:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Your print options (page selection as required, two-up,
+duplex) are passed to CUPS on the command line.</p></li><li><p>The (complete) PDF file is sent to CUPS and autotyped as
+<i class="parameter"><tt>application/pdf</tt></i>.</p></li><li><p>The file therefore must first pass the
+<i class="parameter"><tt>pdftops</tt></i> pre-filter, which produces PostScript
+MIME type <i class="parameter"><tt>application/postscript</tt></i> (a preview here
+would still show all pages of the original PDF).</p></li><li><p>The file then passes the <i class="parameter"><tt>pstops</tt></i>
+filter that applies the command line options: it selects the pages
+2-5, 7 and 11-13, creates an imposed layout “<span class="quote">2 pages on 1 sheet</span>” and
+inserts the correct “<span class="quote">duplex</span>” command (as defined in the printer's
+PPD) into the new PostScript file; the file is now of PostScript MIME
+type
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>.</p></li><li><p>The file goes to the <i class="parameter"><tt>socket</tt></i>
+backend, which transfers the job to the printers.</p></li></ul></div><p>
+ The resulting filter chain, therefore, is as drawn in <link linkend="pdftosocket">.
+</p><div class="figure"><a name="pdftosocket"></a><p class="title"><b>Figure 19.11. PDF to socket chain.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/pdftosocket.png" width="270" alt="PDF to socket chain."></div></div><p>
+Assume your want to print the same filter to an USB-connected
+Epson Stylus Photo printer installed with the CUPS
+<tt class="filename">stphoto2.ppd</tt>. The first few filtering stages
+are nearly the same:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Your print options (page selection as required, two-up,
+duplex) are passed to CUPS on the commandline.</p></li><li><p>The (complete) PDF file is sent to CUPS and autotyped as
+<i class="parameter"><tt>application/pdf</tt></i>.</p></li><li><p>The file must first pass the
+<i class="parameter"><tt>pdftops</tt></i> pre-filter, which produces PostScript
+MIME type <i class="parameter"><tt>application/postscript</tt></i> (a preview here
+would still show all pages of the original PDF).</p></li><li><p>The file then passes the “<span class="quote">pstops</span>” filter that applies
+the commandline options: it selects the pages 2-5, 7 and 11-13,
+creates an imposed layout “<span class="quote">two pages on one sheet</span>” and inserts the
+correct “<span class="quote">duplex</span>” command... (Oops this printer and PPD
+do not support duplex printing at all so this option will
+be ignored) into the new PostScript file; the file is now of PostScript
+MIME type
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>.</p></li><li><p>The file then passes the
+
+<i class="parameter"><tt>pstoraster</tt></i> stage and becomes MIME type
+<i class="parameter"><tt>application/
+cups-raster</tt></i>.</p></li><li><p>Finally, the <i class="parameter"><tt>rastertoepson</tt></i> filter
+does its work (as indicated in the printer's PPD), creating the
+rinter-specific raster data and embedding any user-selected
+print-options into the print data stream.</p></li><li><p>The file goes to the <i class="parameter"><tt>usb</tt></i> backend,
+which transfers the job to the printers.</p></li></ul></div><p>
+ The resulting filter chain therefore is as drawn in <link linkend="pdftoepsonusb">.
+</p><div class="figure"><a name="pdftoepsonusb"></a><p class="title"><b>Figure 19.12. PDF to USB chain.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/pdftoepsonusb.png" width="270" alt="PDF to USB chain."></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937128"></a>Sources of CUPS Drivers/PPDs</h3></div></div><div></div></div><p>
+On the Internet you can now find many thousands of CUPS-PPD files
+(with their companion filters), in many national languages
+supporting more than thousand non-PostScript models.
+</p><div class="itemizedlist"><a class="indexterm" name="id2937144"></a><a class="indexterm" name="id2937154"></a><ul type="disc"><li><p><ulink url="http://wwwl.easysw.com/printpro/">ESP
+PrintPro</ulink> (commercial,
+non-free) is packaged with more than three thousand PPDs, ready for
+successful use “<span class="quote">out of the box</span>” on Linux, Mac OS X, IBM-AIX,
+HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital UNIX, and some
+more commercial Unices (it is written by the CUPS developers
+themselves and its sales help finance the further development of
+CUPS, as they feed their creators).</p></li><li><p>The <ulink url="http://gimp-print.sourceforge.net/">Gimp-Print-Project
+</ulink> (GPL, free software)
+provides around 140 PPDs (supporting nearly 400 printers, many driven
+to photo quality output), to be used alongside the Gimp-Print CUPS
+filters.</p></li><li><p><ulink url="http://www.turboprint.com/">TurboPrint
+</ulink> (shareware, non-free) supports
+roughly the same amount of printers in excellent
+quality.</p></li><li><p><ulink url="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/">OMNI
+</ulink>
+(LPGL, free) is a package made by IBM, now containing support for more
+than 400 printers, stemming from the inheritance of IBM OS/2 Know-How
+ported over to Linux (CUPS support is in a beta-stage at
+present).</p></li><li><p><ulink url="http://hpinkjet.sourceforge.net/">HPIJS
+</ulink> (BSD-style licenses, free)
+supports around 150 of HP's own printers and is also providing
+excellent print quality now (currently available only via the Foomatic
+path).</p></li><li><p><ulink url="http://www.linuxprinting.org/">Foomatic/cupsomatic
+</ulink> (LPGL, free) from
+Linuxprinting.org are providing PPDs for practically every Ghostscript
+filter known to the world (including Omni, Gimp-Print and
+HPIJS).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937265"></a>Printing with Interface Scripts</h3></div></div><div></div></div><p>
+CUPS also supports the usage of “<span class="quote">interface scripts</span>” as known from
+System V AT&T printing systems. These are often used for PCL
+printers, from applications that generate PCL print jobs. Interface
+scripts are specific to printer models. They have a similar role as
+PPDs for PostScript printers. Interface scripts may inject the Escape
+sequences as required into the print data stream, if the user has
+chosen to select a certain paper tray, or print landscape, or use A3
+paper, etc. Interfaces scripts are practically unknown in the Linux
+realm. On HP-UX platforms they are more often used. You can use any
+working interface script on CUPS too. Just install the printer with
+the <b class="command">-i</b> option:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p pclprinter -v socket://11.12.13.14:9100 \
+ -i /path/to/interface-script</tt></b>
+</pre><p>
+Interface scripts might be the “<span class="quote">unknown animal</span>” to many. However,
+with CUPS they provide the easiest way to plug in your own
+custom-written filtering script or program into one specific print
+queue (some information about the traditional usage of interface scripts is
+to be found at <ulink url="http://playground.sun.com/printing/documentation/interface.html">http://playground.sun.com/printing/documentation/interface.html</ulink>).
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2937358"></a>Network Printing (Purely Windows)</h2></div></div><div></div></div><p>
+Network printing covers a lot of ground. To understand what exactly
+goes on with Samba when it is printing on behalf of its Windows
+clients, let's first look at a “<span class="quote">purely Windows</span>” setup: Windows clients
+with a Windows NT print server.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937377"></a>From Windows Clients to an NT Print Server</h3></div></div><div></div></div><p>
+Windows clients printing to an NT-based print server have two
+options. They may:
+<a class="indexterm" name="id2937390"></a>
+<a class="indexterm" name="id2937399"></a>
+</p><div class="itemizedlist"><ul type="disc"><li><p>Execute the driver locally and render the GDI output
+ (EMF) into the printer-specific format on their own.
+ </p></li><li><p>Send the GDI output (EMF) to the server, where the
+driver is executed to render the printer specific
+output.</p></li></ul></div><p>
+ Both print paths are shown in the flowcharts in the figures below.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937434"></a>Driver Execution on the Client</h3></div></div><div></div></div><p>
+In the first case the print server must spool the file as raw,
+meaning it shouldn't touch the jobfile and try to convert it in any
+way. This is what a traditional UNIX-based print server can do too, and
+at a better performance and more reliably than an NT print server. This
+is what most Samba administrators probably are familiar with. One
+advantage of this setup is that this “<span class="quote">spooling-only</span>” print server may
+be used even if no driver(s) for UNIX are available it is sufficient
+to have the Windows client drivers available; and installed on the
+clients.
+</p><p>
+ </p><div class="figure"><a name="small11"></a><p class="title"><b>Figure 19.13. Print driver execution on the client.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/11small.png" width="270" alt="Print driver execution on the client."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937506"></a>Driver Execution on the Server</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2937515"></a>
+<a class="indexterm" name="id2937523"></a>
+<a class="indexterm" name="id2937532"></a>
+<a class="indexterm" name="id2937540"></a>
+<a class="indexterm" name="id2937548"></a>
+The other path executes the printer driver on the server. The client
+transfers print files in EMF format to the server. The server uses the
+PostScript, PCL, ESC/P or other driver to convert the EMF file into
+the printer-specific language. It is not possible for UNIX to do the
+same. Currently, there is no program or method to convert a Windows
+client's GDI output on a UNIX server into something a printer could
+understand.
+</p><p>
+ </p><div class="figure"><a name="small12"></a><p class="title"><b>Figure 19.14. Print driver execution on the server.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/12small.png" width="270" alt="Print driver execution on the server."></div></div><p>
+</p><p>
+However, there is something similar possible with CUPS. Read on.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2937618"></a>Network Printing (Windows Clients UNIX/Samba Print
+Servers)</h2></div></div><div></div></div><p>
+Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32
+program code on their platform, the picture is somewhat
+different. However, this does not limit your options all that
+much. On the contrary, you may have a way here to implement printing
+features that are not possible otherwise.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937639"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div><div></div></div><p>
+Here is a simple recipe showing how you can take advantage of CUPS'
+powerful features for the benefit of your Windows network printing
+clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Let the Windows clients send PostScript to the CUPS
+server.</p></li><li><p>Let the CUPS server render the PostScript into device-specific raster format.</p></li></ul></div><p>
+This requires the clients to use a PostScript driver (even if the
+printer is a non-PostScript model. It also requires that you have a
+driver on the CUPS server.
+</p><p>
+First, to enable CUPS-based rinting through Samba the
+following options should be set in your <tt class="filename">smb.conf</tt> file [global]
+section:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap = cups</tt></i></td></tr></table><p>
+When these parameters are specified, all manually set print directives
+(like <a class="indexterm" name="id2937719"></a><i class="parameter"><tt>print command</tt></i>, or <a class="indexterm" name="id2937734"></a><i class="parameter"><tt>lppause command</tt></i>) in <tt class="filename">smb.conf</tt> (as well as
+in Samba itself) will be ignored. Instead, Samba will directly
+interface with CUPS through its application program interface (API),
+as long as Samba has been compiled with CUPS library (libcups)
+support. If Samba has not been compiled with CUPS support, and if no
+other print commands are set up, then printing will use the
+<span class="emphasis"><em>System V</em></span> AT&T command set, with the -oraw
+option automatically passing through (if you want your own defined
+print commands to work with a Samba that has CUPS support compiled in,
+simply use <a class="indexterm" name="id2937772"></a><i class="parameter"><tt>printing</tt></i> = sysv).
+</p><p>
+</p><div class="figure"><a name="13small"></a><p class="title"><b>Figure 19.15. Printing via CUPS/Samba server.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/13small.png" width="270" alt="Printing via CUPS/Samba server."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2937834"></a>Samba Receiving Jobfiles and Passing Them to CUPS</h3></div></div><div></div></div><p>
+Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set
+by a line similar to <a class="indexterm" name="id2937848"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba,
+in the <i class="parameter"><tt>[printers]</tt></i> or
+<i class="parameter"><tt>[printername]</tt></i> section of
+<tt class="filename">smb.conf</tt>). Samba receives the job in its own
+spool space and passes it into the spool directory of CUPS (the CUPS
+spooling directory is set by the <i class="parameter"><tt>RequestRoot</tt></i>
+directive, in a line that defaults to <i class="parameter"><tt>RequestRoot
+/var/spool/cups</tt></i>). CUPS checks the access rights of its
+spool dir and resets it to healthy values with every restart. We have
+seen quite a few people who had used a common spooling space for Samba
+and CUPS, and were struggling for weeks with this “<span class="quote">problem.</span>”
+</p><p>
+A Windows user authenticates only to Samba (by whatever means is
+configured). If Samba runs on the same host as CUPS, you only need to
+allow “<span class="quote">localhost</span>” to print. If they run on different machines, you
+need to make sure the Samba host gets access to printing on CUPS.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2937924"></a>Network PostScript RIP</h2></div></div><div></div></div><p>
+This section discusses the use of CUPS filters on the server configuration where
+clients make use of a PostScript driver with CUPS-PPDs.
+</p><p>
+<a class="indexterm" name="id2937945"></a>
+<a class="indexterm" name="id2937953"></a>
+<a class="indexterm" name="id2937961"></a>
+PPDs can control all print device options. They are usually provided
+by the manufacturer, if you own a PostScript printer, that is. PPD
+files (PostScript Printer Descriptions) are always a component of
+PostScript printer drivers on MS Windows or Apple Mac OS systems. They
+are ASCII files containing user-selectable print options, mapped to
+appropriate PostScript, PCL or PJL commands for the target
+printer. Printer driver GUI dialogs translate these options
+“<span class="quote">on-the-fly</span>” into buttons and drop-down lists for the user to select.
+</p><p>
+CUPS can load, without any conversions, the PPD file from any Windows
+(NT is recommended) PostScript driver and handle the options. There is
+a Web browser interface to the print options (select <ulink url="http://localhost:631/printers/">http://localhost:631/printers/</ulink>
+and click on one <span class="guibutton">Configure Printer</span> button to see
+it), or a command line interface (see <b class="command">man lpoptions</b>
+or see if you have <b class="command">lphelp</b> on your system). There are also some
+different GUI frontends on Linux/UNIX, which can present PPD options
+to users. PPD options are normally meant to be evaluated by the
+PostScript RIP on the real PostScript printer.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938025"></a>PPDs for Non-PS Printers on UNIX</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938037"></a>
+CUPS does not limit itself to “<span class="quote">real</span>” PostScript printers in its usage
+of PPDs. The CUPS developers have extended the scope of the PPD
+concept to also describe available device and driver options for
+non-PostScript printers through CUPS-PPDs.
+</p><p>
+This is logical, as CUPS includes a fully featured PostScript
+interpreter (RIP). This RIP is based on Ghostscript. It can process
+all received PostScript (and additionally many other file formats)
+from clients. All CUPS-PPDs geared to non-PostScript printers contain
+an additional line, starting with the keyword
+<i class="parameter"><tt>*cupsFilter</tt></i>. This line tells the CUPS print
+system which printer-specific filter to use for the interpretation of
+the supplied PostScript. Thus CUPS lets all its printers appear as
+PostScript devices to its clients, because it can act as a PostScript
+RIP for those printers, processing the received PostScript code into a
+proper raster print format.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938085"></a>PPDs for Non-PS Printers on Windows</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938096"></a>
+CUPS-PPDs can also be used on Windows-Clients, on top of a
+“<span class="quote">core</span>” PostScript driver (now recommended is the "CUPS PostScript
+Driver for WindowsNT/200x/XP"; you can also use the Adobe one, with
+limitations). This feature enables CUPS to do a few tricks no other
+spooler can do:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Act as a networked PostScript RIP (Raster Image
+Processor), handling printfiles from all client platforms in a uniform
+way.</p></li><li><p>Act as a central accounting and billing server, since
+all files are passed through the pstops filter and are, therefore,
+logged in the CUPS <tt class="filename">page_log</tt> file.
+<span class="emphasis"><em>Note:</em></span> this cannot happen with “<span class="quote">raw</span>” print jobs,
+which always remain unfiltered per definition.</p></li><li><p>Enable clients to consolidate on a single PostScript
+driver, even for many different target printers.</p></li></ul></div><p>
+Using CUPS PPDs on Windows clients enables these to control
+all print job settings just as a UNIX client can do.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938166"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div><div></div></div><p>
+This setup may be of special interest to people experiencing major
+problems in WTS environments. WTS often need a multitude of
+non-PostScript drivers installed to run their clients' variety of
+different printer models. This often imposes the price of much
+increased instability.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938184"></a>Printer Drivers Running in “<span class="quote">Kernel Mode</span>” Cause Many
+Problems</h3></div></div><div></div></div><p>
+ In Windows NT printer drivers which run in “<span class="quote">Kernel
+Mode</span>”, introduces a high risk for the stability of the system
+if the driver is not really stable and well-tested. And there are a
+lot of bad drivers out there! Especially notorious is the example
+of the PCL printer driver that had an additional sound module
+running, to notify users via soundcard of their finished jobs. Do I
+need to say that this one was also reliably causing “<span class="quote">blue screens
+of death</span>” on a regular basis?
+</p><p>
+PostScript drivers are generally well tested. They are not known
+to cause any problems, even though they also run in kernel mode. This
+might be because there have been so far only two different PostScript
+drivers: the ones from Adobe and the one from Microsoft. Both are
+well tested and are as stable as you can imagine on
+Windows. The CUPS driver is derived from the Microsoft one.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938229"></a>Workarounds Impose Heavy Limitations</h3></div></div><div></div></div><p>
+In many cases, in an attempt to work around this problem, site
+administrators have resorted to restricting the allowed drivers installed
+on their WTS to one generic PCL and one PostScript driver. This,
+however, restricts the clients in the number of printer options
+available for them. Often they can't get out more than simplex
+prints from one standard paper tray, while their devices could do much
+better, if driven by a different driver!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938250"></a>CUPS: A “<span class="quote">Magical Stone</span>”?</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938266"></a>
+<a class="indexterm" name="id2938274"></a>
+Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very
+elegant way to overcome all these shortcomings. There are, depending
+on the version of Windows OS you use, up to three different PostScript
+drivers available: Adobe, Microsoft and CUPS PostScript drivers. None
+of them is known to cause major stability problems on WTS (even if
+used with many different PPDs). The clients will be able to (again)
+chose paper trays, duplex printing and other settings. However, there
+is a certain price for this too: a CUPS server acting as a PostScript
+RIP for its clients requires more CPU and RAM than when just acting as
+a “<span class="quote">raw spooling</span>” device. Plus, this setup is not yet widely tested,
+although the first feedbacks look very promising.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938313"></a>PostScript Drivers with No Major Problems Even in Kernel
+Mode</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938329"></a>
+More recent printer drivers on W200x and XP no longer run in kernel mode
+(unlike Windows NT). However, both operating systems can still
+use the NT drivers, running in kernel mode (you can roughly tell which
+is which as the drivers in subdirectory “<span class="quote">2</span>” of “<span class="quote">W32X86</span>” are “<span class="quote">old</span>”
+ones). As was said before, the Adobe as well as the Microsoft
+PostScript drivers are not known to cause any stability problems. The
+CUPS driver is derived from the Microsoft one. There is a simple
+reason for this: The MS DDK (Device Development Kit) for Windows NT (which
+used to be available at no cost to licensees of Visual Studio)
+includes the source code of the Microsoft driver, and licensees of
+Visual Studio are allowed to use and modify it for their own driver
+development efforts. This is what the CUPS people have done. The
+license does not allow them to publish the whole of the source code.
+However, they have released the “<span class="quote">diff</span>” under the GPL, and if you are
+the owner of an “<span class="quote">MS DDK for Windows NT,</span>” you can check the driver yourself.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2938378"></a>Configuring CUPS for Driver Download</h2></div></div><div></div></div><p>
+As we have said before, all previously known methods to prepare client
+printer drivers on the Samba server for download and Point'n'Print
+convenience of Windows workstations are working with CUPS, too. These
+methods were described in the previous chapter. In reality, this is a
+pure Samba business and only relates to the Samba/Windows client
+relationship.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938397"></a><span class="emphasis"><em>cupsaddsmb</em></span>: The Unknown Utility</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938412"></a>
+The <b class="command">cupsaddsmb</b> utility (shipped with all current CUPS versions) is an
+alternate method to transfer printer drivers into the Samba
+<i class="parameter"><tt>[print$]</tt></i> share. Remember, this share is where
+clients expect drivers deposited and setup for download and
+installation. It makes the sharing of any (or all) installed CUPS
+printers quite easy. <b class="command">cupsaddsmb</b> can use the Adobe PostScript driver as
+well as the newly developed CUPS PostScript Driver for
+Windows NT/200x/XP. <i class="parameter"><tt>cupsaddsmb</tt></i> does
+<span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers,
+but only with the <span class="emphasis"><em>exact</em></span> driver files that are
+named in its man page.
+</p><p>
+The CUPS printer driver is available from the CUPS download site. Its
+package name is <tt class="filename">cups-samba-[version].tar.gz</tt> . It
+is preferred over the Adobe drivers since it has a number of
+advantages:
+</p><div class="itemizedlist"><ul type="disc"><li><p>It supports a much more accurate page
+accounting.</p></li><li><p>It supports banner pages, and page labels on all
+printers.</p></li><li><p>It supports the setting of a number of job IPP
+attributes (such as job-priority, page-label and
+job-billing).</p></li></ul></div><p>
+However, currently only Windows NT, 2000 and XP are supported by the
+CUPS drivers. You will also need to get the respective part of Adobe driver
+if you need to support Windows 95, 98 and ME clients.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938514"></a>Prepare Your <tt class="filename">smb.conf</tt> for <b class="command">cupsaddsmb</b></h3></div></div><div></div></div><p>
+Prior to running <b class="command">cupsaddsmb</b>, you need the settings in
+<tt class="filename">smb.conf</tt> as shown in <link linkend="cupsadd-ex">:
+</p><div class="example"><a name="cupsadd-ex"></a><p class="title"><b>Example 19.3. smb.conf for cupsaddsmb usage</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td># setting depends on your requirements</td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer Drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /etc/samba/drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = root</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2938755"></a>CUPS “<span class="quote">PostScript Driver for Windows NT/200x/XP</span>”</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2938770"></a>
+CUPS users may get the exact same packages from <ulink url="http://www.cups.org/software.html">http://www.cups.org/software.html</ulink>.
+It is a separate package from the CUPS base software files, tagged as
+CUPS 1.1.x Windows NT/200x/XP Printer Driver for Samba
+(tar.gz, 192k). The filename to download is
+<tt class="filename">cups-samba-1.1.x.tar.gz</tt>. Upon untar and unzipping,
+it will reveal these files:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>tar xvzf cups-samba-1.1.19.tar.gz</tt></b>
+cups-samba.install
+cups-samba.license
+cups-samba.readme
+cups-samba.remove
+cups-samba.ss
+</pre><p>
+<a class="indexterm" name="id2938825"></a>
+<a class="indexterm" name="id2938836"></a>
+These have been packaged with the ESP meta packager software
+EPM. The <tt class="filename">*.install</tt> and
+<tt class="filename">*.remove</tt> files are simple shell scripts, which
+untars the <tt class="filename">*.ss</tt> (the <tt class="filename">*.ss</tt> is
+nothing else but a tar-archive, which can be untarred by “<span class="quote">tar</span>”
+too). Then it puts the content into
+<tt class="filename">/usr/share/cups/drivers/</tt>. This content includes three
+files:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>tar tv cups-samba.ss</tt></b>
+cupsdrvr.dll
+cupsui.dll
+cups.hlp
+</pre><p>
+The <i class="parameter"><tt>cups-samba.install</tt></i> shell scripts are easy to
+handle:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>./cups-samba.install</tt></b>
+[....]
+Installing software...
+Updating file permissions...
+Running post-install commands...
+Installation is complete.
+</pre><p>
+The script should automatically put the driver files into the
+<tt class="filename">/usr/share/cups/drivers/</tt> directory.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Due to a bug, one recent CUPS release puts the
+<tt class="filename">cups.hlp</tt> driver file
+into<tt class="filename">/usr/share/drivers/</tt> instead of
+<tt class="filename">/usr/share/cups/drivers/</tt>. To work around this,
+copy/move the file (after running the
+<b class="command">./cups-samba.install</b> script) manually to the
+correct place.
+</p></div><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</tt></b>
+</pre><p>
+<a class="indexterm" name="id2939020"></a>
+This new CUPS PostScript driver is currently binary-only, but free of
+charge. No complete source code is provided (yet). The reason is that
+it has been developed with the help of the Microsoft Driver
+Developer Kit (DDK) and compiled with Microsoft Visual
+Studio 6. Driver developers are not allowed to distribute the whole of
+the source code as free software. However, CUPS developers released
+the “<span class="quote">diff</span>” in source code under the GPL, so anybody with a license of
+Visual Studio and a DDK will be able to compile for him/herself.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939044"></a>Recognizing Different Driver Files</h3></div></div><div></div></div><p>
+The CUPS drivers do not support the older Windows 95/98/Me, but only
+the Windows NT/2000/XP client.
+</p><p>Windows NT, 2000 and XP are supported by:</p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li>cups.hlp</li><li>cupsdrvr.dll</li><li>cupsui.dll</li></ul></div><p>
+</p><p>
+Adobe drivers are available for the older Windows 95/98/Me as well as
+the Windows NT/2000/XP clients. The set of files is different from the
+different platforms.
+</p><p>Windows 95, 98 and ME are supported by:</p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li>ADFONTS.MFM</li><li>ADOBEPS4.DRV</li><li>ADOBEPS4.HLP</li><li>DEFPRTR2.PPD</li><li>ICONLIB.DLL</li><li>PSMON.DLL</li></ul></div><p>
+</p><p>Windows NT, 2000 and XP are supported by:</p><p>
+</p><div class="itemizedlist"><ul type="disc"><li>ADOBEPS5.DLL</li><li>ADOBEPSU.DLL</li><li>ADOBEPSU.HLP</li></ul></div><p>
+
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+If both the Adobe driver files and the CUPS driver files for the
+support of Windows NT/200x/XP are present in FIXME, the Adobe ones will be ignored
+and the CUPS ones will be used. If you prefer for whatever reason
+ to use Adobe-only drivers, move away the three CUPS driver files. The
+Windows 9x/Me clients use the Adobe drivers in any case.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939174"></a>Acquiring the Adobe Driver Files</h3></div></div><div></div></div><p>
+Acquiring the Adobe driver files seems to be unexpectedly difficult
+for many users. They are not available on the Adobe Web site as single
+files and the self-extracting and/or self-installing Windows-.exe is
+not easy to locate either. Probably you need to use the included
+native installer and run the installation process on one client
+once. This will install the drivers (and one Generic PostScript
+printer) locally on the client. When they are installed, share the
+Generic PostScript printer. After this, the client's
+<i class="parameter"><tt>[print$]</tt></i> share holds the Adobe files, from
+where you can get them with smbclient from the CUPS host.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939204"></a>ESP Print Pro PostScript Driver for Windows NT/200x/XP</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2939217"></a>
+Users of the ESP Print Pro software are able to install their Samba
+drivers package for this purpose with no problem. Retrieve the driver
+files from the normal download area of the ESP Print Pro software
+at <ulink url="http://www.easysw.com/software.html">http://www.easysw.com/software.html</ulink>.
+You need to locate the link labelled “<span class="quote">SAMBA</span>” among the
+<span class="guilabel">Download Printer Drivers for ESP Print Pro 4.x</span>
+area and download the package. Once installed, you can prepare any
+driver by simply highlighting the printer in the Printer Manager GUI
+and select <span class="guilabel">Export Driver...</span> from the menu. Of
+course you need to have prepared Samba beforehand to handle the
+driver files; i.e., setup the <i class="parameter"><tt>[print$]</tt></i>
+share, and so on. The ESP Print Pro package includes the CUPS driver files
+as well as a (licensed) set of Adobe drivers for the Windows 95/98/Me
+client family.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939274"></a>Caveats to be Considered</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2939286"></a>
+Once you have run the install script (and possibly manually
+moved the <tt class="filename">cups.hlp</tt> file to
+<tt class="filename">/usr/share/cups/drivers/</tt>), the driver is
+ready to be put into Samba's <i class="parameter"><tt>[print$]</tt></i> share (which often maps to
+<tt class="filename">/etc/samba/drivers/</tt> and contains a subdirectory
+tree with <span class="emphasis"><em>WIN40</em></span> and
+<span class="emphasis"><em>W32X86</em></span> branches). You do this by running
+<b class="command">cupsaddsmb</b> (see also <b class="command">man cupsaddsmb</b> for
+CUPS since release 1.1.16).
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+<a class="indexterm" name="id2939354"></a>
+You may need to put root into the smbpasswd file by running
+<b class="command">smbpasswd</b>; this is especially important if you
+should run this whole procedure for the first time, and are not
+working in an environment where everything is configured for
+<span class="emphasis"><em>single sign on</em></span> to a Windows Domain Controller.
+</p></div><p>
+Once the driver files are in the <i class="parameter"><tt>[print$]</tt></i> share
+and are initialized, they are ready to be downloaded and installed by
+the Windows NT/200x/XP clients.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Win 9x/Me clients will not work with the CUPS PostScript driver. For
+these you still need to use the <tt class="filename">ADOBE*.*</tt>
+drivers as previously stated.
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+It is not harmful if you still have the
+<tt class="filename">ADOBE*.*</tt> driver files from previous
+installations in the <tt class="filename">/usr/share/cups/drivers/</tt>
+directory. The new <b class="command">cupsaddsmb</b> (from 1.1.16) will
+automatically prefer its own drivers if it finds both.
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2939442"></a>
+Should your Windows clients have had the old <tt class="filename">ADOBE*.*</tt>
+files for the Adobe PostScript driver installed, the download and
+installation of the new CUPS PostScript driver for Windows NT/200x/XP
+will fail at first. You need to wipe the old driver from the clients
+first. It is not enough to “<span class="quote">delete</span>” the printer, as the driver files
+will still be kept by the clients and re-used if you try to re-install
+the printer. To really get rid of the Adobe driver files on the
+clients, open the <span class="guilabel">Printers</span> folder (possibly via <span class="guilabel">Start > Settings > Control Panel > Printers</span>),
+right-click on the folder background and select <span class="guimenuitem">Server
+Properties</span>. When the new dialog opens, select the
+<span class="guilabel">Drivers</span> tab. On the list select the driver you
+want to delete and click the <span class="guilabel">Delete</span>
+button. This will only work if there is not one single printer left
+that uses that particular driver. You need to “<span class="quote">delete</span>” all printers
+using this driver in the <span class="guilabel">Printers</span> folder first. You will need
+Administrator privileges to do this.
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2939527"></a>
+Once you have successfully downloaded the CUPS PostScript driver to a
+client, you can easily switch all printers to this one by proceeding
+as described in <link linkend="printing">. Either change
+a driver for an existing printer by running the <span class="guilabel">Printer Properties</span>
+dialog, or use <b class="command">rpcclient</b> with the
+<b class="command">setdriver</b> subcommand.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939571"></a>Windows CUPS PostScript Driver Versus Adobe Driver</h3></div></div><div></div></div><p>
+Are you interested in a comparison between the CUPS and the Adobe
+PostScript drivers? For our purposes these are the most important
+items that weigh in favor of the CUPS ones:
+</p><div class="itemizedlist"><ul type="disc"><li><p>No hassle with the Adobe EULA.</p></li><li><p>No hassle with the question “<span class="quote">Where do I
+get the ADOBE*.* driver files from?</span>”</p></li><li><p>
+<a class="indexterm" name="id2939611"></a>
+The Adobe drivers (on request of the printer PPD
+associated with them) often put a PJL header in front of the main
+PostScript part of the print file. Thus, the printfile starts with
+<i class="parameter"><tt><1B >%-12345X</tt></i> or
+<i class="parameter"><tt><escape>%-12345X</tt></i> instead
+of <i class="parameter"><tt>%!PS</tt></i>). This leads to the
+CUPS daemon auto-typing the incoming file as a print-ready file,
+not initiating a pass through the <i class="parameter"><tt>pstops</tt></i> filter (to speak more
+technically, it is not regarded as the generic MIME-type
+<a class="indexterm" name="id2939654"></a>
+<i class="parameter"><tt>application/postscript</tt></i>, but as
+the more special MIME type
+<a class="indexterm" name="id2939671"></a>
+<i class="parameter"><tt>application/cups.vnd-postscript</tt></i>),
+which therefore also leads to the page accounting in
+<i class="parameter"><tt>/var/log/cups/page_log</tt></i> not
+receiving the exact number of pages; instead the dummy page number
+of “<span class="quote">1</span>” is logged in a standard setup).</p></li><li><p>The Adobe driver has more options to misconfigure the
+PostScript generated by it (like setting it inadvertently to
+<span class="guilabel">Optimize for Speed</span>, instead of
+<span class="guilabel">Optimize for Portability</span>, which
+could lead to CUPS being unable to process it).</p></li><li><p>The CUPS PostScript driver output sent by Windows
+clients to the CUPS server is guaranteed to auto-type
+as the generic MIME type <i class="parameter"><tt>application/postscript</tt></i>,
+thus passing through the CUPS <i class="parameter"><tt>pstops</tt></i> filter and logging the
+correct number of pages in the <tt class="filename">page_log</tt> for
+accounting and quota purposes.</p></li><li><p>The CUPS PostScript driver supports the sending of
+additional standard (IPP) print options by Windows NT/200x/XP clients. Such
+additional print options are: naming the CUPS standard
+<span class="emphasis"><em>banner pages</em></span> (or the custom ones, should they be
+installed at the time of driver download), using the CUPS
+page-label option, setting a
+job-priority, and setting the scheduled
+time of printing (with the option to support additional
+useful IPP job attributes in the future).</p></li><li><p>The CUPS PostScript driver supports the inclusion of
+the new <i class="parameter"><tt>*cupsJobTicket</tt></i> comments at the
+beginning of the PostScript file (which could be used in the future
+for all sort of beneficial extensions on the CUPS side, but which will
+not disturb any other applications as they will regard it as a comment
+and simply ignore it).</p></li><li><p>The CUPS PostScript driver will be the heart of the
+fully fledged CUPS IPP client for Windows NT/200x/XP to be released soon
+(probably alongside the first beta release for CUPS
+1.2).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939801"></a>Run cupsaddsmb (Quiet Mode)</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2939812"></a>
+<a class="indexterm" name="id2939820"></a>
+The <b class="command">cupsaddsmb</b> command copies the needed files into your
+<i class="parameter"><tt>[print$]</tt></i> share. Additionally, the PPD
+associated with this printer is copied from
+<tt class="filename">/etc/cups/ppd/</tt> to
+<i class="parameter"><tt>[print$]</tt></i>. There the files wait for convenient
+Windows client installations via Point'n'Print. Before we can run the
+command successfully, we need to be sure that we can authenticate
+toward Samba. If you have a small network, you are probably using user-level
+security (<a class="indexterm" name="id2939861"></a><i class="parameter"><tt>security</tt></i> = user).
+</p><p>
+Here is an example of a successfully run <b class="command">cupsaddsmb</b> command:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U root infotec_IS2027</tt></b>
+Password for root required to access localhost via Samba: <b class="userinput"><tt>['secret']</tt></b>
+</pre><p>
+To share <span class="emphasis"><em>all</em></span> printers and drivers, use the
+<tt class="option">-a</tt> parameter instead of a printer name. Since
+<b class="command">cupsaddsmb</b> “<span class="quote">exports</span>” the printer drivers to Samba, it should be
+obvious that it only works for queues with a CUPS driver associated.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2939946"></a>Run cupsaddsmb with Verbose Output</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2939957"></a>
+Probably you want to see what's going on. Use the
+<tt class="option">-v</tt> parameter to get a more verbose output. The
+output below was edited for better readability: all “<span class="quote">\</span>” at the end of
+a line indicate that I inserted an artificial line break plus some
+indentation here:
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+You will see the root password for the Samba account printed on
+screen.
+</p></div><p>
+
+<a class="indexterm" name="id2939988"></a>
+<a class="indexterm" name="id2939999"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U root -v infotec_2105</tt></b>
+Password for root required to access localhost via GANDALF:
+Running command: smbclient //localhost/print\$ -N -U'root%secret' \
+ -c 'mkdir W32X86; \
+ put /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd; \
+ put /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll; \
+ put /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll; \
+ put /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp'
+added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
+NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
+putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd
+putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll
+putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll
+putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp
+
+Running command: rpcclient localhost -N -U'root%secret'
+ -c 'adddriver "Windows NT x86" \
+ "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
+ RAW:NULL"'
+cmd = adddriver "Windows NT x86" \
+ "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
+ RAW:NULL"
+Printer Driver infotec_2105 successfully installed.
+
+Running command: smbclient //localhost/print\$ -N -U'root%secret' \
+-c 'mkdir WIN40; \
+ put /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; \
+ put /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM; \
+ put /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV; \
+ put /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP; \
+ put /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD; \
+ put /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL; \
+ put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
+ added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+ Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
+ NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
+ putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD
+ putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM
+ putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV
+ putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP
+ putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD
+ putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL
+ putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL
+
+ Running command: rpcclient localhost -N -U'root%secret' \
+ -c 'adddriver "Windows 4.0" \
+ "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \
+ PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \
+ ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
+ cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:\
+ infotec_2105.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,\
+ infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,\
+ ICONLIB.DLL"
+ Printer Driver infotec_2105 successfully installed.
+
+ Running command: rpcclient localhost -N -U'root%secret' \
+ -c 'setdriver infotec_2105 infotec_2105'
+ cmd = setdriver infotec_2105 infotec_2105
+ Successfully set infotec_2105 to driver infotec_2105.
+
+</pre><p>
+If you look closely, you'll discover your root password was transferred
+unencrypted over the wire, so beware! Also, if you look further,
+you'll discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in between. They occur, because the directories WIN40 and W32X86 already existed in the <i class="parameter"><tt>[print$]</tt></i> driver download share (from a previous driver installation). They are harmless here.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940175"></a>Understanding cupsaddsmb</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2940187"></a>
+What has happened? What did <b class="command">cupsaddsmb</b> do? There are five stages of
+the procedure:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ <a class="indexterm" name="id2940218"></a>
+ Call the CUPS server via IPP and request the
+driver files and the PPD file for the named printer.</p></li><li><p>Store the files temporarily in the local
+TEMPDIR (as defined in
+<tt class="filename">cupsd.conf</tt>).</p></li><li><p>Connect via smbclient to the Samba server's
+ <i class="parameter"><tt>[print$]</tt></i> share and put the files into the
+ share's WIN40 (for Windows 9x/Me) and W32X86/ (for Windows NT/200x/XP) subdirectories.</p></li><li><p>
+<a class="indexterm" name="id2940262"></a>
+ Connect via rpcclient to the Samba server and
+execute the <b class="command">adddriver</b> command with the correct
+parameters.</p></li><li><p>
+<a class="indexterm" name="id2940287"></a>
+ Connect via rpcclient to the Samba server a second
+time and execute the <b class="command">setdriver</b> command.</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+You can run the <b class="command">cupsaddsmb</b> utility with parameters to
+specify one remote host as Samba host and a second remote host as CUPS
+host. Especially if you want to get a deeper understanding, it is a
+good idea to try it and see more clearly what is going on (though in real
+life most people will have their CUPS and Samba servers run on the
+same host):
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H sambaserver -h cupsserver -v printer</tt></b>
+</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940352"></a>How to Recognize If cupsaddsmb Completed Successfully</h3></div></div><div></div></div><p>
+You <span class="emphasis"><em>must</em></span> always check if the utility completed
+successfully in all fields. You need as a minimum these three messages
+among the output:
+</p><div class="orderedlist"><ol type="1"><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
+installed.</em></span> # (for the W32X86 == Windows NT/200x/XP
+architecture).</p></li><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
+installed.</em></span> # (for the WIN40 == Windows 9x/Me
+architecture).</p></li><li><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver
+[printerXYZ].</em></span></p></li></ol></div><p>
+These messages are probably not easily recognized in the general
+output. If you run <b class="command">cupsaddsmb</b> with the <tt class="option">-a</tt>
+parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS
+printer drivers for download), you might miss if individual printers
+drivers had problems installing properly. Here a redirection of the
+output will help you analyze the results in retrospective.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+It is impossible to see any diagnostic output if you do not run
+<b class="command">cupsaddsmb</b> in verbose mode. Therefore, we strongly recommend to not
+use the default quiet mode. It will hide any problems from you that
+might occur.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940450"></a>cupsaddsmb with a Samba PDC</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2940460"></a>
+Can't get the standard <b class="command">cupsaddsmb</b> command to run on a Samba PDC?
+Are you asked for the password credential all over again and again and
+the command just will not take off at all? Try one of these
+variations:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -U MIDEARTH\\root -v printername</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H SAURON -U MIDEARTH\\root -v printername</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername</tt></b>
+</pre><p>
+(Note the two backslashes: the first one is required to
+“<span class="quote">escape</span>” the second one).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940538"></a>cupsaddsmb Flowchart</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2940548"></a>
+<link linkend="small14"> shows a chart about the procedures, commandflows and
+dataflows of the <b class="command">cupaddsmb</b> command. Note again: cupsaddsmb is
+not intended to, and does not work with, raw queues!
+</p><p>
+ </p><div class="figure"><a name="small14"></a><p class="title"><b>Figure 19.16. cupsaddsmb flowchart.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/14small.png" width="270" alt="cupsaddsmb flowchart."></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940621"></a>Installing the PostScript Driver on a Client</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2940631"></a>
+After <b class="command">cupsaddsmb</b> is completed, your driver is prepared for the clients to
+use. Here are the steps you must perform to download and install it
+via Point'n'Print. From a Windows client, browse to the CUPS/Samba
+server:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+<a class="indexterm" name="id2940659"></a>
+Open the <span class="guilabel">Printers</span>
+share of Samba in Network Neighborhood.</p></li><li><p>Right-click on the printer in
+question.</p></li><li><p>From the opening context-menu select
+<span class="guimenuitem">Install...</span> or
+<span class="guimenuitem">Connect...</span> (depending on the Windows version you
+use).</p></li></ul></div><p>
+After a few seconds, there should be a new printer in your
+client's <span class="emphasis"><em>local</em></span> <span class="guilabel">Printers</span> folder. On Windows
+XP it will follow a naming convention of <span class="emphasis"><em>PrinterName on
+SambaServer</em></span>. (In my current case it is "infotec_2105 on
+kde-bitshop"). If you want to test it and send your first job from
+an application like Winword, the new printer appears in a
+<tt class="filename">\\SambaServer\PrinterName</tt> entry in the
+drop-down list of available printers.
+</p><p>
+<a class="indexterm" name="id2940738"></a>
+<b class="command">cupsaddsmb</b> will only reliably work with CUPS version 1.1.15 or higher
+and Samba from 2.2.4. If it does not work, or if the automatic printer
+driver download to the clients does not succeed, you can still manually
+install the CUPS printer PPD on top of the Adobe PostScript driver on
+clients. Then point the client's printer queue to the Samba printer
+share for a UNC type of connection:
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>net use lpt1: \\sambaserver\printershare /user:ntadmin</tt></b>
+</pre><p>
+should you desire to use the CUPS networked PostScript RIP
+functions. (Note that user “<span class="quote">ntadmin</span>” needs to be a valid Samba user
+with the required privileges to access the printershare.) This
+sets up the printer connection in the traditional
+<span class="emphasis"><em>LanMan</em></span> way (not using MS-RPC).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2940801"></a>Avoiding Critical PostScript Driver Settings on the Client</h3></div></div><div></div></div><p>
+Printing works, but there are still problems. Most jobs print
+well, some do not print at all. Some jobs have problems with fonts,
+which do not look very good. Some jobs print fast and some are
+dead-slow. Many of these problems can be greatly reduced or even
+completely eliminated if you follow a few guidelines. Remember, if
+your print device is not PostScript-enabled, you are treating your
+Ghostscript installation on your CUPS host with the output your client
+driver settings produce. Treat it well:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Avoid the PostScript Output Option: Optimize
+for Speed setting. Use the Optimize for
+Portability instead (Adobe PostScript
+driver).</p></li><li><p>Don't use the Page Independence:
+NO setting. Instead, use Page Independence
+YES (CUPS PostScript Driver).</p></li><li><p>Recommended is the True Type Font
+Downloading Option: Native True Type over
+Automatic and Outline; you
+should by all means avoid Bitmap (Adobe
+PostScript Driver).</p></li><li><p>Choose True Type Font: Download as Softfont
+into Printer over the default Replace by Device
+Font (for exotic fonts, you may need to change it back to
+get a printout at all) (Adobe).</p></li><li><p>Sometimes you can choose PostScript Language
+Level: In case of problems try 2
+instead of 3 (the latest ESP Ghostscript package
+handles Level 3 PostScript very well) (Adobe).</p></li><li><p>Say Yes to PostScript
+Error Handler (Adobe).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2940875"></a>Installing PostScript Driver Files Manually Using rpcclient</h2></div></div><div></div></div><p>
+Of course, you can run all the commands that are embedded into the
+cupsaddsmb convenience utility yourself, one by one, and hereby upload
+and prepare the driver files for future client downloads.
+</p><div class="orderedlist"><ol type="1"><li><p>Prepare Samba (A CUPS print queue with the name of the
+printer should be there. We are providing the driver
+now).</p></li><li><p>Copy all files to
+ <i class="parameter"><tt>[print$]</tt></i>.</p></li><li><p>
+<a class="indexterm" name="id2940926"></a>
+Run <b class="command">rpcclient adddriver</b>
+(for each client architecture you want to support).</p></li><li><p>
+<a class="indexterm" name="id2940950"></a>
+Run <b class="command">rpcclient
+setdriver.</b></p></li></ol></div><p>
+<a class="indexterm" name="id2940972"></a>
+<a class="indexterm" name="id2940983"></a>
+<a class="indexterm" name="id2940994"></a>
+<a class="indexterm" name="id2941005"></a>
+<a class="indexterm" name="id2941016"></a>
+We are going to do this now. First, read the man page on <i class="parameter"><tt>rpcclient</tt></i>
+to get a first idea. Look at all the printing related
+subcommands. <b class="command">enumprinters</b>,
+<b class="command">enumdrivers</b>, <b class="command">enumports</b>,
+<b class="command">adddriver</b>, <b class="command">setdriver</b> are among
+the most interesting ones. <i class="parameter"><tt>rpcclient</tt></i> implements an important part of
+the MS-RPC protocol. You can use it to query (and command) a Windows NT
+(or 200x/XP) PC, too. MS-RPC is used by Windows clients, among other
+things, to benefit from the Point'n'Print features. Samba can now
+mimic this as well.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941083"></a>A Check of the rpcclient man Page</h3></div></div><div></div></div><p>
+ First let's check the <i class="parameter"><tt>rpcclient</tt></i> man page. Here are
+two relevant passages:
+</p><p>
+<b class="command">adddriver <arch> <config></b> Execute an
+<b class="command">AddPrinterDriver()</b> RPC to install the printer driver information on
+the server. The driver files should already exist in the
+directory returned by <b class="command">getdriverdir</b>. Possible
+values for <i class="parameter"><tt>arch</tt></i> are the same as those for the
+<b class="command">getdriverdir</b> command. The
+<i class="parameter"><tt>config</tt></i> parameter is defined as follows:
+</p><pre class="screen">
+Long Printer Name:\
+Driver File Name:\
+Data File Name:\
+Config File Name:\
+Help File Name:\
+Language Monitor Name:\
+Default Data Type:\
+Comma Separated list of Files
+</pre><p>Any empty fields should be enter as the string “<span class="quote">NULL</span>”. </p><p>Samba does not need to support the concept of Print Monitors
+since these only apply to local printers whose driver can make use of
+a bi-directional link for communication. This field should be “<span class="quote">NULL</span>”.
+On a remote NT print server, the Print Monitor for a driver must
+already be installed prior to adding the driver or else the RPC will
+fail.
+</p><p>
+<b class="command">setdriver <printername> <drivername></b>
+Execute a <b class="command">SetPrinter()</b> command to update the
+printer driver associated with an installed printer. The printer
+driver must already be correctly installed on the print server.
+</p><p>See also the <b class="command">enumprinters</b> and <b class="command">enumdrivers</b> commands for
+obtaining a list of installed printers and drivers.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941229"></a>Understanding the rpcclient man Page</h3></div></div><div></div></div><p>
+The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man
+page, since you have to deal with some parameters containing
+spaces. Here is a better description for it. We have line-broken the
+command and indicated the breaks with “<span class="quote">\</span>”. Usually you would type the
+command in one line without the linebreaks:
+<a class="indexterm" name="id2941254"></a>
+</p><pre class="screen">
+ adddriver "Architecture" \
+ "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\
+ LanguageMonitorFile:DataType:ListOfFiles,Comma-separated"
+</pre><p>
+What the man pages denote as a simple <i class="parameter"><tt><config></tt></i>
+keyword, in reality consists of eight colon-separated fields. The
+last field may take multiple (in some very insane cases, even
+20 different additional) files. This might sound confusing at first.
+What the man pages names the “<span class="quote">LongPrinterName</span>” in
+reality should be called the “<span class="quote">Driver Name</span>”. You can name it
+anything you want, as long as you use this name later in the
+<b class="command">rpcclient ... setdriver</b> command. For
+practical reasons, many name the driver the same as the
+printer.
+</p><p>
+It isn't simple at all. I hear you asking:
+“<span class="quote">How do I know which files are "Driver
+File</span>”, “<span class="quote">Data File</span>”, “<span class="quote">Config File</span>”, “<span class="quote">Help File</span>” and “<span class="quote">Language
+Monitor File" in each case?</span>” For an answer, you may
+want to have a look at how a Windows NT box with a shared printer
+presents the files to us. Remember, that this whole procedure has
+to be developed by the Samba team by overhearing the traffic caused
+by Windows computers on the wire. We may as well turn to a Windows
+box now and access it from a UNIX workstation. We will query it
+with <b class="command">rpcclient</b> to see what it tells us and
+try to understand the man page more clearly that we've read just
+now.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941358"></a>Producing an Example by Querying a Windows Box</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2941369"></a>
+ <a class="indexterm" name="id2941380"></a>
+We could run <b class="command">rpcclient</b> with a
+<b class="command">getdriver</b> or a <b class="command">getprinter</b>
+subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or
+Linux workstation with the Samba utilities installed, then type the
+following command:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'user%secret' NT-SERVER -c 'getdriver printername 3'</tt></b>
+</pre><p>
+From the result it should become clear which is which. Here is an example from my installation:
+</p><p>
+<a class="indexterm" name="id2941447"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'Danka%xxxx' W200xSERVER \
+ -c'getdriver "DANKA InfoStream Virtual Printer" 3'</tt></b>
+ cmd = getdriver "DANKA InfoStream Virtual Printer" 3
+
+ [Windows NT x86]
+ Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [DANKA InfoStream]
+ Architecture: [Windows NT x86]
+ Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL]
+ Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD]
+ Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL]
+ Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP]
+
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+
+ Monitorname: []
+ Defaultdatatype: []
+
+</pre><p>
+Some printer drivers list additional files under the label
+<i class="parameter"><tt>Dependentfiles</tt></i> and these would go into the last field
+<i class="parameter"><tt>ListOfFiles,Comma-separated</tt></i>. For the CUPS
+PostScript drivers, we do not need any (nor would we for the Adobe
+PostScript driver), therefore, the field will get a “<span class="quote">NULL</span>” entry.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941534"></a>Requirements for adddriver and setdriver to Succeed</h3></div></div><div></div></div><p>
+>From the man page (and from the quoted output
+of <b class="command">cupsaddsmb</b> above) it becomes clear that you
+need to have certain conditions in order to make the manual uploading
+and initializing of the driver files succeed. The two <b class="command">rpcclient</b>
+<a class="indexterm" name="id2941564"></a>
+subcommands (<b class="command">adddriver</b> and
+<b class="command">setdriver</b>) need to encounter the following
+preconditions to complete successfully:
+</p><div class="itemizedlist"><ul type="disc"><li><p>You are connected as <a class="indexterm" name="id2941599"></a><i class="parameter"><tt>printer admin</tt></i> or root (this is <span class="emphasis"><em>not</em></span> the “<span class="quote">Printer Operators</span>” group in
+NT, but the <span class="emphasis"><em>printer admin</em></span> group as defined in
+the <i class="parameter"><tt>[global]</tt></i> section of
+<tt class="filename">smb.conf</tt>).</p></li><li><p>Copy all required driver files to
+<tt class="filename">\\SAMBA\print$\w32x86</tt> and
+<tt class="filename">\\SAMBA\print$\win40</tt> as appropriate. They
+will end up in the “<span class="quote">0</span>” respective “<span class="quote">2</span>” subdirectories later. For now,
+<span class="emphasis"><em>do not</em></span> put them there, they'll be automatically
+used by the <b class="command">adddriver</b> subcommand. (If you use
+<b class="command">smbclient</b> to put the driver files into the share, note that you need
+to escape the “<span class="quote">$</span>”: <b class="command">smbclient //sambaserver/print\$ -U
+root.</b>)</p></li><li><p>The user you're connecting as must be able to write to
+the <i class="parameter"><tt>[print$]</tt></i> share and create
+subdirectories.</p></li><li><p>The printer you are going to setup for the Windows
+clients needs to be installed in CUPS already.</p></li><li><p>
+ <a class="indexterm" name="id2941729"></a>
+ <a class="indexterm" name="id2941740"></a>
+ The CUPS printer must be known to Samba, otherwise the
+<b class="command">setdriver</b> subcommand fails with an
+NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by
+Samba, you may use the <b class="command">enumprinters</b> subcommand to
+<b class="command">rpcclient</b>. A long-standing bug prevented a proper update of the
+printer list until every smbd process had received a SIGHUP or was
+restarted. Remember this in case you've created the CUPS printer just
+recently and encounter problems: try restarting
+Samba.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2941782"></a>Manual Driver Installation in 15 Steps</h3></div></div><div></div></div><p>
+We are going to install a printer driver now by manually executing all
+required commands. As this may seem a rather complicated process at
+first, we go through the procedure step by step, explaining every
+single action item as it comes up.
+</p><div class="procedure"><p class="title"><b>Procedure 19.1. Manual Driver Installation</b></p><ol type="1"><li><p class="title"><b>Install the printer on CUPS.</b></p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E \
+ -P canonIR85.ppd</tt></b>
+</pre><p>
+This installs a printer with the name <i class="parameter"><tt>mysmbtstprn</tt></i>
+to the CUPS system. The printer is accessed via a socket
+(a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root
+for this step.
+</p></li><li><p class="title"><b>(Optional) Check if the printer is recognized by Samba.</b></p><p>
+<a class="indexterm" name="id2941868"></a>
+</p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \
+ | grep -C2 mysmbtstprn</tt></b>
+flags:[0x800000]
+name:[\\kde-bitshop\mysmbtstprn]
+description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn]
+comment:[mysmbtstprn]
+</pre><p>
+This should show the printer in the list. If not, stop and restart
+the Samba daemon (smbd), or send a HUP signal:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>kill -HUP `pidof smbd`</tt></b>
+</pre><p>Check again. Troubleshoot and repeat until
+successful. Note the “<span class="quote">empty</span>” field between the two commas in the
+“<span class="quote">description</span>” line. The driver name would appear here if there was one already. You need to know root's Samba password (as set by the
+<b class="command">smbpasswd</b> command) for this step and most of the
+following steps. Alternately, you can authenticate as one of the
+users from the “<span class="quote">write list</span>” as defined in <tt class="filename">smb.conf</tt> for
+<i class="parameter"><tt>[print$]</tt></i>.
+</p></li><li><p class="title"><b>(Optional) Check if Samba knows a driver for the printer.</b></p><p>
+ <a class="indexterm" name="id2941980"></a>
+ <a class="indexterm" name="id2941991"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
+ | grep driver </tt></b>
+drivername:[]
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
+ | grep -C4 driv</tt></b>
+servername:[\\kde-bitshop]
+printername:[\\kde-bitshop\mysmbtstprn]
+sharename:[mysmbtstprn]
+portname:[Samba Printer Port]
+drivername:[]
+comment:[mysmbtstprn]
+location:[]
+sepfile:[]
+printprocessor:[winprint]
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</tt></b>
+ result was WERR_UNKNOWN_PRINTER_DRIVER
+
+</pre><p>
+None of the three commands shown above should show a driver.
+This step was done for the purpose of demonstrating this condition. An
+attempt to connect to the printer at this stage will prompt the
+message along the lines of: “<span class="quote">The server does not have the required printer
+driver installed.</span>”
+</p></li><li><p class="title"><b>Put all required driver files into Samba's
+[print$].</b></p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //localhost/print\$ -U 'root%xxxx' \
+ -c 'cd W32X86; \
+ put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \
+ put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \
+ put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \
+ put /usr/share/cups/drivers/cups.hlp cups.hlp'</tt></b>
+</pre><p>
+(This command should be entered in one long single
+line. Line-breaks and the line-end indicated by “<span class="quote">\</span>” have been inserted
+for readability reasons.) This step is <span class="emphasis"><em>required</em></span>
+for the next one to succeed. It makes the driver files physically
+present in the <i class="parameter"><tt>[print$]</tt></i> share. However, clients
+would still not be able to install them, because Samba does not yet
+treat them as driver files. A client asking for the driver would still
+be presented with a “<span class="quote">not installed here</span>” message.
+</p></li><li><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/</tt></b>
+total 669
+drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2
+drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
+-rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
+-rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll
+-rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll
+-rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
+</pre><p>
+The driver files now are in the W32X86 architecture “<span class="quote">root</span>” of
+<i class="parameter"><tt>[print$]</tt></i>.
+</p></li><li><p class="title"><b>Tell Samba that these are driver files (<b class="command">adddriver</b>).</b></p><p>
+<a class="indexterm" name="id2942214"></a>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c `adddriver "Windows NT x86" \
+ "mydrivername:cupsdrvr.dll:mysmbtstprn.PPD: \
+ cupsui.dll:cups.hlp:NULL:RAW:NULL" \
+ localhost</tt></b>
+Printer Driver mydrivername successfully installed.
+</pre><p>
+You cannot repeat this step if it fails. It could fail even
+as a result of a simple typo. It will most likely have moved a part of
+the driver files into the “<span class="quote">2</span>” subdirectory. If this step fails, you
+need to go back to the fourth step and repeat it before you can try
+this one again. In this step, you need to choose a name for your
+driver. It is normally a good idea to use the same name as is used for
+the printer name; however, in big installations you may use this driver
+for a number of printers that obviously have different names, so the
+name of the driver is not fixed.
+</p></li><li><p class="title"><b>Verify where the driver files are now.</b></p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/</tt></b>
+total 1
+drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2
+drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /etc/samba/drivers/W32X86/2</tt></b>
+total 5039
+[....]
+-rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
+-rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll
+-rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll
+-rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
+</pre><p>
+Notice how step 6 also moved the driver files to the appropriate
+subdirectory. Compare this with the situation after step 5.
+</p></li><li><p class="title"><b>(Optional) Verify if Samba now recognizes the driver.</b></p><p>
+<a class="indexterm" name="id2942341"></a>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumdrivers 3' \
+ localhost | grep -B2 -A5 mydrivername</tt></b>
+Printer Driver Info 3:
+Version: [2]
+Driver Name: [mydrivername]
+Architecture: [Windows NT x86]
+Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
+Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
+Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
+Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
+</pre><p>
+Remember, this command greps for the name you chose for the
+driver in step 6. This command must succeed before you can proceed.
+</p></li><li><p>Tell Samba which printer should use these driver files (<b class="command">setdriver</b>).</p><p>
+<a class="indexterm" name="id2942406"></a>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' \
+ localhost</tt></b>
+Successfully set mysmbtstprn to driver mydrivername
+</pre><p>
+Since you can bind any printername (print queue) to any driver, this
+is a convenient way to setup many queues that use the same
+driver. You do not need to repeat all the previous steps for the
+setdriver command to succeed. The only preconditions are:
+<b class="command">enumdrivers</b> must find the driver and
+<b class="command">enumprinters</b> must find the printer.
+</p></li><li><p class="title"><b>(Optional) Verify if Samba has recognized this association.</b></p><p>
+<a class="indexterm" name="id2942476"></a>
+<a class="indexterm" name="id2942487"></a>
+<a class="indexterm" name="id2942498"></a>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
+ | grep driver</tt></b>
+drivername:[mydrivername]
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \
+ | grep -C4 driv</tt></b>
+servername:[\\kde-bitshop]
+printername:[\\kde-bitshop\mysmbtstprn]
+sharename:[mysmbtstprn]
+portname:[Done]
+drivername:[mydrivername]
+comment:[mysmbtstprn]
+location:[]
+sepfile:[]
+printprocessor:[winprint]
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost</tt></b>
+[Windows NT x86]
+Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [mydrivername]
+ Architecture: [Windows NT x86]
+ Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
+ Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
+ Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
+ Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
+ Monitorname: []
+ Defaultdatatype: [RAW]
+ Monitorname: []
+ Defaultdatatype: [RAW]
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'enumprinters' localhost \
+ | grep mysmbtstprn</tt></b>
+ name:[\\kde-bitshop\mysmbtstprn]
+ description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn]
+ comment:[mysmbtstprn]
+
+</pre><p>
+<a class="indexterm" name="id2942589"></a>
+Compare these results with the ones from steps 2 and 3. Every one of these commands show the driver is installed. Even
+the <b class="command">enumprinters</b> command now lists the driver
+on the “<span class="quote">description</span>” line.
+</p></li><li><p class="title"><b>(Optional) Tickle the driver into a correct
+device mode.</b></p><p>
+<a class="indexterm" name="id2942629"></a>
+You certainly know how to install the driver on the client. In case
+you are not particularly familiar with Windows, here is a short
+recipe: Browse the Network Neighborhood, go to the Samba server, and look
+for the shares. You should see all shared Samba printers.
+Double-click on the one in question. The driver should get
+installed and the network connection set up. An alternate way is to
+open the <span class="guilabel">Printers (and Faxes)</span> folder, right-click on the printer in
+question and select <span class="guilabel">Connect</span> or <span class="guilabel">Install</span>. As a result, a new printer
+should have appeared in your client's local <span class="guilabel">Printers (and Faxes)</span>
+folder, named something like <span class="guilabel">printersharename on Sambahostname</span>.
+</p><p>
+It is important that you execute this step as a Samba printer admin
+(as defined in <tt class="filename">smb.conf</tt>). Here is another method
+to do this on Windows XP. It uses a command line, which you may type
+into the “<span class="quote">DOS box</span>” (type root's smbpassword when prompted):
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry \
+ /in /n \\sambaserver\mysmbtstprn"</tt></b>
+</pre><p>
+Change any printer setting once (like changing <span class="emphasis"><em><span class="guilabel">portrait</span> to
+ <span class="guilabel">landscape</span></em></span>), click on <span class="guibutton">Apply</span>; change the setting
+back.
+</p></li><li><p class="title"><b>Install the printer on a client
+(Point'n'Print).</b></p><p>
+<a class="indexterm" name="id2942767"></a>
+ </p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /in /n “<span class="quote">\\sambaserver\mysmbtstprn</span>”</tt></b>
+</pre><p>
+If it does not work it could be a permission problem with the
+<i class="parameter"><tt>[print$]</tt></i> share.
+</p></li><li><p class="title"><b>(Optional) Print a test page.</b></p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /p /n "\\sambaserver\mysmbtstprn"</tt></b>
+</pre><p>
+Then hit [TAB] five times, [ENTER] twice, [TAB] once and [ENTER] again
+and march to the printer.
+</p></li><li><p class="title"><b>(Recommended) Study the test page.</b></p><p>
+Hmmm.... just kidding! By now you know everything about printer
+installations and you do not need to read a word. Just put it in a
+frame and bolt it to the wall with the heading "MY FIRST
+RPCCLIENT-INSTALLED PRINTER" why not just throw it away!
+</p></li><li><p class="title"><b>(Obligatory) Enjoy. Jump. Celebrate your
+success.</b></p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd</tt></b>
+</pre></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2942909"></a>Troubleshooting Revisited</h3></div></div><div></div></div><p>
+The setdriver command will fail, if in Samba's mind the queue is not
+already there. You had promising messages about the:
+</p><pre class="screen">
+ Printer Driver ABC successfully installed.
+</pre><p>
+after the <b class="command">adddriver</b> parts of the procedure? But you are also seeing
+a disappointing message like this one?
+</p><p><tt class="computeroutput">
+ result was NT_STATUS_UNSUCCESSFUL
+</tt></p><p>
+<a class="indexterm" name="id2942956"></a>
+It is not good enough that you
+can see the queue in CUPS, using
+the <b class="command">lpstat -p ir85wm</b> command. A
+bug in most recent versions of Samba prevents the proper update of
+the queuelist. The recognition of newly installed CUPS printers
+fails unless you restart Samba or send a HUP to all smbd
+processes. To verify if this is the reason why Samba does not
+execute the <b class="command">setdriver</b> command successfully, check if Samba “<span class="quote">sees</span>”
+the printer:
+</p><p>
+<a class="indexterm" name="id2942993"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm</tt></b>
+ printername:[ir85wm]
+</pre><p>
+An alternate command could be this:
+</p><p>
+<a class="indexterm" name="id2943033"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' </tt></b>
+ cmd = getprinter ir85wm
+ flags:[0x800000]
+ name:[\\transmeta\ir85wm]
+ description:[\\transmeta\ir85wm,ir85wm,DPD]
+ comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]
+</pre><p>
+By the way, you can use these commands, plus a few more, of course,
+to install drivers on remote Windows NT print servers too!
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943077"></a>The Printing <tt class="filename">*.tdb</tt> Files</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2943094"></a>
+<a class="indexterm" name="id2943102"></a>
+<a class="indexterm" name="id2943113"></a>
+<a class="indexterm" name="id2943124"></a>
+<a class="indexterm" name="id2943136"></a>
+<a class="indexterm" name="id2943147"></a>
+<a class="indexterm" name="id2943158"></a>
+<a class="indexterm" name="id2943169"></a>
+<a class="indexterm" name="id2943180"></a>
+<a class="indexterm" name="id2943191"></a>
+<a class="indexterm" name="id2943202"></a>
+<a class="indexterm" name="id2943214"></a>
+<a class="indexterm" name="id2943225"></a>
+Some mystery is associated with the series of files with a
+tdb suffix appearing in every Samba installation. They are
+<tt class="filename">connections.tdb</tt>,
+<tt class="filename">printing.tdb</tt>,
+<tt class="filename">share_info.tdb</tt>,
+<tt class="filename">ntdrivers.tdb</tt>,
+<tt class="filename">unexpected.tdb</tt>,
+<tt class="filename">brlock.tdb</tt>,
+<tt class="filename">locking.tdb</tt>,
+<tt class="filename">ntforms.tdb</tt>,
+<tt class="filename">messages.tdb</tt> ,
+<tt class="filename">ntprinters.tdb</tt>,
+<tt class="filename">sessionid.tdb</tt> and
+<tt class="filename">secrets.tdb</tt>. What is their purpose?
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943322"></a>Trivial Database Files</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2943333"></a>
+A Windows NT (print) server keeps track of all information needed to serve
+its duty toward its clients by storing entries in the Windows
+registry. Client queries are answered by reading from the registry,
+Administrator or user configuration settings that are saved by writing into
+the registry. Samba and UNIX obviously do not have such a
+Registry. Samba instead keeps track of all client related information in a
+series of <tt class="filename">*.tdb</tt> files. (TDB = Trivial Data
+Base). These are often located in <tt class="filename">/var/lib/samba/</tt>
+or <tt class="filename">/var/lock/samba/</tt>. The printing related files
+are <tt class="filename">ntprinters.tdb</tt>,
+<tt class="filename">printing.tdb</tt>,<tt class="filename">ntforms.tdb</tt> and
+<tt class="filename">ntdrivers.tdb</tt>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943400"></a>Binary Format</h3></div></div><div></div></div><p>
+<tt class="filename">*.tdb</tt> files are not human readable. They are
+written in a binary format. “<span class="quote">Why not ASCII?</span>”, you may ask. “<span class="quote">After all,
+ASCII configuration files are a good and proven tradition on UNIX.</span>”
+The reason for this design decision by the Samba team is mainly
+performance. Samba needs to be fast; it runs a separate
+<b class="command">smbd</b> process for each client connection, in some
+environments many thousands of them. Some of these smbds might need to
+write-access the same <tt class="filename">*.tdb</tt> file <span class="emphasis"><em>at the
+same time</em></span>. The file format of Samba's
+<tt class="filename">*.tdb</tt> files allows for this provision. Many smbd
+processes may write to the same <tt class="filename">*.tdb</tt> file at the
+same time. This wouldn't be possible with pure ASCII files.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943470"></a>Losing <tt class="filename">*.tdb</tt> Files</h3></div></div><div></div></div><p>
+It is very important that all <tt class="filename">*.tdb</tt> files remain
+consistent over all write and read accesses. However, it may happen
+that these files <span class="emphasis"><em>do</em></span> get corrupted. (A
+<b class="command">kill -9 `pidof smbd'</b> while a write access is in
+progress could do the damage as well as a power interruption,
+etc.). In cases of trouble, a deletion of the old printing-related
+<tt class="filename">*.tdb</tt> files may be the only option. After that you need to
+re-create all print-related setup or you have made a
+backup of the <tt class="filename">*.tdb</tt> files in time.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943528"></a>Using <b class="command">tdbbackup</b></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2943544"></a>
+<a class="indexterm" name="id2943558"></a>
+Samba ships with a little utility that helps the root user of your
+system to backup your <tt class="filename">*.tdb</tt> files. If you run it
+with no argument, it prints a usage message:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>tdbbackup</tt></b>
+ Usage: tdbbackup [options] <fname...>
+
+ Version:3.0a
+ -h this help message
+ -s suffix set the backup suffix
+ -v verify mode (restore if corrupt)
+
+</pre><p>
+Here is how I backed up my <tt class="filename">printing.tdb</tt> file:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls</tt></b>
+. browse.dat locking.tdb ntdrivers.tdb printing.tdb
+.. share_info.tdb connections.tdb messages.tdb ntforms.tdb
+printing.tdbkp unexpected.tdb brlock.tdb gmon.out namelist.debug
+ntprinters.tdb sessionid.tdb
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>tdbbackup -s .bak printing.tdb</tt></b>
+ printing.tdb : 135 records
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l printing.tdb*</tt></b>
+ -rw------- 1 root root 40960 May 2 03:44 printing.tdb
+ -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak
+
+</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2943673"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2943683"></a>
+CUPS ships with good support for HP LaserJet-type printers. You can
+install the generic driver as follows:
+</p><p>
+<a class="indexterm" name="id2943698"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd</tt></b>
+</pre><p>
+The <tt class="option">-m</tt> switch will retrieve the
+<tt class="filename">laserjet.ppd</tt> from the standard repository for
+not-yet-installed-PPDs, which CUPS typically stores in
+<tt class="filename">/usr/share/cups/model</tt>. Alternately, you may use
+<tt class="option">-P /path/to/your.ppd</tt>.
+</p><p>
+The generic <tt class="filename">laserjet.ppd,</tt> however, does not support every special option
+for every LaserJet-compatible model. It constitutes a sort of “<span class="quote">least common
+denominator</span>” of all the models. If for some reason
+you must pay for the commercially available ESP Print Pro drivers, your
+first move should be to consult the database on <ulink url="http://www.linuxprinting.org/printer_list.cgi">http://www.linuxprinting.org/printer_list.cgi</ulink>.
+Linuxprinting.org has excellent recommendations about which driver is
+best used for each printer. Its database is kept current by the
+tireless work of Till Kamppeter from MandrakeSoft, who is also the
+principal author of the <b class="command">foomatic-rip</b> utility.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2943800"></a>
+The former <b class="command">cupsomatic</b> concept is now being replaced by the new
+successor, a much
+more powerful <b class="command">foomatic-rip</b>.
+<b class="command">cupsomatic</b> is no longer maintained. Here is the new URL
+to the Foomatic-3.0 database: <ulink url="http://www.linuxprinting.org/driver_list.cgi">http://www.linuxprinting.org/driver_list.cgi</ulink>.
+If you upgrade to <b class="command">foomatic-rip</b>, remember to also upgrade to the
+new-style PPDs for your Foomatic-driven printers. foomatic-rip will
+not work with PPDs generated for the old <b class="command">cupsomatic</b>. The new-style
+PPDs are 100% compliant to the Adobe PPD specification. They are
+also intended to be used by Samba and the cupsaddsmb utility, to
+provide the driver files for the Windows clients!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2943860"></a>foomatic-rip and Foomatic Explained</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2943871"></a>
+<a class="indexterm" name="id2943880"></a>
+Nowadays, most Linux distributions rely on the utilities of Linuxprinting.org
+to create their printing-related software (which, by the way, works on all
+UNIXes and on Mac OS X or Darwin, too). It is not known as well as it
+should be, that it also has a very end-user-friendly interface that
+allows for an easy update of drivers and PPDs for all supported
+models, all spoolers, all operating systems, and all package formats
+(because there is none). Its history goes back a few years.
+</p><p>
+Recently, Foomatic has achieved the astonishing milestone of <ulink url="http://www.linuxprinting.org/printer_list.cgi?make=Anyone">1000
+listed</ulink> printer models. Linuxprinting.org keeps all the
+important facts about printer drivers, supported models and which
+options are available for the various driver/printer combinations in
+its <ulink url="http://www.linuxprinting.org/foomatic.html">Foomatic</ulink>
+database. Currently there are <ulink url="http://www.linuxprinting.org/driver_list.cgi">245 drivers</ulink>
+in the database. Many drivers support various models, and many models
+may be driven by different drivers its your choice!
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2943935"></a>690 “<span class="quote">Perfect</span>” Printers</h4></div></div><div></div></div><p>
+At present, there are 690 devices dubbed as working perfectly, 181
+mostly, 96 partially, and 46 are paperweights. Keeping in mind
+that most of these are non-PostScript models (PostScript printers are
+automatically supported by CUPS to perfection, by using
+their own manufacturer-provided Windows-PPD), and that a
+multifunctional device never qualifies as working perfectly if it
+does not also scan and copy and fax under GNU/Linux then this is a
+truly astonishing achievement! Three years ago the number was not
+more than 500, and Linux or UNIX printing at the time wasn't
+anywhere near the quality it is today.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2943975"></a>How the Printing HOWTO Started It All</h4></div></div><div></div></div><p>
+A few years ago <ulink url="http://www2.picante.com:81/~gtaylor/">Grant Taylor</ulink>
+started it all. The roots of today's Linuxprinting.org are in the
+first <ulink url="http://www.linuxprinting.org/foomatic2.9/howto/">Linux Printing
+HOWTO</ulink> that he authored. As a side-project to this document,
+which served many Linux users and admins to guide their first steps in
+this complicated and delicate setup (to a scientist, printing is
+“<span class="quote">applying a structured deposition of distinct patterns of ink or toner
+particles on paper substrates</span>”, he started to
+build in a little Postgres database with information about the
+hardware and driver zoo that made up Linux printing of the time. This
+database became the core component of today's Foomatic collection of
+tools and data. In the meantime, it has moved to an XML representation
+of the data.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944020"></a>Foomatic's Strange Name</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2944031"></a>
+“<span class="quote">Why the funny name?</span>” you ask. When it really took off, around spring
+2000, CUPS was far less popular than today, and most systems used LPD,
+LPRng or even PDQ to print. CUPS shipped with a few generic drivers
+(good for a few hundred different printer models). These didn't
+support many device-specific options. CUPS also shipped with its own
+built-in rasterization filter (<i class="parameter"><tt>pstoraster</tt></i>, derived from
+Ghostscript). On the other hand, CUPS provided brilliant support for
+<span class="emphasis"><em>controlling</em></span> all printer options through
+standardized and well-defined PPD files (PostScript Printers
+Description files). Plus, CUPS was designed to be easily extensible.
+</p><p>
+Taylor already had in his database a respectable compilation
+of facts about many more printers and the Ghostscript “<span class="quote">drivers</span>”
+they run with. His idea, to generate PPDs from the database information
+and use them to make standard Ghostscript filters work within CUPS,
+proved to work very well. It also killed several birds with one
+stone:
+</p><div class="itemizedlist"><ul type="disc"><li><p>It made all current and future Ghostscript filter
+developments available for CUPS.</p></li><li><p>It made available a lot of additional printer models
+to CUPS users (because often the traditional Ghostscript way of
+printing was the only one available).</p></li><li><p>It gave all the advanced CUPS options (Web interface,
+GUI driver configurations) to users wanting (or needing) to use
+Ghostscript filters.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944109"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2944121"></a>
+<a class="indexterm" name="id2944129"></a>
+<a class="indexterm" name="id2944137"></a>
+CUPS worked through a quickly-hacked up filter script named <ulink url="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&show=0">cupsomatic.</ulink>
+cupsomatic ran the printfile through Ghostscript, constructing
+automatically the rather complicated command line needed. It just
+needed to be copied into the CUPS system to make it work. To
+configure the way cupsomatic controls the Ghostscript rendering
+process, it needs a CUPS-PPD. This PPD is generated directly from the
+contents of the database. For CUPS and the respective printer/filter
+combo, another Perl script named CUPS-O-Matic did the PPD
+generation. After that was working, Taylor implemented within a few
+days a similar thing for two other spoolers. Names chosen for the
+config-generator scripts were <ulink url="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0">PDQ-O-Matic</ulink>
+(for PDQ) and <ulink url="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0">LPD-O-Matic</ulink>
+(for you guessed it LPD); the configuration here didn't use PPDs
+but other spooler-specific files.
+</p><p>
+From late summer of that year, <ulink url="http://www.linuxprinting.org/till/">Till Kamppeter</ulink>
+started to put work into the database. Kamppeter had been newly employed by
+<ulink url="http://www.mandrakesoft.com/">MandrakeSoft</ulink> to
+convert its printing system over to CUPS, after they had seen his
+<ulink url="http://www.fltk.org/">FLTK</ulink>-based <ulink url="http://cups.sourceforge.net/xpp/">XPP</ulink> (a GUI frontend to
+the CUPS lp-command). He added a huge amount of new information and new
+printers. He also developed the support for other spoolers, like
+<ulink url="http://ppr.sourceforge.net/">PPR</ulink> (via ppromatic),
+<ulink url="http://sourceforge.net/projects/lpr/">GNUlpr</ulink> and
+<ulink url="http://www.lprng.org/">LPRng</ulink> (both via an extended
+lpdomatic) and spoolerless printing (<ulink url="http://www.linuxprinting.org/download.cgi?filename=directomatic&show=0">directomatic</ulink>).
+</p><p>
+So, to answer your question: “<span class="quote">Foomatic</span>” is the general name for all
+the overlapping code and data behind the “<span class="quote">*omatic</span>” scripts.
+Foomatic, up to versions 2.0.x, required (ugly) Perl data structures
+attached to Linuxprinting.org PPDs for CUPS. It had a different
+“<span class="quote">*omatic</span>” script for every spooler, as well as different printer
+configuration files.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944302"></a>The <span class="emphasis"><em>Grand Unification</em></span> Achieved</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2944318"></a>
+This has all changed in Foomatic versions 2.9 (beta) and released as
+“<span class="quote">stable</span>” 3.0. It has now achieved the convergence of all *omatic
+scripts and is called the <ulink url="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0">foomatic-rip.</ulink>
+This single script is the unification of the previously different
+spooler-specific *omatic scripts. foomatic-rip is used by all the
+different spoolers alike and because it can read PPDs (both the
+original PostScript printer PPDs and the Linuxprinting.org-generated
+ones), all of a sudden all supported spoolers can have the power of
+PPDs at their disposal. Users only need to plug foomatic-rip into
+their system. For users there is improved media type and source
+support paper sizes and trays are easier to configure.
+</p><p>
+Also, the New Generation of Linuxprinting.org PPDs no longer contains
+Perl data structures. If you are a distro maintainer and have
+used the previous version of Foomatic, you may want to give the new
+one a spin, but remember to generate a new-version set of PPDs
+via the new <ulink url="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz">foomatic-db-engine!</ulink>
+Individual users just need to generate a single new PPD specific to
+their model by <ulink url="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html">following
+the steps</ulink> outlined in the Foomatic tutorial or in this chapter. This new development is truly amazing.
+</p><p>
+foomatic-rip is a very clever wrapper around the need to run
+Ghostscript with a different syntax, options, device selections, and/or filters for each different printer
+or spooler. At the same time it can read the PPD associated
+with a print queue and modify the print job according to the user
+selections. Together with this comes the 100% compliance of the new
+Foomatic PPDs with the Adobe spec. Some innovative features of
+the Foomatic concept may surprise users. It will support custom paper
+sizes for many printers and will support printing on media drawn
+from different paper trays within the same job (in both cases, even
+where there is no support for this from Windows-based vendor printer
+drivers).
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944417"></a>Driver Development Outside</h4></div></div><div></div></div><p>
+Most driver development itself does not happen within
+Linuxprinting.org. Drivers are written by independent maintainers.
+Linuxprinting.org just pools all the information and stores it in its
+database. In addition, it also provides the Foomatic glue to integrate
+the many drivers into any modern (or legacy) printing system known to
+the world.
+</p><p>
+Speaking of the different driver development groups, most of
+the work is currently done in three projects. These are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><ulink url="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/">Omni</ulink>
+ a free software project by IBM that tries to convert their printer
+driver knowledge from good-ol' OS/2 times into a modern, modular,
+universal driver architecture for Linux/UNIX (still beta). This
+currently supports 437 models.</p></li><li><p><ulink url="http://hpinkjet.sf.net/">HPIJS</ulink>
+a free software project by HP to provide the support for their own
+range of models (very mature, printing in most cases is perfect and
+provides true photo quality). This currently supports 369
+models.</p></li><li><p><ulink url="http://gimp-print.sf.net/">Gimp-Print</ulink> a free software
+effort, started by Michael Sweet (also lead developer for CUPS), now
+directed by Robert Krawitz, which has achieved an amazing level of
+photo print quality (many Epson users swear that its quality is
+better than the vendor drivers provided by Epson for the Microsoft
+platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944507"></a>Forums, Downloads, Tutorials, Howtos also for Mac OS X and Commercial UNIX</h4></div></div><div></div></div><p>
+Linuxprinting.org today is the one-stop shop to download printer
+drivers. Look for printer information and <ulink url="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/">tutorials</ulink>
+or solve printing problems in its popular <ulink url="http://www.linuxprinting.org/newsportal/">forums.</ulink> This forum
+it's not just for GNU/Linux users, but admins of <ulink url="http://www.linuxprinting.org/macosx/">commercial UNIX
+systems</ulink> are also going there, and the relatively new <ulink url="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general">Mac
+OS X forum</ulink> has turned out to be one of the most frequented
+forums after only a few weeks.
+</p><p>
+Linuxprinting.org and the Foomatic driver wrappers around Ghostscript
+are now a standard toolchain for printing on all the important
+distros. Most of them also have CUPS underneath. While in recent years
+most printer data had been added by Kamppeter (who works at Mandrake), many
+additional contributions came from engineers with SuSE, RedHat,
+Connectiva, Debian, and others. Vendor-neutrality is an important goal
+of the Foomatic project.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Till Kamppeter from MandrakeSoft is doing an excellent job in his
+spare time to maintain Linuxprinting.org and Foomatic. So if you use
+it often, please send him a note showing your appreciation.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2944580"></a>Foomatic Database-Generated PPDs</h4></div></div><div></div></div><p>
+The Foomatic database is an amazing piece of ingenuity in itself. Not
+only does it keep the printer and driver information, but it is
+organized in a way that it can generate PPD files on the fly from
+its internal XML-based datasets. While these PPDs are modelled to the
+Adobe specification of PostScript Printer Descriptions (PPDs), the
+Linuxprinting.org/Foomatic-PPDs do not normally drive PostScript
+printers. They are used to describe all the bells and whistles you
+could ring or blow on an Epson Stylus inkjet, or a HP Photosmart, or
+what-have-you. The main trick is one little additional line, not
+envisaged by the PPD specification, starting with the <i class="parameter"><tt>*cupsFilter</tt></i>
+keyword. It tells the CUPS daemon how to proceed with the PostScript
+print file (old-style Foomatic-PPDs named the
+cupsomatic filter script, while the new-style
+PPDs are now call foomatic-rip). This filter
+script calls Ghostscript on the host system (the recommended variant
+is ESP Ghostscript) to do the rendering work. foomatic-rip knows which
+filter or internal device setting it should ask from Ghostscript to
+convert the PostScript printjob into a raster format ready for the
+target device. This usage of PPDs to describe the options of non-PS
+printers was the invention of the CUPS developers. The rest is easy.
+GUI tools (like KDE's marvelous <ulink url="http://printing.kde.org/overview/kprinter.phtml">kprinter,</ulink>
+or the GNOME <ulink url="http://gtklp.sourceforge.net/">gtklp,</ulink> xpp and the CUPS
+Web interface) read the PPD as well and use this information to present
+the available settings to the user as an intuitive menu selection.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2944657"></a>foomatic-rip and Foomatic-PPD Download and Installation</h3></div></div><div></div></div><p>
+Here are the steps to install a foomatic-rip driven LaserJet 4 Plus-compatible
+printer in CUPS (note that recent distributions of SuSE, UnitedLinux and
+Mandrake may ship with a complete package of Foomatic-PPDs plus the
+<b class="command">foomatic-rip</b> utility. Going directly to
+Linuxprinting.org ensures that you get the latest driver/PPD files):
+</p><div class="itemizedlist"><ul type="disc"><li><p>Open your browser at the Linuxprinting.org printer list<ulink url="http://www.linuxprinting.org/printer_list.cgi">page.</ulink>
+</p></li><li><p>Check the complete list of printers in the
+<ulink url="http://www.linuxprinting.org/printer_list.cgi?make=Anyone">database.</ulink>.
+</p></li><li><p>Select your model and click on the link.
+</p></li><li><p>You'll arrive at a page listing all drivers working with this
+model (for all printers, there will always be <span class="emphasis"><em>one</em></span>
+recommended driver. Try this one first).
+</p></li><li><p>In our case (HP LaserJet 4 Plus), we'll arrive at the default driver for the
+<ulink url="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus">HP-LaserJet 4 Plus.</ulink>
+</p></li><li><p>The recommended driver is ljet4.</p></li><li><p>Several links are provided here. You should visit them all if you
+are not familiar with the Linuxprinting.org database.
+</p></li><li><p>There is a link to the database page for the
+<ulink url="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4">ljet4.</ulink>
+On the driver's page, you'll find important and detailed information
+about how to use that driver within the various available
+spoolers.</p></li><li><p>Another link may lead you to the homepage of the
+driver author or the driver.</p></li><li><p>Important links are the ones that provide hints with
+setup instructions for <ulink url="http://www.linuxprinting.org/cups-doc.html">CUPS</ulink>,
+<ulink url="http://www.linuxprinting.org/pdq-doc.html">PDQ</ulink>,
+<ulink url="http://www.linuxprinting.org/lpd-doc.html">LPD, LPRng and GNUlpr</ulink>)
+as well as <ulink url="http://www.linuxprinting.org/ppr-doc.html">PPR</ulink>
+or “<span class="quote">spooler-less</span>” <ulink url="http://www.linuxprinting.org/direct-doc.html">printing.</ulink>
+</p></li><li><p>You can view the PPD in your browser through this link:
+<ulink url="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1</ulink>
+</p></li><li><p>Most importantly, you can also generate and download
+the <ulink url="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0">PPD.</ulink>
+</p></li><li><p>The PPD contains all the information needed to use our
+model and the driver; once installed, this works transparently
+for the user. Later you'll only need to choose resolution, paper size,
+and so on from the Web-based menu, or from the print dialog GUI, or from
+the command line.</p></li><li><p>If you ended up on the drivers
+<ulink url="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4">page</ulink>
+you can choose to use the “<span class="quote">PPD-O-Matic</span>” online PPD generator
+program.</p></li><li><p>Select the exact model and check either <span class="guilabel">Download</span> or
+<span class="guilabel">Display PPD file</span> and click <span class="guilabel">Generate PPD file</span>.</p></li><li><p>If you save the PPD file from the browser view, please
+do not use cut and paste (since it could possibly damage line endings
+and tabs, which makes the PPD likely to fail its duty), but use <span class="guimenuitem">Save
+as...</span> in your browser's menu. (It is best to use the <span class="guilabel">Download</span> option
+directly from the Web page).</p></li><li><p>Another interesting part on each driver page is
+the <span class="guimenuitem">Show execution details</span> button. If you
+select your printer model and click on that button,
+a complete Ghostscript command line will be displayed, enumerating all options
+available for that combination of driver and printer model. This is a great way to
+“<span class="quote">learn Ghostscript by doing</span>”. It is also an excellent cheat sheet
+for all experienced users who need to re-construct a good command line
+for that damn printing script, but can't remember the exact
+syntax. </p></li><li><p>Some time during your visit to Linuxprinting.org, save
+the PPD to a suitable place on your harddisk, say
+<tt class="filename">/path/to/my-printer.ppd</tt> (if you prefer to install
+your printers with the help of the CUPS Web interface, save the PPD to
+the <tt class="filename">/usr/share/cups/model/</tt> path and restart
+cupsd).</p></li><li><p>Then install the printer with a suitable command line,
+like this:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \
+ -P path/to/my-printer.ppd</tt></b>
+</pre></li><li><p>For all the new-style “<span class="quote">Foomatic-PPDs</span>”
+from Linuxprinting.org, you also need a special CUPS filter named
+foomatic-rip.
+</p></li><li><p>The foomatic-rip Perlscript itself also makes some
+interesting <ulink url="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1">reading</ulink>
+because it is well documented by Kamppeter's inline comments (even
+non-Perl hackers will learn quite a bit about printing by reading
+it).</p></li><li><p>Save foomatic-rip either directly in
+<tt class="filename">/usr/lib/cups/filter/foomatic-rip</tt> or somewhere in
+your $PATH (and remember to make it world-executable). Again,
+do not save by copy and paste but use the appropriate link or the
+<span class="guimenuitem">Save as...</span> menu item in your browser.</p></li><li><p>If you save foomatic-rip in your $PATH, create a symlink:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cd /usr/lib/cups/filter/ ; ln -s `which foomatic-rip'</tt></b>
+</pre><p>
+</p><p>
+CUPS will discover this new available filter at startup after restarting
+cupsd.</p></li></ul></div><p>
+Once you print to a print queue set up with the Foomatic-PPD, CUPS will
+insert the appropriate commands and comments into the resulting
+PostScript jobfile. foomatic-rip is able to read and act upon
+these and uses some specially encoded Foomatic comments
+embedded in the jobfile. These in turn are used to construct
+(transparently for you, the user) the complicated Ghostscript command
+line telling the printer driver exactly how the resulting raster
+data should look and which printer commands to embed into the
+data stream. You need:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A “<span class="quote">foomatic+something</span>” PPD but this is not enough
+to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important
+component).</p></li><li><p>The <i class="parameter"><tt>foomatic-rip</tt></i> filter script (Perl) in
+<tt class="filename">/usr/lib/cups/filters/</tt>.</p></li><li><p>Perl to make foomatic-rip run.</p></li><li><p>Ghostscript (because it is doing the main work,
+controlled by the PPD/foomatic-rip combo) to produce the raster data
+fit for your printer model's consumption.</p></li><li><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on
+the driver/model) contain support for a certain device representing
+the selected driver for your model (as shown by <b class="command">gs
+ -h</b>).</p></li><li><p>foomatic-rip needs a new version of PPDs (PPD versions
+produced for cupsomatic do not work with
+foomatic-rip).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945207"></a>Page Accounting with CUPS</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2945218"></a>
+Often there are questions regarding print quotas where Samba users
+(that is, Windows clients) should not be able to print beyond a
+certain number of pages or data volume per day, week or month. This
+feature is dependent on the real print subsystem you're using.
+Samba's part is always to receive the job files from the clients
+(filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand it over to this
+printing subsystem.
+</p><p>
+Of course one could hack things with one's own scripts. But then
+there is CUPS. CUPS supports quotas that can be based on the size of
+jobs or on the number of pages or both, and span any time
+period you want.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945248"></a>Setting Up Quotas</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2945260"></a>
+This is an example command of how root would set a print quota in CUPS,
+assuming an existing printer named “<span class="quote">quotaprinter</span>”:
+</p><p>
+<a class="indexterm" name="id2945281"></a>
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p quotaprinter -o job-quota-period=604800 \
+ -o job-k-limit=1024 -o job-page-limit=100</tt></b>
+</pre><p>
+This would limit every single user to print 100 pages or 1024 KB of
+data (whichever comes first) within the last 604,800 seconds ( = 1
+week).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945318"></a>Correct and Incorrect Accounting</h3></div></div><div></div></div><p>
+For CUPS to count correctly, the printfile needs to pass the CUPS
+pstops filter, otherwise it uses a dummy count of “<span class="quote">one</span>”. Some
+print files do not pass it (e.g., image files) but then those are mostly one-
+page jobs anyway. This also means that proprietary drivers for the
+target printer running on the client computers and CUPS/Samba, which
+then spool these files as “<span class="quote">raw</span>” (i.e., leaving them untouched, not
+filtering them), will be counted as one-pagers too!
+</p><p>
+You need to send PostScript from the clients (i.e., run a PostScript
+driver there) to have the chance to get accounting done. If the
+printer is a non-PostScript model, you need to let CUPS do the job to
+convert the file to a print-ready format for the target printer. This
+is currently working for about a thousand different printer models.
+Linuxprinting has a driver
+<ulink url="http://www.linuxprinting.org/printer_list.cgi">list.</ulink>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945366"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div><div></div></div><p>
+Before CUPS 1.1.16, your only option was to use the Adobe PostScript
+Driver on the Windows clients. The output of this driver was not
+always passed through the <b class="command">pstops</b> filter on the CUPS/Samba side, and
+therefore was not counted correctly (the reason is that it often,
+depending on the PPD being used, wrote a PJL-header in front of
+the real PostScript which caused CUPS to skip <b class="command">pstops</b> and go directly
+to the <b class="command">pstoraster</b> stage).
+</p><p>
+From CUPS 1.1.16 onward, you can use the CUPS PostScript Driver for
+Windows NT/200x/XP clients (which is tagged in the download area of
+<tt class="filename">http://www.cups.org/</tt> as the <tt class="filename">cups-samba-1.1.16.tar.gz</tt>
+package). It does <span class="emphasis"><em>not</em></span> work for Windows 9x/ME clients, but it guarantees:
+</p><div class="itemizedlist"><ul type="disc"><li><p> <a class="indexterm" name="id2945443"></a> To not write a PJL-header.</p></li><li><p>To still read and support all PJL-options named in the
+driver PPD with its own means.</p></li><li><p>That the file will pass through the <b class="command">pstops</b> filter
+on the CUPS/Samba server.</p></li><li><p>To page-count correctly the print file.</p></li></ul></div><p>
+You can read more about the setup of this combination in the man page
+for <b class="command">cupsaddsmb</b> (which is only present with CUPS installed, and only
+current from CUPS 1.1.16).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945495"></a>The page_log File Syntax</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2945506"></a>
+These are the items CUPS logs in the <tt class="filename">page_log</tt> for every
+page of a job:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Printer name</p></li><li><p>User name</p></li><li><p>Job ID</p></li><li><p>Time of printing</p></li><li><p>The page number</p></li><li><p>The number of copies</p></li><li><p>A billing information string (optional)</p></li><li><p>The host that sent the job (included since version 1.1.19)</p></li></ul></div><p>
+Here is an extract of my CUPS server's <tt class="filename">page_log</tt> file to illustrate the
+format and included items:
+</p><pre class="screen">
+tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13
+tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13
+tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13
+tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13
+Dig9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33
+</pre><p>
+This was job ID <i class="parameter"><tt>401</tt></i>, printed on <i class="parameter"><tt>tec_IS2027</tt></i>
+by user <i class="parameter"><tt>kurt</tt></i>, a 64-page job printed in three copies and billed to
+<i class="parameter"><tt>#marketing</tt></i>, sent from IP address <tt class="constant">10.160.50.13.</tt>
+ The next job had ID <i class="parameter"><tt>402</tt></i>, was sent by user <i class="parameter"><tt>boss</tt></i>
+from IP address <tt class="constant">10.160.51.33</tt>, printed from one page 440 copies and
+is set to be billed to <i class="parameter"><tt>finance-dep</tt></i>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945665"></a>Possible Shortcomings</h3></div></div><div></div></div><p>
+What flaws or shortcomings are there with this quota system?
+</p><div class="itemizedlist"><ul type="disc"><li><p>The ones named above (wrongly logged job in case of
+printer hardware failure, and so on).</p></li><li><p>In reality, CUPS counts the job pages that are being
+processed in <span class="emphasis"><em>software</em></span> (that is, going through the
+RIP) rather than the physical sheets successfully leaving the
+printing device. Thus if there is a jam while printing the fifth sheet out
+of a thousand and the job is aborted by the printer, the page count will
+still show the figure of a thousand for that job.</p></li><li><p>All quotas are the same for all users (no flexibility
+to give the boss a higher quota than the clerk) and no support for
+groups.</p></li><li><p>No means to read out the current balance or the
+“<span class="quote">used-up</span>” number of current quota.</p></li><li><p>A user having used up 99 sheets of a 100 quota will
+still be able to send and print a thousand sheet job.</p></li><li><p>A user being denied a job because of a filled-up quota
+does not get a meaningful error message from CUPS other than
+“<span class="quote">client-error-not-possible</span>”.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945745"></a>Future Developments</h3></div></div><div></div></div><p>
+This is the best system currently available, and there are huge
+improvements under development for CUPS 1.2:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Page counting will go into the backends (these talk
+directly to the printer and will increase the count in sync with the
+actual printing process; thus, a jam at the fifth sheet will lead to a
+stop in the counting).</p></li><li><p>Quotas will be handled more flexibly.</p></li><li><p>Probably there will be support for users to inquire
+about their accounts in advance.</p></li><li><p>Probably there will be support for some other tools
+around this topic.</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945799"></a>Additional Material</h2></div></div><div></div></div><p>
+A printer queue with <span class="emphasis"><em>no</em></span> PPD associated to it is a
+“<span class="quote">raw</span>” printer and all files will go directly there as received by the
+spooler. The exceptions are file types <i class="parameter"><tt>application/octet-stream</tt></i>
+that need passthrough feature enabled. “<span class="quote">Raw</span>” queues do not do any
+filtering at all, they hand the file directly to the CUPS backend.
+This backend is responsible for sending the data to the device
+(as in the “<span class="quote">device URI</span>” notation: <tt class="filename">lpd://, socket://,
+smb://, ipp://, http://, parallel:/, serial:/, usb:/</tt>, and so on).
+</p><p>
+cupsomatic/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers
+and they do not ship with CUPS. They are a third party add-on
+developed at Linuxprinting.org. As such, they are a brilliant hack to
+make all models (driven by Ghostscript drivers/filters in traditional
+spoolers) also work via CUPS, with the same (good or bad!) quality as
+in these other spoolers. <i class="parameter"><tt>cupsomatic</tt></i> is only a vehicle to execute a
+Ghostscript commandline at that stage in the CUPS filtering chain,
+where normally the native CUPS <i class="parameter"><tt>pstoraster</tt></i> filter would kick
+in. cupsomatic bypasses pstoraster, kidnaps the printfile from CUPS
+away and redirects it to go through Ghostscript. CUPS accepts this,
+because the associated cupsomatic/foomatic-PPD specifies:
+
+</p><pre class="programlisting">
+ *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
+</pre><p>
+
+This line persuades CUPS to hand the file to cupsomatic, once it has
+successfully converted it to the MIME type
+<i class="parameter"><tt>application/vnd.cups-postscript</tt></i>. This conversion will not happen for
+Jobs arriving from Windows that are auto-typed
+<i class="parameter"><tt>application/octet-stream</tt></i>, with the according changes in
+<tt class="filename">/etc/cups/mime.types</tt> in place.
+</p><p>
+CUPS is widely configurable and flexible, even regarding its filtering
+mechanism. Another workaround in some situations would be to have in
+<tt class="filename">/etc/cups/mime.types</tt> entries as follows:
+
+</p><pre class="programlisting">
+ application/postscript application/vnd.cups-raw 0 -
+ application/vnd.cups-postscript application/vnd.cups-raw 0 -
+</pre><p>
+
+This would prevent all PostScript files from being filtered (rather,
+they will through the virtual <span class="emphasis"><em>nullfilter</em></span>
+denoted with “<span class="quote">-</span>”). This could only be useful for PS printers. If you
+want to print PS code on non-PS printers (provided they support ASCII
+text printing), an entry as follows could be useful:
+
+</p><pre class="programlisting">
+ */* application/vnd.cups-raw 0 -
+</pre><p>
+
+and would effectively send <span class="emphasis"><em>all</em></span> files to the
+backend without further processing.
+</p><p>
+You could have the following entry:
+
+</p><pre class="programlisting">
+application/vnd.cups-postscript application/vnd.cups-raw 0 \
+ my_PJL_stripping_filter
+</pre><p>
+
+You will need to write a <i class="parameter"><tt>my_PJL_stripping_filter</tt></i>
+(which could be a shell script) that parses the PostScript and removes the
+unwanted PJL. This needs to conform to CUPS filter design
+(mainly, receive and pass the parameters printername, job-id,
+username, jobtitle, copies, print options and possibly the
+filename). It is installed as world executable into
+<tt class="filename">/usr/lib/cups/filters/</tt> and is called by CUPS
+if it encounters a MIME type <i class="parameter"><tt>application/vnd.cups-postscript</tt></i>.
+</p><p>
+CUPS can handle <i class="parameter"><tt>-o job-hold-until=indefinite</tt></i>.
+This keeps the job in the queue on hold. It will only be printed
+upon manual release by the printer operator. This is a requirement in
+many central reproduction departments, where a few operators manage
+the jobs of hundreds of users on some big machine, where no user is
+allowed to have direct access (such as when the operators often need
+to load the proper paper type before running the 10,000 page job
+requested by marketing for the mailing, and so on).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2946030"></a>Auto-Deletion or Preservation of CUPS Spool Files</h2></div></div><div></div></div><p>
+Samba print files pass through two spool directories. One is the
+incoming directory managed by Samba, (set in the
+<a class="indexterm" name="id2946043"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba
+directive in the <i class="parameter"><tt>[printers]</tt></i> section of
+<tt class="filename">smb.conf</tt>). The other is the spool directory of
+your UNIX print subsystem. For CUPS it is normally
+<tt class="filename">/var/spool/cups/</tt>, as set by the <tt class="filename">cupsd.conf</tt>
+directive <tt class="filename">RequestRoot /var/spool/cups</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946094"></a>CUPS Configuration Settings Explained</h3></div></div><div></div></div><p>
+Some important parameter settings in the CUPS configuration file
+<tt class="filename">cupsd.conf</tt> are:
+</p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p>
+This keeps some details of jobs in cupsd's mind (well it keeps the
+c12345, c12346, and so on, files in the CUPS spool directory, which do a
+similar job as the old-fashioned BSD-LPD control files). This is set
+to “<span class="quote">Yes</span>” as a default.
+</p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p>
+This keeps the job files themselves in cupsd's mind
+(it keeps the d12345, d12346 etc. files in the CUPS spool
+directory). This is set to “<span class="quote">No</span>” as the CUPS
+default.
+</p></dd><dt><span class="term"><span class="emphasis"><em>“<span class="quote">MaxJobs 500</span>”</em></span></span></dt><dd><p>
+This directive controls the maximum number of jobs
+that are kept in memory. Once the number of jobs reaches the limit,
+the oldest completed job is automatically purged from the system to
+make room for the new one. If all of the known jobs are still
+pending or active, then the new job will be rejected. Setting the
+maximum to 0 disables this functionality. The default setting is
+0.
+</p></dd></dl></div><p>
+(There are also additional settings for <i class="parameter"><tt>MaxJobsPerUser</tt></i> and
+<i class="parameter"><tt>MaxJobsPerPrinter</tt></i>...)
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946198"></a>Pre-Conditions</h3></div></div><div></div></div><p>
+For everything to work as announced, you need to have three
+things:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A Samba-smbd that is compiled against <tt class="filename">libcups</tt> (check
+on Linux by running <b class="userinput"><tt>ldd `which smbd'</tt></b>).</p></li><li><p>A Samba-<tt class="filename">smb.conf</tt> setting of
+ <a class="indexterm" name="id2946246"></a><i class="parameter"><tt>printing</tt></i> = cups.</p></li><li><p>Another Samba-<tt class="filename">smb.conf</tt> setting of
+ <a class="indexterm" name="id2946272"></a><i class="parameter"><tt>printcap</tt></i> = cups.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+In this case, all other manually set printing-related commands (like
+<a class="indexterm" name="id2946294"></a><i class="parameter"><tt>print command</tt></i>,
+<a class="indexterm" name="id2946308"></a><i class="parameter"><tt>lpq command</tt></i>,
+<a class="indexterm" name="id2946321"></a><i class="parameter"><tt>lprm command</tt></i>,
+<a class="indexterm" name="id2946335"></a><i class="parameter"><tt>lppause command</tt></i> or
+<a class="indexterm" name="id2946349"></a><i class="parameter"><tt>lpresume command</tt></i>) are ignored and they should normally have no
+influence whatsoever on your printing.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946367"></a>Manual Configuration</h3></div></div><div></div></div><p>
+If you want to do things manually, replace the <a class="indexterm" name="id2946378"></a><i class="parameter"><tt>printing</tt></i> = cups
+by <a class="indexterm" name="id2946391"></a><i class="parameter"><tt>printing</tt></i> = bsd. Then your manually set commands may work
+(I haven't tested this), and a <a class="indexterm" name="id2946407"></a><i class="parameter"><tt>print command</tt></i> = lp -d %P %s; rm %s"
+may do what you need.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2946425"></a>Printing from CUPS to Windows Attached Printers</h2></div></div><div></div></div><p>
+>From time to time the question arises, how can you print
+<span class="emphasis"><em>to</em></span> a Windows attached printer
+<span class="emphasis"><em>from</em></span> Samba? Normally the local connection
+from Windows host to printer would be done by USB or parallel
+cable, but this does not matter to Samba. From here only an SMB
+connection needs to be opened to the Windows host. Of course, this
+printer must be shared first. As you have learned by now, CUPS uses
+<span class="emphasis"><em>backends</em></span> to talk to printers and other
+servers. To talk to Windows shared printers, you need to use the
+<tt class="filename">smb</tt> (surprise, surprise!) backend. Check if this
+is in the CUPS backend directory. This usually resides in
+<tt class="filename">/usr/lib/cups/backend/</tt>. You need to find an <tt class="filename">smb</tt>
+file there. It should be a symlink to <tt class="filename">smbspool</tt>
+and the file must exist and be executable:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l /usr/lib/cups/backend/</tt></b>
+total 253
+drwxr-xr-x 3 root root 720 Apr 30 19:04 .
+drwxr-xr-x 6 root root 125 Dec 19 17:13 ..
+-rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon
+-rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson
+lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -> ipp
+-rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp
+-rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd
+-rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel
+-rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller
+lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -> /usr/sbin/ptal-cups
+-rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi
+lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -> /usr/bin/smbspool
+-rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket
+-rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>ls -l `which smbspool`</tt></b>
+-rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool
+</pre><p>
+If this symlink does not exist, create it:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s `which smbspool` /usr/lib/cups/backend/smb</tt></b>
+</pre><p>
+<b class="command">smbspool</b> has been written by Mike Sweet from the CUPS folks. It is
+included and ships with Samba. It may also be used with print
+subsystems other than CUPS, to spool jobs to Windows printer shares. To
+set up printer <i class="replaceable"><tt>winprinter</tt></i> on CUPS, you need to have a driver for
+it. Essentially this means to convert the print data on the CUPS/Samba
+host to a format that the printer can digest (the Windows host is
+unable to convert any files you may send). This also means you should
+be able to print to the printer if it were hooked directly at your
+Samba/CUPS host. For troubleshooting purposes, this is what you
+should do to determine if that part of the process chain is in
+order. Then proceed to fix the network connection/authentication to
+the Windows host, and so on.
+</p><p>
+To install a printer with the <i class="parameter"><tt>smb</tt></i> backend on CUPS, use this command:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \
+ -P /path/to/PPD</tt></b>
+</pre><p>
+The PPD must be able to direct CUPS to generate
+the print data for the target model. For PostScript printers, just use
+the PPD that would be used with the Windows NT PostScript driver. But
+what can you do if the printer is only accessible with a password? Or
+if the printer's host is part of another workgroup? This is provided
+for: You can include the required parameters as part of the
+<tt class="filename">smb://</tt> device-URI like this:
+</p><div class="itemizedlist"><ul type="disc"><li><tt class="filename">smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename</tt></li><li><tt class="filename">smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename</tt></li><li><tt class="filename">smb://username:password@WINDOWSNETBIOSNAME/printersharename</tt></li></ul></div><p>
+Note that the device-URI will be visible in the process list of the
+Samba server (e.g., when someone uses the <b class="command">ps -aux</b>
+command on Linux), even if the username and passwords are sanitized
+before they get written into the log files. So this is an inherently
+insecure option, however, it is the only one. Don't use it if you want
+to protect your passwords. Better share the printer in a way that
+does not require a password! Printing will only work if you have a
+working netbios name resolution up and running. Note that this is a
+feature of CUPS and you do not necessarily need to have smbd running.
+
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2946721"></a>More CUPS-Filtering Chains</h2></div></div><div></div></div><p>
+The following diagrams reveal how CUPS handles print jobs.
+</p><div class="figure"><a name="cups1"></a><p class="title"><b>Figure 19.17. Filtering chain 1.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/cups1.png" width="270" alt="Filtering chain 1."></div></div><div class="figure"><a name="cups2"></a><p class="title"><b>Figure 19.18. Filtering chain with cupsomatic</b></p><div class="mediaobject"><img src="projdoc/imagefiles/cups2.png" width="270" alt="Filtering chain with cupsomatic"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2946814"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946820"></a>Windows 9x/ME Client Can't Install Driver</h3></div></div><div></div></div><p>For Windows 9x/ME, clients require the printer names to be eight
+characters (or “<span class="quote">8 plus 3 chars suffix</span>”) max; otherwise, the driver files
+will not get transferred when you want to download them from
+Samba.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946839"></a>“<span class="quote">cupsaddsmb</span>” Keeps Asking for Root Password in Never-ending Loop</h3></div></div><div></div></div><p>Have you <a class="indexterm" name="id2946853"></a><i class="parameter"><tt>security</tt></i> = user? Have
+you used <b class="command">smbpasswd</b> to give root a Samba account?
+You can do two things: open another terminal and execute
+<b class="command">smbpasswd -a root</b> to create the account and
+continue entering the password into the first terminal. Or break
+out of the loop by pressing ENTER twice (without trying to type a
+password).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946889"></a>“<span class="quote">cupsaddsmb</span>” Errors</h3></div></div><div></div></div><p>
+ The use of “<span class="quote">cupsaddsmb</span>” gives “<span class="quote">No PPD file for printer...</span>” Message While PPD File Is Present.
+ What might the problem be?
+ </p><p>Have you enabled printer sharing on CUPS? This means:
+Do you have a <i class="parameter"><tt><Location
+/printers>....</Location></tt></i> section in CUPS
+server's <tt class="filename">cupsd.conf</tt> that does not deny access to
+the host you run “<span class="quote">cupsaddsmb</span>” from? It <span class="emphasis"><em>could</em></span> be
+an issue if you use cupsaddsmb remotely, or if you use it with a
+<tt class="option">-h</tt> parameter: <b class="userinput"><tt>cupsaddsmb -H
+ sambaserver -h cupsserver -v printername</tt></b>.
+</p><p>Is your
+<i class="parameter"><tt>TempDir</tt></i> directive in
+<tt class="filename">cupsd.conf</tt>
+set to a valid value and is it writeable?
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946973"></a>Client Can't Connect to Samba Printer</h3></div></div><div></div></div><p>Use <b class="command">smbstatus</b> to check which user
+you are from Samba's point of view. Do you have the privileges to
+write into the <i class="parameter"><tt>[print$]</tt></i>
+share?</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947002"></a>New Account Reconnection from Windows 200x/XP Troubles</h3></div></div><div></div></div><p>Once you are connected as the wrong user (for
+example, as <tt class="constant">nobody</tt>, which often occurs if you have
+<a class="indexterm" name="id2947018"></a><i class="parameter"><tt>map to guest</tt></i> = bad user), Windows Explorer will not accept an
+attempt to connect again as a different user. There will not be any byte
+transfered on the wire to Samba, but still you'll see a stupid error
+message that makes you think Samba has denied access. Use
+<b class="command">smbstatus</b> to check for active connections. Kill the
+PIDs. You still can't re-connect and you get the dreaded
+<tt class="computeroutput">You can't connect with a second account from the same
+machine</tt> message, as soon as you are trying. And you
+do not see any single byte arriving at Samba (see logs; use “<span class="quote">ethereal</span>”)
+indicating a renewed connection attempt. Shut all Explorer Windows.
+This makes Windows forget what it has cached in its memory as
+established connections. Then reconnect as the right user. The best
+method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span>
+do <b class="userinput"><tt>net use z: \\GANDALF\print$ /user:root</tt></b>. Check
+with <b class="command">smbstatus</b> that you are connected under a
+different account. Now open the <span class="guilabel">Printers</span> folder (on the Samba server
+in the <span class="guilabel">Network Neighborhood</span>), right-click on the
+printer in question and select
+<span class="guibutton">Connect...</span></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947106"></a>Avoid Being Connected to the Samba Server as the Wrong User</h3></div></div><div></div></div><p>You see per <b class="command">smbstatus</b> that you are
+connected as user nobody; while you want to be root or
+printeradmin. This is probably due to
+<a class="indexterm" name="id2947126"></a><i class="parameter"><tt>map to guest</tt></i> = bad user, which silently connects you under the guest account
+when you gave (maybe by accident) an incorrect username. Remove
+<a class="indexterm" name="id2947142"></a><i class="parameter"><tt>map to guest</tt></i>, if you want to prevent
+this.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947158"></a>Upgrading to CUPS Drivers from Adobe Drivers</h3></div></div><div></div></div><p>
+This information came from a mailinglist posting regarding problems experienced when
+upgrading from Adobe drivers to CUPS drivers on Microsoft Windows NT/200x/XP Clients.
+</p><p>First delete all old Adobe-using printers. Then
+delete all old Adobe drivers. (On Windows 200x/XP, right-click in
+the background of <span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties...</span>, select
+tab <span class="guilabel">Drivers</span> and delete here).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947200"></a>Can't Use “<span class="quote">cupsaddsmb</span>” on Samba Server Which Is a PDC</h3></div></div><div></div></div><p>Do you use the “<span class="quote">naked</span>” root user name? Try to do it
+this way: <b class="userinput"><tt>cupsaddsmb -U <i class="replaceable"><tt>DOMAINNAME</tt></i>\\root -v
+<i class="replaceable"><tt>printername</tt></i></tt></b>> (note the two backslashes: the first one is
+required to “<span class="quote">escape</span>” the second one).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947239"></a>Deleted Windows 200x Printer Driver Is Still Shown</h3></div></div><div></div></div><p>Deleting a printer on the client will not delete the
+driver too (to verify, right-click on the white background of the
+<span class="guilabel">Printers</span> folder, select <span class="guimenuitem">Server Properties</span> and click on the
+<span class="guilabel">Drivers</span> tab). These same old drivers will be re-used when you try to
+install a printer with the same name. If you want to update to a new
+driver, delete the old ones first. Deletion is only possible if no
+other printer uses the same driver.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947278"></a>Windows 200x/XP "Local Security Policies"</h3></div></div><div></div></div><p>Local Security Policies may not
+allow the installation of unsigned drivers. “<span class="quote">Local Security Policies</span>”
+may not allow the installation of printer drivers at
+all.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947293"></a>Administrator Cannot Install Printers for All Local Users</h3></div></div><div></div></div><p>Windows XP handles SMB printers on a “<span class="quote">per-user</span>” basis.
+This means every user needs to install the printer himself. To have a
+printer available for everybody, you might want to use the built-in
+IPP client capabilities of WinXP. Add a printer with the print path of
+<i class="parameter"><tt>http://cupsserver:631/printers/printername</tt></i>.
+We're still looking into this one. Maybe a logon script could
+automatically install printers for all
+users.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947323"></a>Print Change Notify Functions on NT-clients</h3></div></div><div></div></div><p>For print change, notify functions on NT++ clients.
+These need to run the <b class="command">Server</b> service first (renamed to
+<b class="command">File & Print Sharing for MS Networks</b> in
+XP).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947350"></a>WinXP-SP1</h3></div></div><div></div></div><p>WinXP-SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to
+“<span class="quote">Administrator</span>” or “<span class="quote">Power User</span>” groups of users). In Group Policy
+Object Editor, go to <span class="guimenu">User Configuration -> Administrative Templates ->
+ Control Panel -> Printers</span>. The policy is automatically set to
+<tt class="constant">Enabled</tt> and the <tt class="constant">Users can only Point
+and Print to machines in their Forest</tt> . You probably need
+to change it to <tt class="constant">Disabled</tt> or <tt class="constant">Users can
+only Point and Print to these servers</tt> to make
+driver downloads from Samba possible.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947402"></a>Print Options for All Users Can't Be Set on Windows 200x/XP</h3></div></div><div></div></div><p>How are you doing it? I bet the wrong way (it is not
+easy to find out, though). There are three different ways to bring
+you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All
+three dialogs <span class="emphasis"><em>look</em></span> the same, yet only one of them
+does what you intend. You need to be
+Administrator or Print Administrator to do this for all users. Here
+is how I do in on XP:
+</p><div class="orderedlist"><ol type="A"><li><p>The first wrong way:
+
+</p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span>
+folder.</p></li><li><p>Right-click on the printer
+(<span class="guilabel">remoteprinter on cupshost</span>) and
+select in context menu <span class="guimenuitem">Printing
+Preferences...</span></p></li><li><p>Look at this dialog closely and remember what it looks
+like.</p></li></ol></div><p>
+</p></li><li><p>The second wrong way:
+
+</p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span>
+folder.</p></li><li><p>Right-click on the printer (<span class="guilabel">remoteprinter on
+cupshost</span>) and select the context menu
+<span class="guimenuitem">Properties</span>.</p></li><li><p>Click on the <span class="guilabel">General</span>
+tab.</p></li><li><p>Click on the button <span class="guibutton">Printing
+Preferences...</span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
+to the parent dialog.</p></li></ol></div><p>
+</p></li><li><p>The third, and the correct way:
+
+</p><div class="orderedlist"><ol type="I"><li><p>Open the <span class="guilabel">Printers</span>
+folder.</p></li><li><p>Click on the <span class="guilabel">Advanced</span>
+tab. (If everything is “<span class="quote">grayed out,</span>” then you are not logged
+in as a user with enough privileges).</p></li><li><p>Click on the <span class="guibutton">Printing
+Defaults...</span> button.</p></li><li><p>On any of the two new tabs, click on the
+<span class="guibutton">Advanced...</span>
+button.</p></li><li><p>A new dialog opens. Compare this one to the other
+identical looking one from “<span class="quote">B.5</span>” or A.3".</p></li></ol></div><p>
+</p></li></ol></div><p>
+Do you see any difference? I don't either. However, only the last
+one, which you arrived at with steps “<span class="quote">C.1.-6.</span>”, will save any settings
+permanently and be the defaults for new users. If you want all clients
+to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as
+Administrator</em></span> (<a class="indexterm" name="id2947677"></a><i class="parameter"><tt>printer admin</tt></i> in
+<tt class="filename">smb.conf</tt>) <span class="emphasis"><em>before</em></span> a client
+downloads the driver (the clients can later set their own
+<span class="emphasis"><em>per-user defaults</em></span> by following the
+procedures <span class="emphasis"><em>A</em></span> or <span class="emphasis"><em>B</em></span>
+above).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947717"></a>Most Common Blunders in Driver Settings on Windows Clients</h3></div></div><div></div></div><p>Don't use <i class="parameter"><tt>Optimize for
+Speed</tt></i>, but use <i class="parameter"><tt>Optimize for
+Portability</tt></i> instead (Adobe PS Driver). Don't use
+<i class="parameter"><tt>Page Independence: No</tt></i>: always
+settle with <i class="parameter"><tt>Page Independence:
+Yes</tt></i> (Microsoft PS Driver and CUPS PS Driver for
+Windows NT/200x/XP). If there are problems with fonts, use
+<i class="parameter"><tt>Download as Softfont into
+printer</tt></i> (Adobe PS Driver). For
+<span class="guilabel">TrueType Download Options</span>
+choose <tt class="constant">Outline</tt>. Use PostScript
+Level 2, if you are having trouble with a non-PS printer and if
+there is a choice.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947779"></a><b class="command">cupsaddsmb</b> Does Not Work with Newly Installed Printer</h3></div></div><div></div></div><p>Symptom: The last command of
+<b class="command">cupsaddsmb</b> does not complete successfully:
+<b class="command">cmd = setdriver printername printername</b> result was
+NT_STATUS_UNSUCCESSFUL then possibly the printer was not yet
+recognized by Samba. Did it show up in Network
+Neighborhood? Did it show up i n <b class="command">rpcclient
+hostname -c `enumprinters'</b>? Restart smbd (or send a
+<b class="command">kill -HUP</b> to all processes listed by
+<b class="command">smbstatus</b> and try
+again.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947835"></a>Permissions on <tt class="filename">/var/spool/samba/</tt> Get Reset After Each Reboot</h3></div></div><div></div></div><p>Have you ever by accident set the CUPS spool directory to
+the same location? (<i class="parameter"><tt>RequestRoot /var/spool/samba/</tt></i> in <tt class="filename">cupsd.conf</tt> or
+the other way round: <tt class="filename">/var/spool/cups/</tt> is set as
+<a class="indexterm" name="id2947875"></a><i class="parameter"><tt>path</tt></i>> in the <i class="parameter"><tt>[printers]</tt></i>
+section). These <i class="parameter"><tt>must</tt></i> be different. Set
+
+<i class="parameter"><tt>RequestRoot /var/spool/cups/</tt></i> in
+<tt class="filename">cupsd.conf</tt> and <a class="indexterm" name="id2947919"></a><i class="parameter"><tt>path</tt></i> =
+/var/spool/samba in the <i class="parameter"><tt>[printers]</tt></i>
+section of <tt class="filename">smb.conf</tt>. Otherwise cupsd will
+sanitize permissions to its spool directory with each restart and
+printing will not work reliably.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947951"></a>Print Queue Called “<span class="quote">lp</span>” Mis-handles Print Jobs</h3></div></div><div></div></div><p>
+In this case a print queue called “<span class="quote">lp</span>” intermittently swallows jobs and
+spits out completely different ones from what was sent.
+</p><p>It is a bad idea to name any printer “<span class="quote">lp</span>”. This
+is the traditional UNIX name for the default printer. CUPS may be set
+up to do an automatic creation of Implicit Classes. This means, to
+group all printers with the same name to a pool of devices, and
+load-balancing the jobs across them in a round-robin fashion. Chances
+are high that someone else has a printer named “<span class="quote">lp</span>” too. You may
+receive his jobs and send your own to his device unwittingly. To have
+tight control over the printer names, set <i class="parameter"><tt>BrowseShortNames
+No</tt></i>. It will present any printer as <i class="replaceable"><tt>printername@cupshost</tt></i>
+and then gives you better control over what may happen in a large
+networked environment.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948008"></a>Location of Adobe PostScript Driver Files for “<span class="quote">cupsaddsmb</span>”</h3></div></div><div></div></div><p>Use <b class="command">smbclient</b> to connect to any
+Windows box with a shared PostScript printer: <b class="command">smbclient
+//windowsbox/print\$ -U guest</b>. You can navigate to the
+<tt class="filename">W32X86/2</tt> subdir to <b class="command">mget ADOBE*</b>
+and other files or to <tt class="filename">WIN40/0</tt> to do the same.
+Another option is to download the <tt class="filename">*.exe</tt> packaged
+files from the Adobe Web site.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2948065"></a>Overview of the CUPS Printing Processes</h2></div></div><div></div></div><p>A complete overview of the CUPS printing processes can be found in <link linkend="a_small">.</p><div class="figure"><a name="a_small"></a><p class="title"><b>Figure 19.19. CUPS printing overview.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/a_small.png" width="270" alt="CUPS printing overview."></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><ulink url="http://www.cups.org/cups-help.html"><sup>[<a name="ftn.id2936587" href="#id2936587">4</a>] </sup>http://www.cups.org/cups-help.html</ulink></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Classical Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Stackable VFS modules</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2897131">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897131"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id2976885">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976885"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2885815">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885815"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id2976952">Websites</a></dt><dt><a href="Further-Resources.html#id2977349">Related updates from Microsoft</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976952"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <ulink url="http://hr.uoregon.edu/davidrl/cifs.txt">
+ CIFS: Common Insecurities Fail Scrutiny by Hobbit</ulink>
+ </p></li><li><p>
+ <ulink url="http://afr.com/it/2002/10/01/FFXDF43AP6D.html">
+ Doing the Samba on Windows by Financial Review
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://ubiqx.org/cifs/">
+ Implementing CIFS by Christopher R. Hertel
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://samba.anu.edu.au/cifs/docs/what-is-smb.html">
+ Just What Is SMB? by Richard Sharpe
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.linux-mag.com/1999-05/samba_01.html">
+ Opening Windows Everywhere by Mike Warfield
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.tldp.org/HOWTO/SMB-HOWTO.html">
+ SMB HOWTO by David Wood
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.phrack.org/phrack/60/p60-0x0b.txt">
+ SMB/CIFS by The Root by ledin
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.linux-mag.com/1999-09/samba_01.html">
+ The Story of Samba by Christopher R. Hertel
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://hr.uoregon.edu/davidrl/samba/">
+ The Unofficial Samba HOWTO by David Lechnyr
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.linux-mag.com/2001-05/smb_01.html">
+ Understanding the Network Neighborhood by Christopher R. Hertel
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.linux-mag.com/2002-02/samba_01.html">
+ Using Samba as a PDC by Andrew Bartlett
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf">
+ PDF version of the Troubleshooting Techniques chapter
+ from the second edition of Sam's Teach Yourself Samba in 24 Hours
+ (publishing date of Dec. 12, 2001)</ulink>
+ </p></li><li><p>
+ <ulink url="http://ru.samba.org/samba/ftp/slides/">
+ Slide presentations by Samba Team members
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html">
+ Introduction to Samba-3.0 by Motonobu Takahashi
+ (written in Japanese). </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.linux-mag.com/2001-05/smb_01.html">
+ Understanding the Network Neighborhood, by team member
+ Chris Hertel. This article appeared in the May 2001 issue of
+ Linux Magazine.
+ </ulink>
+ </p></li><li><p>
+ <ulink url="ftp://ftp.stratus.com/pub/vos/customers/samba/">
+ Samba 2.0.x Troubleshooting guide from Paul Green
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://samba.org/samba/docs/10years.html">
+ Ten Years of Samba
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html">
+ Samba Authenticated Gateway HOWTO
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://samba.org/samba/docs/SambaIntro.html">
+ An Introduction to Samba
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://www.samba.org/cifs/">
+ What is CIFS?
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://support.microsoft.com/support/kb/articles/q92/5/88.asp">
+ WFWG: Password Caching and How It Affects LAN Manager
+ Security at Microsoft Knowledge Base
+ </ulink>
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2977349"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <ulink url="http://support.microsoft.com/support/kb/articles/q92/5/88.asp">
+ Enhanced Encryption for Windows 95 Password Cache
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://support.microsoft.com/support/kb/articles/q136/4/18.asp">
+ Windows '95 File Sharing Updates
+ </ulink>
+ </p></li><li><p>
+ <ulink url="http://support.microsoft.com/support/kb/articles/q136/4/18.asp">
+ Windows for Workgroups Sharing Updates
+ </ulink>
+ </p></li></ul></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:mimir@samba.org">mimir@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2919130">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2919159">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2919243">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2919270">Creating an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919342">Completing an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919402">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919600">Configuring Samba NT-Style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="InterdomainTrusts.html#id2919809">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919952">NT4-Style Domain Trusts with Windows 2000</a></dt><dt><a href="InterdomainTrusts.html#id2920058">Common Errors</a></dt></dl></div><p>
+<a class="indexterm" name="id2919104"></a>
+Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
+will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
+adopt Active Directory or an LDAP-based authentication backend. This section explains
+some background information regarding trust relationships and how to create them. It is now
+possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
+trusts.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919130"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
+trust relationships. This imparts to Samba similar scalability as with MS Windows NT4.
+</p><p>
+Given that Samba-3 has the capability to function with a scalable backend authentication
+database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control
+modes, the administrator would be well advised to consider alternatives to the use of
+Interdomain trusts simply because by the very nature of how this works it is fragile.
+That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919159"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
+MS Windows NT3/4 type security domains employ a non-hierarchical security structure.
+The limitations of this architecture as it effects the scalability of MS Windows networking
+in large organizations is well known. Additionally, the flat namespace that results from
+this design significantly impacts the delegation of administrative responsibilities in
+large and diverse organizations.
+</p><p>
+Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
+of circumventing the limitations of the older technologies. Not every organization is ready
+or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
+is quite adequate, there remains an entrenched user base for whom there is no direct
+desire to go through a disruptive change to adopt ADS.
+</p><p>
+With MS Windows NT, Microsoft introduced the ability to allow differing security domains
+to effect a mechanism so users from one domain may be given access rights and privileges
+in another domain. The language that describes this capability is couched in terms of
+<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
+from another domain. The domain from which users are available to another security domain is
+said to be a trusted domain. The domain in which those users have assigned rights and privileges
+is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
+thus if users in both domains are to have privileges and rights in each others' domain, then it is
+necessary to establish two relationships, one in each direction.
+</p><p>
+In an NT4-style MS security domain, all trusts are non-transitive. This means that if there
+are three domains (let's call them RED, WHITE and BLUE) where RED and WHITE have a trust
+relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
+implied trust between the RED and BLUE domains. Relationships are explicit and not
+transitive.
+</p><p>
+New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
+by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
+domains above, with Windows 2000 and ADS the RED and BLUE domains can trust each other. This is
+an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style Interdomain trusts
+and interoperates with MS Windows 200x ADS security domains in similar manner to MS Windows NT4-style domains.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919243"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
+There are two steps to creating an interdomain trust relationship. To effect a two-way trust
+relationship, it is necessary for each domain administrator to create a trust account for the
+other domain to use in verifying security credentials.
+<a class="indexterm" name="id2919259"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919270"></a>Creating an NT4 Domain Trust</h3></div></div><div></div></div><p>
+For MS Windows NT4, all domain trust relationships are configured using the
+<span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
+entry on the menu bar. From the <span class="guimenu">Policy</span> menu, select
+<span class="guimenuitem">Trust Relationships</span>. Next to the lower box labeled
+<span class="guilabel">Permitted to Trust this Domain</span> are two buttons, <span class="guibutton">Add</span>
+and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> button will open a panel in which
+to enter the name of the remote domain that will be able to assign access rights to users in
+your domain. You will also need to enter a password for this trust relationship, which the
+trusting domain will use when authenticating users from the trusted domain.
+The password needs to be typed twice (for standard confirmation).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919342"></a>Completing an NT4 Domain Trust</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2919354"></a>
+A trust relationship will work only when the other (trusting) domain makes the appropriate connections
+with the trusted domain. To consummate the trust relationship, the administrator will launch the
+Domain User Manager from the menu select <span class="guilabel">Policies</span>, then select
+<span class="guilabel">Trust Relationships</span>, click on the <span class="guibutton">Add</span> button
+next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel will open in which
+must be entered the name of the remote domain as well as the password assigned to that trust.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919402"></a>Inter-Domain Trust Facilities</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2919413"></a>
+A two-way trust relationship is created when two one-way trusts are created, one in each direction.
+Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
+DomA and DomB), the following facilities are created:
+</p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 16.1. Trusts overview.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/trusts1.png" width="270" alt="Trusts overview."></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ DomA (completes the trust connection) <i class="parameter"><tt>Trusts</tt></i> DomB.
+ </p></li><li><p>
+ DomA is the <i class="parameter"><tt>Trusting</tt></i> domain.
+ </p></li><li><p>
+ DomB is the <i class="parameter"><tt>Trusted</tt></i> domain (originates the trust account).
+ </p></li><li><p>
+ Users in DomB can access resources in DomA.
+ </p></li><li><p>
+ Users in DomA cannot access resources in DomB.
+ </p></li><li><p>
+ Global groups from DomB can be used in DomA.
+ </p></li><li><p>
+ Global groups from DomA cannot be used in DomB.
+ </p></li><li><p>
+ DomB does appear in the logon dialog box on client workstations in DomA.
+ </p></li><li><p>
+ DomA does not appear in the logon dialog box on client workstations in DomB.
+ </p></li></ul></div><div class="itemizedlist"><ul type="disc"><li><p>
+ Users/Groups in a trusting domain cannot be granted rights, permissions or access
+ to a trusted domain.
+ </p></li><li><p>
+ The trusting domain can access and use accounts (Users/Global Groups) in the
+ trusted domain.
+ </p></li><li><p>
+ Administrators of the trusted domain can be granted admininstrative rights in the
+ trusting domain.
+ </p></li><li><p>
+ Users in a trusted domain can be given rights and privileges in the trusting
+ domain.
+ </p></li><li><p>
+ Trusted domain Global Groups can be given rights and permissions in the trusting
+ domain.
+ </p></li><li><p>
+ Global Groups from the trusted domain can be made members in Local Groups on
+ MS Windows Domain Member machines.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919600"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div><div></div></div><p>
+This description is meant to be a fairly short introduction about how to set up a Samba server so
+that it can participate in interdomain trust relationships. Trust relationship support in Samba
+is at an early stage, so do not be surprised if something does not function as it should.
+</p><p>
+Each of the procedures described below assumes the peer domain in the trust relationship is
+controlled by a Windows NT4 server. However, the remote end could just as well be another
+Samba-3 domain. It can be clearly seen, after reading this document, that combining
+Samba-specific parts of what's written below leads to trust between domains in a purely Samba
+environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div><div></div></div><p>
+In order to set the Samba PDC to be the trusted party of the relationship, you first need
+to create a special account for the domain that will be the trusting party. To do that,
+you can use the <b class="command">smbpasswd</b> utility. Creating the trusted domain account is
+similar to creating a trusted machine account. Suppose, your domain is
+called SAMBA, and the remote domain is called RUMBA. The first step
+will be to issue this command from your favorite shell:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
+New SMB password: <b class="userinput"><tt>XXXXXXXX</tt></b>
+Retype SMB password: <b class="userinput"><tt>XXXXXXXX</tt></b>
+Added user rumba$
+</pre><p>
+
+where <tt class="option">-a</tt> means to add a new account into the
+passdb database and <tt class="option">-i</tt> means: “<span class="quote">create this
+account with the InterDomain trust flag</span>”.
+</p><p>
+The account name will be “<span class="quote">rumba$</span>” (the name of the remote domain).
+</p><p>
+After issuing this command, you will be asked to enter the password for
+the account. You can use any password you want, but be aware that Windows NT will
+not change this password until seven days following account creation.
+After the command returns successfully, you can look at the entry for the new account
+(in the standard way as appropriate for your configuration) and see that account's name is
+really RUMBA$ and it has the “<span class="quote">I</span>” flag set in the flags field. Now you are ready to confirm
+the trust by establishing it from Windows NT Server.
+</p><p>
+<a class="indexterm" name="id2919744"></a>
+Open <span class="application">User Manager for Domains</span> and from the
+<span class="guimenu">Policies</span> menu, select <span class="guimenuitem">Trust Relationships...</span>.
+Beside the <span class="guilabel">Trusted domains</span> list box click the
+<span class="guimenu">Add...</span> button. You will be prompted for
+the trusted domain name and the relationship password. Type in SAMBA, as this is
+the name of the remote domain and the password used at the time of account creation.
+Click on <span class="guibutton">OK</span> and, if everything went without incident, you will see
+the <tt class="computeroutput">Trusted domain relationship successfully
+established</tt> message.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2919809"></a>Samba as the Trusting Domain</h3></div></div><div></div></div><p>
+This time activities are somewhat reversed. Again, we'll assume that your domain
+controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
+</p><p>
+The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
+</p><p>
+<a class="indexterm" name="id2919833"></a>
+Launch the <span class="application">Domain User Manager</span>, then from the menu select
+<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
+Now, next to the <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
+button and type in the name of the trusted domain (SAMBA) and the password to use in securing
+the relationship.
+</p><p>
+The password can be arbitrarily chosen. It is easy to change the password
+from the Samba server whenever you want. After confirming the password your account is
+ready for use. Now its Samba's turn.
+</p><p>
+Using your favorite shell while being logged in as root, issue this command:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
+</p><p>
+You will be prompted for the password you just typed on your Windows NT4 Server box.
+An error message <span class="errorname">`NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT'</span>
+that may be reported periodically is of no concern and may safely be ignored.
+It means the password you gave is correct and the NT4 Server says the account is ready for
+interdomain connection and not for ordinary connection. After that, be patient;
+it can take a while (especially in large networks), but eventually you should see
+the <tt class="computeroutput">Success</tt> message. Congratulations! Your trust
+relationship has just been established.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+You have to run this command as root because you must have write access to
+the <tt class="filename">secrets.tdb</tt> file.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2919952"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div><div></div></div><p>
+Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
+also possible to establish an NT4-style trust relationship with a Windows 2000 domain
+controller running in mixed mode as the trusting server. It should also be possible for
+Samba to trust a Windows 2000 server, however, more testing is still needed in this area.
+</p><p>
+After <link linkend="samba-trusted-domain"> as described above, open <span class="application">Active Directory Domains and
+Trusts</span> on the AD controller of the domain whose resources you wish Samba users
+to have access to. Remember that since NT4-style trusts are not transitive, if you want
+your users to have access to multiple mixed-mode domains in your AD forest, you will need to
+repeat this process for each of those domains. With <span class="application">Active Directory Domains
+and Trusts</span> open, right-click on the name of the Active Directory domain that
+will trust our Samba domain and choose <span class="guimenuitem">Properties</span>, then click on
+the <span class="guilabel">Trusts</span> tab. In the upper part of the panel, you will see a list box
+labeled <span class="guilabel">Domains trusted by this domain:</span>, and an
+<span class="guilabel">Add...</span> button next to it. Press this button and just as with NT4, you
+will be prompted for the trusted domain name and the relationship password. Press OK and
+after a moment, Active Directory will respond with <tt class="computeroutput">The trusted domain has
+been added and the trust has been verified.</tt> Your Samba users can now be
+granted acess to resources in the AD domain.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920058"></a>Common Errors</h2></div></div><div></div></div><p>
+Interdomain trust relationships should not be attempted on networks that are unstable
+or that suffer regular outages. Network stability and integrity are key concerns with
+distributed trusted domains.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2875896">Background</a></dt><dt><a href="IntroSMB.html#id2875954">Terminology</a></dt><dt><a href="IntroSMB.html#id2876091">Related Projects</a></dt><dt><a href="IntroSMB.html#id2876169">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2876258">Epilogue</a></dt><dt><a href="IntroSMB.html#id2876344">Miscellaneous</a></dt></dl></div><p>“<span class="quote">
+"If you understand what you're doing, you're not learning anything."
+-- Anonymous
+</span>”</p><p>
+Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
+transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big
+strengths is that you can use it to blend your mix of Windows and Linux machines together
+without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
+by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875896"></a>Background</h2></div></div><div></div></div><p>
+Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
+Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
+originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
+ran over UDP. When there was a need to run it over TCP so that it would be compatible
+with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became
+known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to
+license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the
+concept continued in the form of SMB (Server Message Block, or the "what") using the
+NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can
+run SMB (i.e., transport) over several different protocols; many different implementations
+arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT
+(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form
+of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing
+term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445
+only. As of yet, direct-hosted TCP has yet to catch on.
+</p><p>
+Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS:
+Common Insecurities Fail Scrutiny:
+</p><p><span class="emphasis"><em>
+Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba
+stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have
+been dutifully waded through during the information-gathering stages of this project, and there
+are *still* many missing pieces... While often tedious, at least the way has been generously
+littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
+thinking?
+</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2875954"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol.
+ </p></li><li><p>
+ CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently
+ decided that SMB needed the word "Internet" in it, so they changed it to CIFS.
+ </p></li><li><p>
+ Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp
+ only using DNS for name resolution instead of WINS.
+ </p></li><li><p>
+ IPC: Acronym for "Inter-Process Communication". A method to communicate specific
+ information between programs.
+ </p></li><li><p>
+ Marshalling: - A method of serializing (i.e., sequential ordering of) variable data
+ suitable for transmission via a network connection or storing in a file. The source
+ data can be re-created using a similar process called unmarshalling.
+ </p></li><li><p>
+ NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol;
+ it is a method of communication across an existing protocol. This is a standard which
+ was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit,
+ it can help to think of this in comparison your computer's BIOS -- it controls the
+ essential functions of your input/output hardware -- whereas NetBIOS controls the
+ essential functions of your input/output traffic via the network. Again, this is a bit
+ of an exaggeration but it should help that paradigm shift. What is important to realize
+ is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically
+ brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second
+ thought; this will cause no end (and no doubt) of confusion.
+ </p></li><li><p>
+ NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI
+ is a protocol, not a standard. It is also not routable, so traffic on one side of a
+ router will be unable to communicate with the other side. Understanding NetBEUI is
+ not essential to deciphering SMB; however it helps to point out that it is not the
+ same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally
+ referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver".
+ It is not often heard from these days.
+ </p></li><li><p>
+ NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use
+ of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made
+ to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports.
+ This is how file and printer sharing are accomplished in Windows 95/98/ME. They
+ traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137,
+ NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service
+ (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts,
+ and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002
+ (Detailed specifications).
+ </p></li><li><p>
+ W2K: Acronym for Windows 2000 Professional or Server
+ </p></li><li><p>
+ W3K: Acronym for Windows 2003 Server
+ </p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
+<ulink url="http://www.samba.org/">http://www.samba.org</ulink>).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876091"></a>Related Projects</h2></div></div><div></div></div><p>
+There are currently two network filesystem client projects for Linux that are directly
+related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol
+ that Microsoft Windows and OS/2 Lan Manager use to share files and printers
+ over local networks) and access them just like any other Unix directory. This is useful
+ if you just want to mount such filesystems without being a SMBFS server.
+ </p></li><li><p>
+ CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
+ is being actively developed for the upcoming version of the Linux kernel. The intent of this module
+ is to provide advanced network file system functionality including support for dfs (hierarchical
+ name space), secure per-user session establishment, safe distributed caching (oplock),
+ optional packet signing, Unicode and other internationalization improvements, and optional
+ Winbind (nsswitch) integration.
+ </p></li></ul></div><p>
+Again, it's important to note that these are implementations for client filesystems, and have
+nothing to do with acting as a file and print server for SMB/CIFS clients.
+</p><p>
+There are other Open Source CIFS client implementations, such as the
+<ulink url="http://jcifs.samba.org/">jCIFS project</ulink>
+which provides an SMB client toolkit written in Java.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876169"></a>SMB Methodology</h2></div></div><div></div></div><p>
+Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
+UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
+session service, or netbios-ssn). Anyone looking at their network with a good
+packet sniffer will be amazed at the amount of traffic generated by just opening
+up a single file. In general, SMB sessions are established in the following order:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ "TCP Connection" - establish 3-way handshake (connection) to port 139/tcp
+ or 445/tcp.
+ </p></li><li><p>
+ "NetBIOS Session Request" - using the following "Calling Names": The local
+ machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS
+ name plus the 16th character 0x20
+ </p></li><li><p>
+ "SMB Negotiate Protocol" - determine the protocol dialect to use, which will
+ be one of the following: PC Network Program 1.0 (Core) - share level security
+ mode only; Microsoft Networks 1.03 (Core Plus) - share level security
+ mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response
+ Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response
+ Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response
+ Authentication
+ </p></li><li><p>
+ SMB Session Startup. Passwords are encrypted (or not) according to one of
+ the following methods: Null (no encryption); Cleartext (no encryption); LM
+ and NTLM; NTLM; NTLMv2
+ </p></li><li><p>
+ SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect
+ to a service type (e.g., IPC$ named pipe)
+ </p></li></ul></div><p>
+A good way to examine this process in depth is to try out
+<ulink url="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html">SecurityFriday's SWB program</ulink>.
+It allows you to walk through the establishment of a SMB/CIFS session step by step.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876258"></a>Epilogue</h2></div></div><div></div></div><p>“<span class="quote">
+What's fundamentally wrong is that nobody ever had any taste when they
+did it. Microsoft has been very much into making the user interface look good,
+but internally it's just a complete mess. And even people who program for Microsoft
+and who have had years of experience, just don't know how it works internally.
+Worse, nobody dares change it. Nobody dares to fix bugs because it's such a
+mess that fixing one bug might just break a hundred programs that depend on
+that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
+in making money. They don't have anybody who takes pride in Windows 95 as an
+operating system.
+</span>”</p><p>“<span class="quote">
+People inside Microsoft know it's a bad operating system and they still
+continue obviously working on it because they want to get the next version out
+because they want to have all these new features to sell more copies of the
+system.
+</span>”</p><p>“<span class="quote">
+The problem with that is that over time, when you have this kind of approach,
+and because nobody understands it, because nobody REALLY fixes bugs (other than
+when they're really obvious), the end result is really messy. You can't trust
+it because under certain circumstances it just spontaneously reboots or just
+halts in the middle of something that shouldn't be strange. Normally it works
+fine and then once in a blue moon for some completely unknown reason, it's dead,
+and nobody knows why. Not Microsoft, not the experienced user and certainly
+not the completely clueless user who probably sits there shivering thinking
+"What did I do wrong?" when they didn't do anything wrong at all.
+</span>”</p><p>“<span class="quote">
+That's what's really irritating to me."
+</span>”</p><p>--
+<ulink url="http://hr.uoregon.edu/davidrl/boot.txt">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</ulink>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876344"></a>Miscellaneous</h2></div></div><div></div></div><p>
+This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
+Permission is granted to copy, distribute and/or modify this document under the terms
+of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
+Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id2966015">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966040">Objectives</a></dt><dt><a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id2966757">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966862">Planning for Success</a></dt><dt><a href="NT4Migration.html#id2967145">Samba-3 Implementation Choices</a></dt></dl></dd></dl></div><p>
+This is a rough guide to assist those wishing to migrate from NT4 Domain Control to
+Samba-3-based Domain Control.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2966015"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
+In the IT world there is often a saying that all problems are encountered because of
+poor planning. The corollary to this saying is that not all problems can be anticipated
+and planned for. Then again, good planning will anticipate most show-stopper-type situations.
+</p><p>
+Those wishing to migrate from MS Windows NT4 Domain Control to a Samba-3 Domain Control
+environment would do well to develop a detailed migration plan. So here are a few pointers to
+help migration get under way.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2966040"></a>Objectives</h3></div></div><div></div></div><p>
+The key objective for most organizations will be to make the migration from MS Windows NT4
+to Samba-3 Domain Control as painless as possible. One of the challenges you may experience
+in your migration process may well be one of convincing management that the new environment
+should remain in place. Many who have introduced open source technologies have experienced
+pressure to return to a Microsoft-based platform solution at the first sign of trouble.
+</p><p>
+Before attempting a migration to a Samba-3 controlled network, make every possible effort to
+gain all-round commitment to the change. Know precisely <span class="emphasis"><em>why</em></span> the change
+is important for the organization. Possible motivations to make a change include:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Improve network manageability.</p></li><li><p>Obtain better user level functionality.</p></li><li><p>Reduce network operating costs.</p></li><li><p>Reduce exposure caused by Microsoft withdrawal of NT4 support.</p></li><li><p>Avoid MS License 6 implications.</p></li><li><p>Reduce organization's dependency on Microsoft.</p></li></ul></div><p>
+Make sure everyone knows that Samba-3 is not MS Windows NT4. Samba-3 offers
+an alternative solution that is both different from MS Windows NT4 and offers
+advantages compared with it. Gain recognition that Samba-3 lacks many of the
+features that Microsoft has promoted as core values in migration from MS Windows NT4 to
+MS Windows 2000 and beyond (with or without Active Directory services).
+</p><p>
+What are the features that Samba-3 cannot provide?
+</p><div class="itemizedlist"><ul type="disc"><li><p>Active Directory Server.</p></li><li><p>Group Policy Objects (in Active Directory).</p></li><li><p>Machine Policy Objects.</p></li><li><p>Logon Scripts in Active Directory.</p></li><li><p>Software Application and Access Controls in Active Directory.</p></li></ul></div><p>
+The features that Samba-3 does provide and that may be of compelling interest to your site
+include:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Lower cost of ownership.</p></li><li><p>Global availability of support with no strings attached.</p></li><li><p>Dynamic SMB Servers (can run more than one SMB/CIFS server per UNIX/Linux system).</p></li><li><p>Creation of on-the-fly logon scripts.</p></li><li><p>Creation of on-the-fly Policy Files.</p></li><li><p>Greater stability, reliability, performance and availability.</p></li><li><p>Manageability via an ssh connection.</p></li><li><p>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam).</p></li><li><p>Ability to implement a full single-sign-on architecture.</p></li><li><p>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand.</p></li></ul></div><p>
+Before migrating a network from MS Windows NT4 to Samba-3, consider all necessary factors. Users
+should be educated about changes they may experience so the change will be a welcome one
+and not become an obstacle to the work they need to do. The following are factors that will
+help ensure a successful migration:
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2966252"></a>Domain Layout</h4></div></div><div></div></div><p>
+Samba-3 can be configured as a Domain Controller, a back-up Domain Controller (probably best called
+a secondary controller), a Domain Member, or as a stand-alone Server. The Windows network security
+domain context should be sized and scoped before implementation. Particular attention needs to be
+paid to the location of the primary Domain Controller (PDC) as well as backup controllers (BDCs).
+One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP
+authentication backend, then the same database can be used by several different domains. In a
+complex organization, there can be a single LDAP database, which itself can be distributed (have
+a master server and multiple slave servers) that can simultaneously serve multiple domains.
+</p><p>
+>From a design perspective, the number of users per server as well as the number of servers per
+domain should be scaled taking into consideration server capacity and network bandwidth.
+</p><p>
+A physical network segment may house several domains. Each may span multiple network segments.
+Where domains span routed network segments, consider and test the performance implications of
+the design and layout of a network. A centrally located Domain Controller that is designed to
+serve multiple routed network segments may result in severe performance problems. Check the
+response time (ping timing) between the remote segment and the PDC. If
+it's long (more than 100 ms),
+locate a backup controller (BDC) on the remote segment to serve as the local authentication and
+access control server.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2966306"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
+There are cardinal rules to effective network design that cannot be broken with impunity.
+The most important rule: Simplicity is king in every well-controlled network. Every part of
+the infrastructure must be managed; the more complex it is, the greater will be the demand
+of keeping systems secure and functional.
+</p><p>
+Keep in mind the nature of how data must be shared. Physical disk space layout should be considered
+carefully. Some data must be backed up. The simpler the disk layout the easier it will be to
+keep track of backup needs. Identify what backup media will meet your needs; consider backup to tape,
+CD-ROM or (DVD-ROM), or other offline storage medium. Plan and implement for minimum
+maintenance. Leave nothing to chance in your design; above all, do not leave backups to chance:
+Backup, test, and validate every backup, create a disaster recovery plan and prove that it works.
+</p><p>
+Users should be grouped according to data access control needs. File and directory access
+is best controlled via group permissions and the use of the “<span class="quote">sticky bit</span>” on group controlled
+directories may substantially avoid file access complaints from Samba share users.
+</p><p>
+Inexperienced network administrators often attempt elaborate techniques to set access
+controls on files, directories, shares, as well as in share definitions.
+Keep your design and implementation simple and document your design extensively. Have others
+audit your documentation. Do not create a complex mess that your successor will not understand.
+Remember, job security through complex design and implementation may cause loss of operations
+and downtime to users as the new administrator learns to untangle your knots. Keep access
+controls simple and effective and make sure that users will never be interrupted by obtuse
+complexity.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2966369"></a>Logon Scripts</h4></div></div><div></div></div><p>
+Logon scripts can help to ensure that all users gain the share and printer connections they need.
+</p><p>
+Logon scripts can be created on-the-fly so all commands executed are specific to the
+rights and privileges granted to the user. The preferred controls should be affected through
+group membership so group information can be used to create a custom logon script using
+the <a class="indexterm" name="id2966390"></a><i class="parameter"><tt>root preexec</tt></i> parameters to the <i class="parameter"><tt>NETLOGON</tt></i> share.
+</p><p>
+Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
+user environment. In any case, you may wish to do a Google search for logon script process controls.
+In particular, you may wish to explore the use of the Microsoft KnowledgeBase article KB189105 that
+deals with how to add printers without user intervention via the logon script process.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2966432"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
+User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
+Management.
+</p><p>
+<a class="indexterm" name="id2966449"></a>
+Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
+the MS Windows NT-style security identifiers (SIDs) that are stored inside the profile <tt class="filename">NTuser.DAT</tt> file
+to be changed to the SID of the Samba-3 domain.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2966477"></a>User and Group Accounts</h4></div></div><div></div></div><p>
+It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
+attempting to migrate user and group accounts, it is STRONGLY advised to create in Samba-3 the
+groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to map them to
+suitable UNIX/Linux groups. By following this simple advice, all user and group attributes
+should migrate painlessly.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2966502"></a>Steps in Migration Process</h3></div></div><div></div></div><p>
+The approximate migration process is described below.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+You have an NT4 PDC that has the users, groups, policies and profiles to be migrated.
+</p></li><li><p>
+Samba-3 set up as a DC with netlogon share, profile share, and so on. Configure the <tt class="filename">smb.conf</tt> file
+to fucntion as a BDC, i.e., <i class="parameter"><tt>domain master = No</tt></i>.
+</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>
+<a class="indexterm" name="id2966561"></a>
+ Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager.</p><ol type="a"><li><p>Samba must not be running.</p></li></ol></li><li><p>
+<a class="indexterm" name="id2966592"></a>
+ <b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note did the users migrate?</p></li></ol></li><li><p>
+<a class="indexterm" name="id2966676"></a>
+<a class="indexterm" name="id2966687"></a>
+ Now assign each of the UNIX groups to NT groups:
+ (It may be useful to copy this text to a script called <tt class="filename">initGroups.sh</tt>)
+ </p><pre class="programlisting">
+#!/bin/bash
+#### Keep this as a shell script for future re-use
+
+# First assign well known domain global groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root rid=512
+net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514
+
+# Now for our added domain global groups
+net groupmap add ntgroup="Designers" unixgroup=designers type=d rid=3200
+net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=3210
+net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=3220
+</pre><p>
+ </p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Check that all groups are recognized.</p></li></ol></li></ol></div><p>
+Migrate all the profiles, then migrate all policy files.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2966757"></a>Migration Options</h2></div></div><div></div></div><p>
+Sites that wish to migrate from MS Windows NT4 Domain Control to a Samba-based solution
+generally fit into three basic categories. <link linkend="majtypes"> shows the possibilities.
+</p><div class="table"><a name="majtypes"></a><p class="title"><b>Table 31.1. The Three Major Site Types</b></p><table summary="The Three Major Site Types" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Number of Users</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">< 50</td><td align="justify"><p>Want simple conversion with no pain.</p></td></tr><tr><td align="left">50 - 250</td><td align="justify"><p>Want new features, can manage some in-house complexity.</p></td></tr><tr><td align="left">> 250</td><td align="justify"><p>Solution/Implementation must scale well, complex needs. Cross-departmental decision process. Local expertise in most areas.</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2966862"></a>Planning for Success</h3></div></div><div></div></div><p>
+There are three basic choices for sites that intend to migrate from MS Windows NT4
+to Samba-3:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Simple conversion (total replacement).
+ </p></li><li><p>
+ Upgraded conversion (could be one of integration).
+ </p></li><li><p>
+ Complete redesign (completely new solution).
+ </p></li></ul></div><p>
+Minimize down-stream problems by:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Taking sufficient time.
+ </p></li><li><p>
+ Avoiding Panic.
+ </p></li><li><p>
+ Testing all assumptions.
+ </p></li><li><p>
+ Testing the full roll-out program, including workstation deployment.
+ </p></li></ul></div><p><link linkend="natconchoices"> lists the conversion choices given the type of migration
+being contemplated.
+</p><div class="table"><a name="natconchoices"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col align="justify"><col align="justify"><col align="justify"></colgroup><thead><tr><th align="justify">Simple</th><th align="justify">Upgraded</th><th align="justify">Redesign</th></tr></thead><tbody><tr><td align="justify"><p>Make use of minimal OS specific features.</p></td><td align="justify"><p>Translate NT4 features to new host OS features.</p></td><td align="justify"><p>Decide:</p></td></tr><tr><td align="justify"><p>Move all accounts from NT4 into Samba-3</p></td><td align="justify"><p>Copy and improve</p></td><td align="justify"><p>Authentication regime (database location and access)</p></td></tr><tr><td align="justify"><p>Make least number of operational changes</p></td><td align="justify"><p>Make progressive improvements</p></td><td align="justify"><p>Desktop management methods</p></td></tr><tr><td align="justify"><p>Take least amount of time to migrate</p></td><td align="justify"><p>Minimize user impact</p></td><td align="justify"><p>Better control of Desktops/Users</p></td></tr><tr><td align="justify"><p>Live versus isolated conversion</p></td><td align="justify"><p>Maximize functionality</p></td><td align="justify"><p>Identify Needs for: <span class="emphasis"><em>Manageability, Scalability, Security, Availability</em></span></p></td></tr><tr><td align="justify"><p>Integrate Samba-3 then migrate while users are active, then change of control (swap out)</p></td><td align="justify"><p>Take advantage of lower maintenance opportunity</p></td><td align="justify"><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2967145"></a>Samba-3 Implementation Choices</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Authentication Database/Backend</span></dt><dd><p>
+ Samba-3 can use an external authentication backend:
+ </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Winbind (external Samba or NT4/200x server).</p></li><li><p>External server could use Active Directory or NT4 Domain.</p></li><li><p>Can use pam_mkhomedir.so to auto-create home dirs.</p></li><li><p>
+ Samba-3 can use a local authentication backend: <i class="parameter"><tt>smbpasswd, tdbsam, ldapsam, mysqlsam</tt></i></p></li></ul></div><p>
+ </p></dd><dt><span class="term">Access Control Points</span></dt><dd><p>
+ Samba permits Access Control Points to be set:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>On the share itself using Share ACLs.</p></li><li><p>On the file system using UNIX permissions on files and directories.</p><p>Note: Can enable Posix ACLs in file system also.</p></li><li><p>Through Samba share parameters not recommended except as last resort.</p></li></ul></div></dd><dt><span class="term">Policies (migrate or create new ones)</span></dt><dd><p>
+ Exercise great caution when affecting registry changes, use the right tool and be aware
+ that changes made through NT4-style <tt class="filename">NTConfig.POL</tt> files can leave
+ permanent changes.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Using Group Policy Editor (NT4).</p></li><li><p>Watch out for Tattoo effect.</p></li></ul></div></dd><dt><span class="term">User and Group Profiles</span></dt><dd><p>
+ Platform-specific so use platform tool to change from a Local to a Roaming profile.
+ Can use new profiles tool to change SIDs (<tt class="filename">NTUser.DAT</tt>).
+ </p></dd><dt><span class="term">Logon Scripts</span></dt><dd><p>
+ Know how they work.
+ </p></dd><dt><span class="term">User and Group Mapping to UNIX/Linux</span></dt><dd><p>
+<a class="indexterm" name="id2967357"></a>
+ User and Group mapping code is new. Many problems have been experienced as network administrators
+ who are familiar with Samba-2.2.x migrate to Samba-3. Carefully study the chapters that document
+ the new password backend behavior and the new group mapping functionality.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>The <i class="parameter"><tt>username map</tt></i> facility may be needed.</p></li><li><p>Use <b class="command">net groupmap</b> to connect NT4 groups to UNIX groups.</p></li><li><p>Use <b class="command">pdbedit</b> to set/change user configuration.</p><p>
+ When migrating to LDAP backend, it may be easier to dump the initial
+ LDAP database to LDIF, edit, then reload into LDAP.
+ </p></li></ul></div></dd><dt><span class="term">OS Specific Scripts/Programs may be Needed</span></dt><dd><p>
+ Every operating system has its peculiarities. These are the result of engineering decisions
+ that were based on the experience of the designer, and may have side-effects that were not
+ anticipated. Limitations that may bite the Windows network administrator include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Add/Delete Users: Note OS limits on size of name
+ (Linux 8 chars) NT4 up to 254 chars.</p></li><li><p>Add/Delete Machines: Applied only to Domain Members
+ (Note: machine names may be limited to 16 characters).</p></li><li><p>Use <b class="command">net groupmap</b> to connect NT4 groups to UNIX groups.</p></li><li><p>Add/Delete Groups: Note OS limits on size and nature.
+ Linux limit is 16 char, no spaces and no upper case chars (<b class="command">groupadd</b>).</p></li></ul></div></dd><dt><span class="term">Migration Tools</span></dt><dd><p>
+<a class="indexterm" name="id2967505"></a>
+ Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Samba: <b class="command">net, rpcclient, smbpasswd, pdbedit, profiles.</b></p></li><li><p>Windows: <b class="command">NT4 Domain User Manager, Server Manager (NEXUS)</b></p></li></ul></div><p>
+ </p></dd></dl></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT The Samba Web Administration Tool</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Network Browsing</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Network Browsing</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Network Browsing</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2897285">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2888743">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2900135">DOMAIN Browsing Configuration</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt><a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a></dt><dt><a href="NetworkBrowsing.html#id2900727">Note about Broadcast Addresses</a></dt><dt><a href="NetworkBrowsing.html#id2900745">Multiple Interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2900780">Use of the Remote Announce Parameter</a></dt><dt><a href="NetworkBrowsing.html#id2900939">Use of the Remote Browse Sync Parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901016">WINS The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a></dt><dt><a href="NetworkBrowsing.html#id2901481">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2901518">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901602">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901616">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2901696">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901872">Technical Overview of Browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901926">Browsing Support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2902057">Problem Resolution</a></dt><dt><a href="NetworkBrowsing.html#id2902187">Cross-Subnet Browsing</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2902960">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2902975">How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2903041">Server Resources Can Not Be Listed</a></dt><dt><a href="NetworkBrowsing.html#id2903097">I get an `Unable to browse the network' error</a></dt><dt><a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt></dl></dd></dl></div><p>
+This document contains detailed information as well as a fast track guide to
+implementing browsing across subnets and/or across workgroups (or domains).
+WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
+not involved in browse list handling except by way of name to address resolution.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows 2000 and later versions can be configured to operate with no NetBIOS
+over TCP/IP. Samba-3 and later versions also support this mode of operation.
+When the use of NetBIOS over TCP/IP has been disabled, the primary
+means for resolution of MS Windows machine names is via DNS and Active Directory.
+The following information assumes that your site is running NetBIOS over TCP/IP.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897285"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Someone once referred to the past in these words “<span class="quote"><span class="emphasis"><em>It was the best of times,
+it was the worst of times.</em></span></span>” The more we look back, the more we long for what was and
+hope it never returns.
+</p><p>
+<a class="indexterm" name="id2897309"></a>
+For many MS Windows network administrators, that statement sums up their feelings about
+NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
+nature was just par for the course. For those who never quite managed to tame its
+lusty features, NetBIOS is like Paterson's Curse.
+</p><p>
+For those not familiar with botanical problems in Australia, Paterson's Curse,
+<span class="emphasis"><em>Echium plantagineum</em></span>, was introduced to Australia from Europe during the mid-nineteenth
+century. Since then it has spread rapidly. The high seed production, with densities of
+thousands of seeds per square meter, a seed longevity of more than seven years, and an
+ability to germinate at any time of year, given the right conditions, are some of the
+features which make it such a persistent weed.
+</p><p>
+In this chapter we explore vital aspects of Server Message Block (SMB) networking with
+a particular focus on SMB as implemented through running NetBIOS (Network Basic
+Input/Output System) over TCP/IP. Since Samba does not implement SMB or NetBIOS over
+any other protocols, we need to know how to configure our network environment and simply
+remember to use nothing but TCP/IP on all our MS Windows network clients.
+</p><p>
+Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
+and implements extensions to Microsoft's implementation of WINS. These extensions
+help Samba to effect stable WINS operations beyond the normal scope of MS WINS.
+</p><p>
+WINS is exclusively a service that applies only to those systems
+that run NetBIOS over TCP/IP. MS Windows 200x/XP have the capacity to operate with
+support for NetBIOS disabled, in which case WINS is of no relevance. Samba supports this also.
+</p><p>
+For those networks on which NetBIOS has been disabled (i.e., WINS is not required)
+the use of DNS is necessary for host name resolution.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887786"></a>What Is Browsing?</h2></div></div><div></div></div><p>
+To most people browsing means they can see the MS Windows and Samba servers
+in the Network Neighborhood, and when the computer icon for a particular server is
+clicked, it opens up and shows the shares and printers available on the target server.
+</p><p>
+What seems so simple is in fact a complex interaction of different technologies.
+The technologies (or methods) employed in making all of this work include:
+</p><div class="itemizedlist"><ul type="disc"><li>MS Windows machines register their presence to the network.</li><li>Machines announce themselves to other machines on the network.</li><li>One or more machine on the network collates the local announcements.</li><li>The client machine finds the machine that has the collated list of machines.</li><li>The client machine is able to resolve the machine names to IP addresses.</li><li>The client machine is able to connect to a target machine.</li></ul></div><p>
+The Samba application that controls browse list management and name resolution is
+called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
+</p><p>Browsing options: <a class="indexterm" name="id2887863"></a><i class="parameter"><tt>os level</tt></i>(*),
+ <a class="indexterm" name="id2887876"></a><i class="parameter"><tt>lm announce</tt></i>,
+ <a class="indexterm" name="id2887890"></a><i class="parameter"><tt>lm interval</tt></i>,
+ <a class="indexterm" name="id2887904"></a><i class="parameter"><tt>preferred master</tt></i>(*),
+ <a class="indexterm" name="id2887918"></a><i class="parameter"><tt>local master</tt></i>(*),
+ <a class="indexterm" name="id2887932"></a><i class="parameter"><tt>domain master</tt></i>(*),
+ <a class="indexterm" name="id2887946"></a><i class="parameter"><tt>browse list</tt></i>,
+ <a class="indexterm" name="id2887959"></a><i class="parameter"><tt>enhanced browsing</tt></i>.
+</p><p>Name Resolution Method:
+ <a class="indexterm" name="id2887977"></a><i class="parameter"><tt>name resolve order</tt></i>(*).
+</p><p>WINS options:
+ <a class="indexterm" name="id2887996"></a><i class="parameter"><tt>dns proxy</tt></i>,
+ <a class="indexterm" name="id2888009"></a><i class="parameter"><tt>wins proxy</tt></i>,
+ <a class="indexterm" name="id2888023"></a><i class="parameter"><tt>wins server</tt></i>(*),
+ <a class="indexterm" name="id2888037"></a><i class="parameter"><tt>wins support</tt></i>(*),
+ <a class="indexterm" name="id2888051"></a><i class="parameter"><tt>wins hook</tt></i>.
+</p><p>
+<a class="indexterm" name="id2888069"></a>
+For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
+an (*) are the only options that commonly may need to be modified. Even if none of these
+parameters is set, <tt class="filename">nmbd</tt> will still do its job.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netdiscuss"></a>Discussion</h2></div></div><div></div></div><p>
+All MS Windows networking uses SMB-based messaging. SMB messaging may be implemented with or without NetBIOS.
+MS Windows 200x supports NetBIOS over TCP/IP for backwards compatibility. Microsoft appears intent on phasing
+out NetBIOS support.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888109"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
+Samba implements NetBIOS, as does MS Windows NT/200x/XP, by encapsulating it over TCP/IP.
+MS Windows products can do likewise. NetBIOS-based networking uses broadcast messaging to
+effect browse list management. When running NetBIOS over TCP/IP, this uses UDP-based messaging.
+UDP messages can be broadcast or unicast.
+</p><p>
+<a class="indexterm" name="id2888131"></a>
+Normally, only unicast UDP messaging can be forwarded by routers. The
+<a class="indexterm" name="id2888140"></a><i class="parameter"><tt>remote announce</tt></i> parameter to smb.conf helps to project browse announcements
+to remote network segments via unicast UDP. Similarly, the
+<a class="indexterm" name="id2888156"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter of <tt class="filename">smb.conf</tt>
+implements browse list collation using unicast UDP.
+</p><p>
+Secondly, in those networks where Samba is the only SMB server technology,
+wherever possible <tt class="filename">nmbd</tt> should be configured on one machine as the WINS
+server. This makes it easy to manage the browsing environment. If each network
+segment is configured with its own Samba WINS server, then the only way to
+get cross-segment browsing to work is by using the
+<a class="indexterm" name="id2888196"></a>
+<a class="indexterm" name="id2888207"></a>
+<a class="indexterm" name="id2888215"></a><i class="parameter"><tt>remote announce</tt></i> and the <a class="indexterm" name="id2888229"></a><i class="parameter"><tt>remote browse sync</tt></i>
+parameters to your <tt class="filename">smb.conf</tt> file.
+</p><p>
+<a class="indexterm" name="id2888255"></a>
+If only one WINS server is used for an entire multi-segment network, then
+the use of the <a class="indexterm" name="id2888264"></a><i class="parameter"><tt>remote announce</tt></i> and the
+<a class="indexterm" name="id2888278"></a><i class="parameter"><tt>remote browse sync</tt></i> parameters should not be necessary.
+</p><p>
+<a class="indexterm" name="id2888297"></a>
+As of Samba-3 WINS replication is being worked on. The bulk of the code has
+been committed, but it still needs maturation. This is not a supported feature
+of the Samba-3.0.0 release. Hopefully, this will become a supported feature
+of one of the Samba-3 release series.
+</p><p>
+Right now Samba WINS does not support MS-WINS replication. This means that
+when setting up Samba as a WINS server, there must only be one <tt class="filename">nmbd</tt>
+configured as a WINS server on the network. Some sites have used multiple Samba WINS
+servers for redundancy (one server per subnet) and then used
+<a class="indexterm" name="id2888330"></a><i class="parameter"><tt>remote browse sync</tt></i> and <a class="indexterm" name="id2888343"></a><i class="parameter"><tt>remote announce</tt></i>
+to effect browse list collation across all segments. Note that this means clients
+will only resolve local names, and must be configured to use DNS to resolve names
+on other subnets in order to resolve the IP addresses of the servers they can see
+on other subnets. This setup is not recommended, but is mentioned as a practical
+consideration (i.e., an “<span class="quote">if all else fails</span>” scenario).
+</p><p>
+Lastly, take note that browse lists are a collection of unreliable broadcast
+messages that are repeated at intervals of not more than 15 minutes. This means
+that it will take time to establish a browse list and it can take up to 45
+minutes to stabilize, particularly across network segments.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888380"></a>TCP/IP without NetBIOS</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2888391"></a>
+<a class="indexterm" name="id2888400"></a>
+<a class="indexterm" name="id2888408"></a>
+All TCP/IP-enabled systems use various forms of host name resolution. The primary
+methods for TCP/IP hostname resolution involve either a static file (<tt class="filename">/etc/hosts</tt>)
+or the Domain Name System (DNS). DNS is the technology that makes
+the Internet usable. DNS-based host name resolution is supported by nearly all
+TCP/IP-enabled systems. Only a few embedded TCP/IP systems do not support DNS.
+</p><p>
+When an MS Windows 200x/XP system attempts to resolve a host name to an IP address
+it follows a defined path:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Checks the <tt class="filename">hosts</tt> file. It is located in
+ <tt class="filename">C:\Windows NT\System32\Drivers\etc</tt>.
+ </p></li><li><p>
+ Does a DNS lookup.
+ </p></li><li><p>
+ Checks the NetBIOS name cache.
+ </p></li><li><p>
+ Queries the WINS server.
+ </p></li><li><p>
+ Does a broadcast name lookup over UDP.
+ </p></li><li><p>
+ Looks up entries in LMHOSTS. It is located in
+ <tt class="filename">C:\Windows NT\System32\Drivers\etc</tt>.
+ </p></li></ol></div><p>
+<a class="indexterm" name="id2888511"></a>
+Windows 200x/XP can register its host name with a Dynamic DNS server. You can
+force register with a Dynamic DNS server in Windows 200x/XP using:
+<b class="command">ipconfig /registerdns</b>.
+</p><p>
+With Active Directory (ADS), a correctly functioning DNS server is absolutely
+essential. In the absence of a working DNS server that has been correctly configured,
+MS Windows clients and servers will be unable to locate each other, so
+consequently network services will be severely impaired.
+</p><p>
+The use of Dynamic DNS is highly recommended with Active Directory, in which case
+the use of BIND9 is preferred for its ability to adequately support the SRV (service)
+records that are needed for Active Directory.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="adsdnstech"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2888564"></a>
+Occasionally we hear from UNIX network administrators who want to use a UNIX-based Dynamic
+DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
+MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
+to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
+so MS Active Directory clients can resolve host names to locate essential network services.
+The following are some of the default service records that Active Directory requires:
+</p><div class="variablelist"><dl><dt><span class="term">_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
+ This provides the address of the Windows NT PDC for the Domain.
+ </p></dd><dt><span class="term">_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
+ Resolves the addresses of Global Catalog servers in the domain.
+ </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
+ Provides list of Domain Controllers based on sites.
+ </p></dd><dt><span class="term">_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></span></dt><dd><p>
+ Enumerates list of Domain Controllers that have the writable copies of the Active Directory datastore.
+ </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
+ Entry used by MS Windows clients to locate machines using the Global Unique Identifier.
+ </p></dd><dt><span class="term">_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></span></dt><dd><p>
+ Used by MS Windows clients to locate site configuration dependent Global Catalog server.
+ </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888743"></a>How Browsing Functions</h2></div></div><div></div></div><p>
+MS Windows machines register their NetBIOS names
+(i.e., the machine name for each service type in operation) on start-up.
+The exact method by which this name registration
+takes place is determined by whether or not the MS Windows client/server
+has been given a WINS server address, whether or not LMHOSTS lookup
+is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
+</p><p>
+In the case where there is no WINS server, all name registrations as
+well as name lookups are done by UDP broadcast. This isolates name
+resolution to the local subnet, unless LMHOSTS is used to list all
+names and IP addresses. In such situations, Samba provides a means by
+which the Samba server name may be forcibly injected into the browse
+list of a remote MS Windows network (using the
+<a class="indexterm" name="id2888773"></a><i class="parameter"><tt>remote announce</tt></i> parameter).
+</p><p>
+Where a WINS server is used, the MS Windows client will use UDP
+unicast to register with the WINS server. Such packets can be routed
+and thus WINS allows name resolution to function across routed networks.
+</p><p>
+During the startup process an election will take place to create a
+Local Master Browser if one does not already exist. On each NetBIOS network
+one machine will be elected to function as the Domain Master Browser. This
+domain browsing has nothing to do with MS security Domain Control.
+Instead, the Domain Master Browser serves the role of contacting each local
+master browser (found by asking WINS or from LMHOSTS) and exchanging browse
+list contents. This way every master browser will eventually obtain a complete
+list of all machines that are on the network. Every 11 to 15 minutes an election
+is held to determine which machine will be the master browser. By the nature of
+the election criteria used, the machine with the highest uptime, or the
+most senior protocol version or other criteria, will win the election
+as Domain Master Browser.
+</p><p>
+Clients wishing to browse the network make use of this list, but also depend
+on the availability of correct name resolution to the respective IP
+address/addresses.
+</p><p>
+Any configuration that breaks name resolution and/or browsing intrinsics
+will annoy users because they will have to put up with protracted
+inability to use the network services.
+</p><p>
+Samba supports a feature that allows forced synchronization of browse lists across
+routed networks using the <a class="indexterm" name="id2888836"></a><i class="parameter"><tt>remote browse sync</tt></i>
+parameter in the <tt class="filename">smb.conf</tt> file. This causes Samba to contact the local master
+browser on a remote network and to request browse list synchronization. This
+effectively bridges two networks that are separated by routers. The two remote
+networks may use either broadcast-based name resolution or WINS-based name
+resolution, but it should be noted that the
+<a class="indexterm" name="id2888863"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter provides
+browse list synchronization and that is distinct from name to address
+resolution. In other words, for cross-subnet browsing to function correctly it is
+essential that a name-to-address resolution mechanism be provided. This mechanism
+could be via DNS, <tt class="filename">/etc/hosts</tt>, and so on.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="DMB"></a>Configuring WORKGROUP Browsing</h3></div></div><div></div></div><p>
+To configure cross-subnet browsing on a network containing machines
+in a WORKGROUP, not an NT Domain, you need to set up one
+Samba server to be the Domain Master Browser (note that this is not
+the same as a Primary Domain Controller, although in an NT Domain the
+same machine plays both roles). The role of a Domain Master Browser is
+to collate the browse lists from Local Master Browsers on all the
+subnets that have a machine participating in the workgroup. Without
+one machine configured as a Domain Master Browser, each subnet would
+be an isolated workgroup unable to see any machines on another
+subnet. It is the presence of a Domain Master Browser that makes
+cross-subnet browsing possible for a workgroup.
+</p><p>
+In a WORKGROUP environment the Domain Master Browser must be a
+Samba server, and there must only be one Domain Master Browser per
+workgroup name. To set up a Samba server as a Domain Master Browser,
+set the following option in the <i class="parameter"><tt>[global]</tt></i> section
+of the <tt class="filename">smb.conf</tt> file:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr></table><p>
+</p><p>
+The Domain Master Browser should preferably be the local master
+browser for its own subnet. In order to achieve this, set the following
+options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
+file as shown in <link linkend="dmbexample">.
+</p><p>
+</p><div class="example"><a name="dmbexample"></a><p class="title"><b>Example 10.1. Domain Master Browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
+</p><p>
+The Domain Master Browser may be the same machine as the WINS server, if necessary.
+</p><p>
+Next, you should ensure that each of the subnets contains a machine that can act as
+a Local Master Browser for the workgroup. Any MS Windows NT/200x/XP machine should
+be able to do this, as will Windows 9x/Me machines (although these tend to get
+rebooted more often, so it is not such a good idea to use these). To make a Samba
+server a Local Master Browser set the following options in the
+<i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file as
+shown in <link linkend="lmbexample">:
+</p><p>
+</p><div class="example"><a name="lmbexample"></a><p class="title"><b>Example 10.2. Local master browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
+</p><p>
+Do not do this for more than one Samba server on each subnet, or they will war with
+each other over which is to be the Local Master Browser.
+</p><p>
+The <a class="indexterm" name="id2899988"></a><i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
+Local Master Browser. The <a class="indexterm" name="id2900005"></a><i class="parameter"><tt>preferred master</tt></i> causes <b class="command">nmbd</b>
+to force a browser election on startup and the <a class="indexterm" name="id2900026"></a><i class="parameter"><tt>os level</tt></i>
+parameter sets Samba high enough so it should win any browser elections.
+</p><p>
+If you have an NT machine on the subnet that you wish to be the Local Master Browser, you can disable Samba from
+becoming a Local Master Browser by setting the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
+<tt class="filename">smb.conf</tt> file as shown in <link linkend="nombexample">:
+</p><p>
+</p><div class="example"><a name="nombexample"></a><p class="title"><b>Example 10.3. smb.conf for not being a Master Browser</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 0</tt></i></td></tr></table></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900135"></a>DOMAIN Browsing Configuration</h3></div></div><div></div></div><p>
+If you are adding Samba servers to a Windows NT Domain, then you must not set up a Samba server as a Domain Master Browser.
+By default, a Windows NT Primary Domain Controller for a domain is also the Domain Master Browser for that domain. Network
+browsing may break if a Samba server registers the domain master browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i><1B>)
+with WINS instead of the PDC.
+</p><p>
+For subnets other than the one containing the Windows NT PDC, you may set up Samba servers as Local Master Browsers as
+described. To make a Samba server a Local Master Browser, set the following options in the <i class="parameter"><tt>[global]</tt></i> section
+of the <tt class="filename">smb.conf</tt> file as shown in <link linkend="remsmb">:
+</p><p>
+</p><div class="example"><a name="remsmb"></a><p class="title"><b>Example 10.4. Local Master Browser smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 65</tt></i></td></tr></table></div><p>
+</p><p>
+If you wish to have a Samba server fight the election with machines on the same subnet you
+may set the <a class="indexterm" name="id2900256"></a><i class="parameter"><tt>os level</tt></i> parameter to lower levels.
+By doing this you can tune the order of machines that will become Local Master Browsers if
+they are running. For more details on this refer to <link linkend="browse-force-master">.
+</p><p>
+If you have Windows NT machines that are members of the domain on all subnets and you are
+sure they will always be running, you can disable Samba from taking part in browser elections
+and ever becoming a Local Master Browser by setting the following options in the
+<i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file as shown in <link linkend="xremmb">:
+</p><p>
+</p><div class="example"><a name="xremmb"></a><p class="title"><b>Example 10.5. smb.conf for not being a master browser</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 0</tt></i></td></tr></table></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to Be the Master</h3></div></div><div></div></div><p>
+Who becomes the master browser is determined by an election process using broadcasts. Each election packet contains a number of parameters
+that determine what precedence (bias) a host should have in the election. By default Samba uses a low precedence and thus loses
+elections to just about every Windows network server or client.
+</p><p>
+If you want Samba to win elections, set the <a class="indexterm" name="id2900406"></a><i class="parameter"><tt>os level</tt></i>
+global option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to zero. Using 34 would make it win
+all elections every other system (except other samba systems).
+</p><p>
+An <a class="indexterm" name="id2900432"></a><i class="parameter"><tt>os level</tt></i> of two would make it beat Windows for Workgroups and Windows 9x/Me, but not MS Windows
+NT/200x Server. An MS Windows NT/200x Server Domain Controller uses level 32. The maximum os level is 255.
+</p><p>
+If you want Samba to force an election on startup, set the
+<a class="indexterm" name="id2900455"></a><i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>.
+Samba will then have a slight advantage over other potential master browsers that are not Perferred Master Browsers.
+Use this parameter with care, as if you have two hosts (whether they are Windows 9x/Me or
+NT/200x/XP or Samba) on the same local subnet both set with <a class="indexterm" name="id2900485"></a><i class="parameter"><tt>preferred master</tt></i>
+to <tt class="constant">yes</tt>, then periodically and continually they will force an election in order
+to become the Local Master Browser.
+</p><p>
+If you want Samba to be a <span class="emphasis"><em>Domain Master Browser</em></span>, then it is recommended that
+you also set <a class="indexterm" name="id2900514"></a><i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
+Samba will not become a Domain Master Browser for the whole of your LAN or WAN if it is not also a
+Local Master Browser on its own broadcast isolated subnet.
+</p><p>
+It is possible to configure two Samba servers to attempt to become the Domain Master Browser for a domain. The first server that comes
+up will be the Domain Master Browser. All other Samba servers will attempt to become the Domain Master Browser every five minutes. They
+will find that another Samba server is already the domain master browser and will fail. This provides automatic redundancy, should
+the current Domain Master Browser fail.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900550"></a>Making Samba the Domain Master</h3></div></div><div></div></div><p>
+The domain master is responsible for collating the browse lists of multiple subnets so browsing can occur between subnets. You can
+make Samba act as the Domain Master by setting <a class="indexterm" name="id2900564"></a><i class="parameter"><tt>domain master</tt></i> = yes
+in <tt class="filename">smb.conf</tt>. By default it will not be a Domain Master.
+</p><p>
+Do not set Samba to be the Domain Master for a workgroup that has the same name as an NT/200x Domain.
+If Samba is configured to be the Domain Master for a workgroup that is present on the same
+network as a Windows NT/200x domain that has the same name, network browsing problems will
+certainly be experienced.
+</p><p>
+When Samba is the Domain Master and the Master Browser, it will listen for master
+announcements (made roughly every twelve minutes) from Local Master Browsers on
+other subnets and then contact them to synchronize browse lists.
+</p><p>
+If you want Samba to be the domain master, you should also set the
+<a class="indexterm" name="id2900610"></a><i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and
+set <a class="indexterm" name="id2900625"></a><i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to
+get Samba to force an election on startup.
+</p><p>
+All servers (including Samba) and clients should be using a WINS server to resolve NetBIOS names. If your
+clients are only using broadcasting to resolve NetBIOS names, then two things will occur:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Local Master Browsers will be unable to find a Domain Master Browser, as they will be looking only on the local subnet.
+ </p></li><li><p>
+ If a client happens to get hold of a domain-wide browse list and a user attempts to access a
+ host in that list, it will be unable to resolve the NetBIOS name of that host.
+ </p></li></ol></div><p>
+If, however, both Samba and your clients are using a WINS server, then:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Local master browsers will contact the WINS server and, as long as Samba has registered that it is a Domain Master Browser with the WINS
+ server, the Local Master Browser will receive Samba's IP address as its Domain Master Browser.
+ </p></li><li><p>
+ When a client receives a domain-wide browse list and a user attempts to access a host in that list, it will contact the WINS server to
+ resolve the NetBIOS name of that host. As long as that host has registered its NetBIOS name with the same WINS server, the user will
+ be able to see that host.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900727"></a>Note about Broadcast Addresses</h3></div></div><div></div></div><p>
+If your network uses a 0 based broadcast address (for example, if it ends in a 0) then you will strike problems. Windows for Workgroups
+does not seem to support a zeros broadcast and you will probably find that browsing and name lookups will not work.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900745"></a>Multiple Interfaces</h3></div></div><div></div></div><p>
+Samba supports machines with multiple network interfaces. If you have multiple interfaces, you will
+need to use the <a class="indexterm" name="id2900757"></a><i class="parameter"><tt>interfaces</tt></i> option in <tt class="filename">smb.conf</tt> to configure them.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900780"></a>Use of the Remote Announce Parameter</h3></div></div><div></div></div><p>
+The <a class="indexterm" name="id2900790"></a><i class="parameter"><tt>remote announce</tt></i> parameter of
+<tt class="filename">smb.conf</tt> can be used to forcibly ensure
+that all the NetBIOS names on a network get announced to a remote network.
+The syntax of the <a class="indexterm" name="id2900814"></a><i class="parameter"><tt>remote announce</tt></i> parameter is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote announce = a.b.c.d [e.f.g.h] ...</tt></i></td></tr></table><p>
+<span class="emphasis"><em>or</em></span>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</tt></i></td></tr></table><p>
+
+where:
+</p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and <i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>
+<a class="indexterm" name="id2900884"></a>
+<a class="indexterm" name="id2900896"></a>
+ is either the LMB (Local Master Browser) IP address or the broadcast address of the remote network.
+ i.e., the LMB is at 192.168.1.10, or the address could be given as 192.168.1.255 where the netmask
+ is assumed to be 24 bits (255.255.255.0). When the remote announcement is made to the broadcast
+ address of the remote network, every host will receive our announcements. This is noisy and therefore
+ undesirable but may be necessary if we do not know the IP address of the remote LMB.
+ </p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup or that of the remote network. If you use the
+ workgroup name of the remote network, our NetBIOS machine names will end up looking like
+ they belong to that workgroup. This may cause name resolution problems and should be avoided.
+ </p></dd></dl></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2900939"></a>Use of the Remote Browse Sync Parameter</h3></div></div><div></div></div><p>
+The <a class="indexterm" name="id2900949"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter of
+<tt class="filename">smb.conf</tt> is used to announce to another LMB that it must synchronize its NetBIOS name list with our
+Samba LMB. This works only if the Samba server that has this option is
+simultaneously the LMB on its network segment.
+</p><p>
+The syntax of the <a class="indexterm" name="id2900978"></a><i class="parameter"><tt>remote browse sync</tt></i> parameter is:
+
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>remote browse sync = a.b.c.d</tt></i></td></tr></table><p>
+
+where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
+remote LMB or else is the network broadcast address of the remote segment.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901016"></a>WINS The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
+Use of WINS (either Samba WINS or MS Windows NT Server WINS) is highly
+recommended. Every NetBIOS machine registers its name together with a
+name_type value for each of several types of service it has available.
+It registers its name directly as a unique (the type 0x03) name.
+It also registers its name if it is running the LanManager compatible
+server service (used to make shares and printers available to other users)
+by registering the server (the type 0x20) name.
+</p><p>
+All NetBIOS names are up to 15 characters in length. The name_type variable
+is added to the end of the name, thus creating a 16 character name. Any
+name that is shorter than 15 characters is padded with spaces to the 15th
+character. Thus, all NetBIOS names are 16 characters long (including the
+name_type information).
+</p><p>
+WINS can store these 16-character names as they get registered. A client
+that wants to log onto the network can ask the WINS server for a list
+of all names that have registered the NetLogon service name_type. This saves
+broadcast traffic and greatly expedites logon processing. Since broadcast
+name resolution cannot be used across network segments this type of
+information can only be provided via WINS or via a statically configured
+<tt class="filename">lmhosts</tt> file that must reside on all clients in the
+absence of WINS.
+</p><p>
+WINS also serves the purpose of forcing browse list synchronization by all
+LMBs. LMBs must synchronize their browse list with the DMB (Domain Master
+Browser) and WINS helps the LMB to identify its DMB. By definition this
+will work only within a single workgroup. Note that the Domain Master Browser
+has nothing to do with what is referred to as an MS Windows NT Domain. The
+later is a reference to a security environment while the DMB refers to the
+master controller for browse list information only.
+</p><p>
+WINS will work correctly only if every client TCP/IP protocol stack
+has been configured to use the WINS servers. Any client that has not been
+configured to use the WINS server will continue to use only broadcast-based
+name registration so WINS may never get to know about it. In any case,
+machines that have not registered with a WINS server will fail name to address
+lookup attempts by other clients and will therefore cause workstation access
+errors.
+</p><p>
+To configure Samba as a WINS server just add
+<a class="indexterm" name="id2901110"></a><i class="parameter"><tt>wins support</tt></i> = yes to the <tt class="filename">smb.conf</tt>
+file [global] section.
+</p><p>
+To configure Samba to register with a WINS server just add
+<a class="indexterm" name="id2901137"></a><i class="parameter"><tt>wins server</tt></i> = a.b.c.d
+to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[global]</tt></i> section.
+</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
+Never use both <a class="indexterm" name="id2901170"></a><i class="parameter"><tt>wins support</tt></i> = yes together
+with <a class="indexterm" name="id2901185"></a><i class="parameter"><tt>wins server</tt></i> = a.b.c.d
+particularly not using its own IP address. Specifying both will cause <span class="application">nmbd</span> to refuse to start!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901208"></a>WINS Server Configuration</h3></div></div><div></div></div><p>
+Either a Samba Server or a Windows NT Server machine may be set up
+as a WINS server. To configure a Samba Server to be a WINS server you must
+add to the <tt class="filename">smb.conf</tt> file on the selected Server the following line to
+the <i class="parameter"><tt>[global]</tt></i> section:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = yes</tt></i></td></tr></table><p>
+</p><p>
+Versions of Samba prior to 1.9.17 had this parameter default to
+yes. If you have any older versions of Samba on your network it is
+strongly suggested you upgrade to a recent version, or at the very
+least set the parameter to “<span class="quote">no</span>” on all these machines.
+</p><p>
+Machines configured with <a class="indexterm" name="id2901271"></a><i class="parameter"><tt>wins support</tt></i> = yes will keep a list of
+all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
+</p><p>
+It is strongly recommended to set up only one WINS server. Do not set the
+<a class="indexterm" name="id2901293"></a><i class="parameter"><tt>wins support</tt></i> = yes option on more than one Samba
+server.
+</p><p>
+<a class="indexterm" name="id2901313"></a>
+To configure Windows NT/200x Server as a WINS server, install and configure
+the WINS service. See the Windows NT/200x documentation for details.
+Windows NT/200x WINS servers can replicate to each other, allowing more
+than one to be set up in a complex subnet environment. As Microsoft
+refuses to document the replication protocols, Samba cannot currently
+participate in these replications. It is possible in the future that
+a Samba-to-Samba WINS replication protocol may be defined, in which
+case more than one Samba machine could be set up as a WINS server.
+Currently only one Samba server should have the
+<a class="indexterm" name="id2901335"></a><i class="parameter"><tt>wins support</tt></i> = yes parameter set.
+</p><p>
+After the WINS server has been configured, you must ensure that all
+machines participating on the network are configured with the address
+of this WINS server. If your WINS server is a Samba machine, fill in
+the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
+the <span class="guilabel">Control Panel->Network->Protocols->TCP->WINS Server</span> dialogs
+in Windows 9x/Me or Windows NT/200x. To tell a Samba server the IP address
+of the WINS server, add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
+all <tt class="filename">smb.conf</tt> files:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins server = <name or IP address></tt></i></td></tr></table><p>
+</p><p>
+where <name or IP address> is either the DNS name of the WINS server
+machine or its IP address.
+</p><p>
+This line must not be set in the <tt class="filename">smb.conf</tt> file of the Samba
+server acting as the WINS server itself. If you set both the
+<a class="indexterm" name="id2901432"></a><i class="parameter"><tt>wins support</tt></i> = yes option and the
+<a class="indexterm" name="id2901447"></a><i class="parameter"><tt>wins server</tt></i> = <name> option then
+<b class="command">nmbd</b> will fail to start.
+</p><p>
+There are two possible scenarios for setting up cross-subnet browsing.
+The first details setting up cross-subnet browsing on a network containing
+Windows 9x/Me, Samba and Windows NT/200x machines that are not configured as
+part of a Windows NT Domain. The second details setting up cross-subnet
+browsing on networks that contain NT Domains.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901481"></a>WINS Replication</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2901492"></a>
+Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
+This tool is not currently capable of being used as it is still in active development.
+As soon as this tool becomes moderately functional, we will prepare man pages and enhance this
+section of the documentation to provide usage and technical details.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901518"></a>Static WINS Entries</h3></div></div><div></div></div><p>
+Adding static entries to your Samba WINS server is actually fairly easy.
+All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
+located in <tt class="filename">/usr/local/samba/var/locks</tt>.
+</p><p>
+Entries in <tt class="filename">wins.dat</tt> take the form of:
+
+</p><pre class="programlisting">
+"NAME#TYPE" TTL ADDRESS+ FLAGS
+</pre><p>
+
+where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
+time-to-live as an absolute time in seconds, ADDRESS+ is one or more
+addresses corresponding to the registration and FLAGS are the NetBIOS
+flags for the registration.
+</p><p>
+A typical dynamic entry looks like this:
+</p><pre class="programlisting">
+"MADMAN#03" 1055298378 192.168.1.2 66R
+</pre><p>
+
+To make it static, all that has to be done is set the TTL to 0, like this:
+
+</p><pre class="programlisting">
+"MADMAN#03" 0 192.168.1.2 66R
+</pre><p>
+</p><p>
+Though this method works with early Samba-3 versions, there is a
+possibility that it may change in future versions if WINS replication
+is added.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901602"></a>Helpful Hints</h2></div></div><div></div></div><p>
+The following hints should be carefully considered as they are stumbling points
+for many new network administrators.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901616"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Do not use more than one protocol on MS Windows machines.
+</p></div><p>
+A common cause of browsing problems results from installing more than
+one protocol on an MS Windows machine.
+</p><p>
+Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
+every 15 minutes. A set of election criteria is used to determine the order
+of precedence for winning this election process. A machine running Samba or
+Windows NT will be biased so the most suitable machine will predictably
+win and thus retain its role.
+</p><p>
+The election process is “<span class="quote">fought out</span>” so to speak over every NetBIOS network
+interface. In the case of a Windows 9x/Me machine that has both TCP/IP and IPX
+installed and has NetBIOS enabled over both protocols, the election will be
+decided over both protocols. As often happens, if the Windows 9x/Me machine is
+the only one with both protocols then the LMB may be won on the NetBIOS
+interface over the IPX protocol. Samba will then lose the LMB role as Windows
+9x/Me will insist it knows who the LMB is. Samba will then cease to function
+as an LMB and thus browse list operation on all TCP/IP-only machines will
+fail.
+</p><p>
+Windows 95, 98, 98se, and Me are referred to generically as Windows 9x/Me.
+The Windows NT4, 200x, and XP use common protocols. These are roughly
+referred to as the Windows NT family, but it should be recognized that 2000 and
+XP/2003 introduce new protocol extensions that cause them to behave
+differently from MS Windows NT4. Generally, where a server does not support
+the newer or extended protocol, these will fall back to the NT4 protocols.
+</p><p>
+The safest rule of all to follow is: use only one protocol!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901696"></a>Name Resolution Order</h3></div></div><div></div></div><p>
+Resolution of NetBIOS names to IP addresses can take place using a number
+of methods. The only ones that can provide NetBIOS name_type information
+are:
+</p><div class="itemizedlist"><ul type="disc"><li>WINS the best tool.</li><li>LMHOSTS static and hard to maintain.</li><li>Broadcast uses UDP and cannot resolve names across remote segments.</li></ul></div><p>
+Alternative means of name resolution include:
+</p><div class="itemizedlist"><ul type="disc"><li>Static <tt class="filename">/etc/hosts</tt> hard to maintain, and lacks name_type info.</li><li>DNS is a good choice but lacks essential name_type info.</li></ul></div><p>
+Many sites want to restrict DNS lookups and avoid broadcast name
+resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is of great help here.
+The syntax of the <i class="parameter"><tt>name resolve order</tt></i> parameter is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = wins lmhosts bcast host</tt></i></td></tr></table><p>
+<span class="emphasis"><em>or</em></span>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = wins lmhosts (eliminates bcast and host)</tt></i></td></tr></table><p>
+The default is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>name resolve order = host lmhost wins bcast</tt></i></td></tr></table><p>
+where “<span class="quote">host</span>” refers to the native methods used by the UNIX system
+to implement the gethostbyname() function call. This is normally
+controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901872"></a>Technical Overview of Browsing</h2></div></div><div></div></div><p>
+SMB networking provides a mechanism by which clients can access a list
+of machines in a network, a so-called <a class="indexterm" name="id2901884"></a><i class="parameter"><tt>browse list</tt></i>. This list
+contains machines that are ready to offer file and/or print services
+to other machines within the network. Thus it does not include
+machines that aren't currently able to do server tasks. The browse
+list is heavily used by all SMB clients. Configuration of SMB
+browsing has been problematic for some Samba users, hence this
+document.
+</p><p>
+MS Windows 2000 and later versions, as with Samba-3 and later versions, can be
+configured to not use NetBIOS over TCP/IP. When configured this way,
+it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
+configured and operative. Browsing will not work if name resolution
+from SMB machine names to IP addresses does not function correctly.
+</p><p>
+Where NetBIOS over TCP/IP is enabled, use of a WINS server is highly
+recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
+WINS allows remote segment clients to obtain NetBIOS name_type information
+that cannot be provided by any other means of name resolution.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2901926"></a>Browsing Support in Samba</h3></div></div><div></div></div><p>
+Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
+and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
+Samba can act as a local browse master for a workgroup and the ability
+to support domain logons and scripts is now available.
+</p><p>
+Samba can also act as a Domain Master Browser for a workgroup. This
+means that it will collate lists from Local Master Browsers into a
+wide area network server list. In order for browse clients to
+resolve the names they may find in this list, it is recommended that
+both Samba and your clients use a WINS server.
+</p><p>
+Do not set Samba to be the Domain Master for a workgroup that has the same
+name as an NT Domain. On each wide area network, you must only ever have one
+Domain Master Browser per workgroup, regardless of whether it is NT, Samba
+or any other type of domain master that is providing this service.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<b class="command">nmbd</b> can be configured as a WINS server, but it is not
+necessary to specifically use Samba as your WINS server. MS Windows
+NT4, Server or Advanced Server 200x can be configured as
+your WINS server. In a mixed NT/200x server and Samba environment on
+a Wide Area Network, it is recommended that you use the Microsoft
+WINS server capabilities. In a Samba-only environment, it is
+recommended that you use one and only one Samba server as the WINS server.
+</p></div><p>
+To get browsing to work you need to run nmbd as usual, but will need
+to use the <a class="indexterm" name="id2902000"></a><i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
+to control what workgroup Samba becomes a part of.
+</p><p>
+Samba also has a useful option for a Samba server to offer itself for
+browsing on another subnet. It is recommended that this option is only
+used for “<span class="quote">unusual</span>” purposes: announcements over the Internet, for
+example. See <a class="indexterm" name="id2902033"></a><i class="parameter"><tt>remote announce</tt></i> in the
+<tt class="filename">smb.conf</tt> man page.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902057"></a>Problem Resolution</h3></div></div><div></div></div><p>
+If something does not work, the <tt class="filename">log.nmbd</tt> file will help
+to track down the problem. Try a <a class="indexterm" name="id2902075"></a><i class="parameter"><tt>log level</tt></i> of 2 or 3 for finding
+problems. Also note that the current browse list usually gets stored
+in text form in a file called <tt class="filename">browse.dat</tt>.
+</p><p>
+If it does not work, you should still be able to
+type the server name as <tt class="filename">\\SERVER</tt> in <b class="command">filemanager</b>, then
+press enter and <b class="command">filemanager</b> should display the list of available shares.
+</p><p>
+Some people find browsing fails because they do not have the global
+<a class="indexterm" name="id2902130"></a><i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
+IPC$ connection that lists the shares is done as guest and, thus, you must have a valid guest account.
+</p><p>
+MS Windows 2000 and later (as with Samba) can be configured to disallow
+anonymous (i.e., guest account) access to the IPC$ share. In that case, the
+MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
+name of the currently logged-in user to query the IPC$ share. MS Windows
+9x/Me clients are not able to do this and thus will not be able to browse
+server resources.
+</p><p>
+The other big problem people have is that their broadcast address,
+netmask or IP address is wrong (specified with the <a class="indexterm" name="id2902164"></a><i class="parameter"><tt>interfaces</tt></i> option
+in <tt class="filename">smb.conf</tt>)
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902187"></a>Cross-Subnet Browsing</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2902198"></a>
+Since the release of Samba 1.9.17 (alpha1), Samba has supported the
+replication of browse lists across subnet boundaries. This section
+describes how to set this feature up in different settings.
+</p><p>
+To see browse lists that span TCP/IP subnets (i.e., networks separated
+by routers that do not pass broadcast traffic), you must set up at least
+one WINS server. The WINS server acts as a DNS for NetBIOS names. This will
+allow NetBIOS name-to-IP address translation to be completed by a direct
+query of the WINS server. This is done via a directed UDP packet on
+port 137 to the WINS server machine. The WINS server avoids the necessity
+of default NetBIOS name-to-IP address translation, which is done
+using UDP broadcasts from the querying machine. This means that machines
+on one subnet will not be able to resolve the names of machines on
+another subnet without using a WINS server.
+</p><p>
+Remember, for browsing across subnets to work correctly, all machines,
+be they Windows 95, Windows NT or Samba servers, must have the IP address
+of a WINS server given to them by a DHCP server, or by manual configuration
+(for Windows 9x/Me and Windows NT/200x/XP, this is in the TCP/IP Properties, under Network
+settings); for Samba, this is in the <tt class="filename">smb.conf</tt> file.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2902248"></a>Behavior of Cross-Subnet Browsing</h4></div></div><div></div></div><p>
+Cross-subnet Browsing is a complicated dance, containing multiple
+moving parts. It has taken Microsoft several years to get the code
+that achieves this correct, and Samba lags behind in some areas.
+Samba is capable of cross-subnet browsing when configured correctly.
+</p><p>
+Consider a network set up as <link linkend="browsing1">.
+</p><div class="figure"><a name="browsing1"></a><p class="title"><b>Figure 10.1. Cross-Subnet Browsing Example.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/browsing1.png" width="270" alt="Cross-Subnet Browsing Example."></div></div><p>
+This consists of 3 subnets (1, 2, 3) connected by two routers
+(R1, R2) which do not pass broadcasts. Subnet 1 has five machines
+on it, subnet 2 has four machines, subnet 3 has four machines. Assume
+for the moment that all machines are configured to be in the
+same workgroup (for simplicity's sake). Machine N1_C on subnet 1
+is configured as Domain Master Browser (i.e., it will collate the
+browse lists for the workgroup). Machine N2_D is configured as
+WINS server and all the other machines are configured to register
+their NetBIOS names with it.
+</p><p>
+As these machines are booted up, elections for master browsers
+will take place on each of the three subnets. Assume that machine
+N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
+subnet 3. These machines are known as Local Master Browsers for
+their particular subnet. N1_C has an advantage in winning as the
+Local Master Browser on subnet 1 as it is set up as Domain Master
+Browser.
+</p><p>
+On each of the three networks, machines that are configured to
+offer sharing services will broadcast that they are offering
+these services. The Local Master Browser on each subnet will
+receive these broadcasts and keep a record of the fact that
+the machine is offering a service. This list of records is
+the basis of the browse list. For this case, assume that
+all the machines are configured to offer services, so all machines
+will be on the browse list.
+</p><p>
+For each network, the Local Master Browser on that network is
+considered “<span class="quote">authoritative</span>” for all the names it receives via
+local broadcast. This is because a machine seen by the Local Master
+Browser via a local broadcast must be on the same network as the
+Local Master Browser and thus is a “<span class="quote">trusted</span>”
+and “<span class="quote">verifiable</span>” resource. Machines on other networks that
+the Local Master Browsers learn about when collating their
+browse lists have not been directly seen. These records are
+called “<span class="quote">non-authoritative.</span>”
+</p><p>
+At this point the browse lists appear as shown in <link linkend="browsubnet"> (these are
+the machines you would see in your network neighborhood if you looked in it on a particular network right now).
+</p><p>
+</p><div class="table"><a name="browsubnet"></a><p class="title"><b>Table 10.1. Browse Subnet Example 1</b></p><table summary="Browse Subnet Example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
+</p><p>
+At this point all the subnets are separate, and no machine is seen across any of the subnets.
+</p><p>
+Now examine subnet 2. As soon as N2_B has become the Local
+Master Browser it looks for a Domain Master Browser with which to synchronize
+its browse list. It does this by querying the WINS server
+(N2_D) for the IP address associated with the NetBIOS name
+WORKGROUP<1B>. This name was registered by the Domain Master
+Browser (N1_C) with the WINS server as soon as it was started.
+</p><p>
+Once N2_B knows the address of the Domain Master Browser, it
+tells it that is the Local Master Browser for subnet 2 by
+sending a <span class="emphasis"><em>MasterAnnouncement</em></span> packet as a UDP port 138 packet.
+It then synchronizes with it by doing a <span class="emphasis"><em>NetServerEnum2</em></span> call. This
+tells the Domain Master Browser to send it all the server
+names it knows about. Once the Domain Master Browser receives
+the <span class="emphasis"><em>MasterAnnouncement</em></span> packet, it schedules a synchronization
+request to the sender of that packet. After both synchronizations
+are complete the browse lists look as shown in <link linkend="brsbex">:
+</p><div class="table"><a name="brsbex"></a><p class="title"><b>Table 10.2. Browse Subnet Example 2</b></p><table summary="Browse Subnet Example 2" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
+N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
+N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
+Servers with an (*) after them are non-authoritative names.
+</p><p>
+At this point users looking in their network neighborhood on
+subnets 1 or 2 will see all the servers on both, users on
+subnet 3 will still only see the servers on their own subnet.
+</p><p>
+The same sequence of events that occurred for N2_B now occurs
+for the Local Master Browser on subnet 3 (N3_D). When it
+synchronizes browse lists with the Domain Master Browser (N1_A)
+it gets both the server entries on subnet 1, and those on
+subnet 2. After N3_D has synchronized with N1_C and vica versa,
+the browse lists will appear as shown in <link linkend="brsex2">.
+</p><div class="table"><a name="brsex2"></a><p class="title"><b>Table 10.3. Browse Subnet Example 3</b></p><table summary="Browse Subnet Example 3" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
+N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
+N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
+N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
+Servers with an (*) after them are non-authoritative names.
+</p><p>
+At this point, users looking in their network neighborhood on
+subnets 1 or 3 will see all the servers on all subnets, while users on
+subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
+</p><p>
+Finally, the Local Master Browser for subnet 2 (N2_B) will sync again
+with the Domain Master Browser (N1_C) and will receive the missing
+server entries. Finally, as when a steady state (if no machines
+are removed or shut off) has been achieved, the browse lists will appear
+as shown in <link linkend="brsex3">.
+</p><div class="table"><a name="brsex3"></a><p class="title"><b>Table 10.4. Browse Subnet Example 4</b></p><table summary="Browse Subnet Example 4" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="justify">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="justify">N1_A, N1_B, N1_C, N1_D, N1_E,
+N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*),
+N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="justify">N2_A, N2_B, N2_C, N2_D, N1_A(*),
+N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*),
+N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="justify">N3_A, N3_B, N3_C, N3_D, N1_A(*),
+N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*),
+N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
+Servers with an (*) after them are non-authoritative names.
+</p><p>
+Synchronizations between the Domain Master Browser and Local
+Master Browsers will continue to occur, but this should remain a
+steady state operation.
+</p><p>
+If either router R1 or R2 fails, the following will occur:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Names of computers on each side of the inaccessible network fragments
+ will be maintained for as long as 36 minutes in the network neighborhood
+ lists.
+ </p></li><li><p>
+ Attempts to connect to these inaccessible computers will fail, but the
+ names will not be removed from the network neighborhood lists.
+ </p></li><li><p>
+ If one of the fragments is cut off from the WINS server, it will only
+ be able to access servers on its local subnet using subnet-isolated
+ broadcast NetBIOS name resolution. The effects are similar to that of
+ losing access to a DNS server.
+ </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902960"></a>Common Errors</h2></div></div><div></div></div><p>
+Many questions are asked on the mailing lists regarding browsing. The majority of browsing
+problems originate from incorrect configuration of NetBIOS name resolution. Some are of
+particular note.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902975"></a>How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2902987"></a>
+Samba's <b class="command">nmbd</b> process controls all browse list handling. Under normal circumstances it is
+safe to restart <b class="command">nmbd</b>. This will effectively flush the Samba NetBIOS name cache and cause it
+to be rebuilt. This does not make certain that a rogue machine name will not re-appear
+in the browse list. When <b class="command">nmbd</b> is taken out of service, another machine on the network will
+become the Browse Master. This new list may still have the rogue entry in it. If you really
+want to clear a rogue machine from the list, every machine on the network will need to be
+shut down and restarted after all machines are down. Failing a complete restart, the only
+other thing you can do is wait until the entry times out and is then flushed from the list.
+This may take a long time on some networks (perhaps months).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903041"></a>Server Resources Can Not Be Listed</h3></div></div><div></div></div><p>“<span class="quote">My Client Reports ‘<span class="quote">This server is not configured to list shared resources</span>’</span>”</p><p>
+Your guest account is probably invalid for some reason. Samba uses the
+guest account for browsing in <b class="command">smbd</b>. Check that your guest account is
+valid.
+</p><p>Also see <a class="indexterm" name="id2903074"></a><i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903097"></a>I get an <span class="errorname">`Unable to browse the network'</span> error</h3></div></div><div></div></div><p>This error can have multiple causes:
+<a class="indexterm" name="id2903114"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>There is no Local Master Browser. Configure <span class="application">nmbd</span>
+ or any other machine to serve as Local Master Browser.</p></li><li><p>You cannot log onto the machine that is the local master
+ browser. Can you logon to it as a guest user? </p></li><li><p>There is no IP connectivity to the Local Master Browser.
+ Can you reach it by broadcast?</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903157"></a>Browsing of Shares and Directories is Very Slow</h3></div></div><div></div></div><p>“<span class="quote">
+<a class="indexterm" name="id2903170"></a>
+There are only two machines on a test network. One a Samba server, the other a Windows XP machine.
+Authentication and logons work perfectly, but when I try to explore shares on the Samba server, the
+Windows XP client becomes unrespsonsive. Sometimes it does not respond for some minutes. Eventually,
+Windows Explorer will respond and displays files and directories without problem.
+display file and directory.</span>”
+</p><p>“<span class="quote">
+But, the share is immediately available from a command shell (<b class="command">cmd</b>, followed by
+exploration with dos command. Is this a Samba problem or is it a Windows problem? How can I solve this?
+</span>”</p><p>
+Here are a few possibilities:
+</p><div class="variablelist"><dl><dt><span class="term">Bad Networking Hardware</span></dt><dd><p>
+<a class="indexterm" name="id2903224"></a>
+<a class="indexterm" name="id2903233"></a>
+ Most common defective hardware problems center around low cost or defective HUBs, routers,
+ Network Interface Controllers (NICs) and bad wiring. If one piece of hardware is defective
+ the whole network may suffer. Bad networking hardware can cause data corruption. Most bad
+ networking hardware problems are accompanied by an increase in apparent network traffic,
+ but not all.
+ </p></dd><dt><span class="term">The Windows XP WebClient</span></dt><dd><p>
+ A number of sites have reported similar slow network browsing problems and found that when
+ the WebClient service is turned off, the problem dissapears. This is certainly something
+ that should be explored as it is a simple solution if it works.
+ </p></dd><dt><span class="term">Inconsistent WINS Configuration</span></dt><dd><p>
+ This type of problem is common when one client is configured to use a WINS server (that is
+ a TCP/IP configuration setting) and there is no WINS server on the network. Alternately,
+ this will happen is there is a WINS server and Samba is not configured to use it. The use of
+ WINS is highly recommended if the network is using NetBIOS over TCP/IP protocols. If use
+ of NetBIOS over TCP/IP is disabled on all clients, Samba should not be configured as a WINS
+ server neither should it be configured to use one.
+ </p></dd><dt><span class="term">Incorrect DNS Configuration</span></dt><dd><p>
+ If use of NetBIOS over TCP/IP is disabled, Active Directory is in use and the DNS server
+ has been incorrectly configured. Refer <link linkend="adsdnstech"> for more information.
+ </p></dd></dl></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and Other CIFS Clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and Other CIFS Clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and Other CIFS Clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><span class="contrib">OS/2</span><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email"><<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>></tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id2975129">Macintosh Clients</a></dt><dt><a href="Other-Clients.html#id2975206">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975213">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></dt><dt><a href="Other-Clients.html#id2975348">Configuring Other Versions of OS/2</a></dt><dt><a href="Other-Clients.html#id2975411">Printer Driver Download for OS/2 Clients</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975516">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975524">Latest TCP/IP Stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id2975610">Delete .pwl Files After Password Change</a></dt><dt><a href="Other-Clients.html#id2975641">Configuring Windows for Workgroups Password Handling</a></dt><dt><a href="Other-Clients.html#id2975701">Password Case Sensitivity</a></dt><dt><a href="Other-Clients.html#id2975739">Use TCP/IP as Default Protocol</a></dt><dt><a href="Other-Clients.html#id2975757">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975803">Windows 95/98</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975876">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975901">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id2976103">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975129"></a>Macintosh Clients</h2></div></div><div></div></div><p>
+Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> has a CIFS Client/Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE.</ulink>
+They test it against Windows 95, Windows NT /200x/XP and Samba for
+compatibility issues. At the time of this writing, DAVE was at version
+4.1. Please refer to Thursby's Web site for more information regarding this
+product.
+</p><p>
+Alternatives There are two free implementations of AppleTalk for
+several kinds of UNIX machines and several more commercial ones.
+These products allow you to run file services and print services
+natively to Macintosh users, with no additional support required on
+the Macintosh. The two free implementations are
+<ulink url="http://www.umich.edu/~rsug/netatalk/">Netatalk,</ulink> and
+<ulink url="http://www.cs.mu.oz.au/appletalk/atalk.html">CAP.</ulink>
+What Samba offers MS Windows users, these packages offer to Macs.
+For more info on these packages, Samba, and Linux (and other UNIX-based systems), see
+<ulink url="http://www.eats.com/linux_mac_win.html">http://www.eats.com/linux_mac_win.html.</ulink>
+</p><p>Newer versions of the Macintosh (Mac OS X) include Samba.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975206"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975213"></a>Configuring OS/2 Warp Connect or OS/2 Warp 4</h3></div></div><div></div></div><p>Basically, you need three components:</p><div class="itemizedlist"><ul type="disc"><li>The File and Print Client (IBM Peer)</li><li>TCP/IP (Internet support) </li><li>The “<span class="quote">NetBIOS over TCP/IP</span>” driver (TCPBEUI)</li></ul></div><p>Installing the first two together with the base operating
+ system on a blank system is explained in the Warp manual. If Warp
+ has already been installed, but you now want to install the
+ networking support, use the “<span class="quote">Selective Install for Networking</span>”
+ object in the “<span class="quote">System Setup</span>” folder.</p><p>Adding the “<span class="quote">NetBIOS over TCP/IP</span>” driver is not described
+ in the manual and just barely in the online documentation. Start
+ <b class="command">MPTS.EXE</b>, click on <span class="guiicon">OK</span>, click on <span class="guimenu">Configure LAPS</span> and click
+ on <span class="guimenu">IBM OS/2 NETBIOS OVER TCP/IP</span> in <span class="guilabel">Protocols</span>. This line
+ is then moved to <span class="guilabel">Current Configuration</span>. Select that line,
+ click on <span class="guimenuitem">Change number</span> and increase it from 0 to 1. Save this
+ configuration.</p><p>If the Samba server is not on your local subnet, you
+ can optionally add IP names and addresses of these servers
+ to the <span class="guimenu">Names List</span>, or specify a WINS server (NetBIOS
+ Nameserver in IBM and RFC terminology). For Warp Connect, you
+ may need to download an update for <tt class="constant">IBM Peer</tt> to bring it on
+ the same level as Warp 4. See the Web page mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975348"></a>Configuring Other Versions of OS/2</h3></div></div><div></div></div><p>This sections deals with configuring OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x.</p><p>You can use the free Microsoft LAN Manager 2.2c Client for OS/2 that is
+ available from
+ <ulink url="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/">
+ ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</ulink>. In a nutshell, edit
+ the file <tt class="filename">\OS2VER</tt> in the root directory of the OS/2 boot partition and add the lines:</p><pre class="programlisting">
+ 20=setup.exe
+ 20=netwksta.sys
+ 20=netvdd.sys
+ </pre><p>before you install the client. Also, do not use the included NE2000 driver because it is buggy.
+ Try the NE2000 or NS2000 driver from <ulink url="ftp://ftp.cdrom.com/pub/os2/network/ndis/">
+ ftp://ftp.cdrom.com/pub/os2/network/ndis/</ulink> instead.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975411"></a>Printer Driver Download for OS/2 Clients</h3></div></div><div></div></div><p>Create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
+ world-readable. Copy your OS/2 driver files there. The <tt class="filename">.EA_</tt>
+ files must still be separate, so you will need to use the original install files
+ and not copy an installed driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then, add to your <tt class="filename">smb.conf</tt> a parameter,
+ <a class="indexterm" name="id2975450"></a><i class="parameter"><tt>os2 driver map</tt></i> = filename.
+ Next, in the file specified by <i class="replaceable"><tt>filename</tt></i>, map the
+ name of the NT driver name to the OS/2 driver name as follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.</p><p><i class="parameter"><tt>
+ HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
+ device name, the first attempt to download the driver will
+ actually download the files, but the OS/2 client will tell
+ you the driver is not available. On the second attempt, it
+ will work. This is fixed simply by adding the device name
+ to the mapping, after which it will work on the first attempt.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975516"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975524"></a>Latest TCP/IP Stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
+for Workgroups. The early TCP/IP stacks had lots of bugs.</p><p>
+Microsoft has released an incremental upgrade to their TCP/IP 32-bit
+VxD drivers. The latest release can be found on their ftp site at
+ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
+There is an update.txt file there that describes the problems that were
+fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
+<tt class="filename">TELNET.EXE</tt>,
+<tt class="filename">WSOCK.386</tt>,
+<tt class="filename">VNBT.386</tt>,
+<tt class="filename">WSTCP.386</tt>,
+<tt class="filename">TRACERT.EXE</tt>,
+<tt class="filename">NETSTAT.EXE</tt>, and
+<tt class="filename">NBTSTAT.EXE</tt>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975610"></a>Delete .pwl Files After Password Change</h3></div></div><div></div></div><p>
+Windows for Workgroups does a lousy job with passwords. When you change passwords on either
+the UNIX box or the PC, the safest thing to do is to delete the .pwl files in the Windows
+directory. The PC will complain about not finding the files, but will soon get over it,
+allowing you to enter the new password.
+</p><p>
+If you do not do this, you may find that Windows for Workgroups remembers and uses the old
+password, even if you told it a new one.
+</p><p>
+Often Windows for Workgroups will totally ignore a password you give it in a dialog box.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975641"></a>Configuring Windows for Workgroups Password Handling</h3></div></div><div></div></div><p>
+There is a program call <tt class="filename">admincfg.exe</tt>
+on the last disk (disk 8) of the WFW 3.11 disk set. To install it,
+type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
+Then add an icon for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
+This program allows you to control how WFW handles passwords, i.e.,
+Disable Password Caching and so on.
+for use with <a class="indexterm" name="id2975686"></a><i class="parameter"><tt>security</tt></i> = user.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975701"></a>Password Case Sensitivity</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server.
+UNIX passwords can be case-sensitive though. Check the <tt class="filename">smb.conf</tt> information on
+<a class="indexterm" name="id2975721"></a><i class="parameter"><tt>password level</tt></i> to specify what characters
+Samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975739"></a>Use TCP/IP as Default Protocol</h3></div></div><div></div></div><p>To support print queue reporting, you may find
+that you have to use TCP/IP as the default protocol under
+Windows for Workgroups. For some reason, if you leave NetBEUI as the default,
+it may break the print queue reporting on some systems.
+It is presumably a Windows for Workgroups bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975757"></a>Speed Improvement</h3></div></div><div></div></div><p>
+ Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
+the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
+<tt class="filename">SYSTEM.INI</tt> file under Windows for Workgroups to 3072 gives a
+big improvement.
+</p><p>
+My own experience with DefaultRcvWindow is that I get a much better
+performance with a large value (16384 or larger). Other people have
+reported that anything over 3072 slows things down enormously. One
+person even reported a speed drop of a factor of 30 when he went from
+3072 to 8192.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975803"></a>Windows 95/98</h2></div></div><div></div></div><p>
+When using Windows 95 OEM SR2, the following updates are recommended where Samba
+is being used. Please note that the above change will effect you once these
+updates have been installed.
+</p><p>
+There are more updates than the ones mentioned here. You are referred to the
+Microsoft Web site for all currently available updates to your specific version
+of Windows 95.
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
+Also, if using <span class="application">MS Outlook,</span> it is desirable to
+install the <b class="command">OLEUPD.EXE</b> fix. This
+fix may stop your machine from hanging for an extended period when exiting
+Outlook and you may notice a significant speedup when accessing network
+neighborhood services.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2975876"></a>Speed Improvement</h3></div></div><div></div></div><p>
+Configure the Windows 95 TCP/IP registry settings to give better
+performance. I use a program called <b class="command">MTUSPEED.exe</b> that I got off the
+Internet. There are various other utilities of this type freely available.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2975901"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
+There are several annoyances with Windows 2000 SP2. One of which
+only appears when using a Samba server to host user profiles
+to Windows 2000 SP2 clients in a Windows domain. This assumes
+that Samba is a member of the domain, but the problem will
+most likely occur if it is not.
+</p><p>
+In order to serve profiles successfully to Windows 2000 SP2
+clients (when not operating as a PDC), Samba must have
+<a class="indexterm" name="id2975922"></a><i class="parameter"><tt>nt acl support</tt></i> = no
+added to the file share which houses the roaming profiles.
+If this is not done, then the Windows 2000 SP2 client will
+complain about not being able to access the profile (Access
+Denied) and create multiple copies of it on disk (DOMAIN.user.001,
+DOMAIN.user.002, and so on). See the <tt class="filename">smb.conf</tt> man page
+for more details on this option. Also note that the
+<a class="indexterm" name="id2975950"></a><i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in
+releases prior to Samba 2.2.2.
+</p><p>
+<link linkend="minimalprofile"> provides a minimal profile share.
+</p><div class="example"><a name="minimalprofile"></a><p class="title"><b>Example 38.1. Minimal profile share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profile]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export/profile</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr><tr><td><i class="parameter"><tt>nt acl support = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr></table></div><p>
+The reason for this bug is that the Windows 200x SP2 client copies
+the security descriptor for the profile that contains
+the Samba server's SID, and not the domain SID. The client
+compares the SID for SAMBA\user and realizes it is
+different from the one assigned to DOMAIN\user. Hence, the reason
+for the <span class="errorname">access denied</span> message.
+</p><p>
+By disabling the <a class="indexterm" name="id2976065"></a><i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
+the Windows 200x client a response to the QuerySecurityDescriptor trans2 call, which causes the client
+to set a default ACL for the profile. This default ACL includes:
+</p><p><span class="emphasis"><em>DOMAIN\user “<span class="quote">Full Control</span>”</em></span>></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using Winbind to
+create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976103"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
+NT 3.1 workstations, read <ulink url="http://support.microsoft.com/default.aspx?scid=kb;Q103765">this Microsoft Knowledge Base article.</ulink>
+
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2953044">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2953137">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2953271">Windows 9x/ME Policies</a></dt><dt><a href="PolicyMgmt.html#id2953383">Windows NT4-Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2953525">MS Windows 200x/XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a></dt><dt><a href="PolicyMgmt.html#id2953985">Management Tools</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2954096">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2954120">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2954165">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2954310">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954324">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
+This chapter summarizes the current state of knowledge derived from personal
+practice and knowledge from Samba mailing list subscribers. Before reproduction
+of posted information, every effort has been made to validate the information given.
+Where additional information was uncovered through this validation it is provided
+also.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953044"></a>Features and Benefits</h2></div></div><div></div></div><p>
+When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement
+Group Policies for users and groups. Then along came MS Windows NT4 and a few sites
+started to adopt this capability. How do we know that? By the number of “<span class="quote">booboos</span>”
+(or mistakes) administrators made and then requested help to resolve.
+</p><p>
+<a class="indexterm" name="id2953070"></a>
+<a class="indexterm" name="id2953078"></a>
+<a class="indexterm" name="id2953087"></a>
+By the time that MS Windows 2000 and Active Directory was released, administrators
+got the message: Group Policies are a good thing! They can help reduce administrative
+costs and actually make happier users. But adoption of the true
+potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
+and machines were picked up on rather slowly. This was obvious from the Samba
+mailing list as in 2000 and 2001 when there were few postings regarding GPOs and
+how to replicate them in a Samba environment.
+</p><p>
+Judging by the traffic volume since mid 2002, GPOs have become a standard part of
+the deployment in many sites. This chapter reviews techniques and methods that can
+be used to exploit opportunities for automation of control over user desktops and
+network client workstations.
+</p><p>
+A tool new to Samba the <b class="command">editreg</b> tool
+ may become an important part of the future Samba administrators'
+arsenal is described in this document.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953137"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
+Under MS Windows platforms, particularly those following the release of MS Windows
+NT4 and MS Windows 95, it is possible to create a type of file that would be placed
+in the NETLOGON share of a Domain Controller. As the client logs onto the network,
+this file is read and the contents initiate changes to the registry of the client
+machine. This file allows changes to be made to those parts of the registry that
+affect users, groups of users, or machines.
+</p><p>
+<a class="indexterm" name="id2953161"></a>
+For MS Windows 9x/ME, this file must be called <tt class="filename">Config.POL</tt> and may
+be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
+Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
+disappeared again with the introduction of MS Windows Me (Millennium Edition). From
+comments of MS Windows network administrators, it would appear that this tool became
+a part of the MS Windows Me Resource Kit.
+</p><p>
+<a class="indexterm" name="id2953195"></a>
+MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
+under <span class="guimenu">Start -> Programs -> Administrative Tools</span>.
+For MS Windows NT4 and later clients, this file must be called <tt class="filename">NTConfig.POL</tt>.
+</p><p>
+New with the introduction of MS Windows 2000 was the Microsoft Management Console
+or MMC. This tool is the new wave in the ever-changing landscape of Microsoft
+methods for management of network access and security. Every new Microsoft product
+or technology seems to make the old rules obsolete and introduces newer and more
+complex tools and methods. To Microsoft's credit, the MMC does appear to
+be a step forward, but improved functionality comes at a great price.
+</p><p>
+Before embarking on the configuration of network and system policies, it is highly
+advisable to read the documentation available from Microsoft's Web site regarding
+<ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">
+Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
+There are a large number of documents in addition to this old one that should also
+be read and understood. Try searching on the Microsoft Web site for “<span class="quote">Group Policies</span>”.
+</p><p>
+What follows is a brief discussion with some helpful notes. The information provided
+here is incomplete you are warned.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953271"></a>Windows 9x/ME Policies</h3></div></div><div></div></div><p>
+ You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME.
+ It can be found on the original full product Windows 98 installation CD under
+ <tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
+ Add/Remove Programs facility and then click on <span class="guiicon">Have Disk</span>.
+ </p><p>
+<a class="indexterm" name="id2953305"></a>
+ Use the Group Policy Editor to create a policy file that specifies the location of
+ user profiles and/or <tt class="filename">My Documents</tt>, and so on. Then save these
+ settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
+ root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Windows 98 is configured to log onto
+ the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry
+ of the machine as it logs on.
+ </p><p>
+ Further details are covered in the Windows 98 Resource Kit documentation.
+ </p><p>
+ If you do not take the correct steps, then every so often Windows 9x/ME will check the
+ integrity of the registry and restore its settings from the back-up
+ copy of the registry it stores on each Windows 9x/ME machine. So, you will
+ occasionally notice things changing back to the original settings.
+ </p><p>
+ Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the
+ Windows 98 CDROM in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
+ Install group policies on a Windows 9x/Me client by double-clicking on
+ <tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
+ if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
+ Windows 9x/Me machine that uses Group Policies.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953383"></a>Windows NT4-Style Policy Files</h3></div></div><div></div></div><p>
+ To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
+ Policy Editor, <b class="command">poledit.exe</b>, which is included with NT4 Server
+ but not with NT Workstation. There is a Policy Editor on an NT4
+ Workstation but it is not suitable for creating domain policies.
+ Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
+ Workstation/Server, it will not work with NT clients. However, the files from
+ the NT Server will run happily enough on an NT4 Workstation.
+ </p><p>
+ You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
+ It is convenient to put the two <tt class="filename">*.adm</tt> files in the <tt class="filename">c:\winnt\inf</tt>
+ directory, which is where the binary will look for them unless told otherwise. This
+ directory is normally “<span class="quote">hidden.</span>”
+ </p><p>
+ The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
+ that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The Policy Editor,
+ <b class="command">poledit.exe</b>, and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the Policy Editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2953495"></a>Registry Spoiling</h4></div></div><div></div></div><p>
+ With NT4-style registry-based policy changes, a large number of settings are not
+ automatically reversed as the user logs off. The settings that were in the
+ <tt class="filename">NTConfig.POL</tt> file were applied to the client machine registry and apply to the
+ hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
+ as tattooing. It can have serious consequences downstream and the administrator must
+ be extremely careful not to lock out the ability to manage the machine at a later date.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953525"></a>MS Windows 200x/XP Professional Policies</h3></div></div><div></div></div><p>
+ Windows NT4 system policies allow the setting of registry parameters specific to
+ users, groups and computers (client workstations) that are members of the NT4-style
+ domain. Such policy files will work with MS Windows 200x/XP clients also.
+ </p><p>
+ New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers
+ a superset of capabilities compared with NT4-style policies. Obviously, the tool used
+ to create them is different, and the mechanism for implementing them is much improved.
+ </p><p>
+<a class="indexterm" name="id2953554"></a>
+ The older NT4-style registry-based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
+ in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes the ability to set various security
+ configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+ users desktop (including the location of <tt class="filename">My Documents</tt> files (directory), as
+ well as intrinsics of where menu items will appear in the Start menu). An additional new
+ feature is the ability to make available particular software Windows applications to particular
+ users and/or groups.
+ </p><p>
+ Remember, NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
+ of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password
+ and selects the domain name to which the logon will attempt to take place. During the logon process,
+ the client machine reads the <tt class="filename">NTConfig.POL</tt> file from the NETLOGON share on
+ the authenticating server and modifies the local registry values according to the settings in this file.
+ </p><p>
+ Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
+ a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+ in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+ Directory Domain Controllers. The part that is stored in the Active Directory itself is called the
+ Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
+ known as the Group Policy Template (GPT).
+ </p><p>
+ With NT4 clients, the policy file is read and executed only as each user logs onto the network.
+ MS Windows 200x policies are much more complex GPOs are processed and applied at client machine
+ startup (machine specific part) and when the user logs onto the network, the user-specific part
+ is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
+ to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
+ the administrator to also set filters over the policy settings. No such equivalent capability
+ exists with NT4-style policy files.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2953643"></a>Administration of Windows 200x/XP Policies</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2953655"></a>
+<a class="indexterm" name="id2953663"></a>
+ Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
+ executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
+ <span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
+ Go to the Windows 200x/XP menu <span class="guimenu">Start->Programs->Administrative Tools</span>
+ and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
+ </p></li><li><p>
+ Select the domain or organizational unit (OU) that you wish to manage, then right-click
+ to open the context menu for that object, and select the <span class="guibutton">Properties</span>.
+ </p></li><li><p>
+ Left-click on the <span class="guilabel">Group Policy</span> tab, then
+ left-click on the New tab. Type a name
+ for the new policy you will create.
+ </p></li><li><p>
+ Left-click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
+ </p></li></ol></div><p>
+ All policy configuration options are controlled through the use of policy administrative
+ templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
+ Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
+ The latter introduces many new features as well as extended definition capabilities. It is
+ well beyond the scope of this documentation to explain how to program .adm files; for that
+ the administrator is referred to the Microsoft Windows Resource Kit for your particular
+ version of MS Windows.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
+ to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
+ use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+ </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953826"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
+Policies can define a specific user's settings or the settings for a group of users. The resulting
+policy file contains the registry settings for all users, groups, and computers that will be using
+the policy file. Separate policy files for each user, group, or computer are not necessary.
+</p><p>
+<a class="indexterm" name="id2953848"></a>
+If you create a policy that will be automatically downloaded from validating Domain Controllers,
+you should name the file <tt class="filename">NTConfig.POL</tt>. As system administrator, you have the option of renaming the
+policy file and, by modifying the Windows NT-based workstation, directing the computer to update
+the policy from a manual path. You can do this by either manually changing the registry or by using
+the System Policy Editor. This can even be a local path such that each machine has its own policy file,
+but if a change is necessary to all machines, it must be made individually to each workstation.
+</p><p>
+When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
+the authenticating domain controller for the presence of the NTConfig.POL file. If one exists it is
+downloaded, parsed and then applied to the user's part of the registry.
+</p><p>
+<a class="indexterm" name="id2953887"></a>
+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
+acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
+itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
+This has considerable advantage compared with the use of <tt class="filename">NTConfig.POL</tt> (NT4) style policy updates.
+</p><p>
+In addition to user access controls that may be imposed or applied via system and/or group policies
+in a manner that works in conjunction with user profiles, the user management environment under
+MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
+Common restrictions that are frequently used include:
+</p><p>
+<a class="indexterm" name="id2953928"></a>
+</p><div class="itemizedlist"><ul type="disc"><li>Logon hours</li><li>Password aging</li><li>Permitted logon from certain machines only</li><li>Account type (local or global)</li><li>User rights</li></ul></div><p>
+</p><p>
+Samba-3.0.0 doe not yet implement all account controls that are common to MS Windows NT4/200x/XP.
+While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password
+expirey is functional today. Most of the remaining controls at this time have only stub routines
+that may eventually be completed to provide actual control. Do not be misled by the fact that a
+parameter can be set using the NT4 Domain User Manager or in the <tt class="filename">NTConfig.POL</tt>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953985"></a>Management Tools</h2></div></div><div></div></div><p>
+Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
+The following sections describe a few key tools that will help you to create a low maintenance user
+environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954000"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2954011"></a>
+<a class="indexterm" name="id2954020"></a>
+<a class="indexterm" name="id2954028"></a>
+ A new tool called <b class="command">editreg</b> is under development. This tool can be used
+ to edit registry files (called <tt class="filename">NTUser.DAT</tt>) that are stored in user
+ and group profiles. <tt class="filename">NTConfig.POL</tt> files have the same structure as the
+ <tt class="filename">NTUser.DAT</tt> file and can be edited using this tool. <b class="command">editreg</b>
+ is being built with the intent to enable <tt class="filename">NTConfig.POL</tt> files to be saved in text format and to
+ permit the building of new <tt class="filename">NTConfig.POL</tt> files with extended capabilities. It is proving difficult
+ to realize this capability, so do not be surprised if this feature does not materialize. Formal
+ capabilities will be announced at the time that this tool is released for production use.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954096"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
+ The tools that may be used to configure these types of controls from the MS Windows environment are:
+ the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
+ Under MS Windows 200x/XP, this is done using the Microsoft Management Console (MMC) with appropriate
+ “<span class="quote">snap-ins,</span>” the registry editor, and potentially also the NT4 System and Group Policy Editor.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954120"></a>Samba PDC</h3></div></div><div></div></div><p>
+ With a Samba Domain Controller, the new tools for managing user account and policy information include:
+ <b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
+ The administrator should read the man pages for these tools and become familiar with their use.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954165"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
+The following attempts to document the order of processing the system and user policies following a system
+reboot and as part of the user logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
+ Convention Provider (MUP) start.
+ </p></li><li><p>
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
+ and applied. The list may include GPOs that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Apply to the location of machines in a Directory.</p></li><li><p>Apply only when settings have changed.</p></li><li><p>Depend on configuration of the scope of applicability: local,
+ site, domain, organizational unit, and so on.</p></li></ul></div><p>
+ No desktop user interface is presented until the above have been processed.
+ </p></li><li><p>
+ Execution of start-up scripts (hidden and synchronous by default).
+ </p></li><li><p>
+ A keyboard action to effect start of logon (Ctrl-Alt-Del).
+ </p></li><li><p>
+ User credentials are validated, user profile is loaded (depends on policy settings).
+ </p></li><li><p>
+ An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
+
+</p><div class="itemizedlist"><ul type="disc"><li>Is the user a Domain Member, thus subject to particular policies?</li><li>Loopback enablement, and the state of the loopback policy (Merge or Replace).</li><li>Location of the Active Directory itself.</li><li>Has the list of GPOs changed? No processing is needed if not changed.</li></ul></div><p>
+ </p></li><li><p>
+ User Policies are applied from Active Directory. Note: There are several types.
+ </p></li><li><p>
+ Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group
+ Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
+ window.
+ </p></li><li><p>
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
+ Domain), machine (system) policies are applied at start-up; user policies are applied at logon.
+ </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954310"></a>Common Errors</h2></div></div><div></div></div><p>
+Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following
+collection demonstrates only basic issues.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954324"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
+“<span class="quote">We have created the <tt class="filename">Config.POL</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
+It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not
+work any longer since we upgraded to Win XP Pro. Any hints?</span>”
+</p><p>
+Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to
+use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so it is in the
+correct format for your MS Windows XP Pro clients.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to Compile Samba"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and Other CIFS Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id2974513">HPUX</a></dt><dt><a href="Portability.html#id2974600">SCO UNIX</a></dt><dt><a href="Portability.html#id2974655">DNIX</a></dt><dt><a href="Portability.html#id2974825">Red Hat Linux</a></dt><dt><a href="Portability.html#id2974869">AIX</a></dt><dd><dl><dt><a href="Portability.html#id2974876">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id2974902">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id2974909">Locking Improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
+platforms provide is not always compatible. This chapter contains
+platform-specific information about compiling and using Samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974513"></a>HPUX</h2></div></div><div></div></div><p>
+HP's implementation of supplementary groups is non-standard (for
+historical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
+<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
+initgroups() reads the latter. Most system admins who know the ropes
+symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
+(hard link does not work for reasons too obtuse to go into here). initgroups() will complain if one of the
+groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
+ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
+60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
+GIDs.
+</p><p>
+If you encounter this problem, make sure the programs that are failing
+to initgroups() are run as users, not in any groups with GIDs outside the
+allowed range.
+</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
+</p><p>
+On HP-UX you must use gcc or the HP ANSI compiler. The free compiler
+that comes with HP-UX is not ANSI compliant and cannot compile Samba.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974600"></a>SCO UNIX</h2></div></div><div></div></div><p>
+If you run an old version of SCO UNIX, you may need to get important
+TCP/IP patches for Samba to work correctly. Without the patch, you may
+encounter corrupt data transfers using Samba.
+</p><p>
+The patch you need is UOD385 Connection Drivers SLS. It is available from
+SCO (<ulink url="ftp://ftp.sco.com/">ftp.sco.com</ulink>, directory SLS,
+files uod385a.Z and uod385a.ltr.Z).
+</p><p>
+The information provided here refers to an old version of SCO UNIX. If you require
+binaries for more recent SCO UNIX products, please contact SCO to obtain packages that are
+ready to install. You should also verify with SCO that your platform is up-to-date for the
+binary packages you will install. This is important if you wish to avoid data corruption
+problems with your installation. To build Samba for SCO UNIX products may
+require significant patching of Samba source code. It is much easier to obtain binary
+packages directly from SCO.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974655"></a>DNIX</h2></div></div><div></div></div><p>
+DNIX has a problem with seteuid() and setegid(). These routines are
+needed for Samba to work correctly, but they were left out of the DNIX
+C library for some reason.
+</p><p>
+For this reason Samba by default defines the macro NO_EID in the DNIX
+section of includes.h. This works around the problem in a limited way,
+but it is far from ideal, and some things still will not work right.
+</p><p>
+To fix the problem properly, you need to assemble the following two
+functions and then either add them to your C library or link them into
+Samba. Put the following in the file <tt class="filename">setegid.s</tt>:
+</p><pre class="programlisting">
+ .globl _setegid
+_setegid:
+ moveq #47,d0
+ movl #100,a0
+ moveq #1,d1
+ movl 4(sp),a1
+ trap #9
+ bccs 1$
+ jmp cerror
+1$:
+ clrl d0
+ rts
+</pre><p>
+Put this in the file <tt class="filename">seteuid.s</tt>:
+</p><pre class="programlisting">
+ .globl _seteuid
+_seteuid:
+ moveq #47,d0
+ movl #100,a0
+ moveq #0,d1
+ movl 4(sp),a1
+ trap #9
+ bccs 1$
+ jmp cerror
+1$:
+ clrl d0
+ rts
+</pre><p>
+After creating the above files, you then assemble them using
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
+</pre><p>
+that should produce the files <tt class="filename">seteuid.o</tt> and
+<tt class="filename">setegid.o</tt>
+</p><p>
+Then you need to add these to the LIBSM line in the DNIX section of
+the Samba Makefile. Your LIBSM line will then look something like this:
+</p><pre class="programlisting">
+LIBSM = setegid.o seteuid.o -ln
+</pre><p>
+You should then remove the line:
+</p><pre class="programlisting">
+#define NO_EID
+</pre><p>from the DNIX section of <tt class="filename">includes.h</tt>.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974825"></a>Red Hat Linux</h2></div></div><div></div></div><p>
+By default during installation, some versions of Red Hat Linux add an
+entry to <tt class="filename">/etc/hosts</tt> as follows:
+</p><pre class="programlisting">
+ 127.0.0.1 loopback "hostname"."domainname"
+</pre><p>
+</p><p>
+This causes Samba to loop back onto the loopback interface.
+The result is that Samba fails to communicate correctly with
+the world and therefore may fail to correctly negotiate who
+is the master browse list holder and who is the master browser.
+</p><p>
+Corrective Action: Delete the entry after the word "loopback"
+in the line starting 127.0.0.1.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974869"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974876"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
+Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
+Samba performance significantly.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2974902"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974909"></a>Locking Improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
+when running Samba on Solaris. The built-in file locking mechanism was
+not scalable. Performance would degrade to the point where processes would
+get into loops of trying to lock a file. It would try a lock, then fail,
+then try again. The lock attempt was failing before the grant was
+occurring. So the visible manifestation of this would be a handful of
+processes stealing all of the CPU, and when they were trussed they would
+be stuck if F_SETLKW64 loops.
+</p><p>
+Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
+has not been released yet.
+</p><p>
+The patch revision for 2.6 is 105181-34, for 8 is 108528-19 and for 9 is 112233-04.
+</p><p>
+After the install of these patches, it is recommended to reconfigure
+and rebuild Samba.
+</p><p>Thanks to Joe Meslovich for reporting this.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
+Nsswitch on Solaris 9 refuses to use the Winbind NSS module. This behavior
+is fixed by Sun in patch 113476-05, which as of March 2003, is not in any
+roll-up packages.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to Compile Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and Other CIFS Clients</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM-Based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2954425">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2954459">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954500">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2955058">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt><a href="ProfileMgmt.html#id2956492">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2956822">Mandatory Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956917">Creating and Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956970">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2956999">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2958338">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2958351">Configuring Roaming Profiles for a Few Users or Groups</a></dt><dt><a href="ProfileMgmt.html#id2958416">Cannot Use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2958626">Changing the Default Profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954425"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Roaming profiles are feared by some, hated by a few, loved by many, and a Godsend for
+some administrators.
+</p><p>
+Roaming profiles allow an administrator to make available a consistent user desktop
+as the user moves from one machine to another. This chapter provides much information
+regarding how to configure and manage roaming profiles.
+</p><p>
+While roaming profiles might sound like nirvana to some, they are a real and tangible
+problem to others. In particular, users of mobile computing tools, where often there may not
+be a sustained network connection, are often better served by purely local profiles.
+This chapter provides information to help the Samba administrator deal with those
+situations.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954459"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x.
+</p></div><p>
+Before discussing how to configure roaming profiles, it is useful to see how
+Windows 9x/Me and Windows NT4/200x clients implement these features.
+</p><p>
+Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's
+profiles location. However, the response does not have room for a separate
+profiles location field, only the user's home share. This means that Windows 9x/Me
+profiles are restricted to being stored in the user's home directory.
+</p><p>
+Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields
+including a separate field for the location of the user's profiles.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954500"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
+This section documents how to configure Samba for MS Windows client profile support.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954513"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
+For example, to support Windows NT4/200x clients, set the followoing in the [global] section of the <tt class="filename">smb.conf</tt> file:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</tt></i></td></tr></table><p>
+
+This is typically implemented like:
+
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%L\Profiles\%u</tt></i></td></tr></table><p>
+where “<span class="quote">%L</span>” translates to the name of the Samba server and “<span class="quote">%u</span>” translates to the user name.
+</p><p>
+The default for this option is <tt class="filename">\\%N\%U\profile</tt>, namely <tt class="filename">\\sambaserver\username\profile</tt>.
+The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
+a Samba server for the profiles, you must make the share that is specified in the logon path
+browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
+semantics of “<span class="quote">%L</span>” and “<span class="quote">%N</span>”, as well as “<span class="quote">%U</span>” and “<span class="quote">%u</span>”.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended
+to not use the <i class="parameter"><tt>homes</tt></i> meta-service name as part of the profile share path.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954652"></a>Windows 9x/Me User Profiles</h4></div></div><div></div></div><p>
+To support Windows 9x/Me clients, you must use the <a class="indexterm" name="id2954664"></a><i class="parameter"><tt>logon home</tt></i>
+parameter. Samba has been fixed so <b class="userinput"><tt>net use /home</tt></b> now works as well and it, too, relies
+on the <b class="command">logon home</b> parameter.
+</p><p>
+By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home
+directory. But wait! There is a trick you can use. If you set the following in the
+<i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%U\.profiles</tt></i></td></tr></table><p>
+then your Windows 9x/Me clients will dutifully put their clients in a subdirectory
+of your home directory called <tt class="filename">.profiles</tt> (making them hidden).
+</p><p>
+Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work because of a feature in
+Windows 9x/Me. It removes any directory stuff off the end of the home directory area
+and only uses the server and share portion. That is, it looks like you
+specified <tt class="filename">\\%L\%U</tt> for <a class="indexterm" name="id2954767"></a><i class="parameter"><tt>logon home</tt></i>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954783"></a>Mixed Windows 9x/Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
+You can support profiles for Windows 9x and Windows NT clients by setting both the
+<a class="indexterm" name="id2954795"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2954809"></a><i class="parameter"><tt>logon path</tt></i> parameters. For example:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%u\.profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%L\profiles\%u</tt></i></td></tr></table></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954850"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
+A question often asked is: “<span class="quote">How may I enforce use of local profiles?</span>” or
+“<span class="quote">How do I disable roaming profiles?</span>”
+</p><p>
+<a class="indexterm" name="id2954876"></a>
+There are three ways of doing this:
+<a class="indexterm" name="id2954885"></a>
+</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
+ Affect the following settings and ALL clients will be forced to use a local profile:
+ <a class="indexterm" name="id2954920"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2954933"></a><i class="parameter"><tt>logon path</tt></i>
+ </p></dd><dt><span class="term">MS Windows Registry</span></dt><dd><p>
+ By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP
+ machine to use only a local profile. This, of course, modifies registry settings. The full
+ path to the option is:
+</p><pre class="screen">
+Local Computer Policy\
+ Computer Configuration\
+ Administrative Templates\
+ System\
+ User Profiles\
+
+Disable: Only Allow Local User Profiles
+Disable: Prevent Roaming Profile Change from Propagating to the Server
+</pre><p>
+ </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>From the start menu right-click on <span class="guiicon">My Computer icon</span>,
+ select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
+ tab, select the profile you wish to change from
+ <span class="guimenu">Roaming</span> type to <span class="guimenu">Local</span>, and click on
+ <span class="guibutton">Change Type</span>.
+ </p></dd></dl></div><p>
+Consult the MS Windows registry guide for your particular MS Windows version for more information
+about which registry keys to change to enforce use of only local user profiles.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The specifics of how to convert a local profile to a roaming profile, or a roaming profile
+to a local one vary according to the version of MS Windows you are running. Consult the Microsoft MS
+Windows Resource Kit for your version of Windows for specific information.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955058"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955066"></a>Windows 9x/Me Profile Setup</h4></div></div><div></div></div><p>
+When a user first logs in on Windows 9X, the file user.DAT is created, as are folders
+<tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>, <tt class="filename">Programs</tt>, and
+<tt class="filename">Nethood</tt>. These directories and their contents will be merged with the local
+versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins, taking the
+most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i> options
+<a class="indexterm" name="id2955121"></a><i class="parameter"><tt>preserve case</tt></i> = yes,
+<a class="indexterm" name="id2955136"></a><i class="parameter"><tt>short preserve case</tt></i> = yes and
+<a class="indexterm" name="id2955150"></a><i class="parameter"><tt>case sensitive</tt></i> = no
+in order to maintain capital letters in shortcuts in any of the profile folders.
+</p><p>
+The <tt class="filename">user.DAT</tt> file contains all the user's preferences. If you wish to enforce a set of preferences,
+rename their <tt class="filename">user.DAT</tt> file to <tt class="filename">user.MAN</tt>, and deny them write access to this file.
+</p><div class="orderedlist"><ol type="1"><li><p>
+ On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> ->
+ <span class="guimenuitem">Passwords</span> and select the <span class="guilabel">User Profiles</span> tab.
+ Select the required level of roaming preferences. Press <span class="guibutton">OK</span>, but do not
+ allow the computer to reboot.
+ </p></li><li><p>
+ On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> ->
+ <span class="guimenuitem">Network</span> -> <span class="guimenuitem">Client for Microsoft Networks</span>
+ -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to NT Domain</span>. Then,
+ ensure that the Primary Logon is <span class="guilabel">Client for Microsoft Networks</span>. Press
+ <span class="guibutton">OK</span>, and this time allow the computer to reboot.
+ </p></li></ol></div><p> Under Windows 9x/ME, profiles are downloaded from the Primary Logon. If you have the Primary Logon
+as “<span class="quote">Client for Novell Networks</span>”, then the profiles and logon script will be downloaded from
+your Novell Server. If you have the Primary Logon as “<span class="quote">Windows Logon</span>”, then the profiles will
+be loaded from the local machine a bit against the concept of roaming profiles, it would seem! </p><p>
+You will now find that the Microsoft Networks Login box contains <tt class="constant">[user, password, domain]</tt> instead
+of just <tt class="constant">[user, password]</tt>. Type in the Samba server's domain name (or any other domain known to exist,
+but bear in mind that the user will be authenticated against this domain and profiles downloaded from it,
+if that domain logon server supports it), user name and user's password.
+</p><p> Once the user has been successfully validated, the Windows 9x/Me machine will inform you that
+<tt class="computeroutput">The user has not logged on before</tt> and asks you <tt class="computeroutput">Do you
+wish to save the user's preferences?</tt> Select <span class="guibutton">Yes</span>. </p><p> Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the
+contents of the directory specified in the <a class="indexterm" name="id2955374"></a><i class="parameter"><tt>logon path</tt></i> on
+the Samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
+<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created. </p><p> These folders will be cached locally on the client, and updated when the user logs off (if
+you haven't made them read-only by then). You will find that if the user creates further folders or
+shortcut, that the client will merge the profile contents downloaded with the contents of the profile
+directory already on the local client, taking the newest folders and shortcut from each set. </p><p> If you have made the folders/files read-only on the Samba server, then you will get errors from
+the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile.
+Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions
+and ownership rights on the profile directory contents, on the Samba server. </p><p> If you have problems creating user profiles, you can reset the user's local desktop cache, as
+shown below. When this user next logs in, the user will be told that he/she is logging in “<span class="quote">for
+ the first time</span>”.
+
+<a class="indexterm" name="id2955451"></a>
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Instead of logging in under the [user, password, domain] dialog, press <span class="guibutton">escape</span>.
+ </p></li><li><p>
+ Run the <b class="command">regedit.exe</b> program, and look in:
+ </p><p>
+ <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
+ </p><p>
+ You will find an entry for each user of ProfilePath. Note the contents of this key
+ (likely to be <tt class="filename">c:\windows\profiles\username</tt>), then delete the key
+ <i class="parameter"><tt>ProfilePath</tt></i> for the required user.
+ </p></li><li><p>
+ Exit the registry editor.
+ </p></li><li><p>
+ Search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt> directory, and delete it.
+ </p></li><li><p>
+ Log off the Windows 9x/Me client.
+ </p></li><li><p>
+ Check the contents of the profile path (see <a class="indexterm" name="id2955562"></a><i class="parameter"><tt>logon path</tt></i>
+ described above) and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt>
+ file for the user, making a backup if required.
+ </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Before deleting the contents of the directory listed in the <i class="parameter"><tt>ProfilePath</tt></i>
+(this is likely to be <tt class="filename">c:\windows\profiles\username)</tt>, ask the owner if they have
+any important files stored on their desktop or in their start menu. Delete the contents of the
+directory <i class="parameter"><tt>ProfilePath</tt></i> (making a backup if any of the files are needed).
+</p><p>
+This will have the effect of removing the local (read-only hidden system file) <tt class="filename">user.DAT</tt>
+in their profile directory, as well as the local “<span class="quote">desktop,</span>” “<span class="quote">nethood,</span>”
+“<span class="quote">start menu,</span>” and “<span class="quote">programs</span>” folders.
+</p></div><p>
+If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet
+sniffer program such as ethereal or <b class="command">netmon.exe</b>, and look for error messages.
+</p><p> If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or
+netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces
+provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955678"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p> When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile
+location can be now specified through the <a class="indexterm" name="id2955691"></a><i class="parameter"><tt>logon path</tt></i> parameter.
+</p><p> There is a parameter that is now available for use with NT Profiles: <a class="indexterm" name="id2955710"></a><i class="parameter"><tt>logon drive</tt></i>.
+This should be set to <tt class="filename">H:</tt> or any other drive, and should be used in conjunction with
+the new <a class="indexterm" name="id2955733"></a><i class="parameter"><tt>logon home</tt></i> parameter. </p><p> The entry for the NT4 profile is a directory not a file. The NT help on Profiles mentions that a
+directory is also created with a .PDS extension. The user, while logging in, must have write permission
+to create the full profile path (and the folder with the .PDS extension for those situations where it
+might be created.) </p><p> In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates
+<tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>,
+<tt class="filename">Nethood</tt>, <tt class="filename">Start Menu,</tt> and <tt class="filename">Programs</tt>.
+The profile itself is stored in a file <tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored
+in the .PDS directory, and its purpose is currently unknown. </p><p> You can use the <span class="application">System Control Panel</span> to copy a local profile onto
+a Samba server (see NT Help on Profiles; it is also capable of firing up the correct location in the
+<span class="application">System Control Panel</span> for you). The NT Help file also mentions that renaming
+<tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt> turns a profile into a mandatory one.
+</p><p> The case of the profile is significant. The file must be called <tt class="filename">NTuser.DAT</tt>
+or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>. </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955863"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p> You must first convert the profile from a local profile to a domain profile on the MS Windows
+workstation as follows: </p><div class="procedure"><ol type="1"><li><p> Log on as the <span class="emphasis"><em>local</em></span> workstation administrator. </p></li><li><p> Right-click on the <span class="guiicon">My Computer</span> Icon, select
+ <span class="guimenuitem">Properties</span>.</p></li><li><p> Click on the <span class="guilabel">User Profiles</span> tab.</p></li><li><p> Select the profile you wish to convert (click it once).</p></li><li><p> Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p> In the <span class="guilabel">Permitted to use</span> box, click on the
+ <span class="guibutton">Change</span> button. </p></li><li><p> Click on the <span class="guilabel">Look in</span> area that lists the machine name. When you click here, it will
+ open up a selection box. Click on the domain to which the profile must be accessible. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up.
+ For example, connect as <i class="replaceable"><tt>DOMAIN</tt></i>\root, password:
+ <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p> To make the profile capable of being used by anyone, select “<span class="quote">Everyone</span>”. </p></li><li><p> Click on <span class="guibutton">OK</span> and the Selection box will close. </p></li><li><p> Now click on <span class="guibutton">OK</span> to create the profile in the path
+ you nominated. </p></li></ol></div><p> Done. You now have a profile that can be edited using the Samba <b class="command">profiles</b> tool.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail
+data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable.
+</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2956079"></a>Windows XP Service Pack 1</h5></div></div><div></div></div><p>
+ There is a security check new to Windows XP (or maybe only Windows XP service pack 1).
+ It can be disabled via a group policy in the Active Directory. The policy is called:
+ </p><p>
+ <tt class="filename">Computer Configuration\Administrative Templates\System\User Profiles\Do not check for
+ user ownership of Roaming Profile Folders</tt>i
+ </p><p>
+ This should be set to <tt class="constant">Enabled</tt>.
+ </p><p>
+ Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this.
+ </p><p>If you cannot set group policies in Samba, then you may be able to set the policy locally on
+ each machine. If you want to try this, then do the following (N.B. I do not know for sure that this
+ will work in the same way as a domain group policy):
+ </p><div class="procedure"><ol type="1"><li><p>On the XP workstation, log in with an Administrative account.</p></li><li><p>Click on <span class="guimenu">Start</span> -> <span class="guimenuitem">Run</span>.</p></li><li><p>Type <b class="command">mmc</b>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click on <span class="guimenu">File</span> -> <span class="guimenuitem">Add/Remove Snap-in</span> -> <span class="guimenuitem">Add</span>.</p></li><li><p>Double-click on <span class="guiicon">Group Policy</span>.</p></li><li><p>Click on <span class="guibutton">Finish</span> -> <span class="guibutton">Close</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>In the “<span class="quote">Console Root</span>” window expand <span class="guiicon">Local Computer Policy</span> ->
+ <span class="guiicon">Computer Configuration</span> -> <span class="guiicon">Administrative Templates</span> -> <span class="guiicon">System</span> -> <span class="guiicon">User Profiles</span>.</p></li><li><p>Double-click on <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span>.</p></li><li><p>Select <span class="guilabel">Enabled</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>Close the whole console. You do not need to save the settings (this refers to the
+ console settings rather than the policies you have changed).</p></li><li><p>Reboot.</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956404"></a>Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</h3></div></div><div></div></div><p> Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an
+evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere
+with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is
+that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite
+information that belongs to the newer version resulting in loss of profile information content when that
+user logs on again with the newer version of MS Windows. </p><p> If you then want to share the same Start Menu/Desktop with W9x/Me, you will need to specify a common
+location for the profiles. The <tt class="filename">smb.conf</tt> parameters that need to be common are <a class="indexterm" name="id2956443"></a><i class="parameter"><tt>logon path</tt></i> and <a class="indexterm" name="id2956457"></a><i class="parameter"><tt>logon home</tt></i>. </p><p> If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
+<tt class="filename">NTuser.DAT</tt> files in the same profile directory. </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956492"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p> There is nothing to stop you from specifying any path that you like for the location of users' profiles.
+Therefore, you could specify that the profile be stored on a Samba server, or any other SMB server,
+as long as that SMB server supports encrypted passwords. </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956509"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p> Unfortunately, the Resource Kit information is specific to the version of MS Windows NT4/200x. The
+correct resource kit is required for each platform. </p><p>Here is a quick guide:</p><div class="procedure"><ol type="1"><li><p> On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then select the
+ tab labeled <span class="guilabel">User Profiles</span>. </p></li><li><p> Select a user profile you want to migrate and click on it. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term “<span class="quote">migrate</span>” loosely. You can copy a profile to create a group
+ profile. You can give the user <i class="parameter"><tt>Everyone</tt></i> rights to the profile you copy this to. That
+ is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4
+ PDC.</p></div></li><li><p>Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labeled <span class="guilabel">Copy Profile to</span> add your new path, e.g.,
+ <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group “<span class="quote">Everyone</span>”, click on <span class="guibutton">OK</span>. This
+ closes the “<span class="quote">choose user</span>” box.</p></li><li><p>Now click on <span class="guibutton">OK</span>.</p></li></ol></div><p> Follow the above for every profile you need to migrate. </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956689"></a>Side Bar Notes</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2956700"></a>
+You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man
+page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956712"></a>moveuser.exe</h4></div></div><div></div></div><p> The Windows 200x professional resource kit has <b class="command">moveuser.exe</b>. <b class="command">moveuser.exe</b> changes the security of a profile
+from one user to another. This allows the account domain to change, and/or the user name to change.</p><p>
+This command is like the Samba <b class="command">profiles</b> tool.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956753"></a>Get SID</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2956764"></a>
+You can identify the SID by using <b class="command">GetSID.exe</b> from the Windows NT Server 4.0 Resource Kit. </p><p> Windows NT 4.0 stores the local profile information in the registry under the following key:
+<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt> </p><p> Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged
+on to this computer. (To find the profile information for the user whose locally cached profile you want
+to move, find the SID for the user with the <b class="command">GetSID.exe</b> utility.) Inside the appropriate user's subkey,
+you will see a string value named <i class="parameter"><tt>ProfileImagePath</tt></i>. </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956822"></a>Mandatory Profiles</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956832"></a>
+A Mandatory Profile is a profile that the user does not have the ability to overwrite. During the
+user's session, it may be possible to change the desktop environment, however, as the user logs out all changes
+made will be lost. If it is desired to not allow the user any ability to change the desktop environment,
+then this must be done through policy settings. See the previous chapter. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Under NO circumstances should the profile directory (or its contents) be made read-only
+as this may render the profile un-usable. Where it is essential to make a profile read-only
+within the UNIX file system, this can be done but then you absolutely must use the <b class="command">fake-permissions</b>
+VFS module to instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <link linkend="fakeperms">.
+</p></div><p> For MS Windows NT4/200x/XP, the above method can also be used to create mandatory profiles. To
+convert a group profile into a mandatory profile, simply locate the <tt class="filename">NTUser.DAT</tt> file in the copied profile
+and rename it to <tt class="filename">NTUser.MAN</tt>. </p><p> For MS Windows 9x/ME, it is the <tt class="filename">User.DAT</tt> file that must be renamed to
+<tt class="filename">User.MAN</tt> to effect a mandatory profile. </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956917"></a>Creating and Managing Group Profiles</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956929"></a>
+Most organizations are arranged into departments. There is a nice benefit in this fact since usually
+most users in a department require the same desktop applications and the same desktop layout. MS
+Windows NT4/200x/XP will allow the use of Group Profiles. A Group Profile is a profile that is created
+first using a template (example) user. Then using the profile migration tool (see above), the profile is
+assigned access rights for the user group that needs to be given access to the group profile. </p><p> The next step is rather important. Instead of assigning a group profile to users (Using User Manager)
+on a “<span class="quote">per user</span>” basis, the group itself is assigned the now modified profile. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Be careful with Group Profiles. If the user who is a member of a group also has a personal
+profile, then the result will be a fusion (merge) of the two. </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956970"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956982"></a>
+MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile
+does not already exist. Armed with a knowledge of where the default profile is located on the Windows
+workstation, and knowing which registry keys effect the path from which the default profile is created,
+it is possible to modify the default profile to one that has been optimized for the site. This has
+significant administrative advantages. </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956999"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p> To enable default per use profiles in Windows 9x/ME, you can either use the <span class="application">Windows
+98 System Policy Editor</span> or change the registry directly. </p><p> To enable default per user profiles in Windows 9x/ME, launch the <span class="application">System Policy
+Editor</span>, then select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>,
+next click on the <span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
+select <span class="guilabel">User Profiles</span>, and click on the enable box. Remember to save the registry
+changes. </p><p> To modify the registry directly, launch the <span class="application">Registry Editor</span>
+(<b class="command">regedit.exe</b>) and select the hive <tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now
+add a DWORD type key with the name “<span class="quote">User Profiles,</span>” to
+enable user profiles to set the value
+to 1; to disable user profiles set it to 0. </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2957101"></a>User Profile Handling with Windows 9x/Me</h4></div></div><div></div></div><p> When a user logs on to a Windows 9x/Me machine, the local profile path,
+<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
+for an existing entry for that user. </p><p> If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached
+version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified
+directory if the location has been modified) on the server for the User Profile. If a profile exists
+in both locations, the newer of the two is used. If the User Profile exists on the server, but does not
+exist on the local machine, the profile on the server is downloaded and used. If the User Profile only
+exists on the local machine, that copy is used. </p><p> If a User Profile is not found in either location, the Default User Profile from the Windows
+9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any
+changes that the user made are written to the user's local profile. If the user has a roaming profile,
+the changes are written to the user's profile on the server. </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957150"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p> On MS Windows NT4, the default user profile is obtained from the location
+<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
+<tt class="filename">C:\Windows NT\Profiles</tt>. Under this directory on a clean install there will be three
+(3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All
+Users,</tt> and <tt class="filename">Default
+User</tt>. </p><p> The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
+system users. The <tt class="filename">Default User</tt> directory contains menu entries that are customizable
+per user depending on the profile settings chosen/created. </p><p> When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: </p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings.</p></li><li><p>Default User settings (contains the default <tt class="filename">NTUser.DAT</tt> file).</p></li></ul></div><p> When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain,
+ the following steps are followed in respect of profile handling:
+
+<a class="indexterm" name="id2957258"></a>
+</p><div class="procedure"><ol type="1"><li><p> The users' account information that is obtained during the logon process
+ contains the location of the users' desktop profile. The profile path may be local to
+ the machine or it may be located on a network share. If there exists a profile at the
+ location of the path from the user account, then this profile is copied to the location
+ <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the settings
+ in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
+ location. </p></li><li><p> If the user account has a profile path, but at its location a profile does not
+ exist, then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
+ directory from reading the <tt class="filename">Default User</tt> profile. </p></li><li><p> If the NETLOGON share on the authenticating server (logon server) contains
+ a policy file (<tt class="filename">NTConfig.POL</tt>), then its contents are applied to the
+ <tt class="filename">NTUser.DAT</tt> which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt>
+ part of the registry.
+ </p></li><li><p> When the user logs out, if the profile is set to be a roaming profile it will be
+ written out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
+ recreated from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents. Thus,
+ should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the next
+ logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held in the
+ profile. The effect of this is known as tattooing.
+ </p></li></ol></div><p> MS Windows NT4 profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>. A local
+profile will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming
+profile will also remain stored in the same way, unless the following registry key is created as shown: </p><pre class="screen"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+winlogon\"DeleteRoamingCache"=dword:0000000
+ </pre><p>
+In this case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be deleted
+on logout.</p><p> Under MS Windows NT4, default locations for common resources like <tt class="filename">My Documents</tt>
+may be redirected to a network share by modifying the following registry keys. These changes may be
+affected via use of the System Policy Editor. To do so may require that you create your own template
+extension for the policy editor to allow this to be done through the GUI. Another way to do this is by
+way of first creating a default user profile, then while logged in as that user, run <b class="command">regedt32</b> to edit
+the key settings. </p><p>
+The Registry Hive key that affects the behavior of folders that are part of the default user
+profile are controlled by entries on Windows NT4 is:
+</p><pre class="screen">
+HKEY_CURRENT_USER
+ \Software
+ \Microsoft
+ \Windows
+ \CurrentVersion
+ \Explorer
+ \User Shell Folders
+</pre><p>
+<a class="indexterm" name="id2957503"></a>
+</p><p> The above hive key contains a list of automatically managed folders. The default entries are shown in <link linkend="ProfileLocs">. </p><div class="table"><a name="ProfileLocs"></a><p class="title"><b>Table 24.1. User Shell Folder Registry Keys Default Values</b></p><table summary="User Shell Folder Registry Keys Default Values" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu </td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> The registry key that contains the location of the default profile settings is: </p><p> <tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders</tt> </p><p> The default entries are shown in <link linkend="regkeys">.</p><div class="table"><a name="regkeys"></a><p class="title"><b>Table 24.2. Defaults of Profile Settings Registry Keys</b></p><table summary="Defaults of Profile Settings Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><tbody><tr><td align="left">Common Desktop</td><td align="left">%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td align="left">Common Programs</td><td align="left">%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td align="left">Common Start Menu</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td align="left">Common Startup</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957772"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2957786"></a>
+MS Windows XP Home Edition does use default per user profiles, but cannot participate
+in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only
+from itself. While there are benefits in doing this, the beauty of those MS Windows clients that
+can participate in domain logon processes allows the administrator to create a global default
+profile and enforce it through the use of Group Policy Objects (GPOs).
+</p></div><p> When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
+<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify or change the
+contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement
+since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. </p><p> When MS Windows 200x/XP participates in a domain security context, and if the default user profile is
+ not found, then the client will search for a default profile in the NETLOGON share of the authenticating
+ server. In MS Windows parlance,<tt class="filename">%LOGONSERVER%\NETLOGON\Default User,</tt> and if one
+exists there it will copy this to the workstation to the <tt class="filename">C:\Documents and Settings\</tt>
+under the Windows login name of the user. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt>
+<i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory should be created at the root
+of this share and must be called <tt class="filename">Default Profile</tt>. </p></div><p> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
+default profile. </p><p> On logging out, the users' desktop profile will be stored to the location specified in the registry
+settings that pertain to the user. If no specific policies have been created or passed to the client
+during the login process (as Samba does automatically), then the user's profile will be written to the
+local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>. </p><p> Those wishing to modify the default behavior can do so through these three methods: </p><div class="itemizedlist"><ul type="disc"><li><p> Modify the registry keys on the local machine manually and place the new
+ default profile in the NETLOGON share root. This is not recommended as it is maintenance intensive.
+ </p></li><li><p> Create an NT4-style NTConfig.POL file that specified this behavior and locate
+ this file in the root of the NETLOGON share along with the new default profile. </p></li><li><p> Create a GPO that enforces this through Active Directory, and place the new
+ default profile in the NETLOGON share. </p></li></ul></div><p>The registry hive key that effects the behavior of folders that are part of the default user
+profile are controlled by entries on Windows 200x/XP is: </p><p> <tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
+Folders\</tt> </p><p>
+The above hive key contains a list of automatically managed folders. The default entries are shown
+in <link linkend="defregpthkeys">
+<a class="indexterm" name="id2957980"></a>
+</p><div class="table"><a name="defregpthkeys"></a><p class="title"><b>Table 24.3. Defaults of Default User Profile Paths Registry Keys</b></p><table summary="Defaults of Default User Profile Paths Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Cache</td><td align="left">%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td align="left">Cookies</td><td align="left">%USERPROFILE%\Cookies</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">History</td><td align="left">%USERPROFILE%\Local Settings\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td align="left">Local Settings</td><td align="left">%USERPROFILE%\Local Settings</td></tr><tr><td align="left">My Pictures</td><td align="left">%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">Personal</td><td align="left">%USERPROFILE%\My Documents</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu</td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td align="left">Templates</td><td align="left">%USERPROFILE%\Templates</td></tr></tbody></table></div><p> There is also an entry called “<span class="quote">Default</span>” that has no value set. The default entry is
+of type <tt class="constant">REG_SZ</tt>, all the others are of type <tt class="constant">REG_EXPAND_SZ</tt>. </p><p> It makes a huge difference to the speed of handling roaming user profiles if all the folders are
+stored on a dedicated location on a network server. This means that it will not be necessary to write
+the Outlook PST file over the network for every login and logout. </p><p> To set this to a network location, you could use the following examples: </p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p> This would store the folders in the user's home directory under a directory called <tt class="filename">Default
+Folders</tt>. You could also use: </p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
+in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
+in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the
+MS Windows user as seen by the Linux/UNIX file system. </p><p> Please note that once you have created a default profile share, you MUST migrate a user's profile
+(default or custom) to it. </p><p> MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
+ A roaming profile will be cached locally unless the following registry key is created:
+
+<a class="indexterm" name="id2958308"></a>
+</p><p> </p><pre class="programlisting"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+ winlogon\"DeleteRoamingCache"=dword:00000001</pre><p>
+In this case, the local cache copy will be deleted on logout.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958338"></a>Common Errors</h2></div></div><div></div></div><p>
+The following are some typical errors, problems and questions that have been asked on the Samba mailing lists.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958351"></a>Configuring Roaming Profiles for a Few Users or Groups</h3></div></div><div></div></div><p>
+With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a
+global only setting. The default is to have roaming profiles and the default path will locate them in
+the user's home directory.
+</p><p>
+If disabled globally, then no one will have roaming profile ability. If enabled and you want it
+to apply only to certain machines, then on those machines on which roaming profile support is not wanted
+it is then necessary to disable roaming profile handling in the registry of each such machine.
+</p><p>
+With Samba-3, you can have a global profile setting in <tt class="filename">smb.conf</tt> and you can override this by
+per-user settings using the Domain User Manager (as with MS Windows NT4/ Win 200xx). </p><p> In any case, you can configure only one profile per user. That profile can be either: </p><div class="itemizedlist"><ul type="disc"><li>A profile unique to that user.</li><li>A mandatory profile (one the user cannot change).</li><li>A group profile (really should be mandatory, that is unchangable).</li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958416"></a>Cannot Use Roaming Profiles</h3></div></div><div></div></div><p> A user requested the following: “<span class="quote"> I do not want Roaming profiles to be implemented. I want
+to give users a local profile alone. Please help me, I am totally lost with this error. For the past
+two days I tried everything, I googled around but found no useful pointers. Please help me. </span>”</p><p> The choices are: </p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p> I know of no registry keys that will allow
+ auto-deletion of LOCAL profiles on log out.</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p> As a user logs onto the network, a centrally
+ stored profile is copied to the workstation to form a local profile. This local profile
+ will persist (remain on the workstation disk) unless a registry key is changed that will
+ cause this profile to be automatically deleted on logout. </p></dd></dl></div><p>The roaming profile choices are: </p><div class="variablelist"><dl><dt><span class="term">Personal roaming profiles</span></dt><dd><p> These are typically stored in
+ a profile share on a central (or conveniently located local) server. </p><p> Workstations cache (store) a local copy of the profile. This cached
+ copy is used when the profile cannot be downloaded at next logon. </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile
+ server.</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> Mandatory profiles can be created for
+ a user as well as for any group that a user is a member of. Mandatory profiles cannot be
+ changed by ordinary users. Only the administrator can change or reconfigure a mandatory
+ profile. </p></dd></dl></div><p> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are
+most often part of the profile and can be many GB in size. On average (in a well controlled environment),
+roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined
+environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a
+workstation but they harvest the fruits of folly (and ignorance). </p><p> The point of all the above is to show that roaming profiles and good controls of how they can be
+changed as well as good discipline make up for a problem-free site. </p><p> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This
+removes the need for a PST file. </p><p>Local profiles mean: </p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used by many users, then much local disk storage is needed
+ for local profiles.</p></li><li><p>Every workstation the user logs into has
+ its own profile; these can be very different from machine to machine.</p></li></ul></div><p> On the other hand, use of roaming profiles means: </p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drastically reduces network management overheads.</p></li><li><p>In the long run, users will experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958626"></a>Changing the Default Profile</h3></div></div><div></div></div><p>“<span class="quote">When the client logs onto the Domain Controller, it searches
+for a profile to download. Where do I put this default profile?</span>”</p><p>
+<a class="indexterm" name="id2958644"></a>
+First, the Samba server needs to be configured as a Domain Controller. This can be done by
+setting in <tt class="filename">smb.conf</tt>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 32 (or more)</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr></table><p> There must be a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable. It is
+a good idea to add a logon script to pre-set printer and drive connections. There is also a facility
+for automatically synchronizing the workstation time clock with that of the logon server (another good
+thing to do). </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> To invoke auto-deletion of roaming profile from the local workstation cache (disk storage), use
+the <span class="application">Group Policy Editor</span> to create a file called <tt class="filename">NTConfig.POL</tt>
+with the appropriate entries. This file needs to be located in the <i class="parameter"><tt>netlogon</tt></i>
+share root directory.</p></div><p> Windows clients need to be members of the domain. Workgroup machines do not use network logons
+so they do not interoperate with domain profiles. </p><p> For roaming profiles, add to <tt class="filename">smb.conf</tt>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%U</tt></i></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM-Based Distributed Authentication</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id2967624">Features and Benefits</a></dt><dt><a href="SWAT.html#id2967718">Guidelines and Technical Tips</a></dt><dd><dl><dt><a href="SWAT.html#id2967733">Validate SWAT Installation</a></dt><dt><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt><a href="SWAT.html#id2968330">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id2968458">Enabling SWAT Internationalization Support</a></dt></dl></dd><dt><a href="SWAT.html#id2968628">Overview and Quick Tour</a></dt><dd><dl><dt><a href="SWAT.html#id2968644">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id2968718">Global Settings</a></dt><dt><a href="SWAT.html#id2968838">Share Settings</a></dt><dt><a href="SWAT.html#id2968902">Printers Settings</a></dt><dt><a href="SWAT.html#id2968967">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id2969040">The Status Page</a></dt><dt><a href="SWAT.html#id2969092">The View Page</a></dt><dt><a href="SWAT.html#id2969115">The Password Change Page</a></dt></dl></dd></dl></div><p>
+There are many and varied opinions regarding the usefulness of SWAT.
+No matter how hard one tries to produce the perfect configuration tool, it remains
+an object of personal taste. SWAT is a tool that will allow Web-based configuration
+of Samba. It has a wizard that may help to get Samba configured
+quickly, it has context-sensitive help on each <tt class="filename">smb.conf</tt> parameter, it provides for monitoring of current state
+of connection information, and it allows network-wide MS Windows network password
+management.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2967624"></a>Features and Benefits</h2></div></div><div></div></div><p>
+SWAT is a facility that is part of the Samba suite. The main executable is called
+<b class="command">swat</b> and is invoked by the inter-networking super daemon.
+See <link linkend="xinetd"> for details.
+</p><p>
+SWAT uses integral samba components to locate parameters supported by the particular
+version of Samba. Unlike tools and utilities that are external to Samba, SWAT is always
+up to date as known Samba parameters change. SWAT provides context-sensitive help for each
+configuration parameter, directly from <b class="command">man</b> page entries.
+</p><p>
+There are network administrators who believe that it is a good idea to write systems
+documentation inside configuration files, and for them SWAT will aways be a nasty tool. SWAT
+does not store the configuration file in any intermediate form, rather, it stores only the
+parameter settings, so when SWAT writes the <tt class="filename">smb.conf</tt> file to disk, it will write only
+those parameters that are at other than the default settings. The result is that all comments,
+as well as parameters that are no longer supported, will be lost from the <tt class="filename">smb.conf</tt> file.
+Additionally, the parameters will be written back in internal ordering.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Before using SWAT, please be warned SWAT will completely replace your <tt class="filename">smb.conf</tt> with
+a fully-optimized file that has been stripped of all comments you might have placed there
+and only non-default settings will be written to the file.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2967718"></a>Guidelines and Technical Tips</h2></div></div><div></div></div><p>
+This section aims to unlock the dark secrets behind how SWAT may be made to work,
+may be made more secure, and how to solve Internationalization support problems.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2967733"></a>Validate SWAT Installation</h3></div></div><div></div></div><p>
+The very first step that should be taken before attempting to configure a host
+system for SWAT operation is to check that it is installed. This may seem a trivial
+point to some, however several Linux distributions do not install SWAT by default,
+even though they do ship an installable binary support package containing SWAT
+on the distribution media.
+</p><p>
+When you have configrmed that SWAT is installed it is necessary to validate
+that the installation includes the binary <b class="command">swat</b> file as well
+as all the supporting text and Web files. A number of operating system distributions
+in the past have failed to include the necessary support files, evne though the
+<b class="command">swat</b> binary executable file was installed.
+</p><p>
+Finally, when you are sure that SWAT has been fully installed, please check the SWAT
+has been enebled in the control file for the internetworking super-daemon (inetd or xinetd)
+that is used on your operating system platform.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2967782"></a>Locating the <b class="command">swat</b> File</h4></div></div><div></div></div><p>
+To validate that SWAT is installed, first locate the <b class="command">swat</b> binary
+file on the system. It may be found under the following directories:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/usr/local/samba/bin</tt> the default Samba location.</td></tr><tr><td><tt class="filename">/usr/sbin</tt> the default location on most Linux systems.</td></tr><tr><td><tt class="filename">/opt/samba/bin</tt></td></tr></table><p>
+</p><p>
+The actual location is much dependant on the choice of the operating system vendor, or as determined
+by the administrator who compiled and installed Samba.
+</p><p>
+There are a number methods that may be used to locate the <b class="command">swat</b> binary file.
+The following methods may be helpful:
+</p><p>
+If <b class="command">swat</b> is in your current operating system search path it will be easy to
+find it. You can ask what are the command-line options for <b class="command">swat</b> as shown here:
+</p><pre class="screen">
+frodo:~ # swat -?
+Usage: swat [OPTION...]
+ -a, --disable-authentication Disable authentication (demo mode)
+
+Help options:
+ -?, --help Show this help message
+ --usage Display brief usage message
+
+Common samba options:
+ -d, --debuglevel=DEBUGLEVEL Set debug level
+ -s, --configfile=CONFIGFILE Use alternative configuration file
+ -l, --log-basename=LOGFILEBASE Basename for log/debug files
+ -V, --version Print version
+</pre><p>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2967911"></a>Locating the SWAT Support Files</h4></div></div><div></div></div><p>
+Now that you have found that <b class="command">swat</b> is in the search path, it is easy
+to identify where the file is located. Here is another simple way this may be done:
+</p><pre class="screen">
+frodo:~ # whereis swat
+swat: /usr/sbin/swat /usr/share/man/man8/swat.8.gz
+</pre><p>
+</p><p>
+If the above measures fail to locate the <b class="command">swat</b> binary, another approach
+is needed. The following may be used:
+</p><pre class="screen">
+frodo:/ # find / -name swat -print
+/etc/xinetd.d/swat
+/usr/sbin/swat
+/usr/share/samba/swat
+frodo:/ #
+</pre><p>
+</p><p>
+This list shows that there is a control file for <b class="command">xinetd</b>, the internetwork
+super-daemon that is installed on this server. The location of the SWAT binary file is
+<tt class="filename">/usr/sbin/swat</tt>, and the support files for it are located under the
+directory <tt class="filename">/usr/share/samba/swat</tt>.
+</p><p>
+We must now check where <b class="command">swat</b> expects to find its support files. This can
+be done as follows:
+</p><pre class="screen">
+frodo:/ # strings /usr/sbin/swat | grep "/swat"
+/swat/
+...
+/usr/share/samba/swat
+frodo:/ #
+</pre><p>
+</p><p>
+The <tt class="filename">/usr/share/samba/swat/</tt> entry shown in this listing is the location of the
+support files. You should verify that the support files exist under this directory. A sample
+list is as shown:
+</p><pre class="screen">
+jht@frodo:/> find /usr/share/samba/swat -print
+/usr/share/samba/swat
+/usr/share/samba/swat/help
+/usr/share/samba/swat/lang
+/usr/share/samba/swat/lang/ja
+/usr/share/samba/swat/lang/ja/help
+/usr/share/samba/swat/lang/ja/help/welcome.html
+/usr/share/samba/swat/lang/ja/images
+/usr/share/samba/swat/lang/ja/images/home.gif
+...
+/usr/share/samba/swat/lang/ja/include
+/usr/share/samba/swat/lang/ja/include/header.nocss.html
+...
+/usr/share/samba/swat/lang/tr
+/usr/share/samba/swat/lang/tr/help
+/usr/share/samba/swat/lang/tr/help/welcome.html
+/usr/share/samba/swat/lang/tr/images
+/usr/share/samba/swat/lang/tr/images/home.gif
+...
+/usr/share/samba/swat/lang/tr/include
+/usr/share/samba/swat/lang/tr/include/header.html
+/usr/share/samba/swat/using_samba
+...
+/usr/share/samba/swat/images
+/usr/share/samba/swat/images/home.gif
+...
+/usr/share/samba/swat/include
+/usr/share/samba/swat/include/footer.html
+/usr/share/samba/swat/include/header.html
+jht@frodo:/>
+</pre><p>
+</p><p>
+If the files needed are not available it will be necessary to obtain and install them
+before SWAT can be used.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="xinetd"></a>Enabling SWAT for Use</h3></div></div><div></div></div><p>
+SWAT should be installed to run via the network super-daemon. Depending on which system
+your UNIX/Linux system has, you will have either an <b class="command">inetd</b>- or
+<b class="command">xinetd</b>-based system.
+</p><p>
+The nature and location of the network super-daemon varies with the operating system
+implementation. The control file (or files) can be located in the file
+<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet[d].d</tt>
+or similar.
+</p><p>
+The control entry for the older style file might be:
+<a class="indexterm" name="id2968135"></a>
+</p><pre class="programlisting">
+ # swat is the Samba Web Administration Tool
+ swat stream tcp nowait.400 root /usr/sbin/swat swat
+</pre><p>
+A control file for the newer style xinetd could be:
+</p><p>
+</p><pre class="programlisting">
+# default: off
+# description: SWAT is the Samba Web Admin Tool. Use swat \
+# to configure your Samba server. To use SWAT, \
+# connect to port 901 with your favorite web browser.
+service swat
+{
+ port = 901
+ socket_type = stream
+ wait = no
+ only_from = localhost
+ user = root
+ server = /usr/sbin/swat
+ log_on_failure += USERID
+ disable = yes
+}
+</pre><p>
+
+</p><p>
+Both of the above examples assume that the <b class="command">swat</b> binary has been
+located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above,
+SWAT will use a directory access point from which it will load its Help files
+as well as other control information. The default location for this on most Linux
+systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
+location using Samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
+</p><p>
+Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user,
+the only permission allowed is to view certain aspects of configuration as well as
+access to the password change facility. The buttons that will be exposed to the non-root
+user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
+<span class="guibutton">PASSWORD</span>. The only page that allows
+change capability in this case is <span class="guibutton">PASSWORD</span>.
+</p><p>
+As long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span>, you should obtain
+full change and commit ability. The buttons that will be exposed include:
+<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
+<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968330"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2968341"></a>
+Many people have asked about how to setup SWAT with SSL to allow for secure remote
+administration of Samba. Here is a method that works, courtesy of Markus Krieger.
+</p><p>
+Modifications to the SWAT setup are as follows:
+</p><div class="procedure"><ol type="1"><li><p>
+ Install OpenSSL.
+ </p></li><li><p>
+ Generate certificate and private key.
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
+ /usr/share/doc/packages/stunnel/stunnel.cnf \
+ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
+</pre></li><li><p>
+ Remove swat-entry from [x]inetd.
+ </p></li><li><p>
+ Start <b class="command">stunnel</b>.
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
+ -l /usr/local/samba/bin/swat swat </tt></b>
+</pre></li></ol></div><p>
+Afterward, simply connect to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
+and the SSL connection is up.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968458"></a>Enabling SWAT Internationalization Support</h3></div></div><div></div></div><p>
+SWAT can be configured to display its messages to match the settings of
+the language configurations of your Web browser. It will be passed to SWAT
+in the Accept-Language header of the HTTP request.
+</p><p>
+
+</p><p>
+To enable this feature:
+</p><p>
+
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Install the proper <b class="command">msg</b> files from the Samba
+ <tt class="filename">source/po</tt> directory into $LIBDIR.
+ </p></li><li><p>
+ Set the correct locale value for <a class="indexterm" name="id2968509"></a><i class="parameter"><tt>display charset</tt></i>.
+ </p></li><li><p>
+ Set your browser's language setting.
+ </p></li></ul></div><p>
+
+</p><p>
+The name of msg file is same as the language ID sent by the browser. For
+example en means "English", ja means "Japanese", fr means "French.
+</p><p>
+
+</p><p>
+If you do not like some of messages, or there are no <b class="command">msg</b> files for
+your locale, you can create them simply by copying the <b class="command">en.msg</b> files
+to the dirertory for “<span class="quote">your language ID.msg</span>” and filling in proper strings
+to each “<span class="quote">msgstr</span>”. For example, in <tt class="filename">it.msg</tt>, the
+<b class="command">msg</b> file for the Italian locale, just set:
+</p><pre class="screen">
+msgid "Set Default"
+msgstr "Imposta Default"
+</pre><p>
+and so on. If you find a mistake or create a new <b class="command">msg</b> file, please email it
+to us so we will include this in the next release of Samba.
+</p><p>
+
+</p><p>
+Note that if you enable this feature and the <a class="indexterm" name="id2968601"></a><i class="parameter"><tt>display charset</tt></i> is not
+matched to your browser's setting, the SWAT display may be corrupted. In a future version of
+Samba, SWAT will always display messages with UTF-8 encoding. You will then not need to set
+this <tt class="filename">smb.conf</tt> file parameter.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2968628"></a>Overview and Quick Tour</h2></div></div><div></div></div><p>
+SWAT is a tools that many be used to configure Samba, or just to obtain useful links
+to important reference materials such as the contents of this book, as well as other
+documents that have been found useful for solving Windows networking problems.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968644"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
+The SWAT title page provides access to the latest Samba documentation. The manual page for
+each Samba component is accessible from this page, as are the Samba HOWTO-Collection (this
+document) as well as the O'Reilly book “<span class="quote">Using Samba.</span>”
+</p><p>
+Administrators who wish to validate their Samba configuration may obtain useful information
+from the man pages for the diagnostic utilities. These are available from the SWAT home page
+also. One diagnostic tool that is not mentioned on this page, but that is particularly
+useful is <ulink url="http://www.ethereal.com/">ethereal.</ulink>
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is not recommended
+as it runs SWAT without authentication and with full administrative ability. Allows
+changes to <tt class="filename">smb.conf</tt> as well as general operation with root privileges. The option that
+creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in a
+production environment.</em></span>
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968718"></a>Global Settings</h3></div></div><div></div></div><p>
+The <span class="guibutton">GLOBALS</span> button will expose a page that allows configuration of the global parameters
+in <tt class="filename">smb.conf</tt>. There are two levels of exposure of the parameters:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ <span class="guibutton">Basic</span> exposes common configuration options.
+ </p></li><li><p>
+ <span class="guibutton">Advanced</span> exposes configuration options needed in more
+ complex environments.
+ </p></li></ul></div><p>
+To switch to other than <span class="guibutton">Basic</span> editing ability, click on <span class="guibutton">Advanced</span>.
+You may also do this by clicking on the radio button, then click on the <span class="guibutton">Commit Changes</span> button.
+</p><p>
+After making any changes to configuration parameters, make sure that
+you click on the
+<span class="guibutton">Commit Changes</span> button before moving to another area, otherwise
+your changes will be lost.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+SWAT has context-sensitive help. To find out what each parameter is
+for, simply click on the
+<span class="guibutton">Help</span> link to the left of the configuration parameter.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968838"></a>Share Settings</h3></div></div><div></div></div><p>
+To effect a currently configured share, simply click on the pull down button between the
+<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
+select the share you wish to operate on, then to edit the settings
+click on the
+<span class="guibutton">Choose Share</span> button. To delete the share, simply press the
+<span class="guibutton">Delete Share</span> button.
+</p><p>
+To create a new share, next to the button labeled <span class="guibutton">Create Share</span> enter
+into the text field the name of the share to be created, then click on the
+<span class="guibutton">Create Share</span> button.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968902"></a>Printers Settings</h3></div></div><div></div></div><p>
+To affect a currently configured printer, simply click on the pull down button between the
+<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
+select the printer you wish to operate on, then to edit the settings
+click on the
+<span class="guibutton">Choose Printer</span> button. To delete the share, simply press the
+<span class="guibutton">Delete Printer</span> button.
+</p><p>
+To create a new printer, next to the button labeled <span class="guibutton">Create Printer</span> enter
+into the text field the name of the share to be created, then click on the
+<span class="guibutton">Create Printer</span> button.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2968967"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
+The purpose if the SWAT Wizard is to help the Microsoft-knowledgeable network administrator
+to configure Samba with a minimum of effort.
+</p><p>
+The Wizard page provides a tool for rewriting the <tt class="filename">smb.conf</tt> file in fully optimized format.
+This will also happen if you press the <span class="guibutton">Commit</span> button. The two differ
+since the <span class="guibutton">Rewrite</span> button ignores any changes that may have been made,
+while the <span class="guibutton">Commit</span> button causes all changes to be affected.
+</p><p>
+The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
+options that may be necessary to create a working Samba server.
+</p><p>
+Finally, there are a limited set of options that will determine what type of server Samba
+will be configured for, whether it will be a WINS server, participate as a WINS client, or
+operate with no WINS support. By clicking one button, you can elect to expose (or not) user
+home directories.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2969040"></a>The Status Page</h3></div></div><div></div></div><p>
+The status page serves a limited purpose. First, it allows control of the Samba daemons.
+The key daemons that create the Samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
+</p><p>
+The daemons may be controlled individually or as a total group. Additionally, you may set
+an automatic screen refresh timing. As MS Windows clients interact with Samba, new smbd processes
+will be continually spawned. The auto-refresh facility will allow you to track the changing
+conditions with minimal effort.
+</p><p>
+Lastly, the Status page may be used to terminate specific smbd client connections in order to
+free files that may be locked.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2969092"></a>The View Page</h3></div></div><div></div></div><p>
+This page allows the administrator to view the optimized <tt class="filename">smb.conf</tt> file and, if you are
+particularly masochistic, will permit you also to see all possible global configuration
+parameters and their settings.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2969115"></a>The Password Change Page</h3></div></div><div></div></div><p>
+The Password Change page is a popular tool that allows the creation, deletion, deactivation,
+and reactivation of MS Windows networking users on the local machine. Alternately, you can use
+this tool to change a local password for a user account.
+</p><p>
+When logged in as a non-root account, the user will have to provide the old password as well as
+the new password (twice). When logged in as <span class="emphasis"><em>root</em></span>, only the new password is
+required.
+</p><p>
+One popular use for this tool is to change user passwords across a range of remote MS Windows
+servers.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id2963987">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963987"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. Samba Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2885999">Features and Benefits</a></dt><dt><a href="ServerType.html#id2886097">Server Types</a></dt><dt><a href="ServerType.html#id2886186">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2886291">User Level Security</a></dt><dt><a href="ServerType.html#id2886413">Share Level Security</a></dt><dt><a href="ServerType.html#id2886525">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886821">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886928">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2887204">Password Checking</a></dt><dt><a href="ServerType.html#id2887400">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2887429">What Makes Samba a Server?</a></dt><dt><a href="ServerType.html#id2887468">What Makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2887504">What Makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2887542">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
+This chapter provides information regarding the types of server that Samba may be
+configured to be. A Microsoft network administrator who wishes to migrate to or
+use Samba will want to know the meaning, within a Samba context, of terms familiar to MS Windows
+administrator. This means that it is essential also to define how critical security
+modes function before we get into the details of how to configure the server itself.
+</p><p>
+The chapter provides an overview of the security modes of which Samba is capable
+and how they relate to MS Windows servers and clients.
+</p><p>
+A question often asked is, “<span class="quote">Why would I want to use Samba?</span>” Most chapters contain a section
+that highlights features and benefits. We hope that the information provided will help to
+answer this question. Be warned though, we want to be fair and reasonable, so not all
+features are positive towards Samba. The benefit may be on the side of our competition.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885999"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
+hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
+and fury befitting his anguish. The other looked at the stone and said, “<span class="quote">This is a garnet.
+I can turn that into a precious gem and some day it will make a princess very happy!</span>”
+</p><p>
+The moral of this tale: Two men, two very different perspectives regarding the same stone.
+Like it or not, Samba is like that stone. Treat it the right way and it can bring great
+pleasure, but if you are forced to use it and have no time for its secrets, then it can be
+a source of discomfort.
+</p><p>
+Samba started out as a project that sought to provide interoperability for MS Windows 3.x
+clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides
+features and functionality fit for large scale deployment. It also has some warts. In sections
+like this one we tell of both.
+</p><p>
+So, what are the benefits of features mentioned in this chapter?
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Samba-3 can replace an MS Windows NT4 Domain Controller.
+ </p></li><li><p>
+ Samba-3 offers excellent interoperability with MS Windows NT4-style
+ domains as well as natively with Microsoft Active Directory domains.
+ </p></li><li><p>
+ Samba-3 permits full NT4-style Interdomain Trusts.
+ </p></li><li><p>
+ Samba has security modes that permit more flexible
+ authentication than is possible with MS Windows NT4 Domain Controllers.
+ </p></li><li><p>
+ Samba-3 permits use of multiple account database backends.
+ </p></li><li><p>
+ The account (password) database backends can be distributed
+ and replicated using multiple methods. This gives Samba-3
+ greater flexibility than MS Windows NT4 and in many cases a
+ significantly higher utility than Active Directory domains
+ with MS Windows 200x.
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886097"></a>Server Types</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2886109"></a>
+Administrators of Microsoft networks often refer to three
+different type of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><div class="itemizedlist"><ul type="circle"><li>Primary Domain Controller</li><li>Backup Domain Controller</li><li>ADS Domain Controller</li></ul></div></li><li><p>Domain Member Server</p><div class="itemizedlist"><ul type="circle"><li>Active Directory Domain Server</li><li>NT4 Style Domain Domain Server</li></ul></div></li><li><p>Stand-alone Server</p></li></ul></div><p>
+The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
+pertinent information regarding Samba configuration for each of these server roles.
+The reader is strongly encouraged to become intimately familiar with the information
+presented.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886186"></a>Samba Security Modes</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2886196"></a>
+<a class="indexterm" name="id2886205"></a>
+In this section the function and purpose of Samba's security
+modes are described. An accurate understanding of how Samba implements each security
+mode as well as how to configure MS Windows clients for each mode will significantly
+reduce user complaints and administrator heartache.
+</p><p>
+In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>User Level</em></span>
+and <span class="emphasis"><em>Share Level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>.
+In implementing these two security levels, Samba provides flexibilities
+that are not available with Microsoft Windows NT4/200x servers. In actual fact, Samba implements
+<span class="emphasis"><em>Share Level</em></span> security only one way, but has four ways of implementing
+<span class="emphasis"><em>User Level</em></span> security. Collectively, we call the Samba implementations
+<span class="emphasis"><em>Security Modes</em></span>. They are known as: <span class="emphasis"><em>SHARE</em></span>, <span class="emphasis"><em>USER</em></span>,
+<span class="emphasis"><em>DOMAIN</em></span>, <span class="emphasis"><em>ADS</em></span>, and <span class="emphasis"><em>SERVER</em></span> modes.
+They are documented in this chapter.
+</p><p>
+An SMB server tells the client at startup what security level it is running. There are two options:
+Share Level and User Level. Which of these two the client receives affects the way the client then
+tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba
+server does security. This may sound strange, but it fits in with the client/server approach of SMB.
+In SMB everything is initiated and controlled by the client, and the server can only tell the client
+what is available and whether an action is allowed.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886291"></a>User Level Security</h3></div></div><div></div></div><p>
+We will describe User Level Security first, as its simpler.
+In User Level Security, the client will send a
+session setup request directly following protocol negotiation.
+This request provides a username and password. The server can either accept or reject that
+username/password combination. At this stage the server has no idea what
+share the client will eventually try to connect to, so it can't base the
+<span class="emphasis"><em>accept/reject</em></span> on anything other than:
+</p><div class="orderedlist"><ol type="1"><li><p>the username/password.</p></li><li><p>the name of the client machine.</p></li></ol></div><p>
+If the server accepts the username/password then the client expects to be able to
+mount shares (using a <span class="emphasis"><em>tree connection</em></span>) without specifying a
+password. It expects that all access rights will be as the username/password
+specified in the <span class="emphasis"><em>session setup</em></span>.
+</p><p>
+It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span>
+requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
+as an authentication tag for that username/password. The client can maintain multiple
+authentication contexts in this way (WinDD is an example of an application that does this).
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886371"></a>Example Configuration</h4></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter that sets user level security is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr></table><p>
+This is the default setting since Samba-2.2.x.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886413"></a>Share Level Security</h3></div></div><div></div></div><p>
+In Share Level security, the client authenticates
+itself separately for each share. It sends a password along with each
+tree connection (share mount). It does not explicitly send a
+username with this operation. The client expects a password to be associated
+with each share, independent of the user. This means that Samba has to work out what
+username the client probably wants to use. It is never explicitly sent the username.
+Some commercial SMB servers such as NT actually associate passwords directly with
+shares in Share Level security, but Samba always uses the UNIX authentication scheme
+where it is a username/password pair that is authenticated, not a share/password pair.
+</p><p>
+To understand the MS Windows networking parallels, one should think
+in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
+or full access, with or without a password.
+</p><p>
+Many clients send a session setup even if the server is in Share Level security. They
+normally send a valid username but no password. Samba records this username in a list
+of possible usernames. When the client then does a tree connection it also adds to this list the name
+of the share they try to connect to (useful for home directories) and any users
+listed in the <a class="indexterm" name="id2886456"></a><i class="parameter"><tt>user</tt></i> parameter in the <tt class="filename">smb.conf</tt> file.
+The password is then checked in turn against these possible usernames. If a match is found
+then the client is authenticated as that user.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886481"></a>Example Configuration</h4></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter that sets Share Level security is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = share</tt></i></td></tr></table><p>
+There are reports that recent MS Windows clients do not like to work
+with share mode security servers. You are strongly discouraged from using Share Level security.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886525"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2886538"></a>
+When Samba is operating in <a class="indexterm" name="id2886546"></a><i class="parameter"><tt>security</tt></i> = domain mode,
+the Samba server has a domain security trust account (a machine account) and causes
+all authentication requests to be passed through to the Domain Controllers.
+In other words, this configuration makes the Samba server a Domain Member server.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886566"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
+Samba as a Domain Member Server
+</em></span></p><p>
+<a class="indexterm" name="id2886583"></a>
+This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = domain</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr></table><p>
+In order for this method to work, the Samba server needs to join the MS Windows NT
+security domain. This is done as follows:
+<a class="indexterm" name="id2886633"></a>
+<a class="indexterm" name="id2886644"></a>
+</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT Domain Controller, using
+ the Server Manager, add a machine account for the Samba server.
+ </p></li><li><p>On the UNIX/Linux system execute:</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>net rpc join -U administrator%password</tt></b></pre></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Samba-2.2.4 and later can auto-join a Windows NT4-style Domain just by executing:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> \
+ -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
+</pre><p>
+
+Samba-3 can do the same by executing:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
+</pre><p>
+It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the
+<i class="replaceable"><tt>PDC_NAME</tt></i> as it figures this out from the <tt class="filename">smb.conf</tt> file settings.
+</p></div><p>
+Use of this mode of authentication does require there to be a standard UNIX account
+for each user in order to assign a UID once the account has been authenticated by
+the remote Windows DC. This account can be blocked to prevent logons by clients other than
+MS Windows through means such as setting an invalid shell in the
+<tt class="filename">/etc/passwd</tt> entry.
+</p><p>
+An alternative to assigning UIDs to Windows users on a Samba member server is
+presented in <link linkend="winbind">.
+</p><p>
+For more information regarding Domain Membership, see <link linkend="domain-member">.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886821"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
+Both Samba-2.2, and Samba-3 can join an Active Directory domain. This is
+possible if the domain is run in native mode. Active Directory in
+native mode perfectly allows NT4-style Domain Members. This is contrary to
+popular belief. Active Directory in native mode prohibits only the use of
+Backup Domain Controllers running MS Windows NT4.
+</p><p>
+If you are using Active Directory, starting with Samba-3 you can
+join as a native AD member. Why would you want to do that?
+Your security policy might prohibit the use of NT-compatible
+authentication protocols. All your machines are running Windows 2000
+and above and all use Kerberos. In this case Samba as an NT4-style
+domain would still require NT-compatible authentication data. Samba in
+AD-member mode can accept Kerberos tickets.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2886851"></a>Example Configuration</h4></div></div><div></div></div><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>realm = your.kerberos.REALM</tt></i></td></tr><tr><td><i class="parameter"><tt>security = ADS</tt></i></td></tr></table><p>
+The following parameter may be required:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = your.kerberos.server</tt></i></td></tr></table><p>
+Please refer to <link linkend="domain-member"> and <link linkend="ads-member">
+for more information regarding this configuration option.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2886928"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
+Server Security Mode is left over from the time when Samba was not capable of acting
+as a Domain Member server. It is highly recommended not to use this feature. Server
+security mode has many drawbacks that include:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Potential Account Lockout on MS Windows NT4/200x password servers.</p></li><li><p>Lack of assurance that the password server is the one specified.</p></li><li><p>Does not work with Winbind, which is particularly needed when storing profiles remotely.</p></li><li><p>This mode may open connections to the password server, and keep them open for extended periods.</p></li><li><p>Security on the Samba server breaks badly when the remote password server suddenly shuts down.</p></li><li><p>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</p></li></ul></div><p>
+In Server Security Mode the Samba server reports to the client that it is in User Level
+security. The client then does a session setup as described earlier.
+The Samba server takes the username/password that the client sends and attempts to login to the
+<a class="indexterm" name="id2886997"></a><i class="parameter"><tt>password server</tt></i> by sending exactly the same username/password that
+it got from the client. If that server is in User Level Security and accepts the password,
+then Samba accepts the client's connection. This allows the Samba server to use another SMB
+server as the <a class="indexterm" name="id2887017"></a><i class="parameter"><tt>password server</tt></i>.
+</p><p>
+You should also note that at the start of all this where the server tells the client
+what security level it is in, it also tells the client if it supports encryption. If it
+does, it supplies the client with a random cryptkey. The client will then send all
+passwords in encrypted form. Samba supports this type of encryption by default.
+</p><p>
+The parameter <a class="indexterm" name="id2887045"></a><i class="parameter"><tt>security</tt></i> = server means that Samba reports to clients that
+it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication
+requests to another <span class="emphasis"><em>user mode</em></span> server. This requires an additional
+parameter <a class="indexterm" name="id2887070"></a><i class="parameter"><tt>password server</tt></i> that points to the real authentication server.
+The real authentication server can be another Samba server, or it can be a Windows NT server,
+the latter being natively capable of encrypted password support.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When Samba is running in <span class="emphasis"><em>Server Security Mode</em></span> it is essential that
+the parameter <span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine
+name of the target authentication server. Samba cannot determine this from NetBIOS name
+lookups because the choice of the target authentication server is arbitrary and cannot
+be determined from a domain name. In essence, a Samba server that is in
+<span class="emphasis"><em>Server Security Mode</em></span> is operating in what used to be known as
+workgroup mode.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2887114"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
+Using MS Windows NT as an Authentication Server
+</em></span></p><p>
+This method involves the additions of the following parameters in the <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>encrypt passwords = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = server</tt></i></td></tr><tr><td><i class="parameter"><tt>password server = "NetBIOS_name_of_a_DC"</tt></i></td></tr></table><p>
+There are two ways of identifying whether or not a username and password pair is valid.
+One uses the reply information provided as part of the authentication messaging
+process, the other uses just an error code.
+</p><p>
+The downside of this mode of configuration is the fact that for security reasons Samba
+will send the password server a bogus username and a bogus password and if the remote
+server fails to reject the username and password pair then an alternative mode of
+identification of validation is used. Where a site uses password lock out after a
+certain number of failed authentication attempts this will result in user lockouts.
+</p><p>
+Use of this mode of authentication requires a standard UNIX account for the user.
+This account can be blocked to prevent logons by non-SMB/CIFS clients.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887204"></a>Password Checking</h2></div></div><div></div></div><p>
+MS Windows clients may use encrypted passwords as part of a challenge/response
+authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or cleartext strings for simple
+password-based authentication. It should be realized that with the SMB protocol,
+the password is passed over the network either in plain-text or encrypted, but
+not both in the same authentication request.
+</p><p>
+When encrypted passwords are used, a password that has been entered by the user
+is encrypted in two ways:
+</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the unicode of the password
+ string. This is known as the NT hash.
+ </p></li><li><p>The password is converted to upper case,
+ and then padded or truncated to 14 bytes. This string is
+ then appended with 5 bytes of NULL characters and split to
+ form two 56-bit DES keys to encrypt a “<span class="quote">magic</span>” 8-byte value.
+ The resulting 16 bytes form the LanMan hash.
+ </p></li></ul></div><p>
+MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
+pre-service pack 3 will use either mode of password authentication. All
+versions of MS Windows that follow these versions no longer support plain
+text passwords by default.
+</p><p>
+MS Windows clients have a habit of dropping network mappings that have been idle
+for 10 minutes or longer. When the user attempts to use the mapped drive
+connection that has been dropped, the client re-establishes the connection using
+a cached copy of the password.
+</p><p>
+When Microsoft changed the default password mode, support was dropped for caching
+of the plain-text password. This means that when the registry parameter is changed
+to re-enable use of plain-text passwords it appears to work, but when a dropped
+service connection mapping attempts to revalidate, this will fail if the remote
+authentication server does not support encrypted passwords. It is definitely not
+a good idea to re-enable plain-text password support in such clients.
+</p><p>
+The following parameters can be used to work around the issue of Windows 9x/Me clients
+upper-casing usernames and passwords before transmitting them to the SMB server
+when using cleartext authentication:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password level = integer</tt></i></td></tr><tr><td><i class="parameter"><tt>username level = integer</tt></i></td></tr></table><p>
+By default Samba will convert to lower case the username before attempting to lookup the user
+in the database of local system accounts. Because UNIX usernames conventionally
+only contain lower-case characters, the <a class="indexterm" name="id2887327"></a><i class="parameter"><tt>username level</tt></i> parameter
+is rarely needed.
+</p><p>
+However, passwords on UNIX systems often make use of mixed-case characters.
+This means that in order for a user on a Windows 9x/Me client to connect to a Samba
+server using cleartext authentication, the <a class="indexterm" name="id2887350"></a><i class="parameter"><tt>password level</tt></i>
+must be set to the maximum number of upper case letters that <span class="emphasis"><em>could</em></span>
+appear in a password. Note that if the server OS uses the traditional DES version
+of crypt(), a <a class="indexterm" name="id2887371"></a><i class="parameter"><tt>password level</tt></i> of 8 will result in case
+insensitive passwords as seen from Windows users. This will also result in longer
+login times as Samba has to compute the permutations of the password string and
+try them one by one until a match is located (or all combinations fail).
+</p><p>
+The best option to adopt is to enable support for encrypted passwords wherever
+Samba is used. Most attempts to apply the registry change to re-enable plain-text
+passwords will eventually lead to user complaints and unhappiness.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887400"></a>Common Errors</h2></div></div><div></div></div><p>
+We all make mistakes. It is okay to make mistakes, as long as they are made in the right places
+and at the right time. A mistake that causes lost productivity is seldom tolerated, however a mistake
+made in a developmental test lab is expected.
+</p><p>
+Here we look at common mistakes and misapprehensions that have been the subject of discussions
+on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting
+a Samba implementation. Some are the result of a misunderstanding of the English language. The
+English language, which has many phrases that are potentially vague and may be highly confusing
+to those for whom English is not their native tongue.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887429"></a>What Makes Samba a Server?</h3></div></div><div></div></div><p>
+To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is obvious, but entirely
+wrong all the same. It is assumed that <a class="indexterm" name="id2887445"></a><i class="parameter"><tt>security</tt></i> = server means that Samba
+will act as a server. Not so! This setting means that Samba will <span class="emphasis"><em>try</em></span>
+to use another SMB server as its source for user authentication alone.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887468"></a>What Makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter <a class="indexterm" name="id2887486"></a><i class="parameter"><tt>security</tt></i> = domain does not really make Samba behave
+as a Domain Controller. This setting means we want Samba to be a Domain Member.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887504"></a>What Makes Samba a Domain Member?</h3></div></div><div></div></div><p>
+Guess! So many others do. But whatever you do, do not think that <a class="indexterm" name="id2887516"></a><i class="parameter"><tt>security</tt></i> = user
+makes Samba act as a Domain Member. Read the manufacturer's manual before the warranty expires. See
+<link linkend="domain-member"> for more information.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887542"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
+ “<span class="quote">
+Why does server_validate() simply give up rather than re-establish its connection to the
+password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
+process passes along to its client workstation the session key it receives from the password
+server, which means the password hashes submitted by the client would not work on a subsequent
+connection whose session key would be different. So server_validate() must give up.</span>”
+</p><p>
+Indeed. That's why <a class="indexterm" name="id2887570"></a><i class="parameter"><tt>security</tt></i> = server
+is at best a nasty hack. Please use <a class="indexterm" name="id2887584"></a><i class="parameter"><tt>security</tt></i> = domain;
+<a class="indexterm" name="id2887597"></a><i class="parameter"><tt>security</tt></i> = server mode is also known as pass-through authentication.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Domain Control</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. Stand-alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2896324">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2896363">Background</a></dt><dt><a href="StandAloneServer.html#id2896435">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2897068">Common Errors</a></dt></dl></div><p>
+Stand-alone Servers are independent of Domain Controllers on the network.
+They are not Domain Members and function more like workgroup servers. In many
+cases a Stand-alone Server is configured with a minimum of security control
+with the intent that all data served will be readily accessible to all users.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896324"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Stand-alone Servers can be as secure or as insecure as needs dictate. They can
+have simple or complex configurations. Above all, despite the hoopla about
+Domain Security they remain a common installation.
+</p><p>
+If all that is needed is a server for read-only files, or for
+printers alone, it may not make sense to effect a complex installation.
+For example: A drafting office needs to store old drawings and reference
+standards. Noone can write files to the server as it is legislatively
+important that all documents remain unaltered. A share mode read-only Stand-alone
+Server is an ideal solution.
+</p><p>
+Another situation that warrants simplicity is an office that has many printers
+that are queued off a single central server. Everyone needs to be able to print
+to the printers, there is no need to effect any access controls and no files will
+be served from the print server. Again, a share mode Stand-alone Server makes
+a great solution.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896363"></a>Background</h2></div></div><div></div></div><p>
+The term <span class="emphasis"><em>Stand-alone Server</em></span> means that it
+will provide local authentication and access control for all resources
+that are available from it. In general this means that there will be a
+local user database. In more technical terms, it means resources
+on the machine will be made available in either SHARE mode or in
+USER mode.
+</p><p>
+No special action is needed other than to create user accounts. Stand-alone
+servers do not provide network logon services. This means that machines that
+use this server do not perform a domain logon to it. Whatever logon facility
+the workstations are subject to is independent of this machine. It is, however,
+necessary to accommodate any network user so the logon name they use will
+be translated (mapped) locally on the Stand-alone Server to a locally known
+user name. There are several ways this can be done.
+</p><p>
+Samba tends to blur the distinction a little in respect of what is
+a Stand-alone Server. This is because the authentication database may be
+local or on a remote server, even if from the SMB protocol perspective
+the Samba server is not a member of a domain security context.
+</p><p>
+Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH),
+which maintains the UNIX-user database) the source of authentication may reside on
+another server. We would be inclined to call this the authentication server.
+This means that the Samba server may use the local UNIX/Linux system password database
+(<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), may use a
+local smbpasswd file, or may use an LDAP backend, or even via PAM and Winbind another CIFS/SMB server
+for authentication.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896435"></a>Example Configuration</h2></div></div><div></div></div><p>
+The examples, <link linkend="simplynice">, and link linkend="SimplePrintServer"/>,
+are designed to inspire simplicity. It is too easy to attempt a high level of creativity
+and to introduce too much complexity in server and network design.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="RefDocServer"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
+Configuration of a read-only data server that everyone can access is very simple.
+<link linkend="simplynice"> is the <tt class="filename">smb.conf</tt> file that will do this. Assume that all the reference documents
+are stored in the directory <tt class="filename">/export</tt>, and the documents are owned by a user other than
+nobody. No home directories are shared, and there are no users in the <tt class="filename">/etc/passwd</tt>
+UNIX system database. This is a simple system to administer.
+</p><div class="example"><a name="simplynice"></a><p class="title"><b>Example 8.1. smb.conf for Reference Documentation Server</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>security = SHARE</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = guest</tt></i></td></tr><tr><td><i class="parameter"><tt>wins server = 192.168.1.1</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[data]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Data</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export</tt></i></td></tr><tr><td><i class="parameter"><tt>guest only = Yes</tt></i></td></tr></table></div><p>
+In <link linkend="simplynice"> above, the machine name is set to GANDALF, the workgroup is set to the name
+of the local workgroup (MIDEARTH) so the machine will appear together with systems with
+which users are familiar. The only password backend required is the “<span class="quote">guest</span>” backend to allow default
+unprivileged account names to be used. As there is a WINS server on this networki, we of obviously make use of it.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="SimplePrintServer"></a>Central Print Serving</h3></div></div><div></div></div><p>
+Configuration of a simple print server is easy if you have all the right tools
+on your system.
+</p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p>
+ The print server must require no administration.
+ </p></li><li><p>
+ The print spooling and processing system on our print server will be CUPS.
+ (Please refer to <link linkend="CUPS-printing"> for more information).
+ </p></li><li><p>
+ The print server will service only network printers. The network administrator
+ will correctly configure the CUPS environment to support the printers.
+ </p></li><li><p>
+ All workstations will use only postscript drivers. The printer driver
+ of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
+ </p></li></ol></div><p>
+In this example our print server will spool all incoming print jobs to
+<tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by
+Samba to the CUPS print processor. Since all incoming connections will be as
+the anonymous (guest) user, two things will be required:
+</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p>
+ The UNIX/Linux system must have a <b class="command">guest</b> account.
+ The default for this is usually the account <b class="command">nobody</b>.
+ To find the correct name to use for your version of Samba, do the
+ following:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep "guest account"</tt></b>
+</pre><p>
+ Make sure that this account exists in your system password
+ database (<tt class="filename">/etc/passwd</tt>).
+ </p></li><li><p>
+ The directory into which Samba will spool the file must have write
+ access for the guest account. The following commands will ensure that
+ this directory is available for use:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody.nobody /var/spool/samba</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b>
+</pre><p>
+ </p></li></ul></div><p>
+The contents of the <tt class="filename">smb.conf</tt> file is shown in <link linkend="AnonPtrSvr">.
+</p><p>
+</p><div class="example"><a name="AnonPtrSvr"></a><p class="title"><b>Example 8.2. smb.conf for Anonymous Printing</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>security = SHARE</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = guest</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = cups</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = root</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>use client driver = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2897019"></a>
+<a class="indexterm" name="id2897030"></a>
+On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
+intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
+it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
+handler in the <tt class="filename">/etc/mime.conv</tt> and <tt class="filename">/etc/mime.types</tt>
+files. Refer to <link linkend="cups-raw">.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897068"></a>Common Errors</h2></div></div><div></div></div><p>
+The greatest mistake so often made is to make a network configuration too complex.
+It pays to use the simplest solution that will meet the needs of the moment.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. MS Windows Network Configuration Guide</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support"><link rel="next" href="winbind.html" title="Chapter 21. Winbind: Use of Domain Accounts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@samba.org">tpot@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2948269">Features and Benefits</a></dt><dt><a href="VFS.html#id2948287">Discussion</a></dt><dt><a href="VFS.html#id2948540">Included Modules</a></dt><dd><dl><dt><a href="VFS.html#id2948547">audit</a></dt><dt><a href="VFS.html#id2948583">extd_audit</a></dt><dt><a href="VFS.html#fakeperms">fake_perms</a></dt><dt><a href="VFS.html#id2948756">recycle</a></dt><dt><a href="VFS.html#id2948986">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2949031">VFS Modules Available Elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2949053">DatabaseFS</a></dt><dt><a href="VFS.html#id2949115">vscan</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2948269"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
+Samba passes each request to access the UNIX file system through the loaded VFS modules.
+This chapter covers all the modules that come with the Samba source and references to
+some external modules.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2948287"></a>Discussion</h2></div></div><div></div></div><p>
+If not supplied with your platform distribution binary Samba package you may have problems
+compiling these modules, as shared libraries are compiled and linked in different ways
+on different systems. They currently have been tested against GNU/Linux and IRIX.
+</p><p>
+To use the VFS modules, create a share similar to the one below. The
+important parameter is the <a class="indexterm" name="id2948308"></a><i class="parameter"><tt>vfs objects</tt></i> parameter where
+you can list one or more VFS modules by name. For example, to log all access
+to files and put deleted files in a recycle bin, see <link linkend="vfsrecyc">.
+
+</p><div class="example"><a name="vfsrecyc"></a><p class="title"><b>Example 20.1. smb.conf with VFS modules</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[audit]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Audited /data directory</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /data</tt></i></td></tr><tr><td><i class="parameter"><tt>vfs objects = audit recycle</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr></table></div><p>
+</p><p>
+The modules are used in the order in which they are specified.
+</p><p>
+Samba will attempt to load modules from the <tt class="filename">/lib</tt> directory in the root directory of the
+Samba installation (usually <tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs
+</tt>).
+</p><p>
+Some modules can be used twice for the same share.
+This can be done using a configuration similar to the one shown in <link linkend="multimodule">.
+
+</p><div class="example"><a name="multimodule"></a><p class="title"><b>Example 20.2. smb.conf with multiple VFS modules</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[test]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = VFS TEST</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /data</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>vfs objects = example:example1 example example:test</tt></i></td></tr><tr><td><i class="parameter"><tt>example1: parameter = 1</tt></i></td></tr><tr><td><i class="parameter"><tt>example: parameter = 5</tt></i></td></tr><tr><td><i class="parameter"><tt>test: parameter = 7</tt></i></td></tr></table></div><p>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2948540"></a>Included Modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948547"></a>audit</h3></div></div><div></div></div><p>
+ A simple module to audit file access to the syslog
+ facility. The following operations are logged:
+ </p><div class="itemizedlist"><ul type="disc"><li>share</li><li>connect/disconnect</li><li>directory opens/create/remove</li><li>file open/close/rename/unlink/chmod</li></ul></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948583"></a>extd_audit</h3></div></div><div></div></div><p>
+ This module is identical with the <b class="command">audit</b> module above except
+ that it sends audit logs to both syslog as well as the <b class="command">smbd</b> log files. The
+ <a class="indexterm" name="id2948610"></a><i class="parameter"><tt>log level</tt></i> for this module is set in the <tt class="filename">smb.conf</tt> file.
+ </p><p>
+ Valid settings and the information that will be recorded are shown in <link linkend="xtdaudit">.
+ </p><div class="table"><a name="xtdaudit"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="fakeperms"></a>fake_perms</h3></div></div><div></div></div><p>
+ This module was created to allow Roaming Profile files and directories to be set (on the Samba server
+ under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
+ that the Profile files and directories are writable. This satisfies the client even though the files
+ will never be overwritten as the client logs out or shuts down.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948756"></a>recycle</h3></div></div><div></div></div><p>
+ A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
+ to the recycle directory instead of being deleted. This gives the same effect as the
+ <span class="guiicon">Recycle Bin</span> on Windows computers.
+ </p><p>
+ The <span class="guiicon">Recycle Bin</span> will not appear in <span class="application">Windows Explorer</span> views of the network file system
+ (share) nor on any mapped drive. Instead, a directory called <tt class="filename">.recycle</tt> will be
+ automatically created when the first file is deleted. Users can recover files from the
+ <tt class="filename">.recycle</tt> directory. If the <i class="parameter"><tt>recycle:keeptree</tt></i> has been
+ specified, deleted files will be found in a path identical with that from which the file was deleted.
+ </p><p>Supported options for the <b class="command">recycle</b> module are as follow:
+ </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>
+ Relative path of the directory where deleted files should be moved.
+ </p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>
+ Specifies whether the directory structure should be kept or if the files in the directory that is being
+ deleted should be kept seperately in the recycle bin.
+ </p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>
+ If this option is set, two files
+ with the same name that are deleted will both
+ be kept in the recycle bin. Newer deleted versions
+ of a file will be called “<span class="quote">Copy #x of <i class="replaceable"><tt>filename</tt></i></span>”.
+ </p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>
+ Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
+ </p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>
+ Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
+ </p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>
+ List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
+ </p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>
+ Contains a list of directories. When files from these directories are
+ deleted, they are not put into the
+ recycle bin but are deleted in the
+ regular way.
+ </p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>
+ Opposite of <i class="parameter"><tt>recycle:versions</tt></i>. If both options are specified, this one takes precedence.
+ </p></dd></dl></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948986"></a>netatalk</h3></div></div><div></div></div><p>
+ A netatalk module will ease co-existence of Samba and netatalk file sharing services.
+ </p><p>Advantages compared to the old netatalk module:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Does not care about creating .AppleDouble forks, just keeps them in sync.</p></li><li><p>If a share in <tt class="filename">smb.conf</tt> does not contain .AppleDouble item in hide or veto list, it will be added automatically.</p></li></ul></div><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949031"></a>VFS Modules Available Elsewhere</h2></div></div><div></div></div><p>
+This section contains a listing of various other VFS modules that
+have been posted but do not currently reside in the Samba CVS
+tree for one reason or another (e.g., it is easy for the maintainer
+to have his or her own CVS tree).
+</p><p>
+No statements about the stability or functionality of any module
+should be implied due to its presence here.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949053"></a>DatabaseFS</h3></div></div><div></div></div><p>
+ URL: <ulink url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
+ </p><p>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer.</ulink></p><p>
+ I have created a VFS module that implements a fairly complete read-only
+ filesystem. It presents information from a database as a filesystem in
+ a modular and generic way to allow different databases to be used
+ (originally designed for organizing MP3s under directories such as
+ “<span class="quote">Artists,</span>” “<span class="quote">Song Keywords,</span>” and so on. I have since easily
+ applied it to a student
+ roster database.) The directory structure is stored in the
+ database itself and the module makes no assumptions about the database
+ structure beyond the table it requires to run.
+ </p><p>
+ Any feedback would be appreciated: comments, suggestions, patches,
+ and so on. If nothing else, hopefully it might prove useful for someone
+ else who wishes to create a virtual filesystem.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949115"></a>vscan</h3></div></div><div></div></div><p>URL: <ulink url="http://www.openantivirus.org/">http://www.openantivirus.org/</ulink></p><p>
+ <tt class="filename">samba-vscan</tt> is a proof-of-concept module for Samba, which
+ uses the VFS (virtual file system) features of Samba 2.2.x/3.0
+ alphaX. Of course, Samba has to be compiled with VFS support.
+ <tt class="filename">samba-vscan</tt> supports various virus scanners and is maintained
+ by Rainer Link.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. CUPS Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Winbind: Use of Domain Accounts</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 35. Reporting Bugs</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="problems.html" title="Chapter 34. Analyzing and Solving Samba Problems"><link rel="next" href="Appendixes.html" title="Part VI. Appendixes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 35. Reporting Bugs</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="Appendixes.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="bugreport"></a>Chapter 35. Reporting Bugs</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> 27 June 1997 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="bugreport.html#id2972309">Introduction</a></dt><dt><a href="bugreport.html#id2972372">General Information</a></dt><dt><a href="bugreport.html#id2972408">Debug Levels</a></dt><dt><a href="bugreport.html#id2972617">Internal Errors</a></dt><dt><a href="bugreport.html#id2972752">Attaching to a Running Process</a></dt><dt><a href="bugreport.html#id2972799">Patches</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972309"></a>Introduction</h2></div></div><div></div></div><p>Please report bugs using Samba's
+<ulink url="https://bugzilla.samba.org/">Bugzilla</ulink> facilities and
+take the time to read this file before you submit a bug
+report. Also, check to see if it has changed between releases, as we
+may be changing the bug reporting mechanism at some point.
+</p><p>
+Please do as much as you can yourself to help track down the
+bug. Samba is maintained by a dedicated group of people who volunteer
+their time, skills and efforts. We receive far more mail than
+we can possibly answer, so you have a much higher chance of a response
+and a fix if you send us a “<span class="quote">developer friendly</span>” bug report that lets
+us fix it fast.
+</p><p>
+Do not assume that if you post the bug to the comp.protocols.smb
+newsgroup or the mailing list that we will read it. If you suspect that your
+problem is not a bug but a configuration problem, it is better to send
+it to the Samba mailing list, as there are thousands of other users on
+that list who may be able to help you.
+</p><p>
+You may also like to look though the recent mailing list archives,
+which are conveniently accessible on the Samba Web pages
+at <ulink url="http://samba.org/samba/">http://samba.org/samba/</ulink>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972372"></a>General Information</h2></div></div><div></div></div><p>
+Before submitting a bug report, check your config for silly
+errors. Look in your log files for obvious messages that tell
+you've misconfigured something. Run testparm to check your config
+file for correct syntax.
+</p><p>
+ Have you looked through <link linkend="diagnosis">? This is extremely important.
+</p><p>
+If you include part of a log file with your bug report, then be sure to
+annotate it with exactly what you were doing on the client at the
+time and exactly what the results were.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972408"></a>Debug Levels</h2></div></div><div></div></div><p>
+If the bug has anything to do with Samba behaving incorrectly as a
+server (like refusing to open a file), then the log files will probably
+be quite useful. Depending on the problem, a log level of between 3 and
+10 showing the problem may be appropriate. A higher level gives more
+detail, but may use too much disk space.
+</p><p>
+To set the debug level, use the <a class="indexterm" name="id2972430"></a><i class="parameter"><tt>log level</tt></i> in your
+<tt class="filename">smb.conf</tt>. You may also find it useful to set the log
+level higher for just one machine and keep separate logs for each machine.
+To do this, add the following lines to your main <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>log level = 10</tt></i></td></tr><tr><td><i class="parameter"><tt>log file = /usr/local/samba/lib/log.%m</tt></i></td></tr><tr><td><i class="parameter"><tt>include = /usr/local/samba/lib/smb.conf.%m</tt></i></td></tr></table><p>
+and create a file <tt class="filename">/usr/local/samba/lib/smb.conf.<i class="replaceable"><tt>machine</tt></i></tt> where
+<i class="replaceable"><tt>machine</tt></i> is the name of the client you wish to debug. In that file
+put any <tt class="filename">smb.conf</tt> commands you want, for example
+<a class="indexterm" name="id2972521"></a><i class="parameter"><tt>log level</tt></i> may be useful. This also allows you to
+experiment with different security systems, protocol levels and so on, on just
+one machine.
+</p><p>
+The <tt class="filename">smb.conf</tt> entry <a class="indexterm" name="id2972548"></a><i class="parameter"><tt>log level</tt></i>
+is synonymous with the parameter <a class="indexterm" name="id2972562"></a><i class="parameter"><tt>debuglevel</tt></i> that has
+been used in older versions of Samba and is being retained for backward
+compatibility of <tt class="filename">smb.conf</tt> files.
+</p><p>
+As the <a class="indexterm" name="id2972588"></a><i class="parameter"><tt>log level</tt></i> value is increased, you will record
+a significantly greater level of debugging information. For most
+debugging operations, you may not need a setting higher than
+<tt class="constant">3</tt>. Nearly
+all bugs can be tracked at a setting of <tt class="constant">10</tt>, but be
+prepared for a large volume of log data.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972617"></a>Internal Errors</h2></div></div><div></div></div><p>
+If you get the message “<span class="quote"><span class="errorname">INTERNAL ERROR</span></span>” in your log files,
+it means that Samba got an unexpected signal while running. It is probably a
+segmentation fault and almost certainly means a bug in Samba (unless
+you have faulty hardware or system software).
+</p><p>
+If the message came from smbd, it will probably be accompanied by
+a message that details the last SMB message received by smbd. This
+information is often useful in tracking down the problem so please
+include it in your bug report.
+</p><p>
+You should also detail how to reproduce the problem, if
+possible. Please make this reasonably detailed.
+</p><p>
+<a class="indexterm" name="id2972657"></a>
+You may also find that a core file appeared in a <tt class="filename">corefiles</tt>
+subdirectory of the directory where you keep your Samba log
+files. This file is the most useful tool for tracking down the bug. To
+use it, you do this:
+<a class="indexterm" name="id2972676"></a>
+<a class="indexterm" name="id2972684"></a>
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>gdb smbd core</tt></b>
+</pre><p>
+adding appropriate paths to smbd and core so gdb can find them. If you
+do not have gdb, try <b class="userinput"><tt>dbx</tt></b>. Then within the debugger,
+use the command <b class="command">where</b> to give a stack trace of where the
+problem occurred. Include this in your report.
+</p><p>
+If you know any assembly language, do a <b class="command">disass</b> of the routine
+where the problem occurred (if its in a library routine, then
+disassemble the routine that called it) and try to work out exactly
+where the problem is by looking at the surrounding code. Even if you
+do not know assembly, including this information in the bug report can be
+useful.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972752"></a>Attaching to a Running Process</h2></div></div><div></div></div><p>
+Unfortunately, some UNIXes (in particular some recent Linux kernels)
+refuse to dump a core file if the task has changed uid (which smbd
+does often). To debug with this sort of system, you could try to attach
+to the running process using
+<b class="userinput"><tt>gdb smbd <i class="replaceable"><tt>PID</tt></i></tt></b> where you get
+<i class="replaceable"><tt>PID</tt></i> from <span class="application">smbstatus</span>.
+Then use <b class="command">c</b> to continue and try to cause the core dump
+using the client. The debugger should catch the fault and tell you
+where it occurred.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972799"></a>Patches</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2972810"></a>
+<a class="indexterm" name="id2972818"></a>
+The best sort of bug report is one that includes a fix! If you send us
+patches, please use <b class="userinput"><tt>diff -u</tt></b> format if your version of
+diff supports it, otherwise use <b class="userinput"><tt>diff -c4</tt></b>. Make sure
+you do the diff against a clean version of the source and let me know
+exactly what version you used.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="problems.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Appendixes.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 34. Analyzing and Solving Samba Problems </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part VI. Appendixes</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 36. How to Compile Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Appendixes.html" title="Part VI. Appendixes"><link rel="next" href="Portability.html" title="Chapter 37. Portability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 36. How to Compile Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Appendixes.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="compiling"></a>Chapter 36. How to Compile Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> 22 May 2001 </p></div><div><p class="pubdate"> 18 March 2003 </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="compiling.html#id2972995">Access Samba Source Code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id2973003">Introduction</a></dt><dt><a href="compiling.html#id2973049">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id2973311">Accessing the Samba Sources via rsync and ftp</a></dt><dt><a href="compiling.html#id2973389">Verifying Samba's PGP Signature</a></dt><dt><a href="compiling.html#id2973553">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id2973768">Compiling Samba with Active Directory Support</a></dt></dl></dd><dt><a href="compiling.html#id2973958">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id2974312">Alternative: Starting smbd as a Daemon</a></dt></dl></dd></dl></div><p>
+You can obtain the Samba source from the
+<ulink url="http://samba.org/">Samba Website.</ulink> To obtain a development version,
+you can download Samba from CVS or using <b class="command">rsync</b>.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972995"></a>Access Samba Source Code via CVS</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2973003"></a>Introduction</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2973014"></a>
+Samba is developed in an open environment. Developers use
+Concurrent Versioning System (CVS) to “<span class="quote">checkin</span>” (also known as
+“<span class="quote">commit</span>”) new source code. Samba's various CVS branches can
+be accessed via anonymous CVS using the instructions
+detailed in this chapter.
+</p><p>
+This chapter is a modified version of the instructions found at
+<ulink url="http://samba.org/samba/cvs.html">http://samba.org/samba/cvs.html</ulink>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2973049"></a>CVS Access to samba.org</h3></div></div><div></div></div><p>
+The machine samba.org runs a publicly accessible CVS
+repository for access to the source code of several packages,
+including Samba, rsync, distcc, ccache, and jitterbug. There are two main ways
+of accessing the CVS server on this host:
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2973065"></a>Access via CVSweb</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2973076"></a>
+You can access the source code via your favorite WWW browser. This allows you to access
+the contents of individual files in the repository and also to look at the revision
+history and commit logs of individual files. You can also ask for a diff
+listing between any two versions on the repository.
+</p><p>
+Use the URL:
+<ulink url="http://samba.org/cgi-bin/CVSweb">http://samba.org/cgi-bin/CVSweb</ulink>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2973106"></a>Access via CVS</h4></div></div><div></div></div><p>
+You can also access the source code via a
+normal CVS client. This gives you much more control over what you can
+do with the repository and allows you to checkout whole source trees
+and keep them up-to-date via normal CVS commands. This is the
+preferred method of access if you are a developer and not
+just a casual browser.
+</p><p>
+To download the latest CVS source code, point your
+browser at the URL :
+<ulink url="http://www.cyclic.com/">http://www.cyclic.com/</ulink>.
+and click on the “<span class="quote">How to get CVS</span>” link. CVS is free software under
+the GNU GPL (as is Samba). Note that there are several graphical CVS clients
+that provide a graphical interface to the sometimes mundane CVS commands.
+Links to theses clients are also available from the Cyclic Web site.
+</p><p>
+To gain access via anonymous CVS, use the following steps.
+For this example it is assumed that you want a copy of the
+Samba source code. For the other source code repositories
+on this system just substitute the correct package name.
+</p><div class="procedure"><p class="title"><b>Procedure 36.1. Retrieving Samba using CVS</b></p><ol type="1"><li><p>
+ Install a recent copy of CVS. All you really need is a
+ copy of the CVS client binary.
+ </p></li><li><p>
+ Run the command:
+ </p><p>
+ <b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot login</tt></b>
+ </p></li><li><p>
+ When it asks you for a password, type <b class="userinput"><tt>cvs</tt></b>.
+ </p></li><li><p>
+ Run the command
+ </p><p>
+ <b class="userinput"><tt>cvs -d :pserver:CVS@samba.org:/cvsroot co samba</tt></b>.
+ </p><p>
+ This will create a directory called <tt class="filename">samba</tt> containing the
+ latest Samba source code (i.e., the HEAD tagged CVS branch). This
+ currently corresponds to the 3.0 development tree.
+ </p><p>
+ CVS branches other then HEAD can be obtained by using the
+ <tt class="option">-r</tt> and defining a tag name. A list of branch tag names
+ can be found on the “<span class="quote">Development</span>” page of the Samba Web site. A common
+ request is to obtain the latest 3.0 release code. This could be done by
+ using the following command:
+ </p><p>
+ <b class="userinput"><tt>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_3_0 samba</tt></b>.
+ </p></li><li><p>
+ Whenever you want to merge in the latest code changes, use
+ the following command from within the Samba directory:
+ </p><p>
+ <b class="userinput"><tt>cvs update -d -P</tt></b>
+ </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2973311"></a>Accessing the Samba Sources via rsync and ftp</h2></div></div><div></div></div><p>
+ <a class="indexterm" name="id2973323"></a>
+ <a class="indexterm" name="id2973331"></a>
+ <i class="parameter"><tt>pserver.samba.org</tt></i> also exports unpacked copies of most parts of the CVS
+ tree at <ulink url="ftp://pserver.samba.org/pub/unpacked">ftp://pserver.samba.org/pub/unpacked</ulink> and also via anonymous rsync at
+ <ulink url="rsync://pserver.samba.org/ftp/unpacked/">rsync://pserver.samba.org/ftp/unpacked/</ulink>. I recommend using rsync rather than ftp.
+ See <ulink url="http://rsync.samba.org/">the rsync homepage</ulink> for more info on rsync.
+ </p><p>
+ The disadvantage of the unpacked trees is that they do not support automatic
+ merging of local changes like CVS does. <b class="command">rsync</b> access is most convenient
+ for an initial install.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2973389"></a>Verifying Samba's PGP Signature</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2973401"></a>
+It is strongly recommended that you verify the PGP signature for any source file before
+installing it. Even if you're not downloading from a mirror site, verifying PGP signatures
+should be a standard reflex. Many people today use the GNU GPG toolset in place of PGP.
+GPG can substitute for PGP.
+</p><p>
+With that said, go ahead and download the following files:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>wget http://us1.samba.org/samba/ftp/samba-pubkey.asc</tt></b>
+</pre><p>
+<a class="indexterm" name="id2973459"></a>
+The first file is the PGP signature for the Samba source file; the other is the Samba public
+PGP key itself. Import the public PGP key with:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>gpg --import samba-pubkey.asc</tt></b>
+</pre><p>
+and verify the Samba source code integrity with:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>gzip -d samba-2.2.8a.tar.gz</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>gpg --verify samba-2.2.8a.tar.asc</tt></b>
+</pre><p>
+If you receive a message like, “<span class="quote">Good signature from Samba Distribution Verification Key...</span>”
+then all is well. The warnings about trust relationships can be ignored. An
+example of what you would not want to see would be:
+</p><pre class="screen">
+ gpg: BAD signature from “<span class="quote">Samba Distribution Verification Key</span>”
+</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2973553"></a>Building the Binaries</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2973564"></a>
+ To build the binaries, first run the program <b class="userinput"><tt>./configure
+ </tt></b> in the source directory. This should automatically
+ configure Samba for your operating system. If you have unusual
+ needs, then you may wish to run</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>./configure --help
+</tt></b></pre><p>first to see what special options you can enable. Now execute <b class="userinput"><tt>./configure</tt></b> with any arguments it might need:</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>./configure <i class="replaceable"><tt>[... arguments ...]</tt></i></tt></b></pre><p>Executing</p><p>
+<a class="indexterm" name="id2973641"></a>
+ </p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make</tt></b></pre><p>will create the binaries. Once it is successfully
+ compiled you can use</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make install</tt></b></pre><p>to install the binaries and manual pages. You can
+ separately install the binaries and/or man pages using</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make installbin
+</tt></b></pre><p>and</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make installman
+ </tt></b></pre><p>Note that if you are upgrading from a previous version
+ of Samba you might like to know that the old versions of
+ the binaries will be renamed with an “<span class="quote">.old</span>” extension. You
+ can go back to the previous version with</p><pre class="screen"><tt class="prompt">root# </tt><b class="userinput"><tt>make revert
+</tt></b></pre><p>if you find this version a disaster!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2973768"></a>Compiling Samba with Active Directory Support</h3></div></div><div></div></div><p>In order to compile Samba with ADS support, you need to have installed
+ on your system:</p><div class="itemizedlist"><ul type="disc"><li><p>The MIT or Heimdal kerberos development libraries
+ (either install from the sources or use a package).</p></li><li><p>The OpenLDAP development libraries.</p></li></ul></div><p>If your kerberos libraries are in a non-standard location, then
+ remember to add the configure option
+ <tt class="option">--with-krb5=<i class="replaceable"><tt>DIR</tt></i></tt>.</p><p>After you run configure, make sure that
+ <tt class="filename">include/config.h</tt> it generates contain lines like
+ this:</p><pre class="programlisting">
+#define HAVE_KRB5 1
+#define HAVE_LDAP 1
+</pre><p>If it does not, configure did not find your KRB5 libraries or
+ your LDAP libraries. Look in <tt class="filename">config.log</tt> to figure
+ out why and fix it.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2973849"></a>Installing the Required Packages for Debian</h4></div></div><div></div></div><p>On Debian, you need to install the following packages:</p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li>libkrb5-dev</li><li>krb5-user</li></ul></div><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2973878"></a>Installing the Required Packages for Red Hat Linux</h4></div></div><div></div></div><p>On Red Hat Linux, this means you should have at least: </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li>krb5-workstation (for kinit)</li><li>krb5-libs (for linking with)</li><li>krb5-devel (because you are compiling from source)</li></ul></div><p>
+ </p><p>in addition to the standard development environment.</p><p>If these files are not installed on your system, you should check the installation
+ CDs to find which has them and install the files using your tool of choice. If in doubt
+ about what tool to use, refer to the Red Hat Linux documentation.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2973928"></a>SuSE Linux Package Requirements</h4></div></div><div></div></div><p>SuSE Linux installs Heimdal packages that may be required to allow you to build
+ binary packages. You should verify that the development libraries have been installed on
+ your system.
+ </p><p>SuSE Linux Samba RPMs support Kerberos. Please refer to the documentation for
+ your SuSE Linux system for information regading SuSE Linux specific configuration.
+ Additionally, SuSE are very active in the maintenance of Samba packages that provide
+ the maximum capabilities that are available. You should consider using SuSE provided
+ packages where they are available.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2973958"></a>Starting the <span class="application">smbd</span> and <span class="application">nmbd</span></h2></div></div><div></div></div><p>
+ <a class="indexterm" name="id2973982"></a>
+ You must choose to start <span class="application">smbd</span> and <span class="application">nmbd</span> either
+ as daemons or from <span class="application">inetd</span>. Don't try
+ to do both! Either you can put them in <tt class="filename">
+ inetd.conf</tt> and have them started on demand
+ by <span class="application">inetd</span> or <span class="application">xinetd</span>,
+ or you can start them as
+ daemons either from the command line or in <tt class="filename">
+ /etc/rc.local</tt>. See the man pages for details
+ on the command line options. Take particular care to read
+ the bit about what user you need to have to start
+ Samba. In many cases, you must be root.</p><p>The main advantage of starting <span class="application">smbd</span>
+ and <span class="application">nmbd</span> using the recommended daemon method
+ is that they will respond slightly more quickly to an initial connection
+ request.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974066"></a>Starting from inetd.conf</h3></div></div><div></div></div><a class="indexterm" name="id2974074"></a><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The following will be different if
+ you use NIS, NIS+ or LDAP to distribute services maps.</p></div><p>Look at your <tt class="filename">/etc/services</tt>.
+ What is defined at port 139/tcp? If nothing is defined,
+ then add a line like this:</p><pre class="programlisting">netbios-ssn 139/tcp</pre><p>Similarly for 137/udp, you should have an entry like:</p><pre class="programlisting">netbios-ns 137/udp</pre><p>Next, edit your <tt class="filename">/etc/inetd.conf</tt>
+ and add two lines like this:</p><pre class="programlisting">
+ netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+ netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
+ </pre><p>The exact syntax of <tt class="filename">/etc/inetd.conf</tt>
+ varies between UNIXes. Look at the other entries in inetd.conf
+ for a guide. </p><p>
+ <a class="indexterm" name="id2974166"></a>
+ Some distributions use xinetd instead of inetd. Consult the
+ xinetd manual for configuration information.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Some UNIXes already have entries like netbios_ns
+ (note the underscore) in <tt class="filename">/etc/services</tt>.
+ You must edit <tt class="filename">/etc/services</tt> or
+ <tt class="filename">/etc/inetd.conf</tt> to make them consistent.
+ </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2974210"></a>
+ On many systems you may need to use the
+ <a class="indexterm" name="id2974219"></a><i class="parameter"><tt>interfaces</tt></i> option in <tt class="filename">smb.conf</tt> to specify the IP
+ address and netmask of your interfaces. Run
+ <span class="application">ifconfig</span>
+ as root if you do not know what the broadcast is for your
+ net. <span class="application">nmbd</span> tries to determine it at run
+ time, but fails on some UNIXes.
+ </p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Many UNIXes only accept around five
+ parameters on the command line in <tt class="filename">inetd.conf</tt>.
+ This means you shouldn't use spaces between the options and
+ arguments, or you should use a script and start the script
+ from <b class="command">inetd</b>.</p></div><p>Restart <span class="application">inetd</span>, perhaps just send
+ it a HUP. </p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>killall -HUP inetd</tt></b>
+ </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2974312"></a>Alternative: Starting <span class="application">smbd</span> as a Daemon</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2974330"></a>
+ To start the server as a daemon, you should create
+ a script something like this one, perhaps calling
+ it <tt class="filename">startsmb</tt>.</p><pre class="programlisting">
+ #!/bin/sh
+ /usr/local/samba/bin/smbd -D
+ /usr/local/samba/bin/nmbd -D
+ </pre><p>Make it executable with <b class="command">chmod
+ +x startsmb</b></p><p>You can then run <b class="command">startsmb</b> by
+ hand or execute it from <tt class="filename">/etc/rc.local</tt>.
+ </p><p>To kill it, send a kill signal to the processes
+ <span class="application">nmbd</span> and <span class="application">smbd</span>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you use the SVR4 style init system,
+ you may like to look at the <tt class="filename">examples/svr4-startup</tt>
+ script to make Samba fit into that system.</p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Appendixes.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Portability.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part VI. Appendixes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 37. Portability</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 33. The Samba Checklist</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="next" href="problems.html" title="Chapter 34. Analyzing and Solving Samba Problems"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 33. The Samba Checklist</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="diagnosis"></a>Chapter 33. The Samba Checklist</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">Wed Jan 15</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="diagnosis.html#id2969273">Introduction</a></dt><dt><a href="diagnosis.html#id2969311">Assumptions</a></dt><dt><a href="diagnosis.html#id2969546">The Tests</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2969273"></a>Introduction</h2></div></div><div></div></div><p>
+This file contains a list of tests you can perform to validate your
+Samba server. It also tells you what the likely cause of the problem
+is if it fails any one of these steps. If it passes all these tests,
+then it is probably working fine.
+</p><p>
+You should do all the tests, in the order shown. We have tried to
+carefully choose them so later tests only use capabilities verified in
+the earlier tests. However, do not stop at the first error as there
+have been some instances when continuing with the tests has helped
+to solve a problem.
+</p><p>
+If you send one of the Samba mailing lists an email saying, “<span class="quote">it does not work</span>”
+and you have not followed this test procedure, you should not be surprised
+if your email is ignored.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2969311"></a>Assumptions</h2></div></div><div></div></div><p>
+In all of the tests, it is assumed you have a Samba server called
+BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP.
+</p><p>
+The procedure is similar for other types of clients.
+</p><p>
+It is also assumed you know the name of an available share in your
+<tt class="filename">smb.conf</tt>. I will assume this share is called <i class="parameter"><tt>tmp</tt></i>.
+You can add a <i class="parameter"><tt>tmp</tt></i> share like this by adding the
+lines shown in <link linkend="tmpshare">.
+</p><div class="example"><a name="tmpshare"></a><p class="title"><b>Example 33.1. smb.conf with [tmp] share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[tmp]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = temporary files </tt></i></td></tr><tr><td><i class="parameter"><tt>path = /tmp</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr></table></div><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+These tests assume version 3.0.0 or later of the Samba suite.
+Some commands shown did not exist in earlier versions.
+</p></div><p>
+Please pay attention to the error messages you receive. If any error message
+reports that your server is being unfriendly, you should first check that your
+IP name resolution is correctly set up. Make sure your <tt class="filename">/etc/resolv.conf</tt>
+file points to name servers that really do exist.
+</p><p>
+Also, if you do not have DNS server access for name resolution, please check
+that the settings for your <tt class="filename">smb.conf</tt> file results in <b class="command">dns proxy = no</b>. The
+best way to check this is with <b class="command">testparm smb.conf</b>.
+</p><p>
+<a class="indexterm" name="id2969474"></a>
+It is helpful to monitor the log files during testing by using the
+<b class="command">tail -F log_file_name</b> in a separate
+terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X).
+Relevant log files can be found (for default installations) in
+<tt class="filename">/usr/local/samba/var</tt>. Also, connection logs from
+machines can be found here or possibly in <tt class="filename">/var/log/samba</tt>,
+depending on how or if you specified logging in your <tt class="filename">smb.conf</tt> file.
+</p><p>
+If you make changes to your <tt class="filename">smb.conf</tt> file while going through these test,
+remember to restart <span class="application">smbd</span> and <span class="application">nmbd</span>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2969546"></a>The Tests</h2></div></div><div></div></div><div class="procedure"><p class="title"><b>Procedure 33.1. Diagnosing your Samba server</b></p><ol type="1"><li><p>
+<a class="indexterm" name="id2969570"></a>
+In the directory in which you store your <tt class="filename">smb.conf</tt> file, run the command
+<b class="command">testparm smb.conf</b>. If it reports any errors, then your <tt class="filename">smb.conf</tt>
+configuration file is faulty.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Your <tt class="filename">smb.conf</tt> file may be located in: <tt class="filename">/etc/samba</tt>
+or in <tt class="filename">/usr/local/samba/lib</tt>.
+</p></div></li><li><p>
+Run the command <b class="command">ping BIGSERVER</b> from the PC and
+<b class="command">ping ACLIENT</b> from the UNIX box. If you do not get a valid response,
+then your TCP/IP software is not correctly installed.
+</p><p>
+You will need to start a “<span class="quote">dos prompt</span>” window on the PC to run ping.
+</p><p>
+If you get a message saying “<span class="quote"><span class="errorname">host not found</span></span>” or similar, then your DNS
+software or <tt class="filename">/etc/hosts</tt> file is not correctly setup.
+It is possible to run Samba without DNS entries for the server and client, but it is assumed
+you do have correct entries for the remainder of these tests.
+</p><p>
+Another reason why ping might fail is if your host is running firewall
+software. You will need to relax the rules to let in the workstation
+in question, perhaps by allowing access from another subnet (on Linux
+this is done via the appropriate firewall maintenance commands <b class="command">ipchains</b>
+or <b class="command">iptables</b>).
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Modern Linux distributions install ipchains/iptables by default.
+This is a common problem that is often overlooked.
+</p></div><p>
+If you wish to check what firewall rules may be present in a system under test, simply run
+<b class="command">iptables -L -v</b> or if <i class="parameter"><tt>ipchains</tt></i>-based firewall rules are in use,
+<b class="command">ipchains -L -v</b>.
+</p><p>
+Here is a sample listing from a system that has an external ethernet interface (eth1) on which Samba
+is not active, and an internal (private network) interface (eth0) on which Samba is active:
+</p><pre class="screen">
+frodo:~ # iptables -L -v
+Chain INPUT (policy DROP 98496 packets, 12M bytes)
+ pkts bytes target prot opt in out source destination
+ 187K 109M ACCEPT all -- lo any anywhere anywhere
+ 892K 125M ACCEPT all -- eth0 any anywhere anywhere
+1399K 1380M ACCEPT all -- eth1 any anywhere anywhere \
+ state RELATED,ESTABLISHED
+
+Chain FORWARD (policy DROP 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 978K 1177M ACCEPT all -- eth1 eth0 anywhere anywhere \
+ state RELATED,ESTABLISHED
+ 658K 40M ACCEPT all -- eth0 eth1 anywhere anywhere
+ 0 0 LOG all -- any any anywhere anywhere \
+ LOG level warning
+
+Chain OUTPUT (policy ACCEPT 2875K packets, 1508M bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain reject_func (0 references)
+ pkts bytes target prot opt in out source destinat
+</pre><p>
+</p></li><li><p>
+Run the command: <b class="command">smbclient -L BIGSERVER</b>
+on the UNIX box. You should get back a list of available shares.
+</p><p>
+If you get an error message containing the string “<span class="quote">Bad password</span>”, then
+you probably have either an incorrect <i class="parameter"><tt>hosts allow</tt></i>,
+<i class="parameter"><tt>hosts deny</tt></i> or <i class="parameter"><tt>valid users</tt></i> line in your
+<tt class="filename">smb.conf</tt>, or your guest account is not valid. Check what your guest account is using <span class="application">testparm</span> and
+temporarily remove any <i class="parameter"><tt>hosts allow</tt></i>, <i class="parameter"><tt>hosts deny</tt></i>,
+<i class="parameter"><tt>valid users</tt></i> or <i class="parameter"><tt>invalid users</tt></i> lines.
+</p><p>
+If you get a message “<span class="quote"><span class="errorname">connection refused</span></span>” response, then the <b class="command">smbd</b> server may
+not be running. If you installed it in <tt class="filename">inetd.conf</tt>, then you probably edited
+that file incorrectly. If you installed it as a daemon, then check that
+it is running, and check that the netbios-ssn port is in a LISTEN
+state using <b class="command">netstat -a</b>.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2969931"></a>
+<a class="indexterm" name="id2969939"></a>
+Some UNIX/Linux systems use <b class="command">xinetd</b> in place of
+<b class="command">inetd</b>. Check your system documentation for the location
+of the control files for your particular system implementation of
+the network super daemon.
+</p></div><p>
+If you get a message saying “<span class="quote"><span class="errorname">session request failed</span></span>”, the server refused the
+connection. If it says “<span class="quote">Your server software is being unfriendly</span>”, then
+it's probably because you have invalid command line parameters to <span class="application">smbd</span>,
+or a similar fatal problem with the initial startup of <span class="application">smbd</span>. Also
+check your config file (<tt class="filename">smb.conf</tt>) for syntax errors with <span class="application">testparm</span>
+and that the various directories where Samba keeps its log and lock
+files exist.
+</p><p>
+There are a number of reasons for which smbd may refuse or decline
+a session request. The most common of these involve one or more of
+the <tt class="filename">smb.conf</tt> file entries as shown in <link linkend="modif1">.
+</p><p>
+</p><div class="example"><a name="modif1"></a><p class="title"><b>Example 33.2. Configuration for only allowing connections from a certain subnet</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[globals]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>hosts deny = ALL</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = xxx.xxx.xxx.xxx/yy</tt></i></td></tr><tr><td><i class="parameter"><tt>interfaces = eth0</tt></i></td></tr><tr><td><i class="parameter"><tt>bind interfaces only = Yes</tt></i></td></tr><tr><td>...</td></tr></table></div><p>
+</p><p>
+In the above, no allowance has been made for any session requests that
+will automatically translate to the loopback adapter address 127.0.0.1.
+To solve this problem, change these lines as shown in <link linkend="modif2">.
+</p><p>
+</p><div class="example"><a name="modif2"></a><p class="title"><b>Example 33.3. Configuration for allowing connections from a certain subnet and localhost</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[globals]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>hosts deny = ALL</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = xxx.xxx.xxx.xxx/yy 127.</tt></i></td></tr><tr><td><i class="parameter"><tt>interfaces = eth0 lo</tt></i></td></tr><tr><td>...</td></tr></table></div><p>
+</p><p>
+<a class="indexterm" name="id2970193"></a>
+Another common cause of these two errors is having something already running
+<a class="indexterm" name="id2970203"></a>
+on port <tt class="constant">139</tt>, such as Samba (<span class="application">smbd</span> is running from <span class="application">inetd</span> already) or
+something like Digital's Pathworks. Check your <tt class="filename">inetd.conf</tt> file before trying
+to start <span class="application">smbd</span> as a daemon it can avoid a lot of frustration!
+</p><p>
+And yet another possible cause for failure of this test is when the subnet mask
+and/or broadcast address settings are incorrect. Please check that the
+network interface IP Address/Broadcast Address/Subnet Mask settings are
+correct and that Samba has correctly noted these in the <tt class="filename">log.nmbd</tt> file.
+</p></li><li><p>
+Run the command: <b class="command">nmblookup -B BIGSERVER __SAMBA__</b>.
+You should get back the IP address of your Samba server.
+</p><p>
+If you do not, then nmbd is incorrectly installed. Check your <tt class="filename">inetd.conf</tt>
+if you run it from there, or that the daemon is running and listening to udp port 137.
+</p><p>
+One common problem is that many inetd implementations can't take many
+parameters on the command line. If this is the case, then create a
+one-line script that contains the right parameters and run that from
+inetd.
+</p></li><li><p>
+Run the command: <b class="command">nmblookup -B ACLIENT `*'</b>
+</p><p>
+You should get the PC's IP address back. If you do not then the client
+software on the PC isn't installed correctly, or isn't started, or you
+got the name of the PC wrong.
+</p><p>
+If ACLIENT does not resolve via DNS then use the IP address of the
+client in the above test.
+</p></li><li><p>
+Run the command: <b class="command">nmblookup -d 2 '*'</b>
+</p><p>
+This time we are trying the same as the previous test but are trying
+it via a broadcast to the default broadcast address. A number of
+NetBIOS/TCP/IP hosts on the network should respond, although Samba may
+not catch all of the responses in the short time it listens. You
+should see the “<span class="quote"><span class="errorname">got a positive name query response</span></span>”
+messages from several hosts.
+</p><p>
+If this does not give a similar result to the previous test, then
+nmblookup isn't correctly getting your broadcast address through its
+automatic mechanism. In this case you should experiment with the
+<a class="indexterm" name="id2970377"></a><i class="parameter"><tt>interfaces</tt></i> option in <tt class="filename">smb.conf</tt> to manually configure your IP
+address, broadcast and netmask.
+</p><p>
+If your PC and server aren't on the same subnet, then you will need to use the
+<tt class="option">-B</tt> option to set the broadcast address to that of the PCs subnet.
+</p><p>
+This test will probably fail if your subnet mask and broadcast address are
+not correct. (Refer to TEST 3 notes above).
+</p></li><li><p>
+<a class="indexterm" name="id2970428"></a>
+Run the command: <b class="command">smbclient //BIGSERVER/TMP</b>. You should
+then be prompted for a password. You should use the password of the account
+with which you are logged into the UNIX box. If you want to test with
+another account, then add the <tt class="option">-U accountname</tt> option to the end of
+the command line. For example, <b class="command">smbclient //bigserver/tmp -Ujohndoe</b>.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+It is possible to specify the password along with the username as follows:
+<b class="command">smbclient //bigserver/tmp -Ujohndoe%secret</b>.
+</p></div><p>
+Once you enter the password, you should get the <tt class="prompt">smb></tt> prompt. If you
+do not, then look at the error message. If it says “<span class="quote"><span class="errorname">invalid network
+name</span></span>”, then the service <i class="parameter"><tt>tmp</tt></i> is not correctly setup in your <tt class="filename">smb.conf</tt>.
+</p><p>
+If it says “<span class="quote"><span class="errorname">bad password</span></span>”, then the likely causes are:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ You have shadow passwords (or some other password system) but didn't
+ compile in support for them in <span class="application">smbd</span>.
+ </p></li><li><p>
+ Your <a class="indexterm" name="id2970549"></a><i class="parameter"><tt>valid users</tt></i> configuration is incorrect.
+ </p></li><li><p>
+ You have a mixed case password and you haven't enabled the <a class="indexterm" name="id2970572"></a><i class="parameter"><tt>password level</tt></i> option at a high enough level.
+ </p></li><li><p>
+ The <a class="indexterm" name="id2970595"></a><i class="parameter"><tt>path</tt></i> line in <tt class="filename">smb.conf</tt> is incorrect. Check it with <span class="application">testparm</span>.
+ </p></li><li><p>
+ You enabled password encryption but didn't map UNIX to Samba users. Run:
+ <b class="command">smbpasswd -a username</b>
+ </p></li></ol></div><p>
+Once connected, you should be able to use the commands <b class="command">dir</b>, <b class="command">get</b>,
+<b class="command">put</b> and so on. Type <b class="command">help command</b> for instructions. You should
+especially check that the amount of free disk space shown is correct when you type <b class="command">dir</b>.
+</p></li><li><p>
+On the PC, type the command <b class="command">net view \\BIGSERVER</b>. You will
+need to do this from within a dos prompt window. You should get back a
+list of shares available on the server.
+</p><p>
+If you get a message “<span class="quote"><span class="errorname">network name not found</span></span>” or similar error, then netbios
+name resolution is not working. This is usually caused by a problem in <b class="command">nmbd</b>.
+To overcome it, you could do one of the following (you only need to choose one of them):
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Fixup the <span class="application">nmbd</span> installation.
+</p></li><li><p>
+ Add the IP address of BIGSERVER to the <b class="command">wins server</b> box in the
+ advanced TCP/IP setup on the PC.
+</p></li><li><p>
+ Enable Windows name resolution via DNS in the advanced section of the TCP/IP setup.
+</p></li><li><p>
+ Add BIGSERVER to your lmhosts file on the PC.
+</p></li></ol></div><p>
+If you get a message “<span class="quote"><span class="errorname">invalid network name</span></span>” or
+“<span class="quote"><span class="errorname">bad password error</span></span>”, then apply the
+same fixes as for the <b class="command">smbclient -L</b> test above. In
+particular, make sure your <b class="command">hosts allow</b> line is correct (see the man pages).
+</p><p>
+Also, do not overlook that fact that when the workstation requests the
+connection to the Samba server, it will attempt to connect using the
+name with which you logged onto your Windows machine. You need to make
+sure that an account exists on your Samba server with that exact same
+name and password.
+</p><p>
+If you get a message “<span class="quote"><span class="errorname">specified computer is not receiving requests</span></span>” or similar,
+it probably means that the host is not contactable via TCP services.
+Check to see if the host is running TCP wrappers, and if so add an entry in
+the <tt class="filename">hosts.allow</tt> file for your client (or subnet, and so on.)
+</p></li><li><p>
+Run the command <b class="command">net use x: \\BIGSERVER\TMP</b>. You should
+be prompted for a password, then you should get a <tt class="computeroutput">command completed
+successfully</tt> message. If not, then your PC software is incorrectly
+installed or your <tt class="filename">smb.conf</tt> is incorrect. Make sure your <i class="parameter"><tt>hosts allow</tt></i>
+and other config lines in <tt class="filename">smb.conf</tt> are correct.
+</p><p>
+It's also possible that the server can't work out what user name to connect you as.
+To see if this is the problem, add the line
+<a class="indexterm" name="id2970891"></a><i class="parameter"><tt>user</tt></i> = username to the
+<i class="parameter"><tt>[tmp]</tt></i> section of
+<tt class="filename">smb.conf</tt> where <i class="parameter"><tt>username</tt></i> is the
+username corresponding to the password you typed. If you find this
+fixes things, you may need the username mapping option.
+</p><p>
+It might also be the case that your client only sends encrypted passwords
+and you have <a class="indexterm" name="id2970934"></a><i class="parameter"><tt>encrypt passwords</tt></i> = no in <tt class="filename">smb.conf</tt>.
+Change this to "yes" to fix this.
+</p></li><li><p>
+Run the command <b class="command">nmblookup -M <i class="parameter"><tt>testgroup</tt></i></b> where
+<i class="parameter"><tt>testgroup</tt></i> is the name of the workgroup that your Samba server and
+Windows PCs belong to. You should get back the IP address of the
+master browser for that workgroup.
+</p><p>
+If you do not, then the election process has failed. Wait a minute to
+see if it is just being slow, then try again. If it still fails after
+that, then look at the browsing options you have set in <tt class="filename">smb.conf</tt>. Make
+sure you have <a class="indexterm" name="id2971004"></a><i class="parameter"><tt>preferred master</tt></i> = yes to ensure that
+an election is held at startup.
+</p></li><li><p>
+>From file manager, try to browse the server. Your Samba server should
+appear in the browse list of your local workgroup (or the one you
+specified in <tt class="filename">smb.conf</tt>). You should be able to double click on the name
+of the server and get a list of shares. If you get the error message “<span class="quote">invalid password</span>”,
+ you are probably running Windows NT and it
+is refusing to browse a server that has no encrypted password
+capability and is in User Level Security mode. In this case, either set
+<a class="indexterm" name="id2971052"></a><i class="parameter"><tt>security</tt></i> = server and
+<a class="indexterm" name="id2971066"></a><i class="parameter"><tt>password server</tt></i> = Windows_NT_Machine in your
+<tt class="filename">smb.conf</tt> file, or make sure <a class="indexterm" name="id2971087"></a><i class="parameter"><tt>encrypt passwords</tt></i> is
+set to “<span class="quote">yes</span>”.
+</p></li></ol></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="troubleshooting.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="problems.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part V. Troubleshooting </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 34. Analyzing and Solving Samba Problems</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Domain Membership</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"><link rel="next" href="StandAloneServer.html" title="Chapter 8. Stand-alone Servers"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. Domain Membership</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="domain-member"></a>Chapter 7. Domain Membership</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><tt class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="domain-member.html#id2893185">Features and Benefits</a></dt><dt><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt><a href="domain-member.html#id2894113">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2894194">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2894926">Why Is This Better Than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2895131">Configure smb.conf</a></dt><dt><a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt><a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2895840">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2895877">Sharing User ID Mappings between Samba Domain Members</a></dt><dt><a href="domain-member.html#id2896009">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2896038">Cannot Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2896072">Adding Machine to Domain Fails</a></dt><dt><a href="domain-member.html#id2896237">I Can't Join a Windows 2003 PDC</a></dt></dl></dd></dl></div><p>
+Domain Membership is a subject of vital concern. Samba must be able to
+participate as a member server in a Microsoft Domain Security context, and
+Samba must be capable of providing Domain machine member trust accounts,
+otherwise it would not be able to offer a viable option for many users.
+</p><p>
+This chapter covers background information pertaining to Domain Membership,
+the Samba configuration for it, and MS Windows client procedures for joining a
+domain. Why is this necessary? Because both are areas in which there exists
+within the current MS Windows networking world and particularly in the
+UNIX/Linux networking and administration world, a considerable level of
+misinformation, incorrect understanding and a lack of knowledge. Hopefully
+this chapter will fill the voids.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2893185"></a>Features and Benefits</h2></div></div><div></div></div><p>
+MS Windows workstations and servers that want to participate in Domain Security need to
+be made Domain Members. Participating in Domain Security is often called
+<span class="emphasis"><em>Single Sign On</em></span> or <span class="acronym">SSO</span> for short. This
+chapter describes the process that must be followed to make a workstation
+(or another server be it an <span class="application">MS Windows NT4 / 200x</span>
+server) or a Samba server a member of an MS Windows Domain Security context.
+</p><p>
+<a class="indexterm" name="id2893226"></a>
+Samba-3 can join an MS Windows NT4-style domain as a native member server, an
+MS Windows Active Directory Domain as a native member server, or a Samba Domain
+Control network. Domain Membership has many advantages:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+<a class="indexterm" name="id2893250"></a>
+ MS Windows workstation users get the benefit of SSO.
+ </p></li><li><p>
+ Domain user access rights and file ownership/access controls can be set
+ from the single Domain Security Account Manager (SAM) database
+ (works with Domain Member servers as well as with MS Windows workstations
+ that are Domain Members).
+ </p></li><li><p>
+ Only <span class="application">MS Windows NT4/200x/XP Professional</span>
+ workstations that are Domain Members can use network logon facilities.
+ </p></li><li><p>
+ Domain Member workstations can be better controlled through the use of
+ Policy files (<tt class="filename">NTConfig.POL</tt>) and Desktop Profiles.
+ </p></li><li><p>
+ Through the use of logon scripts, users can be given transparent access to network
+ applications that run off application servers.
+ </p></li><li><p>
+ Network administrators gain better application and user access management
+ abilities because there is no need to maintain user accounts on any network
+ client or server, other than the central Domain database
+ (either NT4/Samba SAM style Domain, NT4 Domain that is backended with an
+ LDAP directory, or via an Active Directory infrastructure).
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="machine-trust-accounts"></a>MS Windows Workstation/Server Machine Trust Accounts</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2893338"></a>
+A Machine Trust Account is an account that is used to authenticate a client
+machine (rather than a user) to the Domain Controller server. In Windows terminology,
+this is known as a “<span class="quote">Computer Account.</span>” The purpose of the machine account
+is to prevent a rogue user and Domain Controller from colluding to gain access to a
+domain member workstation.
+</p><p>
+The password of a Machine Trust Account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT/200x/XP Professional clients use machine trust
+accounts, but Windows 9x/Me/XP Home clients do not. Hence, a
+Windows 9x/Me/XP Home client is never a true member of a Domain
+because it does not possess a Machine Trust Account, and, thus, has no
+shared secret with the Domain Controller.
+</p><p>
+A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry.
+The introduction of MS Windows 2000 saw the introduction of Active Directory,
+the new repository for Machine Trust Accounts. A Samba PDC, however, stores
+each Machine Trust Account in two parts,
+as follows:
+
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ A Domain Security Account (stored in the
+ <a class="indexterm" name="id2893387"></a><i class="parameter"><tt>passdb backend</tt></i> that has been configured in the
+ <tt class="filename">smb.conf</tt> file. The precise nature of the account information that is
+ stored depends on the type of backend database that has been chosen.
+ </p><p>
+ The older format of this data is the <tt class="filename">smbpasswd</tt> database
+ that contains the UNIX login ID, the UNIX user identifier (UID), and the
+ LanMan and NT encrypted passwords. There is also some other information in
+ this file that we do not need to concern ourselves with here.
+ </p><p>
+ The two newer database types are called ldapsam, and
+ tdbsam. Both store considerably more data than the
+ older <tt class="filename">smbpasswd</tt> file did. The extra information
+ enables new user account controls to be implemented.
+ </p></li><li><p>
+ A corresponding UNIX account, typically stored in
+ <tt class="filename">/etc/passwd</tt>. Work is in progress to allow a
+ simplified mode of operation that does not require UNIX user accounts, but
+ this may not be a feature of the early releases of Samba-3.
+ </p></li></ul></div><p>
+</p><p>
+<a class="indexterm" name="id2893465"></a>
+There are three ways to create Machine Trust Accounts:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Manual creation from the UNIX/Linux command line. Here, both the Samba and
+ corresponding UNIX account are created by hand.
+ </p></li><li><p>
+ <a class="indexterm" name="id2893494"></a>
+ Using the MS Windows NT4 Server Manager, either from an NT4 Domain Member
+ server, or using the Nexus toolkit available from the Microsoft Web site.
+ This tool can be run from any MS Windows machine as long as the user is
+ logged on as the administrator account.
+ </p></li><li><p>
+ “<span class="quote">On-the-fly</span>” creation. The Samba Machine Trust Account is automatically
+ created by Samba at the time the client is joined to the domain.
+ (For security, this is the recommended method.) The corresponding UNIX
+ account may be created automatically or manually.
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893524"></a>Manual Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
+The first step in manually creating a Machine Trust Account is to manually
+create the corresponding UNIX account in <tt class="filename">/etc/passwd</tt>.
+This can be done using <b class="command">vipw</b> or another “<span class="quote">add user</span>” command
+that is normally used to create new UNIX accounts. The following is an example for
+a Linux-based Samba server:
+</p><p>
+<a class="indexterm" name="id2893561"></a>
+<a class="indexterm" name="id2893570"></a>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/sbin/useradd -g machines -d /dev/null -c <i class="replaceable"><tt>"machine nickname"</tt></i> \
+ -s /bin/false <i class="replaceable"><tt>machine_name</tt></i>$ </tt></b>
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>passwd -l <i class="replaceable"><tt>machine_name</tt></i>$</tt></b>
+</pre><p>
+</p><p>In the above example above there is an existing system group “<span class="quote">machines</span>” which is used
+as the primary group for all machine accounts. In the following examples the “<span class="quote">machines</span>” group has
+numeric GID equal 100.</p><p>
+<a class="indexterm" name="id2893643"></a>
+On *BSD systems, this can be done using the <b class="command">chpass</b> utility:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>chpass -a \
+'<i class="replaceable"><tt>machine_name</tt></i>$:*:101:100::0:0:Windows <i class="replaceable"><tt>machine_name</tt></i>:/dev/null:/sbin/nologin'</tt></b>
+</pre><p>
+</p><p>
+The <tt class="filename">/etc/passwd</tt> entry will list the machine name
+with a “<span class="quote">$</span>” appended, will not have a password, will have a null shell and no
+home directory. For example, a machine named “<span class="quote">doppy</span>” would have an
+<tt class="filename">/etc/passwd</tt> entry like this:
+</p><pre class="programlisting">
+doppy$:x:505:100:<i class="replaceable"><tt>machine_nickname</tt></i>:/dev/null:/bin/false
+</pre><p>
+Above, <i class="replaceable"><tt>machine_nickname</tt></i> can be any
+descriptive name for the client, i.e., BasementComputer.
+<i class="replaceable"><tt>machine_name</tt></i> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The “<span class="quote">$</span>” must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a Machine Trust Account.
+</p><p>
+Now that the corresponding UNIX account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+Machine Trust Account password. This can be done using the
+<b class="command">smbpasswd</b> command
+as shown here:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -a -m <i class="replaceable"><tt>machine_name</tt></i></tt></b>
+</pre><p>
+</p><p>
+where <i class="replaceable"><tt>machine_name</tt></i> is the machine's NetBIOS
+name. The RID of the new machine account is generated from the UID of
+the corresponding UNIX account.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Join the client to the domain immediately</h3><p>
+Manually creating a Machine Trust Account using this method is the
+equivalent of creating a Machine Trust Account on a Windows NT PDC using
+<a class="indexterm" name="id2893821"></a>
+the <span class="application">Server Manager</span>. From the time at which the
+account is created to the time the client joins the domain and
+changes the password, your domain is vulnerable to an intruder joining
+your domain using a machine with the same NetBIOS name. A PDC inherently
+trusts members of the domain and will serve out a large degree of user
+information to such clients. You have been warned!
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2893846"></a>Managing Domain Machine Accounts using NT4 Server Manager</h3></div></div><div></div></div><p>
+A working <a class="indexterm" name="id2893857"></a><i class="parameter"><tt>add machine script</tt></i> script is essential
+for machine trust accounts to be automatically created. This applies no matter whether
+one uses automatic account creation, or if one wishes to use the NT4 Domain Server Manager.
+</p><p>
+<a class="indexterm" name="id2893879"></a>
+If the machine from which you are trying to manage the domain is an
+<span class="application">MS Windows NT4 workstation or MS Windows 200x/XP Professional</span>,
+the tool of choice is the package called <b class="command">SRVTOOLS.EXE</b>.
+When executed in the target directory it will unpack <b class="command">SrvMgr.exe</b>
+and <b class="command">UsrMgr.exe</b> (both are domain management tools for MS Windows NT4 workstation).
+</p><p>
+<a class="indexterm" name="id2893924"></a>
+If your workstation is a <span class="application">Microsoft Windows 9x/Me</span> family product
+ you should download the <b class="command">Nexus.exe</b> package from the Microsoft web site.
+When executed from the target directory this will unpack the same tools but for use on
+this platform.
+</p><p>
+Further information about these tools may be obtained from the following locations:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;173673">http://support.microsoft.com/default.aspx?scid=kb;en-us;173673</ulink></td></tr><tr><td><ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;172540">http://support.microsoft.com/default.aspx?scid=kb;en-us;172540</ulink></td></tr></table><p>
+</p><p>
+Launch the <b class="command">srvmgr.exe</b> (Server Manager for Domains) and follow these steps:
+</p><div class="procedure"><p class="title"><b>Procedure 7.1. Server Manager Account Machine Account Management</b></p><ol type="1"><li><p>
+ From the menu select <span class="guimenu">Computer</span>.
+ </p></li><li><p>
+ Click <span class="guimenuitem">Select Domain</span>.
+ </p></li><li><p>
+ Click the name of the domain you wish to administer in the
+ <span class="guilabel">Select Domain</span> panel and then click
+ <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Again from the menu select <span class="guimenu">Computer</span>.
+ </p></li><li><p>
+ Select <span class="guimenuitem">Add to Domain</span>.
+ </p></li><li><p>
+ In the dialog box, click the radio button to
+ <span class="guilabel">Add NT Workstation of Server</span>, then
+ enter the machine name in the field provided, and click the
+ <span class="guibutton">Add</span> button.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894113"></a>On-the-Fly Creation of Machine Trust Accounts</h3></div></div><div></div></div><p>
+The second (and recommended) way of creating Machine Trust Accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain.
+</p><p>Since each Samba Machine Trust Account requires a corresponding UNIX account, a method
+for automatically creating the UNIX account is usually supplied; this requires configuration of the
+add machine script option in <tt class="filename">smb.conf</tt>. This method is not required, however, corresponding UNIX
+accounts may also be created manually.
+</p><p>
+Here is an example for a Red Hat Linux system.
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td># <...remainder of parameters...></td></tr><tr><td><i class="parameter"><tt>add machine script = /usr/sbin/useradd -d /dev/null -g 100 \</tt></i></td></tr><tr><td><i class="parameter"><tt> -s /bin/false -M %u</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894194"></a>Making an MS Windows Workstation or Server a Domain Member</h3></div></div><div></div></div><p>
+The procedure for making an MS Windows workstation or server a member of the domain varies
+with the version of Windows.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2894206"></a>Windows 200x/XP Professional Client</h4></div></div><div></div></div><p>
+ When the user elects to make the client a Domain Member, Windows 200x prompts for
+ an account and password that has privileges to create machine accounts in the domain.
+ A Samba Administrator Account (i.e., a Samba account that has <tt class="constant">root</tt> privileges on the
+ Samba server) must be entered here; the operation will fail if an ordinary user
+ account is given.
+ </p><p>
+ For security reasons, the password for this Administrator Account should be set
+ to a password that is other than that used for the root user in <tt class="filename">/etc/passwd</tt>.
+ </p><p>
+ The name of the account that is used to create Domain Member machine accounts can be
+ anything the network administrator may choose. If it is other than <tt class="constant">root</tt>
+ then this is easily mapped to <tt class="constant">root</tt> in the file named in the <tt class="filename">smb.conf</tt> parameter
+ <a class="indexterm" name="id2894264"></a><i class="parameter"><tt>username map</tt></i> = /etc/samba/smbusers.
+ </p><p>
+ The session key of the Samba Administrator Account acts as an encryption key for setting the password of the machine trust
+ account. The Machine Trust Account will be created on-the-fly, or updated if it already exists.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2894288"></a>Windows NT4 Client</h4></div></div><div></div></div><p>
+ If the Machine Trust Account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box <span class="guilabel">Create a Computer Account in the Domain</span>.
+ In this case, the existing Machine Trust Account is used to join the machine
+ to the domain.
+ </p><p>
+ If the Machine Trust Account is to be created on-the-fly, on the Identification Changes menu enter the domain
+ name and check the box <span class="guilabel">Create a Computer Account in the Domain</span>. In this case, joining
+ the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba Administrator Account when
+ prompted).
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2894329"></a>Samba Client</h4></div></div><div></div></div><p>Joining a Samba client to a domain is documented in
+ <link linkend="domain-member-server">.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domain-member-server"></a>Domain Member Server</h2></div></div><div></div></div><p>
+This mode of server operation involves the Samba machine being made a member
+of a domain security context. This means by definition that all user
+authentication will be done from a centrally defined authentication regime.
+The authentication regime may come from an NT3/4-style (old domain technology)
+server, or it may be provided from an Active Directory server (ADS) running on
+MS Windows 2000 or later.
+</p><p>
+<span class="emphasis"><em>
+Of course it should be clear that the authentication backend itself could be
+from any distributed directory architecture server that is supported by Samba.
+This can be LDAP (from OpenLDAP), or Sun's iPlanet, or NetWare Directory
+Server, and so on.
+</em></span>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
+When Samba is configured to use an LDAP, or other identity management and/or
+directory service, it is Samba that continues to perform user and machine
+authentication. It should be noted that the LDAP server does not perform
+authentication handling in place of what Samba is designed to do.
+</div><p>
+Please refer to <link linkend="samba-pdc">, for more information regarding
+how to create a domain machine account for a Domain Member server as well as for
+information on how to enable the Samba Domain Member machine to join the domain
+and be fully trusted by it.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894418"></a>Joining an NT4-type Domain with Samba-3</h3></div></div><div></div></div><p><link linkend="assumptions"> lists names that have been used in the remainder of this chapter.</p><div class="table"><a name="assumptions"></a><p class="title"><b>Table 7.1. Assumptions</b></p><table summary="Assumptions" border="1"><colgroup><col align="right"><col align="left"></colgroup><tbody><tr><td align="right">NetBIOS name:</td><td align="left">SERV1</td></tr><tr><td align="right">Windows 200x/NT domain name:</td><td align="left">MIDEARTH</td></tr><tr><td align="right">Domain's PDC NetBIOS name:</td><td align="left">DOMPDC</td></tr><tr><td align="right">Domain's BDC NetBIOS names:</td><td align="left">DOMBDC1 and DOMBDC2</td></tr></tbody></table></div><p>
+First, you must edit your <tt class="filename">smb.conf</tt> file to tell Samba it should now use domain security.
+</p><p>
+ Change (or add) your
+ <a class="indexterm" name="id2894532"></a><i class="parameter"><tt>security</tt></i> line in the [global] section
+of your <tt class="filename">smb.conf</tt> to read:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = domain</tt></i></td></tr></table><p>
+</p><p>
+Next change the <a class="indexterm" name="id2894576"></a><i class="parameter"><tt>workgroup</tt></i> line in the <i class="parameter"><tt>[global]</tt></i>
+section to read:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr></table><p>
+</p><p>
+This is the name of the domain we are joining.
+</p><p>
+You must also have the parameter <a class="indexterm" name="id2894625"></a><i class="parameter"><tt>encrypt passwords</tt></i>
+set to <tt class="constant">yes</tt> in order for your users to authenticate to the NT PDC.
+This is the defaulty setting if this parameter is not specified. There is no need to specify this
+parameter, but if it is specified in the <tt class="filename">smb.conf</tt> file, it must be set to <tt class="constant">Yes</tt>.
+</p><p>
+Finally, add (or modify) a <a class="indexterm" name="id2894664"></a><i class="parameter"><tt>password server</tt></i> line in the [global]
+section to read:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = DOMPDC DOMBDC1 DOMBDC2</tt></i></td></tr></table><p>
+</p><p>
+These are the primary and backup Domain Controllers Samba
+will attempt to contact in order to authenticate users. Samba will
+try to contact each of these servers in order, so you may want to
+rearrange this list in order to spread out the authentication load
+among Domain Controllers.
+</p><p>
+Alternately, if you want smbd to automatically determine
+the list of Domain Controllers to use for authentication, you may
+set this line to be:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = *</tt></i></td></tr></table><p>
+</p><p>
+This method allows Samba to use exactly the same mechanism that NT does. The
+method either uses broadcast-based name resolution, performs a WINS database
+lookup in order to find a Domain Controller against which to authenticate,
+or locates the Domain Controller using DNS name resolution.
+</p><p>
+To join the domain, run this command:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net join -S DOMPDC -U<i class="replaceable"><tt>Administrator%password</tt></i></tt></b>
+</pre><p>
+</p><p>
+If the <tt class="option">-S DOMPDC</tt> argument is not given, the domain name will be obtained from <tt class="filename">smb.conf</tt>.
+</p><p>
+The machine is joining the domain DOM, and the PDC for that domain (the only machine
+that has write access to the domain SAM database) is DOMPDC, therefore use the <tt class="option">-S</tt>
+option. The <i class="replaceable"><tt>Administrator%password</tt></i> is the login name and
+password for an account that has the necessary privilege to add machines to the
+domain. If this is successful, you will see the message in your terminal window the
+text shown below. Where the older NT4 style domain architecture is used:
+</p><pre class="screen">
+<tt class="computeroutput">Joined domain DOM.</tt>
+</pre><p>
+</p><p>
+Where Active Directory is used:
+</p><pre class="screen">
+<tt class="computeroutput">Joined SERV1 to realm MYREALM.</tt>
+</pre><p>
+</p><p>
+Refer to the <b class="command">net</b> man page for further information.
+</p><p>
+This process joins the server to the domain without having to create the machine
+trust account on the PDC beforehand.
+</p><p>
+This command goes through the machine account password change protocol, then writes
+the new (random) machine account password for this Samba server into a file in the
+same directory in which a smbpasswd file would be normally stored:
+</p><pre class="screen">
+<tt class="filename">/usr/local/samba/private/secrets.tdb</tt>
+or
+<tt class="filename">/etc/samba/secrets.tdb</tt>.
+</pre><p>
+</p><p>
+This file is created and owned by root and is not readable by any other user. It is
+the key to the Domain-level security for your system, and should be treated as carefully
+as a shadow password file.
+</p><p>
+Finally, restart your Samba daemons and get ready for clients to begin using domain
+security. The way you can restart your Samba daemons depends on your distribution,
+but in most cases the following will suffice:
+</p><pre class="screen">
+<tt class="prompt">root# </tt>/etc/init.d/samba restart
+</pre><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2894926"></a>Why Is This Better Than <i class="parameter"><tt>security = server</tt></i>?</h3></div></div><div></div></div><p>
+Currently, domain security in Samba does not free you from
+having to create local UNIX users to represent the users attaching
+to your server. This means that if Domain user <tt class="constant">DOM\fred
+</tt> attaches to your Domain Security Samba server, there needs
+to be a local UNIX user fred to represent that user in the UNIX
+file system. This is similar to the older Samba security mode
+<a class="indexterm" name="id2894953"></a><i class="parameter"><tt>security</tt></i> = server,
+where Samba would pass through the authentication request to a Windows
+NT server in the same way as a Windows 95 or Windows 98 server would.
+</p><p>
+Please refer to <link linkend="winbind">, for information on a system
+to automatically assign UNIX UIDs and GIDs to Windows NT Domain users and groups.
+</p><p>
+The advantage to Domain-level security is that the
+authentication in Domain-level security is passed down the authenticated
+RPC channel in exactly the same way that an NT server would do it. This
+means Samba servers now participate in domain trust relationships in
+exactly the same way NT servers do (i.e., you can add Samba servers into
+a resource domain and have the authentication passed on from a resource
+domain PDC to an account domain PDC).
+</p><p>
+In addition, with <a class="indexterm" name="id2894999"></a><i class="parameter"><tt>security</tt></i> = server, every Samba
+daemon on a server has to keep a connection open to the
+authenticating server for as long as that daemon lasts. This can drain
+the connection resources on a Microsoft NT server and cause it to run
+out of available connections. With <a class="indexterm" name="id2895018"></a><i class="parameter"><tt>security</tt></i> = domain,
+however, the Samba daemons connect to the PDC/BDC only for as long
+as is necessary to authenticate the user and then drop the connection,
+thus conserving PDC connection resources.
+</p><p>
+And finally, acting in the same manner as an NT server
+authenticating to a PDC means that as part of the authentication
+reply, the Samba server gets the user identification information such
+as the user SID, the list of NT groups the user belongs to, and so on.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Much of the text of this document was first published in the Web magazine
+<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html</ulink>
+<span class="emphasis"><em>Doing the NIS/NT Samba</em></span>.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ads-member"></a>Samba ADS Domain Membership</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2895091"></a>
+<a class="indexterm" name="id2895100"></a>
+<a class="indexterm" name="id2895111"></a>
+<a class="indexterm" name="id2895119"></a>
+This is a rough guide to setting up Samba-3 with Kerberos authentication against a
+Windows 200x KDC. A familiarity with Kerberos is assumed.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2895131"></a>Configure <tt class="filename">smb.conf</tt></h3></div></div><div></div></div><p>
+You must use at least the following three options in <tt class="filename">smb.conf</tt>:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>realm = your.kerberos.REALM</tt></i></td></tr><tr><td><i class="parameter"><tt>security = ADS</tt></i></td></tr><tr><td># The following parameter need only be specified if present.</td></tr><tr><td># The default setting is not present is Yes.</td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr></table><p>
+In case samba cannot correctly identify the appropriate ADS server using the realm name, use the
+<a class="indexterm" name="id2895201"></a><i class="parameter"><tt>password server</tt></i> option in <tt class="filename">smb.conf</tt>:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>password server = your.kerberos.server</tt></i></td></tr></table><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+You do <span class="emphasis"><em>not</em></span> need a smbpasswd file, and older clients will be authenticated as
+if <a class="indexterm" name="id2895249"></a><i class="parameter"><tt>security</tt></i> = domain, although it will not do any harm and
+allows you to have local users not in the domain.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2895267"></a>Configure <tt class="filename">/etc/krb5.conf</tt></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2895283"></a>
+<a class="indexterm" name="id2895292"></a>
+With both MIT and Heimdal Kerberos, this is unnecessary, and may be detrimental. All ADS
+domains will automatically create SRV records in the DNS zone <i class="parameter"><tt>_kerberos.REALM.NAME</tt></i> for
+each KDC in the realm. MIT's, as well as Heimdal's, KRB5 libraries default to checking
+for these records, so they will automatically find the KDCs. In addition,
+<tt class="filename">krb5.conf</tt> only allows specifying a single KDC, even there if there is more
+than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available.
+</p><p>
+When manually configuring <tt class="filename">krb5.conf</tt>, the minimal configuration is:
+</p><pre class="programlisting">
+[libdefaults]
+ default_realm = YOUR.KERBEROS.REALM
+
+ [realms]
+ YOUR.KERBEROS.REALM = {
+ kdc = your.kerberos.server
+ }
+</pre><p>
+When using Heimdal versions before 0.6 use the following configuration settings:
+</p><pre class="screen">
+[libdefaults]
+ default_realm = YOUR.KERBEROS.REALM
+ default_etypes = des-cbc-crc des-cbc-md5
+ default_etypes_des = des-cbc-crc des-cbc-md5
+
+ [realms]
+ YOUR.KERBEROS.REALM = {
+ kdc = your.kerberos.server
+ }
+</pre><p>
+</p><p>
+<a class="indexterm" name="id2895372"></a>
+Test your config by doing a <b class="userinput"><tt>kinit
+<i class="replaceable"><tt>USERNAME</tt></i>@<i class="replaceable"><tt>REALM</tt></i></tt></b> and
+making sure that your password is accepted by the Win2000 KDC.
+</p><p>
+With Heimdal versions earlier than 0.6.x you only can use newly created accounts
+in ADS or accounts that have had the password changed once after migration, or
+in case of <tt class="constant">Administrator</tt> after installation. At the
+moment, a Windows 2003 KDC can only be used with a Heimdal releases later than 0.6
+(and no default etypes in krb5.conf). Unfortunatly this whole area is still
+in a state of flux.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The realm must be in uppercase or you will get “<span class="quote"><span class="errorname">Cannot find KDC for
+requested realm while getting initial credentials</span></span>” error (Kerberos
+is case-sensitive!).
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Time between the two servers must be synchronized. You will get a
+“<span class="quote"><span class="errorname">kinit(v5): Clock skew too great while getting initial credentials</span></span>”
+if the time difference is more than five minutes.
+</p></div><p>
+Clock skew limits are configurable in the Kerberos protocols. The default setting is
+five minutes.
+</p><p>
+You also must ensure that you can do a reverse DNS lookup on the IP
+address of your KDC. Also, the name that this reverse lookup maps to
+must either be the NetBIOS name of the KDC (i.e., the hostname with no
+domain attached) or it can alternately be the NetBIOS name followed by the realm.
+</p><p>
+The easiest way to ensure you get this right is to add a
+<tt class="filename">/etc/hosts</tt> entry mapping the IP address of your KDC to
+its NetBIOS name. If you do not get this correct then you will get a
+<span class="errorname">local error</span> when you try to join the realm.
+</p><p>
+If all you want is Kerberos support in <span class="application">smbclient</span> then you can skip
+directly to <link linkend="ads-test-smbclient"> now.
+<link linkend="ads-create-machine-account"> and <link linkend="ads-test-server">
+are needed only if you want Kerberos support for <span class="application">smbd</span> and <span class="application">winbindd</span>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-create-machine-account"></a>Create the Computer Account</h3></div></div><div></div></div><p>
+As a user who has write permission on the Samba private directory (usually root), run:
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>net ads join -U Administrator%password</tt></b>
+</pre><p>
+</p><p>
+When making a Windows client a member of an ADS domain within a complex organization, you
+may want to create the machine account within a particular organizational unit. Samba-3 permits
+this to be done using the following syntax:
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>kinit Administrator@your.kerberos.REALM</tt></b>
+<tt class="prompt">root# </tt> <b class="userinput"><tt>net ads join “<span class="quote">organizational_unit</span>”</tt></b>
+</pre><p>
+</p><p>
+For example, you may want to create the machine account in a container called “<span class="quote">Servers</span>”
+under the organizational directory “<span class="quote">Computers\BusinessUnit\Department</span>” like this:
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>net ads join "Computers\BusinessUnit\Department\Servers"</tt></b>
+</pre><p>
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2895653"></a>Possible Errors</h4></div></div><div></div></div><p>
+</p><div class="variablelist"><dl><dt><span class="term"><span class="errorname">ADS support not compiled in</span></span></dt><dd><p>Samba must be reconfigured (remove config.cache) and recompiled
+ (make clean all install) after the Kerberos libiraries and headers files are installed.
+ </p></dd><dt><span class="term"><span class="errorname">net ads join prompts for user name</span></span></dt><dd><p>You need to login to the domain using <b class="userinput"><tt>kinit
+ <i class="replaceable"><tt>USERNAME</tt></i>@<i class="replaceable"><tt>REALM</tt></i></tt></b>.
+ <i class="replaceable"><tt>USERNAME</tt></i> must be a user who has rights to add a machine
+ to the domain. </p></dd><dt><span class="term">Unsupported encryption/or checksum types</span></dt><dd><p>
+ Make sure that the <tt class="filename">/etc/krb5.conf</tt> is correctly configured
+ for the type and version of Kerberos installed on the system.
+ </p></dd></dl></div><p>
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-server"></a>Testing Server Setup</h3></div></div><div></div></div><p>
+If the join was successful, you will see a new computer account with the
+NetBIOS name of your Samba server in Active Directory (in the “<span class="quote">Computers</span>”
+folder under Users and Computers.
+</p><p>
+On a Windows 2000 client, try <b class="userinput"><tt>net use * \\server\share</tt></b>. You should
+be logged in with Kerberos without needing to know a password. If this fails then run
+<b class="userinput"><tt>klist tickets</tt></b>. Did you get a ticket for the server? Does it have
+an encryption type of DES-CBC-MD5?
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
+Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5 encoding.
+</div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ads-test-smbclient"></a>Testing with <span class="application">smbclient</span></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2895811"></a>
+On your Samba server try to login to a Win2000 server or your Samba
+server using <span class="application">smbclient</span> and Kerberos. Use <span class="application">smbclient</span> as usual, but
+specify the <tt class="option">-k</tt> option to choose Kerberos authentication.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2895840"></a>Notes</h3></div></div><div></div></div><p>
+You must change administrator password at least once after DC
+install, to create the right encryption types.
+</p><p>
+Windows 200x does not seem to create the <i class="parameter"><tt>_kerberos._udp</tt></i> and <i class="parameter"><tt>_ldap._tcp</tt></i> in
+the default DNS setup. Perhaps this will be fixed later in service packs.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2895877"></a>Sharing User ID Mappings between Samba Domain Members</h2></div></div><div></div></div><p>
+Samba maps UNIX users and groups (identified by UIDs and GIDs) to Windows users and groups (identified by SIDs).
+These mappings are done by the <i class="parameter"><tt>idmap</tt></i> subsystem of Samba.
+</p><p>
+In some cases it is useful to share these mappings between Samba Domain Members,
+so <span class="emphasis"><em>name->id</em></span> mapping is identical on all machines.
+This may be needed in particular when sharing files over both CIFS and NFS.
+</p><p>To use the <span class="emphasis"><em>LDAP</em></span> <i class="parameter"><tt>ldap idmap suffix</tt></i>, set:</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>ldap idmap suffix = ou=Idmap,dc=quenya,dc=org</tt></i></td></tr></table><p>See the <tt class="filename">smb.conf</tt> man page entry for the <a class="indexterm" name="id2895952"></a><i class="parameter"><tt>ldap idmap suffix</tt></i>
+parameter for further information.</p><p>
+Do not forget to specify also the <a class="indexterm" name="id2895971"></a><i class="parameter"><tt>ldap admin dn</tt></i>
+and to make certain to set the LDAP administrative password into the <tt class="filename">secrets.tdb</tt> using:
+</p><pre class="screen">
+<tt class="prompt">root# </tt> smbpasswd -w ldap-admin-password
+</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896009"></a>Common Errors</h2></div></div><div></div></div><p>
+In the process of adding/deleting/re-adding Domain Member machine accounts, there are
+many traps for the unwary player and many “<span class="quote">little</span>” things that can go wrong.
+It is particularly interesting how often subscribers on the Samba mailing list have concluded
+after repeated failed attempts to add a machine account that it is necessary to “<span class="quote">re-install</span>”
+MS Windows on the machine. In truth, it is seldom necessary to reinstall because of this type
+of problem. The real solution is often quite simple and with an understanding of how MS Windows
+networking functions, it is easy to overcome.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896038"></a>Cannot Add Machine Back to Domain</h3></div></div><div></div></div><p>
+“<span class="quote">A Windows workstation was re-installed. The original domain machine
+account was deleted and added immediately. The workstation will not join the domain if I use
+the same machine name. Attempts to add the machine fail with a message that the machine already
+exists on the network I know it does not. Why is this failing?</span>”
+</p><p>
+The original name is still in the NetBIOS name cache and must expire after machine account
+deletion before adding that same name as a Domain Member again. The best advice is to delete
+the old account and then add the machine with a new name.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896072"></a>Adding Machine to Domain Fails</h3></div></div><div></div></div><p>
+“<span class="quote">Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a
+message that, <span class="errorname">`The machine could not be added at this time, there is a network problem.
+Please try again later.'</span> Why?</span>”
+</p><p>
+You should check that there is an <a class="indexterm" name="id2896099"></a><i class="parameter"><tt>add machine script</tt></i> in your <tt class="filename">smb.conf</tt>
+file. If there is not, please add one that is appropriate for your OS platform. If a script
+has been defined, you will need to debug its operation. Increase the <a class="indexterm" name="id2896124"></a><i class="parameter"><tt>log level</tt></i>
+in the <tt class="filename">smb.conf</tt> file to level 10, then try to rejoin the domain. Check the logs to see which
+operation is failing.
+</p><p>
+Possible causes include:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ The script does not actually exist, or could not be located in the path specified.
+ </p><p>
+ <span class="emphasis"><em>Corrective action:</em></span> Fix it. Make sure when run manually
+ that the script will add both the UNIX system account and the Samba SAM account.
+ </p></li><li><p>
+ The machine could not be added to the UNIX system accounts file <tt class="filename">/etc/passwd</tt>.
+ </p><p>
+ <span class="emphasis"><em>Corrective action:</em></span> Check that the machine name is a legal UNIX
+ system account name. If the UNIX utility <b class="command">useradd</b> is called,
+ then make sure that the machine name you are trying to add can be added using this
+ tool. <b class="command">Useradd</b> on some systems will not allow any upper case characters
+ nor will it allow spaces in the name.
+ </p></li></ul></div><p>
+The <a class="indexterm" name="id2896217"></a><i class="parameter"><tt>add machine script</tt></i> does not create the
+machine account in the Samba backend database, it is there only to create a UNIX system
+account to which the Samba backend database account can be mapped.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896237"></a>I Can't Join a Windows 2003 PDC</h3></div></div><div></div></div><p>Windows 2003 requires SMB signing. Client side SMB signing has been implemented in Samba-3.0.
+ Set <a class="indexterm" name="id2896249"></a><i class="parameter"><tt>client use spnego</tt></i> = yes when communicating
+ with a Windows 2003 server.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-bdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="StandAloneServer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. Backup Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Stand-alone Servers</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Group Mapping MS Windows and UNIX</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Group Mapping MS Windows and UNIX</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Group Mapping MS Windows and UNIX</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2909551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2909853">Default Users, Groups and Relative Identifiers</a></dt><dt><a href="groupmapping.html#id2910488">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2910567">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2910581">Sample smb.conf Add Group Script</a></dt><dt><a href="groupmapping.html#id2910716">Script to Configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2910824">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2910839">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2910907">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2910933">Adding Domain Users to the Power Users Group</a></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2909098"></a>
+ Starting with Samba-3, new group mapping functionality is available to create associations
+ between Windows group SIDs and UNIX groups. The <b class="command">groupmap</b> subcommand
+ included with the <span class="application">net</span> tool can be used to manage these associations.
+ </p><p>
+ The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide
+ which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map
+ to a UNIX group that has a value other than the default (<tt class="constant">-1</tt>) will be exposed
+ in group selection lists in tools that access domain users and groups.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ <a class="indexterm" name="id2909148"></a>
+ The <i class="parameter"><tt>domain admin group</tt></i> parameter has been removed in Samba-3 and should no longer
+ be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership in the
+ <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
+ (in default configurations).
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2909181"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Samba allows the administrator to create MS Windows NT4/200x group accounts and to
+ arbitrarily associate them with UNIX/Linux group accounts.
+ </p><p>
+<a class="indexterm" name="id2909199"></a>
+<a class="indexterm" name="id2909207"></a>
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
+ Appropriate interface scripts should be provided in <tt class="filename">smb.conf</tt> if it is desired that UNIX/Linux system
+ accounts should be automatically created when these tools are used. In the absence of these scripts, and
+ so long as <b class="command">winbindd</b> is running, Samba group accounts that are created using these
+ tools will be allocated UNIX UIDs/GIDs from the ID range specified by the
+ <a class="indexterm" name="id2909237"></a><i class="parameter"><tt>idmap uid</tt></i>/<a class="indexterm" name="id2909250"></a><i class="parameter"><tt>idmap gid</tt></i>
+ parameters in the <tt class="filename">smb.conf</tt> file.
+ </p><div class="figure"><a name="idmap-sid2gid"></a><p class="title"><b>Figure 12.1. IDMAP: group SID to GID resolution.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-sid2gid.png" width="270" alt="IDMAP: group SID to GID resolution."></div></div><div class="figure"><a name="idmap-gid2sid"></a><p class="title"><b>Figure 12.2. IDMAP: GID resolution to matching SID.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-gid2sid.png" width="270" alt="IDMAP: GID resolution to matching SID."></div></div><p>
+ In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
+ <link linkend="idmap-sid2gid"> and <link linkend="idmap-gid2sid">. The <b class="command">net groupmap</b> is
+ used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">.
+ </p><div class="figure"><a name="idmap-store-gid2sid"></a><p class="title"><b>Figure 12.3. IDMAP storing group mappings.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-store-gid2sid.png" width="270" alt="IDMAP storing group mappings."></div></div><p>
+ <a class="indexterm" name="id2909453"></a>
+ <a class="indexterm" name="id2909460"></a>
+ Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make
+ direct calls to the UNIX/Linux system tools (the shadow utilities, <b class="command">groupadd</b>,
+ <b class="command">groupdel</b>, and <b class="command">groupmod</b>), the resulting UNIX/Linux group names will be subject
+ to any limits imposed by these tools. If the tool does not allow upper case characters
+ or space characters, then the creation of an MS Windows NT4/200x style group of
+ <span class="emphasis"><em>Engineering Managers</em></span> will attempt to create an identically named
+ UNIX/Linux group, an attempt that will of course fail.
+ </p><p>
+ <a class="indexterm" name="id2909513"></a>
+ <a class="indexterm" name="id2909521"></a>
+ There are several possible work-arounds for the operating system tools limitation. One
+ method is to use a script that generates a name for the UNIX/Linux system group that
+ fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID)
+ back to the calling Samba interface. This will provide a dynamic work-around solution.
+ </p><p>
+ Another work-around is to manually create a UNIX/Linux group, then manually create the
+ MS Windows NT4/200x group on the Samba server and then use the <b class="command">net groupmap</b>
+ tool to connect the two to each other.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2909551"></a>Discussion</h2></div></div><div></div></div><p>
+ When installing <span class="application">MS Windows NT4/200x</span> on a computer, the installation
+ program creates default users and groups, notably the <tt class="constant">Administrators</tt> group,
+ and gives that group privileges necessary privileges to perform essential system tasks,
+ such as the ability to change the date and time or to kill (or close) any process running on the
+ local machine.
+ </p><p>
+ <a class="indexterm" name="id2909584"></a>
+ The <tt class="constant">Administrator</tt> user is a member of the <tt class="constant">Administrators</tt> group, and thus inherits
+ <tt class="constant">Administrators</tt> group privileges. If a <tt class="constant">joe</tt> user is created to be a member of the
+ <tt class="constant">Administrators</tt> group, <tt class="constant">joe</tt> has exactly the same rights as the user,
+ <tt class="constant">Administrator</tt>.
+ </p><p>
+ When an MS Windows NT4/200x/XP machine is made a Domain Member, the “<span class="quote">Domain Admins</span>” group of the
+ PDC is added to the local <tt class="constant">Administrators</tt> group of the workstation. Every member of the
+ <tt class="constant">Domain Administrators</tt> group inherits the rights of the local <tt class="constant">Administrators</tt> group when
+ logging on the workstation.
+ </p><p>
+ The following steps describe how to make Samba PDC users members of the <tt class="constant">Domain Admins</tt> group?
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Create a UNIX group (usually in <tt class="filename">/etc/group</tt>), let's call it <tt class="constant">domadm</tt>.
+ </p></li><li><p>
+ Add to this group the users that must be “<span class="quote">Administrators</span>”. For example,
+ if you want <tt class="constant">joe, john</tt> and <tt class="constant">mary</tt> to be administrators,
+ your entry in <tt class="filename">/etc/group</tt> will look like this:
+ </p><pre class="programlisting">
+ domadm:x:502:joe,john,mary
+ </pre><p>
+ </p></li><li><p>
+ Map this domadm group to the “<span class="quote">Domain Admins</span>” group by running the command:
+ </p><p>
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup=“<span class="quote">Domain Admins</span>” UNIXgroup=domadm</tt></b>
+ </pre><p>
+ </p><p>
+ <a class="indexterm" name="id2909766"></a>
+ The quotes around “<span class="quote">Domain Admins</span>” are necessary due to the space in the group name.
+ Also make sure to leave no white-space surrounding the equal character (=).
+ </p></li></ol></div><p>
+ Now <tt class="constant">joe, john</tt> and <tt class="constant">mary</tt> are domain administrators.
+ </p><p>
+ <a class="indexterm" name="id2909799"></a>
+ It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
+ making any UNIX group a Windows domain group. For example, if you wanted to include a
+ UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
+ you would flag that group as a domain group by running the following on the Samba PDC:
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" UNIXgroup=acct</tt></b>
+</pre><p>
+ </p><p>
+ Be aware that the RID parameter is a unsigned 32-bit integer that should
+ normally start at 1000. However, this RID must not overlap with any RID assigned
+ to a user. Verification for this is done differently depending on the passdb backend
+ you are using. Future versions of the tools may perform the verification automatically,
+ but for now the burden is on you.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909853"></a>Default Users, Groups and Relative Identifiers</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2909865"></a>
+<a class="indexterm" name="id2909875"></a>
+ When first installed, Microsoft Windows NT4/200x/XP are preconfigured with certain User, Group, and
+ Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued
+ integrity of operation. Samba must be provisioned with certain essential Domain Groups that require
+ the appropriate RID value. When Samba-3 is configured to use <tt class="constant">tdbsam</tt> the essential
+ Domain Groups are automatically created. It is the LDAP administrators' responsibility to create
+ (provision) the default NT Groups.
+ </p><p>
+ Each essential Domain Group must be assigned its respective well-kown RID. The default Users, Groups,
+ Aliases, and RIDs are shown in <link linkend="WKURIDS">.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
+ When the <i class="parameter"><tt>passdb backend</tt></i> uses LDAP (<tt class="constant">ldapsam</tt>) it is the
+ admininstrators' responsibility to create the essential Domain Groups, and to assign each its default RID.
+ </div><p>
+ It is permissible to create any Domain Group that may be necessary, just make certain that the essential
+ Domain Groups (well known) have been created and assigned its default RID. Other groups you create may
+ be assigned any arbitrary RID you care to use.
+ </p><p>
+ Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group
+ will be available for use as an NT Domain Group.
+ </p><p>
+ </p><div class="table"><a name="WKURIDS"></a><p class="title"><b>Table 12.1. Well-Known User Default RIDs</b></p><table summary="Well-Known User Default RIDs" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Well-Known Entity</th><th align="left">RID</th><th align="left">Type</th><th align="center">Essential</th></tr></thead><tbody><tr><td align="left">Domain Administrator</td><td align="left">500</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Guest</td><td align="left">501</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain KRBTGT</td><td align="left">502</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Admins</td><td align="left">512</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Users</td><td align="left">513</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Guests</td><td align="left">514</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Computers</td><td align="left">515</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Controllers</td><td align="left">516</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Certificate Admins</td><td align="left">517</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Schema Admins</td><td align="left">518</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Enterprise Admins</td><td align="left">519</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Policy Admins</td><td align="left">520</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Builtin Admins</td><td align="left">544</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin users</td><td align="left">545</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Guests</td><td align="left">546</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Power Users</td><td align="left">547</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Account Operators</td><td align="left">548</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin System Operators</td><td align="left">549</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Print Operators</td><td align="left">550</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Backup Operators</td><td align="left">551</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Replicator</td><td align="left">552</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin RAS Servers</td><td align="left">553</td><td align="left">Alias</td><td align="center">No</td></tr></tbody></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910488"></a>Example Configuration</h3></div></div><div></div></div><p>
+ You can list the various groups in the mapping database by executing
+ <b class="command">net groupmap list</b>. Here is an example:
+ </p><a class="indexterm" name="id2910510"></a><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b>
+Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
+Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
+Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
+</pre><p>
+ </p><p>
+ For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910567"></a>Configuration Scripts</h2></div></div><div></div></div><p>
+ Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
+ (i.e., prepared by someone else for general use).
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910581"></a>Sample <tt class="filename">smb.conf</tt> Add Group Script</h3></div></div><div></div></div><p>
+ A script to create complying group names for use by the Samba group interfaces
+ is provided in <link linkend="smbgrpadd.sh">.
+ </p><a class="indexterm" name="id2910610"></a><p>
+</p><div class="example"><a name="smbgrpadd.sh"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
+
+#!/bin/bash
+
+# Add the group using normal system groupadd tool.
+groupadd smbtmpgrp00
+
+thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
+
+# Now change the name to what we want for the MS Windows networking end
+cp /etc/group /etc/group.bak
+cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
+
+# Now return the GID as would normally happen.
+echo $thegid
+exit 0
+</pre></div><p>
+</p><p>
+ The <tt class="filename">smb.conf</tt> entry for the above script would be something like that in <link linkend="smbgrpadd">.
+</p><div class="example"><a name="smbgrpadd"></a><p class="title"><b>Example 12.2. Configuration of smb.conf for the add group script.</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>add group script = /path_to_tool/smbgrpadd.sh %g</tt></i></td></tr><tr><td>...</td></tr></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910716"></a>Script to Configure Group Mapping</h3></div></div><div></div></div><p>
+ In our example we have created a UNIX/Linux group called <span class="emphasis"><em>ntadmin</em></span>.
+ Our script will create the additional groups <span class="emphasis"><em>Orks</em></span>, <span class="emphasis"><em>Elves</em></span>, and <span class="emphasis"><em>Gnomes</em></span>.
+ It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database.
+ For the sake of concenience we elect to save this script as a file called <tt class="filename">initGroups.sh</tt>.
+ This script is given in <link linkend="set-group-map">.
+ </p><p>
+<a class="indexterm" name="id2910771"></a>
+</p><div class="example"><a name="set-group-map"></a><p class="title"><b>Example 12.3. Script to Set Group Mapping</b></p><pre class="programlisting">
+#!/bin/bash
+
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+groupadd Orks
+groupadd Elves
+groupadd Gnomes
+
+net groupmap add ntgroup="Orks" unixgroup=Orks type=d
+net groupmap add ntgroup="Elves" unixgroup=Elves type=d
+net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
+</pre></div><p>
+</p><p>
+ Of course it is expected that the administrator will modify this to suit local needs.
+ For information regarding the use of the <b class="command">net groupmap</b> tool please
+ refer to the man page.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910824"></a>Common Errors</h2></div></div><div></div></div><p>
+At this time there are many little surprises for the unwary administrator. In a real sense
+it is imperative that every step of automated control scripts must be carefully tested
+manually before putting them into active service.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910839"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
+ This is a common problem when the <b class="command">groupadd</b> is called directly
+ by the Samba interface script for the <a class="indexterm" name="id2910858"></a><i class="parameter"><tt>add group script</tt></i> in
+ the <tt class="filename">smb.conf</tt> file.
+ </p><p>
+ The most common cause of failure is an attempt to add an MS Windows group account
+ that has either an upper case character and/or a space character in it.
+ </p><p>
+ There are three possible work-arounds. First, use only group names that comply
+ with the limitations of the UNIX/Linux <b class="command">groupadd</b> system tool.
+ Second, it involves the use of the script mentioned earlier in this chapter, and
+ third is the option is to manually create a UNIX/Linux group account that can substitute
+ for the MS Windows group name, then use the procedure listed above to map that group
+ to the MS Windows group.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910907"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><a class="indexterm" name="id2910916"></a><p>
+ Samba-3 does not support nested groups from the MS Windows control environment.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910933"></a>Adding <span class="emphasis"><em>Domain Users</em></span> to the <span class="emphasis"><em>Power Users</em></span> Group</h3></div></div><div></div></div><p>“<span class="quote">
+ What must I do to add Domain Users to the Power Users group?
+ </span>”</p><a class="indexterm" name="id2910956"></a><p>
+ The Power Users group is a group that is local to each Windows 200x/XP Professional workstation.
+ You cannot add the Domain Users group to the Power Users group automatically, it must be done on
+ each workstation by logging in as the local workstation <span class="emphasis"><em>administrator</em></span> and
+ then using the following procedure:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start -> Control Panel -> Users and Passwords</span>.
+ </p></li><li><p>
+ Click the <span class="guimenuitem">Advanced</span> tab.
+ </p></li><li><p>
+ Click the <span class="guibutton">Advanced</span> button.
+ </p></li><li><p>
+ Click <tt class="constant">Groups</tt>.
+ </p></li><li><p>
+ Double click <tt class="constant">Power Users</tt>. This will launch the panel to add users or groups
+ to the local machine <tt class="constant">Power Uses</tt> group.
+ </p></li><li><p>
+ Click the <span class="guibutton">Add</span> button.
+ </p></li><li><p>
+ Select the domain from which the <tt class="constant">Domain Users</tt> group is to be added.
+ </p></li><li><p>
+ Double click the <tt class="constant">Domain Users</tt> group.
+ </p></li><li><p>
+ Click the <span class="guibutton">Ok</span> button. If a logon box is presented during this process
+ please remember to enter the connect as <tt class="constant">DOMAIN\UserName</tt>. i.e., For the
+ domain <tt class="constant">MIDEARTH</tt> and the user <tt class="constant">root</tt> enter
+ <tt class="constant">MIDEARTH\root</tt>.
+ </p></li></ol></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>SAMBA Project Documentation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><meta name="description" content="
+This book is a collection of HOWTOs added to Samba documentation over the years.
+Samba is always under development, and so is its' documentation. This release of the
+documentation represents a major revision or layout as well as contents.
+The most recent version of this document can be found at
+http://www.samba.org/
+on the "Documentation" page. Please send updates to
+Jelmer Vernooij,
+John H. Terpstra or
+Gerald (Jerry) Carter.
+
+The Samba-Team would like to express sincere thanks to the many people who have with
+or without their knowledge contributed to this update. The size and scope of this
+project would not have been possible without significant community contribution. A not
+insignificant number of ideas for inclusion (if not content itself) has been obtained
+from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
+application knowledge that is most to be desired by many Samba users and administrators.
+"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="pr01.html" title="Legal Notice"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SAMBA Project Documentation</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>SAMBA Project Documentation</h1></div><div><div class="authorgroup"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><h3 class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3></div></div><div><p class="pubdate">Monday April 21, 2003</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>
+This book is a collection of HOWTOs added to Samba documentation over the years.
+Samba is always under development, and so is its' documentation. This release of the
+documentation represents a major revision or layout as well as contents.
+The most recent version of this document can be found at
+<ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
+on the "Documentation" page. Please send updates to
+<ulink url="mailto:jelmer@samba.org">Jelmer Vernooij</ulink>,
+<ulink url="mailto:jht@samba.org">John H. Terpstra</ulink> or
+<ulink url="mailto:jerry@samba.org">Gerald (Jerry) Carter</ulink>.
+</p><p>
+The Samba-Team would like to express sincere thanks to the many people who have with
+or without their knowledge contributed to this update. The size and scope of this
+project would not have been possible without significant community contribution. A not
+insignificant number of ideas for inclusion (if not content itself) has been obtained
+from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
+application knowledge that is most to be desired by many Samba users and administrators.
+</p></div></div></div><div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="pr01.html">Legal Notice</a></dt><dt><a href="pr02.html">Attributions</a></dt><dt>I. <a href="introduction.html">General Installation</a></dt><dd><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2875896">Background</a></dt><dt><a href="IntroSMB.html#id2875954">Terminology</a></dt><dt><a href="IntroSMB.html#id2876091">Related Projects</a></dt><dt><a href="IntroSMB.html#id2876169">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2876258">Epilogue</a></dt><dt><a href="IntroSMB.html#id2876344">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2876533">Obtaining and Installing Samba</a></dt><dt><a href="install.html#id2876568">Configuring Samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2876606">Configuration file syntax</a></dt><dt><a href="install.html#id2876766">Example Configuration</a></dt><dt><a href="install.html#id2885184">SWAT</a></dt></dl></dd><dt><a href="install.html#id2885250">List Shares Available on the Server</a></dt><dt><a href="install.html#id2885315">Connect with a UNIX Client</a></dt><dt><a href="install.html#id2885433">Connect from a Remote SMB Client</a></dt><dt><a href="install.html#id2885526">What If Things Don't Work?</a></dt><dt><a href="install.html#id2885557">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2885570">Large Number of smbd Processes</a></dt><dt><a href="install.html#id2885679">Error Message: open_oplock_ipc</a></dt><dt><a href="install.html#id2885717">The network name cannot be found</a></dt></dl></dd></dl></dd><dt>3. <a href="FastStart.html">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2885815">Note</a></dt></dl></dd></dl></dd><dt>II. <a href="type.html">Server Configuration Basics</a></dt><dd><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2885999">Features and Benefits</a></dt><dt><a href="ServerType.html#id2886097">Server Types</a></dt><dt><a href="ServerType.html#id2886186">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2886291">User Level Security</a></dt><dt><a href="ServerType.html#id2886413">Share Level Security</a></dt><dt><a href="ServerType.html#id2886525">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886821">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886928">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2887204">Password Checking</a></dt><dt><a href="ServerType.html#id2887400">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2887429">What Makes Samba a Server?</a></dt><dt><a href="ServerType.html#id2887468">What Makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2887504">What Makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2887542">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. <a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2870050">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2870321">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2870336">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2889080">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2889458">Domain Control Example Configuration</a></dt><dt><a href="samba-pdc.html#id2889951">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2889989">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890004">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2890570">Common Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890577">$ Cannot Be Included in Machine Name</a></dt><dt><a href="samba-pdc.html#id2890661">Joining Domain Fails Because of Existing Machine Account</a></dt><dt><a href="samba-pdc.html#id2890722">The System Cannot Log You On (C000019B)</a></dt><dt><a href="samba-pdc.html#id2890822">The Machine Trust Account Is Not Accessible</a></dt><dt><a href="samba-pdc.html#id2890899">Account Disabled</a></dt><dt><a href="samba-pdc.html#id2890932">Domain Controller Unavailable</a></dt><dt><a href="samba-pdc.html#id2890954">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt></dl></dd></dl></dd><dt>6. <a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2891162">Features and Benefits</a></dt><dt><a href="samba-bdc.html#id2891552">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2891580">MS Windows NT4-style Domain Control</a></dt><dt><a href="samba-bdc.html#id2891874">LDAP Configuration Notes</a></dt><dt><a href="samba-bdc.html#id2892094">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2892115">What Qualifies a Domain Controller on the Network?</a></dt><dt><a href="samba-bdc.html#id2892157">How does a Workstation find its Domain Controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892538">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892768">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892791">Machine Accounts Keep Expiring</a></dt><dt><a href="samba-bdc.html#id2892845">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2892880">How Do I Replicate the smbpasswd File?</a></dt><dt><a href="samba-bdc.html#id2892948">Can I Do This All with LDAP?</a></dt></dl></dd></dl></dd><dt>7. <a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2893185">Features and Benefits</a></dt><dt><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt><a href="domain-member.html#id2894113">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2894194">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2894926">Why Is This Better Than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2895131">Configure smb.conf</a></dt><dt><a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt><a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2895840">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2895877">Sharing User ID Mappings between Samba Domain Members</a></dt><dt><a href="domain-member.html#id2896009">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2896038">Cannot Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2896072">Adding Machine to Domain Fails</a></dt><dt><a href="domain-member.html#id2896237">I Can't Join a Windows 2003 PDC</a></dt></dl></dd></dl></dd><dt>8. <a href="StandAloneServer.html">Stand-alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2896324">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2896363">Background</a></dt><dt><a href="StandAloneServer.html#id2896435">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2897068">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2897131">Note</a></dt></dl></dd></dl></dd><dt>III. <a href="optional.html">Advanced Configuration</a></dt><dd><dl><dt>10. <a href="NetworkBrowsing.html">Network Browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2897285">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2888743">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2900135">DOMAIN Browsing Configuration</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt><a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a></dt><dt><a href="NetworkBrowsing.html#id2900727">Note about Broadcast Addresses</a></dt><dt><a href="NetworkBrowsing.html#id2900745">Multiple Interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2900780">Use of the Remote Announce Parameter</a></dt><dt><a href="NetworkBrowsing.html#id2900939">Use of the Remote Browse Sync Parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901016">WINS The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a></dt><dt><a href="NetworkBrowsing.html#id2901481">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2901518">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901602">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901616">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2901696">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901872">Technical Overview of Browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901926">Browsing Support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2902057">Problem Resolution</a></dt><dt><a href="NetworkBrowsing.html#id2902187">Cross-Subnet Browsing</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2902960">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2902975">How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2903041">Server Resources Can Not Be Listed</a></dt><dt><a href="NetworkBrowsing.html#id2903097">I get an `Unable to browse the network' error</a></dt><dt><a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt></dl></dd></dl></dd><dt>11. <a href="passdb.html">Account Information Databases</a></dt><dd><dl><dt><a href="passdb.html#id2903592">Features and Benefits</a></dt><dd><dl><dt><a href="passdb.html#id2903640">Backward Compatibility Backends</a></dt><dt><a href="passdb.html#id2903800">New Backends</a></dt></dl></dd><dt><a href="passdb.html#passdbtech">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2904193">Important Notes About Security</a></dt><dt><a href="passdb.html#id2904429">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2904747">The smbpasswd Command</a></dt><dt><a href="passdb.html#pdbeditthing">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2905334">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2905385">Plaintext</a></dt><dt><a href="passdb.html#id2905425">smbpasswd Encrypted Password Database</a></dt><dt><a href="passdb.html#id2905552">tdbsam</a></dt><dt><a href="passdb.html#id2905605">ldapsam</a></dt><dt><a href="passdb.html#id2907687">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2908781">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2908788">Users Cannot Logon</a></dt><dt><a href="passdb.html#id2908830">Users Being Added to the Wrong Backend Database</a></dt><dt><a href="passdb.html#id2908922">Configuration of auth methods</a></dt></dl></dd></dl></dd><dt>12. <a href="groupmapping.html">Group Mapping MS Windows and UNIX</a></dt><dd><dl><dt><a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2909551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2909853">Default Users, Groups and Relative Identifiers</a></dt><dt><a href="groupmapping.html#id2910488">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2910567">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2910581">Sample smb.conf Add Group Script</a></dt><dt><a href="groupmapping.html#id2910716">Script to Configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2910824">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2910839">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2910907">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2910933">Adding Domain Users to the Power Users Group</a></dt></dl></dd></dl></dd><dt>13. <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2911341">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2911525">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="AccessControls.html#id2911956">Managing Directories</a></dt><dt><a href="AccessControls.html#id2912050">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2912290">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt><a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt><a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2913585">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2913670">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2913978">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2913986">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2914042">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2914124">Viewing File Ownership</a></dt><dt><a href="AccessControls.html#id2914264">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914515">Modifying File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt><a href="AccessControls.html#id2915106">Interaction with the Standard Samba File Attribute Mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2915195">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2915209">Users Cannot Write to a Public Share</a></dt><dt><a href="AccessControls.html#id2915635">File Operations Done as root with force user Set</a></dt><dt><a href="AccessControls.html#id2915690">MS Word with Samba Changes Owner of File</a></dt></dl></dd></dl></dd><dt>14. <a href="locking.html">File and Record Locking</a></dt><dd><dl><dt><a href="locking.html#id2915945">Features and Benefits</a></dt><dt><a href="locking.html#id2916001">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2916148">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2916856">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2916978">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2917407">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2917632">Workstation Service Entries</a></dt><dt><a href="locking.html#id2917660">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2917740">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2917769">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2917850">locking.tdb Error Messages</a></dt><dt><a href="locking.html#id2917884">Problems Saving Files in MS Office on Windows XP</a></dt><dt><a href="locking.html#id2917904">Long Delays Deleting Files Over Network with XP SP1</a></dt></dl></dd><dt><a href="locking.html#id2917935">Additional Reading</a></dt></dl></dd><dt>15. <a href="securing-samba.html">Securing Samba</a></dt><dd><dl><dt><a href="securing-samba.html#id2918114">Introduction</a></dt><dt><a href="securing-samba.html#id2918159">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2918244">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2918263">Using Host-Based Protection</a></dt><dt><a href="securing-samba.html#id2918364">User-Based Protection</a></dt><dt><a href="securing-samba.html#id2918424">Using Interface Protection</a></dt><dt><a href="securing-samba.html#id2918507">Using a Firewall</a></dt><dt><a href="securing-samba.html#id2918564">Using IPC$ Share-Based Denials </a></dt><dt><a href="securing-samba.html#id2918648">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2918707">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2918731">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2918750">Smbclient Works on Localhost, but the Network Is Dead</a></dt><dt><a href="securing-samba.html#id2918774">Why Can Users Access Home Directories of Other Users?</a></dt></dl></dd></dl></dd><dt>16. <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2919130">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2919159">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2919243">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2919270">Creating an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919342">Completing an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919402">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919600">Configuring Samba NT-Style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="InterdomainTrusts.html#id2919809">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919952">NT4-Style Domain Trusts with Windows 2000</a></dt><dt><a href="InterdomainTrusts.html#id2920058">Common Errors</a></dt></dl></dd><dt>17. <a href="msdfs.html">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="msdfs.html#id2920158">Features and Benefits</a></dt><dt><a href="msdfs.html#id2920447">Common Errors</a></dt><dd><dl><dt><a href="msdfs.html#id2920488">MSDFS UNIX Path Is Case-Critical</a></dt></dl></dd></dl></dd><dt>18. <a href="printing.html">Classical Printing Support</a></dt><dd><dl><dt><a href="printing.html#id2920666">Features and Benefits</a></dt><dt><a href="printing.html#id2920765">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2920831">Client to Samba Print Job Processing</a></dt><dt><a href="printing.html#id2920903">Printing Related Configuration Parameters</a></dt></dl></dd><dt><a href="printing.html#id2920998">Simple Print Configuration</a></dt><dd><dl><dt><a href="printing.html#id2921211">Verifing Configuration with testparm</a></dt><dt><a href="printing.html#id2921327">Rapid Configuration Validation</a></dt></dl></dd><dt><a href="printing.html#id2921667">Extended Printing Configuration</a></dt><dd><dl><dt><a href="printing.html#id2922020">Detailed Explanation Settings</a></dt></dl></dd><dt><a href="printing.html#id2924414">Printing Developments Since Samba-2.2</a></dt><dd><dl><dt><a href="printing.html#id2924566">Point'n'Print Client Drivers on Samba Servers</a></dt><dt><a href="printing.html#id2924710">The Obsoleted [printer$] Section</a></dt><dt><a href="printing.html#id2924810">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt><a href="printing.html#id2925355">The [print$] Share Directory</a></dt></dl></dd><dt><a href="printing.html#id2925525">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2925644">Add Printer Wizard Driver Installation</a></dt><dt><a href="printing.html#inst-rpc">Installing Print Drivers Using rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2927518">Client Driver Installation Procedure</a></dt><dd><dl><dt><a href="printing.html#id2927537">First Client Driver Installation</a></dt><dt><a href="printing.html#id2927769">Setting Device Modes on New Printers</a></dt><dt><a href="printing.html#id2928112">Additional Client Driver Installation</a></dt><dt><a href="printing.html#id2928220">Always Make First Client Connection as root or printer admin</a></dt></dl></dd><dt><a href="printing.html#id2928404">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2928430">Setting Default Print Options for Client Drivers</a></dt><dt><a href="printing.html#id2928854">Supporting Large Numbers of Printers</a></dt><dt><a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2929458">Error Message: Cannot connect under a different Name</a></dt><dt><a href="printing.html#id2929564">Take Care When Assembling Driver Files</a></dt><dt><a href="printing.html#id2929923">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2930008">Avoiding Common Client Driver Misconfiguration</a></dt></dl></dd><dt><a href="printing.html#id2930033">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2930071">What is Imprints?</a></dt><dt><a href="printing.html#id2930113">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2930132">The Imprints Server</a></dt><dt><a href="printing.html#id2930153">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2930314">Adding Network Printers without User Interaction</a></dt><dt><a href="printing.html#id2930639">The addprinter Command</a></dt><dt><a href="printing.html#id2930686">Migration of Classical Printing to Samba</a></dt><dt><a href="printing.html#id2930861">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2930884">Common Errors</a></dt><dd><dl><dt><a href="printing.html#id2930892">I Give My Root Password but I Do Not Get Access</a></dt><dt><a href="printing.html#id2930943">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></dt></dl></dd></dl></dd><dt>19. <a href="CUPS-printing.html">CUPS Printing Support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931072">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931079">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2931130">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2931182">Basic CUPS Support Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2931526">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932089">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2932110">Central Spooling vs. Peer-to-Peer Printing</a></dt><dt><a href="CUPS-printing.html#id2932163">Raw Print Serving Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2932223">Installation of Windows Client Drivers</a></dt><dt><a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt><a href="CUPS-printing.html#id2932552">Driver Upload Methods</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932699">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2933354">Ghostscript the Software RIP for Non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2933497">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2933573">Using Windows-Formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2933679">CUPS Also Uses PPDs for Non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2934287">Filtering Overview</a></dt><dt><a href="CUPS-printing.html#id2934481">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2934591">pstops</a></dt><dt><a href="CUPS-printing.html#id2934715">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2934912">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2934991">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2935143">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a></dt><dt><a href="CUPS-printing.html#id2935673">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2935688">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2935752">Raw Printing</a></dt><dt><a href="CUPS-printing.html#id2935861">application/octet-stream Printing</a></dt><dt><a href="CUPS-printing.html#id2936129">PostScript Printer Descriptions (PPDs) for Non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a></dt><dt><a href="CUPS-printing.html#id2936743">Examples for Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2937128">Sources of CUPS Drivers/PPDs</a></dt><dt><a href="CUPS-printing.html#id2937265">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937358">Network Printing (Purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937377">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2937434">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937618">Network Printing (Windows Clients UNIX/Samba Print
+Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2937834">Samba Receiving Jobfiles and Passing Them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937924">Network PostScript RIP</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938025">PPDs for Non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2938085">PPDs for Non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938166">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938184">Printer Drivers Running in Kernel Mode Cause Many
+Problems</a></dt><dt><a href="CUPS-printing.html#id2938229">Workarounds Impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2938250">CUPS: A Magical Stone?</a></dt><dt><a href="CUPS-printing.html#id2938313">PostScript Drivers with No Major Problems Even in Kernel
+Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938378">Configuring CUPS for Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938397">cupsaddsmb: The Unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2938514">Prepare Your smb.conf for cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939044">Recognizing Different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939174">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939204">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939274">Caveats to be Considered</a></dt><dt><a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt><a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a></dt><dt><a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2940352">How to Recognize If cupsaddsmb Completed Successfully</a></dt><dt><a href="CUPS-printing.html#id2940450">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2940538">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2940801">Avoiding Critical PostScript Driver Settings on the Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2941083">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941229">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941358">Producing an Example by Querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a></dt><dt><a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt><a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943322">Trivial Database Files</a></dt><dt><a href="CUPS-printing.html#id2943400">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2943470">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2943528">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943860">foomatic-rip and Foomatic Explained</a></dt><dt><a href="CUPS-printing.html#id2944657">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945207">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2945248">Setting Up Quotas</a></dt><dt><a href="CUPS-printing.html#id2945318">Correct and Incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2945366">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2945495">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2945665">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2945745">Future Developments</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945799">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2946030">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946094">CUPS Configuration Settings Explained</a></dt><dt><a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt><a href="CUPS-printing.html#id2946367">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2946425">Printing from CUPS to Windows Attached Printers</a></dt><dt><a href="CUPS-printing.html#id2946721">More CUPS-Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2946814">Common Errors</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946820">Windows 9x/ME Client Can't Install Driver</a></dt><dt><a href="CUPS-printing.html#id2946839">cupsaddsmb Keeps Asking for Root Password in Never-ending Loop</a></dt><dt><a href="CUPS-printing.html#id2946889">cupsaddsmb Errors</a></dt><dt><a href="CUPS-printing.html#id2946973">Client Can't Connect to Samba Printer</a></dt><dt><a href="CUPS-printing.html#id2947002">New Account Reconnection from Windows 200x/XP Troubles</a></dt><dt><a href="CUPS-printing.html#id2947106">Avoid Being Connected to the Samba Server as the Wrong User</a></dt><dt><a href="CUPS-printing.html#id2947158">Upgrading to CUPS Drivers from Adobe Drivers</a></dt><dt><a href="CUPS-printing.html#id2947200">Can't Use cupsaddsmb on Samba Server Which Is a PDC</a></dt><dt><a href="CUPS-printing.html#id2947239">Deleted Windows 200x Printer Driver Is Still Shown</a></dt><dt><a href="CUPS-printing.html#id2947278">Windows 200x/XP "Local Security Policies"</a></dt><dt><a href="CUPS-printing.html#id2947293">Administrator Cannot Install Printers for All Local Users</a></dt><dt><a href="CUPS-printing.html#id2947323">Print Change Notify Functions on NT-clients</a></dt><dt><a href="CUPS-printing.html#id2947350">WinXP-SP1</a></dt><dt><a href="CUPS-printing.html#id2947402">Print Options for All Users Can't Be Set on Windows 200x/XP</a></dt><dt><a href="CUPS-printing.html#id2947717">Most Common Blunders in Driver Settings on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2947779">cupsaddsmb Does Not Work with Newly Installed Printer</a></dt><dt><a href="CUPS-printing.html#id2947835">Permissions on /var/spool/samba/ Get Reset After Each Reboot</a></dt><dt><a href="CUPS-printing.html#id2947951">Print Queue Called lp Mis-handles Print Jobs</a></dt><dt><a href="CUPS-printing.html#id2948008">Location of Adobe PostScript Driver Files for cupsaddsmb</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2948065">Overview of the CUPS Printing Processes</a></dt></dl></dd><dt>20. <a href="VFS.html">Stackable VFS modules</a></dt><dd><dl><dt><a href="VFS.html#id2948269">Features and Benefits</a></dt><dt><a href="VFS.html#id2948287">Discussion</a></dt><dt><a href="VFS.html#id2948540">Included Modules</a></dt><dd><dl><dt><a href="VFS.html#id2948547">audit</a></dt><dt><a href="VFS.html#id2948583">extd_audit</a></dt><dt><a href="VFS.html#fakeperms">fake_perms</a></dt><dt><a href="VFS.html#id2948756">recycle</a></dt><dt><a href="VFS.html#id2948986">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2949031">VFS Modules Available Elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2949053">DatabaseFS</a></dt><dt><a href="VFS.html#id2949115">vscan</a></dt></dl></dd></dl></dd><dt>21. <a href="winbind.html">Winbind: Use of Domain Accounts</a></dt><dd><dl><dt><a href="winbind.html#id2949352">Features and Benefits</a></dt><dt><a href="winbind.html#id2949476">Introduction</a></dt><dt><a href="winbind.html#id2949558">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2949633">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2949664">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2949693">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2949726">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2949752">Name Service Switch</a></dt><dt><a href="winbind.html#id2949887">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2949965">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2949998">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2950035">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2950042">Introduction</a></dt><dt><a href="winbind.html#id2950108">Requirements</a></dt><dt><a href="winbind.html#id2950191">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2951948">Conclusion</a></dt><dt><a href="winbind.html#id2951967">Common Errors</a></dt><dd><dl><dt><a href="winbind.html#id2952021">NSCD Problem Warning</a></dt><dt><a href="winbind.html#id2952067">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></dd><dt>22. <a href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952277">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952449">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952467">Remote Management from NoMachine.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2952700">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952929">Adding Printers without User Intervention</a></dt></dl></dd></dl></dd><dt>23. <a href="PolicyMgmt.html">System and Account Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2953044">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2953137">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2953271">Windows 9x/ME Policies</a></dt><dt><a href="PolicyMgmt.html#id2953383">Windows NT4-Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2953525">MS Windows 200x/XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a></dt><dt><a href="PolicyMgmt.html#id2953985">Management Tools</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2954096">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2954120">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2954165">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2954310">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954324">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. <a href="ProfileMgmt.html">Desktop Profile Management</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954425">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2954459">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954500">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2955058">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt><a href="ProfileMgmt.html#id2956492">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2956822">Mandatory Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956917">Creating and Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956970">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2956999">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2958338">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2958351">Configuring Roaming Profiles for a Few Users or Groups</a></dt><dt><a href="ProfileMgmt.html#id2958416">Cannot Use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2958626">Changing the Default Profile</a></dt></dl></dd></dl></dd><dt>25. <a href="pam.html">PAM-Based Distributed Authentication</a></dt><dd><dl><dt><a href="pam.html#id2958910">Features and Benefits</a></dt><dt><a href="pam.html#id2959235">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2959266">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2960262">Example System Configurations</a></dt><dt><a href="pam.html#id2960612">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2960701">Remote CIFS Authentication Using winbindd.so</a></dt><dt><a href="pam.html#id2960824">Password Synchronization Using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2961283">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2961296">pam_winbind Problem</a></dt><dt><a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></dd><dt>26. <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2961659">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2961683">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2961747">Name Resolution in a Pure UNIX/Linux World</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2961804">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2961955">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id2961999">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id2962064">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2962179">Name Resolution as Used within MS Windows Networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2962531">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id2962597">The LMHOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962844">HOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962877">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id2962910">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2963026">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2963041">Pinging Works Only in One Way</a></dt><dt><a href="integrate-ms-networks.html#id2963083">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id2963134">Samba Server Name Change Problem</a></dt></dl></dd></dl></dd><dt>27. <a href="unicode.html">Unicode/Charsets</a></dt><dd><dl><dt><a href="unicode.html#id2963374">Features and Benefits</a></dt><dt><a href="unicode.html#id2963419">What Are Charsets and Unicode?</a></dt><dt><a href="unicode.html#id2963499">Samba and Charsets</a></dt><dt><a href="unicode.html#id2963627">Conversion from Old Names</a></dt><dt><a href="unicode.html#id2963643">Japanese Charsets</a></dt><dt><a href="unicode.html#id2963781">Common Errors</a></dt><dd><dl><dt><a href="unicode.html#id2963788">CP850.so Can't Be Found</a></dt></dl></dd></dl></dd><dt>28. <a href="Backup.html">Samba Backup Techniques</a></dt><dd><dl><dt><a href="Backup.html#id2963903">Note</a></dt><dt><a href="Backup.html#id2963917">Features and Benefits</a></dt></dl></dd><dt>29. <a href="SambaHA.html">High Availability Options</a></dt><dd><dl><dt><a href="SambaHA.html#id2963987">Note</a></dt></dl></dd></dl></dd><dt>IV. <a href="migration.html">Migration and Updating</a></dt><dd><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2964134">Quick Migration Guide</a></dt><dt><a href="upgrading-to-3.0.html#id2964257">New Features in Samba-3</a></dt><dt><a href="upgrading-to-3.0.html#id2964410">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2964433">Removed Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964564">New Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964983">Modified Parameters (Changes in Behavior):</a></dt></dl></dd><dt><a href="upgrading-to-3.0.html#id2965064">New Functionality</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2965071">Databases</a></dt><dt><a href="upgrading-to-3.0.html#id2965324">Changes in Behavior</a></dt><dt><a href="upgrading-to-3.0.html#id2965395">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a></dt><dt><a href="upgrading-to-3.0.html#id2965577">LDAP</a></dt></dl></dd></dl></dd><dt>31. <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966015">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966040">Objectives</a></dt><dt><a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id2966757">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966862">Planning for Success</a></dt><dt><a href="NT4Migration.html#id2967145">Samba-3 Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id2967624">Features and Benefits</a></dt><dt><a href="SWAT.html#id2967718">Guidelines and Technical Tips</a></dt><dd><dl><dt><a href="SWAT.html#id2967733">Validate SWAT Installation</a></dt><dt><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt><a href="SWAT.html#id2968330">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id2968458">Enabling SWAT Internationalization Support</a></dt></dl></dd><dt><a href="SWAT.html#id2968628">Overview and Quick Tour</a></dt><dd><dl><dt><a href="SWAT.html#id2968644">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id2968718">Global Settings</a></dt><dt><a href="SWAT.html#id2968838">Share Settings</a></dt><dt><a href="SWAT.html#id2968902">Printers Settings</a></dt><dt><a href="SWAT.html#id2968967">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id2969040">The Status Page</a></dt><dt><a href="SWAT.html#id2969092">The View Page</a></dt><dt><a href="SWAT.html#id2969115">The Password Change Page</a></dt></dl></dd></dl></dd></dl></dd><dt>V. <a href="troubleshooting.html">Troubleshooting</a></dt><dd><dl><dt>33. <a href="diagnosis.html">The Samba Checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id2969273">Introduction</a></dt><dt><a href="diagnosis.html#id2969311">Assumptions</a></dt><dt><a href="diagnosis.html#id2969546">The Tests</a></dt></dl></dd><dt>34. <a href="problems.html">Analyzing and Solving Samba Problems</a></dt><dd><dl><dt><a href="problems.html#id2971255">Diagnostics Tools</a></dt><dd><dl><dt><a href="problems.html#id2971276">Debugging with Samba Itself</a></dt><dt><a href="problems.html#id2971441">Tcpdump</a></dt><dt><a href="problems.html#id2971477">Ethereal</a></dt><dt><a href="problems.html#id2971621">The Windows Network Monitor</a></dt></dl></dd><dt><a href="problems.html#id2971938">Useful URLs</a></dt><dt><a href="problems.html#id2971978">Getting Mailing List Help</a></dt><dt><a href="problems.html#id2972155">How to Get Off the Mailing Lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id2972309">Introduction</a></dt><dt><a href="bugreport.html#id2972372">General Information</a></dt><dt><a href="bugreport.html#id2972408">Debug Levels</a></dt><dt><a href="bugreport.html#id2972617">Internal Errors</a></dt><dt><a href="bugreport.html#id2972752">Attaching to a Running Process</a></dt><dt><a href="bugreport.html#id2972799">Patches</a></dt></dl></dd></dl></dd><dt>VI. <a href="Appendixes.html">Appendixes</a></dt><dd><dl><dt>36. <a href="compiling.html">How to Compile Samba</a></dt><dd><dl><dt><a href="compiling.html#id2972995">Access Samba Source Code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id2973003">Introduction</a></dt><dt><a href="compiling.html#id2973049">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id2973311">Accessing the Samba Sources via rsync and ftp</a></dt><dt><a href="compiling.html#id2973389">Verifying Samba's PGP Signature</a></dt><dt><a href="compiling.html#id2973553">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id2973768">Compiling Samba with Active Directory Support</a></dt></dl></dd><dt><a href="compiling.html#id2973958">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id2974312">Alternative: Starting smbd as a Daemon</a></dt></dl></dd></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id2974513">HPUX</a></dt><dt><a href="Portability.html#id2974600">SCO UNIX</a></dt><dt><a href="Portability.html#id2974655">DNIX</a></dt><dt><a href="Portability.html#id2974825">Red Hat Linux</a></dt><dt><a href="Portability.html#id2974869">AIX</a></dt><dd><dl><dt><a href="Portability.html#id2974876">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id2974902">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id2974909">Locking Improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and Other CIFS Clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975129">Macintosh Clients</a></dt><dt><a href="Other-Clients.html#id2975206">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975213">Configuring OS/2 Warp Connect or OS/2 Warp 4</a></dt><dt><a href="Other-Clients.html#id2975348">Configuring Other Versions of OS/2</a></dt><dt><a href="Other-Clients.html#id2975411">Printer Driver Download for OS/2 Clients</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975516">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975524">Latest TCP/IP Stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id2975610">Delete .pwl Files After Password Change</a></dt><dt><a href="Other-Clients.html#id2975641">Configuring Windows for Workgroups Password Handling</a></dt><dt><a href="Other-Clients.html#id2975701">Password Case Sensitivity</a></dt><dt><a href="Other-Clients.html#id2975739">Use TCP/IP as Default Protocol</a></dt><dt><a href="Other-Clients.html#id2975757">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975803">Windows 95/98</a></dt><dd><dl><dt><a href="Other-Clients.html#id2975876">Speed Improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id2975901">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id2976103">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id2976235">Comparisons</a></dt><dt><a href="speed.html#id2976281">Socket Options</a></dt><dt><a href="speed.html#id2976372">Read Size</a></dt><dt><a href="speed.html#id2976422">Max Xmit</a></dt><dt><a href="speed.html#id2976477">Log Level</a></dt><dt><a href="speed.html#id2976507">Read Raw</a></dt><dt><a href="speed.html#id2976592">Write Raw</a></dt><dt><a href="speed.html#id2976655">Slow Logins</a></dt><dt><a href="speed.html#id2976683">Client Tuning</a></dt><dt><a href="speed.html#id2976707">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt><a href="speed.html#id2976766">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id2976885">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id2976952">Websites</a></dt><dt><a href="Further-Resources.html#id2977349">Related updates from Microsoft</a></dt></dl></dd></dl></dd><dt><a href="ix01.html">Index</a></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>5.1. <a href="samba-pdc.html#domain-example">An Example Domain.</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsing1">Cross-Subnet Browsing Example.</a></dt><dt>11.1. <a href="passdb.html#idmap-sid2uid">IDMAP: Resolution of SIDs to UIDs.</a></dt><dt>11.2. <a href="passdb.html#idmap-uid2sid">IDMAP: Resolution of UIDs to SIDs.</a></dt><dt>12.1. <a href="groupmapping.html#idmap-sid2gid">IDMAP: group SID to GID resolution.</a></dt><dt>12.2. <a href="groupmapping.html#idmap-gid2sid">IDMAP: GID resolution to matching SID.</a></dt><dt>12.3. <a href="groupmapping.html#idmap-store-gid2sid">IDMAP storing group mappings.</a></dt><dt>13.1. <a href="AccessControls.html#access1">Overview of UNIX permissions field.</a></dt><dt>16.1. <a href="InterdomainTrusts.html#trusts1">Trusts overview.</a></dt><dt>19.1. <a href="CUPS-printing.html#1small">Windows printing to a local printer.</a></dt><dt>19.2. <a href="CUPS-printing.html#2small">Printing to a PostScript printer.</a></dt><dt>19.3. <a href="CUPS-printing.html#3small">Ghostscript as a RIP for non-postscript printers.</a></dt><dt>19.4. <a href="CUPS-printing.html#4small">Pre-filtering in CUPS to form PostScript.</a></dt><dt>19.5. <a href="CUPS-printing.html#5small">Adding device-specific print options.</a></dt><dt>19.6. <a href="CUPS-printing.html#6small">PostScript to intermediate raster format.</a></dt><dt>19.7. <a href="CUPS-printing.html#7small">CUPS-raster production using Ghostscript.</a></dt><dt>19.8. <a href="CUPS-printing.html#small8">Image format to CUPS-raster format conversion.</a></dt><dt>19.9. <a href="CUPS-printing.html#small9">Raster to printer-specific formats.</a></dt><dt>19.10. <a href="CUPS-printing.html#cupsomatic-dia">cupsomatic/foomatic Processing versus Native CUPS.</a></dt><dt>19.11. <a href="CUPS-printing.html#pdftosocket">PDF to socket chain.</a></dt><dt>19.12. <a href="CUPS-printing.html#pdftoepsonusb">PDF to USB chain.</a></dt><dt>19.13. <a href="CUPS-printing.html#small11">Print driver execution on the client.</a></dt><dt>19.14. <a href="CUPS-printing.html#small12">Print driver execution on the server.</a></dt><dt>19.15. <a href="CUPS-printing.html#13small">Printing via CUPS/Samba server.</a></dt><dt>19.16. <a href="CUPS-printing.html#small14">cupsaddsmb flowchart.</a></dt><dt>19.17. <a href="CUPS-printing.html#cups1">Filtering chain 1.</a></dt><dt>19.18. <a href="CUPS-printing.html#cups2">Filtering chain with cupsomatic</a></dt><dt>19.19. <a href="CUPS-printing.html#a_small">CUPS printing overview.</a></dt><dt>34.1. <a href="problems.html#ethereal1">Starting a capture.</a></dt><dt>34.2. <a href="problems.html#ethereal2">Main ethereal data window.</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>6.1. <a href="samba-bdc.html#pdc-bdc-table">Domain Backend Account Distribution Options</a></dt><dt>7.1. <a href="domain-member.html#assumptions">Assumptions</a></dt><dt>10.1. <a href="NetworkBrowsing.html#browsubnet">Browse Subnet Example 1</a></dt><dt>10.2. <a href="NetworkBrowsing.html#brsbex">Browse Subnet Example 2</a></dt><dt>10.3. <a href="NetworkBrowsing.html#brsex2">Browse Subnet Example 3</a></dt><dt>10.4. <a href="NetworkBrowsing.html#brsex3">Browse Subnet Example 4</a></dt><dt>11.1. <a href="passdb.html#attribobjclPartA">Attributes in the sambaSamAccount objectclass (LDAP) Part A</a></dt><dt>11.2. <a href="passdb.html#attribobjclPartB">Attributes in the sambaSamAccount objectclass (LDAP) Part B</a></dt><dt>11.3. <a href="passdb.html#ldappwsync">Possible ldap passwd sync values</a></dt><dt>11.4. <a href="passdb.html#mysqlpbe">Basic smb.conf options for MySQL passdb backend</a></dt><dt>11.5. <a href="passdb.html#moremysqlpdbe">MySQL field names for MySQL passdb backend</a></dt><dt>12.1. <a href="groupmapping.html#WKURIDS">Well-Known User Default RIDs</a></dt><dt>13.1. <a href="AccessControls.html#id2911975">Managing Directories with UNIX and Windows</a></dt><dt>13.2. <a href="AccessControls.html#ugbc">User and Group Based Controls</a></dt><dt>13.3. <a href="AccessControls.html#fdpbc">File and Directory Permission Based Controls</a></dt><dt>13.4. <a href="AccessControls.html#mcoc">Other Controls</a></dt><dt>18.1. <a href="printing.html#printOptions">Default Printing Settings</a></dt><dt>19.1. <a href="CUPS-printing.html#cups-ppds">PPDs shipped with CUPS</a></dt><dt>20.1. <a href="VFS.html#xtdaudit">Extended Auditing Log Information</a></dt><dt>24.1. <a href="ProfileMgmt.html#ProfileLocs">User Shell Folder Registry Keys Default Values</a></dt><dt>24.2. <a href="ProfileMgmt.html#regkeys">Defaults of Profile Settings Registry Keys</a></dt><dt>24.3. <a href="ProfileMgmt.html#defregpthkeys">Defaults of Default User Profile Paths Registry Keys</a></dt><dt>25.1. <a href="pam.html#smbpassoptions">Options recognized by pam_smbpass</a></dt><dt>26.1. <a href="integrate-ms-networks.html#uniqnetbiosnames">Unique NetBIOS Names</a></dt><dt>26.2. <a href="integrate-ms-networks.html#netbiosnamesgrp">Group Names</a></dt><dt>30.1. <a href="upgrading-to-3.0.html#tdbfiledesc">TDB File Descriptions</a></dt><dt>31.1. <a href="NT4Migration.html#majtypes">The Three Major Site Types</a></dt><dt>31.2. <a href="NT4Migration.html#natconchoices">Nature of the Conversion Choices</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>2.1. <a href="install.html#smbconfminimal">A minimal smb.conf</a></dt><dt>2.2. <a href="install.html#simple-example">Another simple smb.conf File</a></dt><dt>5.1. <a href="samba-pdc.html#pdc-example">smb.conf for being a PDC</a></dt><dt>5.2. <a href="samba-pdc.html#PDC-config">smb.conf for being a PDC</a></dt><dt>6.1. <a href="samba-bdc.html#minimalPDC">Minimal smb.conf for a PDC in Use With a BDC LDAP Server on PDC.</a></dt><dt>6.2. <a href="samba-bdc.html#mulitldapcfg">Multiple LDAP Servers in smb.conf</a></dt><dt>6.3. <a href="samba-bdc.html#minim-bdc">Minimal setup for being a BDC</a></dt><dt>8.1. <a href="StandAloneServer.html#simplynice">smb.conf for Reference Documentation Server</a></dt><dt>8.2. <a href="StandAloneServer.html#AnonPtrSvr">smb.conf for Anonymous Printing</a></dt><dt>10.1. <a href="NetworkBrowsing.html#dmbexample">Domain Master Browser smb.conf</a></dt><dt>10.2. <a href="NetworkBrowsing.html#lmbexample">Local master browser smb.conf</a></dt><dt>10.3. <a href="NetworkBrowsing.html#nombexample">smb.conf for not being a Master Browser</a></dt><dt>10.4. <a href="NetworkBrowsing.html#remsmb">Local Master Browser smb.conf</a></dt><dt>10.5. <a href="NetworkBrowsing.html#xremmb">smb.conf for not being a master browser</a></dt><dt>11.1. <a href="passdb.html#idmapbackendexample">Example configuration with the LDAP idmap backend</a></dt><dt>11.2. <a href="passdb.html#confldapex">Configuration with LDAP</a></dt><dt>11.3. <a href="passdb.html#mysqlsam">Example configuration for the MySQL passdb backend</a></dt><dt>12.1. <a href="groupmapping.html#smbgrpadd.sh">smbgrpadd.sh</a></dt><dt>12.2. <a href="groupmapping.html#smbgrpadd">Configuration of smb.conf for the add group script.</a></dt><dt>12.3. <a href="groupmapping.html#set-group-map">Script to Set Group Mapping</a></dt><dt>13.1. <a href="AccessControls.html#id2912202">Example File</a></dt><dt>14.1. <a href="locking.html#far1">Share with some files oplocked</a></dt><dt>14.2. <a href="locking.html#far3">Configuration with oplock break contention limit</a></dt><dt>17.1. <a href="msdfs.html#dfscfg">smb.conf with DFS configured</a></dt><dt>18.1. <a href="printing.html#simpleprc">Simple configuration with BSD printing</a></dt><dt>18.2. <a href="printing.html#extbsdpr">Extended BSD Printing Configuration</a></dt><dt>18.3. <a href="printing.html#prtdollar">[print\$] example</a></dt><dt>19.1. <a href="CUPS-printing.html#cups-exam-simple">Simplest printing-related smb.conf</a></dt><dt>19.2. <a href="CUPS-printing.html#overridesettings">Overriding global CUPS settings for one printer</a></dt><dt>19.3. <a href="CUPS-printing.html#cupsadd-ex">smb.conf for cupsaddsmb usage</a></dt><dt>20.1. <a href="VFS.html#vfsrecyc">smb.conf with VFS modules</a></dt><dt>20.2. <a href="VFS.html#multimodule">smb.conf with multiple VFS modules</a></dt><dt>21.1. <a href="winbind.html#winbindcfg">smb.conf for Winbind set-up</a></dt><dt>33.1. <a href="diagnosis.html#tmpshare">smb.conf with [tmp] share</a></dt><dt>33.2. <a href="diagnosis.html#modif1">Configuration for only allowing connections from a certain subnet</a></dt><dt>33.3. <a href="diagnosis.html#modif2">Configuration for allowing connections from a certain subnet and localhost</a></dt><dt>38.1. <a href="Other-Clients.html#minimalprofile">Minimal profile share</a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="pr01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Legal Notice</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. How to Install and Test SAMBA</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"><link rel="next" href="FastStart.html" title="Chapter 3. Fast Start for the Impatient"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. How to Install and Test SAMBA</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="install"></a>Chapter 2. How to Install and Test SAMBA</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Karl</span> <span class="surname">Auer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:kauer@biplane.com.au">kauer@biplane.com.au</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="install.html#id2876533">Obtaining and Installing Samba</a></dt><dt><a href="install.html#id2876568">Configuring Samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2876606">Configuration file syntax</a></dt><dt><a href="install.html#id2876766">Example Configuration</a></dt><dt><a href="install.html#id2885184">SWAT</a></dt></dl></dd><dt><a href="install.html#id2885250">List Shares Available on the Server</a></dt><dt><a href="install.html#id2885315">Connect with a UNIX Client</a></dt><dt><a href="install.html#id2885433">Connect from a Remote SMB Client</a></dt><dt><a href="install.html#id2885526">What If Things Don't Work?</a></dt><dt><a href="install.html#id2885557">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2885570">Large Number of smbd Processes</a></dt><dt><a href="install.html#id2885679">Error Message: open_oplock_ipc</a></dt><dt><a href="install.html#id2885717">The network name cannot be found</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876533"></a>Obtaining and Installing Samba</h2></div></div><div></div></div><p>
+ Binary packages of Samba are included in almost any Linux or
+ UNIX distribution. There are also some packages available at
+ <ulink url="http://samba.org/">the Samba homepage</ulink>. Refer to
+ the manual of your operating system for details on installing packages
+ for your specific operating system.
+ </p><p>If you need to compile Samba from source, check
+ <link linkend="compiling">.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2876568"></a>Configuring Samba (smb.conf)</h2></div></div><div></div></div><p>
+ Samba's configuration is stored in the <tt class="filename">smb.conf</tt> file, which
+ usually resides in <tt class="filename">/etc/samba/smb.conf</tt>
+ or <tt class="filename">/usr/local/samba/lib/smb.conf</tt>. You can either
+ edit this file yourself or do it using one of the many graphical
+ tools that are available, such as the Web-based interface SWAT, that
+ is included with Samba.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2876606"></a>Configuration file syntax</h3></div></div><div></div></div><p>The <tt class="filename">smb.conf</tt> file uses the same syntax as the various old
+ .ini files in Windows 3.1: Each file consists of various sections,
+ which are started by putting the section name between brackets ([])
+ on a new line. Each contains zero or more key/value-pairs seperated by an
+ equality sign (=). The file is just a plain-text file, so you can
+ open and edit it with your favorite editing tool.</p><p>Each section in the <tt class="filename">smb.conf</tt> file represents a share
+ on the Samba server. The section “<span class="quote">global</span>” is special, since it
+ contains settings that apply to the whole Samba server and not
+ to one share in particular.</p><p><link linkend="smbconfminimal"> contains a very minimal <tt class="filename">smb.conf</tt>.
+ <a class="indexterm" name="id2876667"></a>
+</p><div class="example"><a name="smbconfminimal"></a><p class="title"><b>Example 2.1. A minimal smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = WKG</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = MYNAME</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share1]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /tmp</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share2]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /my_shared_folder</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Some random files</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2876766"></a>Example Configuration</h3></div></div><div></div></div><p>
+ There are sample configuration files in the examples subdirectory in the
+ distribution. It is suggested you read them carefully so you can see how the options
+ go together in practice. See the man page for all the options.
+ It might be worthwhile to start out with the smb.conf.default
+ configuration file and adapt it to your needs. It contains plenty of
+ comments.
+ </p><p>
+ The simplest useful configuration file would contain something like shown in
+ <link linkend="simple-example">.
+ </p><p>
+ <a class="indexterm" name="id2876804"></a>
+ </p><div class="example"><a name="simple-example"></a><p class="title"><b>Example 2.2. Another simple smb.conf File</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr></table></div><p>
+ </p><p>
+ This will allow connections by anyone with an account on the server, using either
+ their login name or <i class="parameter"><tt>homes</tt></i> as the service name.
+ (Note: The workgroup that Samba should appear in must also be set. The default
+ workgroup name is WORKGROUP.)
+ </p><p>
+ Make sure you put the <tt class="filename">smb.conf</tt> file in the correct place.
+ </p><p>
+ For more information about security settings for the
+ <i class="parameter"><tt>[homes]</tt></i> share please refer to
+ <link linkend="securing-samba">.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2876922"></a>Test Your Config File with <b class="command">testparm</b></h4></div></div><div></div></div><p>
+ It's important to validate the contents of the <tt class="filename">smb.conf</tt> file using the <span class="application">testparm</span> program.
+ If testparm runs correctly, it will list the loaded services. If not, it will give an error message.
+ Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command:
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt> testparm /etc/samba/smb.conf
+ </pre><p>Testparm will parse your configuration file and report
+ any unknown parameters or incorrect syntax. </p><p>
+ Always run testparm again whenever the <tt class="filename">smb.conf</tt> file is changed!
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885184"></a>SWAT</h3></div></div><div></div></div><p>
+ <a class="indexterm" name="id2885194"></a>
+ SWAT is a Web-based interface that can be used to facilitate the configuration of Samba.
+ SWAT might not be available in the Samba package that shipped with your platform,
+ but in a separate package. Please read the SWAT manpage
+ on compiling, installing and configuring SWAT from source.
+ </p><p>
+ To launch SWAT, just run your favorite Web browser and point it to
+ <ulink url="http://localhost:901/">http://localhost:901/</ulink>.
+ Replace <i class="replaceable"><tt>localhost</tt></i> with the name of the computer on which
+ Samba is running if that is a different computer than your browser.
+ </p><p>
+ SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote
+ machine leaves your connection open to password sniffing as passwords will be sent over the wire in the clear.
+ </p><p>More information about SWAT can be found in <link linkend="SWAT">.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885250"></a>List Shares Available on the Server</h2></div></div><div></div></div><p>
+ To list shares that are available from the configured Samba server execute the
+ following command:
+ </p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L <i class="replaceable"><tt>yourhostname</tt></i></tt></b>
+</pre><p>You should see a list of shares available on your server. If you do not, then
+ something is incorrectly configured. This method can also be used to see what shares
+ are available on other SMB servers, such as Windows 2000.</p><p>If you choose user-level security you may find that Samba requests a password
+ before it will list the shares. See the <b class="command">smbclient</b> man page for details.
+ You can force it to list the shares without a password by adding the option
+ <tt class="option">-N</tt> to the command line. </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885315"></a>Connect with a UNIX Client</h2></div></div><div></div></div><p>
+ Enter the following command:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient <i class="replaceable"><tt> //yourhostname/aservice</tt></i></tt></b>
+</pre><p>Typically <i class="replaceable"><tt>yourhostname</tt></i> is the name of the host on which <span class="application">smbd</span>
+ has been installed. The <i class="replaceable"><tt>aservice</tt></i> is any service that has been defined in the <tt class="filename">smb.conf</tt>
+ file. Try your user name if you just have a <i class="parameter"><tt>[homes]</tt></i> section in the <tt class="filename">smb.conf</tt> file.</p><p>Example: If the UNIX host is called <i class="replaceable"><tt>bambi</tt></i> and a valid login name
+ is <i class="replaceable"><tt>fred</tt></i>, you would type:</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient //<i class="replaceable"><tt>bambi</tt></i>/<i class="replaceable"><tt>fred</tt></i></tt></b>
+</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885433"></a>Connect from a Remote SMB Client</h2></div></div><div></div></div><p>Now that Samba is working correctly locally, you can try to
+ access it from other clients. Within a few minutes, the Samba host
+ should be listed in the Network Neighborhood on all Windows
+ clients of its subnet. Try browsing the server from another client
+ or 'mounting' it.</p><p>Mounting disks from a DOS, Windows or OS/2 client can be done by running a command such as:</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>net use d: \\servername\service</tt></b>
+</pre><p>Try printing, e.g.</p><p>
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>net use lpt1: \\servername\spoolservice</tt></b>
+</pre><p>
+</p><pre class="screen"><tt class="prompt">C:\> </tt><b class="userinput"><tt>print filename</tt></b>
+</pre></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885526"></a>What If Things Don't Work?</h2></div></div><div></div></div><p>You might want to read <link linkend="diagnosis">.
+ If you are still stuck, refer to <link linkend="problems">.
+ Samba has been successfully installed at thousands of sites worldwide.
+ It is unlikely that your particular problem is unique, so it might be
+ productive to perform an Internet search to see if someone else has encountered
+ your problem and has found a way to overcome it.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885557"></a>Common Errors</h2></div></div><div></div></div><p>
+The following questions and issues are raised repeatedly on the Samba mailing list.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885570"></a>Large Number of smbd Processes</h3></div></div><div></div></div><p>
+Samba consists of three core programs: <span class="application">nmbd</span>, <span class="application">smbd</span>, and <span class="application">winbindd</span>. <span class="application">nmbd</span> is the name server message daemon,
+<span class="application">smbd</span> is the server message daemon, and <span class="application">winbindd</span> is the daemon that handles communication with Domain Controllers.
+</p><p>
+If Samba is <span class="emphasis"><em>not</em></span> running as a WINS server, then there will be one single instance of
+ <span class="application">nmbd</span> running on your system. If it is running as a WINS server then there will be
+two instances one to handle the WINS requests.
+</p><p>
+<span class="application">smbd</span> handles all connection requests. It spawns a new process for each client
+connection made. That is why you may see so many of them, one per client connection.
+</p><p>
+<span class="application">winbindd</span> will run as one or two daemons, depending on whether or not it is being
+run in <span class="emphasis"><em>split mode</em></span> (in which case there will be two instances).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885679"></a>Error Message: open_oplock_ipc</h3></div></div><div></div></div><p>An error message is observed in the log files when <span class="application">smbd</span> is started: “<span class="quote">open_oplock_ipc: Failed to get local UDP socket
+ for address 100007f. Error was Cannot assign requested.</span>”</p><p>Your loopback device isn't working correctly. Make sure it is configured correctly. The loopback
+ device is an internal (virtual) network device with the IP address <span class="emphasis"><em>127.0.0.1</em></span>.
+ Read your OS documentation for details on how to configure the loopback on your system.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2885717"></a>“<span class="quote"><span class="errorname">The network name cannot be found</span></span>”</h3></div></div><div></div></div><p>
+ This error can be caused by one of these misconfigurations:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>You specified an nonexisting path
+ for the share in <tt class="filename">smb.conf</tt>.</p></li><li><p>The user you are trying to access the share with does not
+ have sufficient permissions to access the path for
+ the share. Both read (r) and access (x) should be possible.</p></li><li><p>The share you are trying to access does not exist.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="IntroSMB.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="FastStart.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. Introduction to Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Fast Start for the Impatient</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 26. Integrating MS Windows Networks with Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="pam.html" title="Chapter 25. PAM-Based Distributed Authentication"><link rel="next" href="unicode.html" title="Chapter 27. Unicode/Charsets"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 26. Integrating MS Windows Networks with Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="integrate-ms-networks"></a>Chapter 26. Integrating MS Windows Networks with Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> (Jan 01 2001) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="integrate-ms-networks.html#id2961659">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2961683">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2961747">Name Resolution in a Pure UNIX/Linux World</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2961804">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2961955">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id2961999">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id2962064">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2962179">Name Resolution as Used within MS Windows Networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2962531">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id2962597">The LMHOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962844">HOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962877">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id2962910">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2963026">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2963041">Pinging Works Only in One Way</a></dt><dt><a href="integrate-ms-networks.html#id2963083">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id2963134">Samba Server Name Change Problem</a></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2961626"></a>
+This section deals with NetBIOS over TCP/IP name to IP address resolution. If
+your MS Windows clients are not configured to use NetBIOS over TCP/IP, then this
+section does not apply to your installation. If your installation
+involves the use of
+NetBIOS over TCP/IP then this section may help you to resolve networking problems.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
+over Logical Link Control (LLC). On modern networks it is highly advised
+to not run NetBEUI at all. Note also there is no such thing as
+NetBEUI over TCP/IP the existence of such a protocol is a complete
+and utter misapprehension.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961659"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Many MS Windows network administrators have never been exposed to basic TCP/IP
+networking as it is implemented in a UNIX/Linux operating system. Likewise, many UNIX and
+Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP-based
+networking (and may have no desire to be either).
+</p><p>
+This chapter gives a short introduction to the basics of how a name can be resolved to
+its IP address for each operating system environment.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961683"></a>Background Information</h2></div></div><div></div></div><p>
+Since the introduction of MS Windows 2000, it is possible to run MS Windows networking
+without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
+name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
+TCP/IP is disabled on MS Windows 2000 and later clients, then only the TCP port 445 will be
+used and the UDP port 137 and TCP port 139 will not.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When using Windows 2000 or later clients, if NetBIOS over TCP/IP is not disabled, then
+the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
+Name Service or WINS), TCP port 139 and TCP port 445 (for actual file and print traffic).
+</p></div><p>
+When NetBIOS over TCP/IP is disabled, the use of DNS is essential. Most installations that
+disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires
+<a class="indexterm" name="id2961722"></a>
+Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
+<a class="indexterm" name="id2961735"></a>
+Use of DHCP with ADS is recommended as a further means of maintaining central control
+over the client workstation network configuration.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961747"></a>Name Resolution in a Pure UNIX/Linux World</h2></div></div><div></div></div><p>
+The key configuration files covered in this section are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/hosts</tt></p></li><li><p><tt class="filename">/etc/resolv.conf</tt></p></li><li><p><tt class="filename">/etc/host.conf</tt></p></li><li><p><tt class="filename">/etc/nsswitch.conf</tt></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961804"></a><tt class="filename">/etc/hosts</tt></h3></div></div><div></div></div><p>
+This file contains a static list of IP addresses and names.
+</p><pre class="programlisting">
+127.0.0.1 localhost localhost.localdomain
+192.168.1.1 bigbox.quenya.org bigbox alias4box
+</pre><p>
+The purpose of <tt class="filename">/etc/hosts</tt> is to provide a
+name resolution mechanism so uses do not need to remember
+IP addresses.
+</p><p>
+Network packets that are sent over the physical network transport
+layer communicate not via IP addresses but rather using the Media
+Access Control address, or MAC address. IP addresses are currently
+32 bits in length and are typically presented as four (4) decimal
+numbers that are separated by a dot (or period). For example, 168.192.1.1.
+</p><p>
+<a class="indexterm" name="id2961857"></a>
+MAC Addresses use 48 bits (or 6 bytes) and are typically represented
+as two-digit hexadecimal numbers separated by colons: 40:8e:0a:12:34:56.
+</p><p>
+Every network interface must have a MAC address. Associated with
+a MAC address may be one or more IP addresses. There is no
+relationship between an IP address and a MAC address; all such assignments
+are arbitrary or discretionary in nature. At the most basic level, all
+network communications take place using MAC addressing. Since MAC
+addresses must be globally unique and generally remain fixed for
+any particular interface, the assignment of an IP address makes sense
+from a network management perspective. More than one IP address can
+be assigned per MAC address. One address must be the primary IP
+address
+this is the address that will be returned in the ARP reply.
+</p><p>
+When a user or a process wants to communicate with another machine,
+the protocol implementation ensures that the “<span class="quote">machine name</span>” or “<span class="quote">host
+name</span>” is resolved to an IP address in a manner that is controlled
+by the TCP/IP configuration control files. The file
+<tt class="filename">/etc/hosts</tt> is one such file.
+</p><p>
+When the IP address of the destination interface has been
+determined, a protocol called ARP/RARP is used to identify
+the MAC address of the target interface. ARP stands for Address
+Resolution Protocol and is a broadcast-oriented method that
+uses User Datagram Protocol (UDP) to send a request to all
+interfaces on the local network segment using the all 1s MAC
+address. Network interfaces are programmed to respond to two
+MAC addresses only; their own unique address and the address
+ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will
+contain the MAC address and the primary IP address for each
+interface.
+</p><p>
+<a class="indexterm" name="id2961931"></a>
+The <tt class="filename">/etc/hosts</tt> file is foundational to all
+UNIX/Linux TCP/IP installations and as a minimum will contain
+the localhost and local network interface IP addresses and the
+primary names by which they are known within the local machine.
+This file helps to prime the pump so a basic level of name
+resolution can exist before any other method of name resolution
+becomes available.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961955"></a><tt class="filename">/etc/resolv.conf</tt></h3></div></div><div></div></div><p>
+This file tells the name resolution libraries:
+</p><div class="itemizedlist"><ul type="disc"><li><p>The name of the domain to which the machine
+ belongs.
+ </p></li><li><p>The name(s) of any domains that should be
+ automatically searched when trying to resolve unqualified
+ host names to their IP address.
+ </p></li><li><p>The name or IP address of available Domain
+ Name Servers that may be asked to perform name-to-address
+ translation lookups.
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961999"></a><tt class="filename">/etc/host.conf</tt></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2962014"></a>
+<tt class="filename">/etc/host.conf</tt> is the primary means by
+which the setting in <tt class="filename">/etc/resolv.conf</tt> may be effected. It is a
+critical configuration file. This file controls the order by
+which name resolution may proceed. The typical structure is:
+</p><pre class="programlisting">
+order hosts,bind
+multi on
+</pre><p>
+then both addresses should be returned. Please refer to the
+man page for <tt class="filename">host.conf</tt> for further details.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962064"></a><tt class="filename">/etc/nsswitch.conf</tt></h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2962078"></a>
+This file controls the actual name resolution targets. The
+file typically has resolver object specifications as follows:
+</p><pre class="programlisting">
+# /etc/nsswitch.conf
+#
+# Name Service Switch configuration file.
+#
+
+passwd: compat
+# Alternative entries for password authentication are:
+# passwd: compat files nis ldap winbind
+shadow: compat
+group: compat
+
+hosts: files nis dns
+# Alternative entries for host name resolution are:
+# hosts: files dns nis nis+ hesiod db compat ldap wins
+networks: nis files dns
+
+ethers: nis files
+protocols: nis files
+rpc: nis files
+services: nis files
+</pre><p>
+Of course, each of these mechanisms requires that the appropriate
+facilities and/or services are correctly configured.
+</p><p>
+It should be noted that unless a network request/message must be
+sent, TCP/IP networks are silent. All TCP/IP communications assume a
+principal of speaking only when necessary.
+</p><p>
+<a class="indexterm" name="id2962123"></a>
+Starting with version 2.2.0, Samba has Linux support for extensions to
+the name service switch infrastructure so Linux clients will
+be able to obtain resolution of MS Windows NetBIOS names to IP
+Addresses. To gain this functionality, Samba needs to be compiled
+with appropriate arguments to the make command (i.e., <b class="userinput"><tt>make
+nsswitch/libnss_wins.so</tt></b>). The resulting library should
+then be installed in the <tt class="filename">/lib</tt> directory and
+the <i class="parameter"><tt>wins</tt></i> parameter needs to be added to the “<span class="quote">hosts:</span>” line in
+the <tt class="filename">/etc/nsswitch.conf</tt> file. At this point, it
+will be possible to ping any MS Windows machine by its NetBIOS
+machine name, as long as that machine is within the workgroup to
+which both the Samba machine and the MS Windows machine belong.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2962179"></a>Name Resolution as Used within MS Windows Networking</h2></div></div><div></div></div><p>
+MS Windows networking is predicated about the name each machine
+is given. This name is known variously (and inconsistently) as
+the “<span class="quote">computer name,</span>” “<span class="quote">machine name,</span>” “<span class="quote">networking name,</span>” “<span class="quote">netbios name,</span>”
+or “<span class="quote">SMB name.</span>” All terms mean the same thing with the exception of
+“<span class="quote">netbios name</span>” that can also apply to the name of the workgroup or the
+domain name. The terms “<span class="quote">workgroup</span>” and “<span class="quote">domain</span>” are really just a
+simple name with which the machine is associated. All NetBIOS names
+are exactly 16 characters in length. The 16<sup>th</sup> character is reserved.
+It is used to store a one-byte value that indicates service level
+information for the NetBIOS name that is registered. A NetBIOS machine
+name is, therefore, registered for each service type that is provided by
+the client/server.
+</p><p>
+<link linkend="uniqnetbiosnames"> and <link linkend="netbiosnamesgrp"> list typical NetBIOS name/service type registrations.
+</p><div class="table"><a name="uniqnetbiosnames"></a><p class="title"><b>Table 26.1. Unique NetBIOS Names</b></p><table summary="Unique NetBIOS Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">MACHINENAME<00></td><td align="justify">Server Service is running on MACHINENAME</td></tr><tr><td align="left">MACHINENAME<03></td><td align="justify">Generic Machine Name (NetBIOS name)</td></tr><tr><td align="left">MACHINENAME<20></td><td align="justify">LanMan Server service is running on MACHINENAME</td></tr><tr><td align="left">WORKGROUP<1b></td><td align="justify">Domain Master Browser</td></tr></tbody></table></div><div class="table"><a name="netbiosnamesgrp"></a><p class="title"><b>Table 26.2. Group Names</b></p><table summary="Group Names" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">WORKGROUP<03></td><td align="justify">Generic Name registered by all members of WORKGROUP</td></tr><tr><td align="left">WORKGROUP<1c></td><td align="justify">Domain Controllers / Netlogon Servers</td></tr><tr><td align="left">WORKGROUP<1d></td><td align="justify">Local Master Browsers</td></tr><tr><td align="left">WORKGROUP<1e></td><td align="justify">Internet Name Resolvers</td></tr></tbody></table></div><p>
+<a class="indexterm" name="id2962414"></a>
+It should be noted that all NetBIOS machines register their own
+names as per the above. This is in vast contrast to TCP/IP
+installations where traditionally the system administrator will
+determine in the <tt class="filename">/etc/hosts</tt> or in the DNS database what names
+are associated with each IP address.
+</p><p>
+<a class="indexterm" name="id2962438"></a>
+One further point of clarification should be noted. The <tt class="filename">/etc/hosts</tt>
+file and the DNS records do not provide the NetBIOS name type information
+that MS Windows clients depend on to locate the type of service that may
+be needed. An example of this is what happens when an MS Windows client
+wants to locate a domain logon server. It finds this service and the IP
+address of a server that provides it by performing a lookup (via a
+NetBIOS broadcast) for enumeration of all machines that have
+registered the name type *<1c>. A logon request is then sent to each
+IP address that is returned in the enumerated list of IP addresses.
+Whichever machine first replies, it then ends up providing the logon services.
+</p><p>
+The name “<span class="quote">workgroup</span>” or “<span class="quote">domain</span>” really can be confusing since these
+have the added significance of indicating what is the security
+architecture of the MS Windows network. The term “<span class="quote">workgroup</span>” indicates
+that the primary nature of the network environment is that of a
+peer-to-peer design. In a WORKGROUP, all machines are responsible for
+their own security, and generally such security is limited to the use of
+just a password (known as Share Level security). In most situations
+with peer-to-peer networking, the users who control their own machines
+will simply opt to have no security at all. It is possible to have
+User Level Security in a WORKGROUP environment, thus requiring the use
+of a user name and a matching password.
+</p><p>
+MS Windows networking is thus predetermined to use machine names
+for all local and remote machine message passing. The protocol used is
+called Server Message Block (SMB) and this is implemented using
+the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
+be encapsulated using LLC (Logical Link Control) protocol in which case
+the resulting protocol is called NetBEUI (Network Basic Extended User
+Interface). NetBIOS can also be run over IPX (Internetworking Packet
+Exchange) protocol as used by Novell NetWare, and it can be run
+over TCP/IP protocols in which case the resulting protocol is called
+NBT or NetBT, the NetBIOS over TCP/IP.
+</p><p>
+MS Windows machines use a complex array of name resolution mechanisms.
+Since we are primarily concerned with TCP/IP, this demonstration is
+limited to this area.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962531"></a>The NetBIOS Name Cache</h3></div></div><div></div></div><p>
+All MS Windows machines employ an in-memory buffer in which is
+stored the NetBIOS names and IP addresses for all external
+machines that machine has communicated with over the
+past 10-15 minutes. It is more efficient to obtain an IP address
+for a machine from the local cache than it is to go through all the
+configured name resolution mechanisms.
+</p><p>
+If a machine whose name is in the local name cache has been shut
+down before the name had been expired and flushed from the cache, then
+an attempt to exchange a message with that machine will be subject
+to time-out delays. Its name is in the cache, so a name resolution
+lookup will succeed, but the machine cannot respond. This can be
+frustrating for users but is a characteristic of the protocol.
+</p><p>
+<a class="indexterm" name="id2962566"></a>
+<a class="indexterm" name="id2962574"></a>
+The MS Windows utility that allows examination of the NetBIOS
+name cache is called “<span class="quote">nbtstat</span>”. The Samba equivalent of this
+is called <b class="command">nmblookup</b>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962597"></a>The LMHOSTS File</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2962608"></a>
+This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in the directory
+<tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains the IP Address
+and the machine name in matched pairs. The <tt class="filename">LMHOSTS</tt> file
+performs NetBIOS name to IP address mapping.
+</p><p>
+It typically looks like this:
+</p><pre class="programlisting">
+# Copyright (c) 1998 Microsoft Corp.
+#
+# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
+# over TCP/IP) stack for Windows98
+#
+# This file contains the mappings of IP addresses to NT computernames
+# (NetBIOS) names. Each entry should be kept on an individual line.
+# The IP address should be placed in the first column followed by the
+# corresponding computername. The address and the computername
+# should be separated by at least one space or tab. The "#" character
+# is generally used to denote the start of a comment (see the exceptions
+# below).
+#
+# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
+# files and offers the following extensions:
+#
+# #PRE
+# #DOM:<domain>
+# #INCLUDE <filename>
+# #BEGIN_ALTERNATE
+# #END_ALTERNATE
+# \0xnn (non-printing character support)
+#
+# Following any entry in the file with the characters "#PRE" will cause
+# the entry to be preloaded into the name cache. By default, entries are
+# not preloaded, but are parsed only after dynamic name resolution fails.
+#
+# Following an entry with the "#DOM:<domain>" tag will associate the
+# entry with the domain specified by <domain>. This effects how the
+# browser and logon services behave in TCP/IP environments. To preload
+# the host name associated with #DOM entry, it is necessary to also add a
+# #PRE to the line. The <domain> is always preloaded although it will not
+# be shown when the name cache is viewed.
+#
+# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
+# software to seek the specified <filename> and parse it as if it were
+# local. <filename> is generally a UNC-based name, allowing a
+# centralized lmhosts file to be maintained on a server.
+# It is ALWAYS necessary to provide a mapping for the IP address of the
+# server prior to the #INCLUDE. This mapping must use the #PRE directive.
+# In addition the share "public" in the example below must be in the
+# LanManServer list of "NullSessionShares" in order for client machines to
+# be able to read the lmhosts file successfully. This key is under
+# \machine\system\currentcontrolset\services\lanmanserver\
+# parameters\nullsessionshares
+# in the registry. Simply add "public" to the list found there.
+#
+# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
+# statements to be grouped together. Any single successful include
+# will cause the group to succeed.
+#
+# Finally, non-printing characters can be embedded in mappings by
+# first surrounding the NetBIOS name in quotations, then using the
+# \0xnn notation to specify a hex value for a non-printing character.
+#
+# The following example illustrates all of these extensions:
+#
+# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
+# 102.54.94.102 "appname \0x14" #special app server
+# 102.54.94.123 popular #PRE #source server
+# 102.54.94.117 localsrv #PRE #needed for the include
+#
+# #BEGIN_ALTERNATE
+# #INCLUDE \\localsrv\public\lmhosts
+# #INCLUDE \\rhino\public\lmhosts
+# #END_ALTERNATE
+#
+# In the above example, the "appname" server contains a special
+# character in its name, the "popular" and "localsrv" server names are
+# preloaded, and the "rhino" server name is specified so it can be used
+# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
+# system is unavailable.
+#
+# Note that the whole file is parsed including comments on each lookup,
+# so keeping the number of comments to a minimum will improve performance.
+# Therefore it is not advisable to simply add lmhosts file entries onto the
+# end of this file.
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962844"></a>HOSTS File</h3></div></div><div></div></div><p>
+This file is usually located in MS Windows NT 4.0 or Windows 200x/XP in
+the directory <tt class="filename">C:\WINNT\SYSTEM32\DRIVERS\ETC</tt> and contains
+the IP Address and the IP hostname in matched pairs. It can be
+used by the name resolution infrastructure in MS Windows, depending
+on how the TCP/IP environment is configured. This file is in
+every way the equivalent of the UNIX/Linux <tt class="filename">/etc/hosts</tt> file.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962877"></a>DNS Lookup</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2962888"></a>
+This capability is configured in the TCP/IP setup area in the network
+configuration facility. If enabled, an elaborate name resolution sequence
+is followed, the precise nature of which is dependant on how the NetBIOS
+Node Type parameter is configured. A Node Type of 0 means that
+NetBIOS broadcast (over UDP broadcast) is used if the name
+that is the subject of a name lookup is not found in the NetBIOS name
+cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
+Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
+WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
+lookup is used.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962910"></a>WINS Lookup</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2962921"></a>
+A WINS (Windows Internet Name Server) service is the equivalent of the
+rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
+the names and IP addresses that are registered by a Windows client
+if the TCP/IP setup has been given at least one WINS Server IP Address.
+</p><p>
+To configure Samba to be a WINS server, the following parameter needs
+to be added to the <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = Yes</tt></i></td></tr></table><p>
+To configure Samba to use a WINS server, the following parameters are
+needed in the <tt class="filename">smb.conf</tt> file:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>wins support = No</tt></i></td></tr><tr><td><i class="parameter"><tt>wins server = xxx.xxx.xxx.xxx</tt></i></td></tr></table><p>
+where <i class="replaceable"><tt>xxx.xxx.xxx.xxx</tt></i> is the IP address
+of the WINS server.
+</p><p>For information about setting up Samba as a WINS server, read
+<link linkend="NetworkBrowsing">.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963026"></a>Common Errors</h2></div></div><div></div></div><p>
+TCP/IP network configuration problems find every network administrator sooner or later.
+The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
+carelessness. Of course, no one is ever deliberately careless!
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963041"></a>Pinging Works Only in One Way</h3></div></div><div></div></div><p>
+ “<span class="quote">I can ping my Samba server from Windows, but I cannot ping my Windows
+ machine from the Samba server.</span>”
+ </p><p>
+ <span class="emphasis"><em>Answer:</em></span> The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
+ Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
+ The machines were on a local network with no external connections.
+ </p><p>
+ Due to inconsistent netmasks, the Windows machine was on network 192.168.1.0/24, while
+ the Samba server was on network 192.168.1.128/25 logically a different network.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963083"></a>Very Slow Network Connections</h3></div></div><div></div></div><p>
+ A common cause of slow network response includes:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Client is configured to use DNS and the DNS server is down.</p></li><li><p>Client is configured to use remote DNS server, but the
+ remote connection is down.</p></li><li><p>Client is configured to use a WINS server, but there is no WINS server.</p></li><li><p>Client is not configured to use a WINS server, but there is a WINS server.</p></li><li><p>Firewall is filtering our DNS or WINS traffic.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963134"></a>Samba Server Name Change Problem</h3></div></div><div></div></div><p>
+ “<span class="quote">The name of the Samba server was changed, Samba was restarted, Samba server cannot be
+ pinged by new name from MS Windows NT4 Workstation, but it does still respond to ping using
+ the old name. Why?</span>”
+ </p><p>
+ From this description, three things are obvious:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>WINS is not in use, only broadcast-based name resolution is used.</p></li><li><p>The Samba server was renamed and restarted within the last 10-15 minutes.</p></li><li><p>The old Samba server name is still in the NetBIOS name cache on the MS Windows NT4 Workstation.</p></li></ul></div><p>
+ To find what names are present in the NetBIOS name cache on the MS Windows NT4 machine,
+ open a <b class="command">cmd</b> shell and then:
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>nbtstat -n</tt></b>
+
+ NetBIOS Local Name Table
+
+ Name Type Status
+------------------------------------------------
+FRODO <03> UNIQUE Registered
+ADMINSTRATOR <03> UNIQUE Registered
+FRODO <00> UNIQUE Registered
+SARDON <00> GROUP Registered
+FRODO <20> UNIQUE Registered
+FRODO <1F> UNIQUE Registered
+
+
+<tt class="prompt">C:\> </tt>nbtstat -c
+
+ NetBIOS Remote Cache Name Table
+
+ Name Type Host Address Life [sec]
+--------------------------------------------------------------
+GANDALF <20> UNIQUE 192.168.1.1 240
+
+<tt class="prompt">C:\> </tt>
+</pre><p>
+ </p><p>
+ In the above example, GANDALF is the Samba server and FRODO is the MS Windows NT4 Workstation.
+ The first listing shows the contents of the Local Name Table (i.e., Identity information on
+ the MS Windows workstation) and the second shows the NetBIOS name in the NetBIOS name cache.
+ The name cache contains the remote machines known to this workstation.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pam.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="unicode.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 25. PAM-Based Distributed Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 27. Unicode/Charsets</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part I. General Installation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="pr02.html" title="Attributions"><link rel="next" href="IntroSMB.html" title="Chapter 1. Introduction to Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part I. General Installation</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="introduction"></a>General Installation</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2875813"></a>Preparing Samba for Configuration</h1></div></div><div></div></div><p>This section of the Samba-HOWTO-Collection contains general info on how to install samba
+and how to configure the parts of samba you will most likely need.
+PLEASE read this.</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2875896">Background</a></dt><dt><a href="IntroSMB.html#id2875954">Terminology</a></dt><dt><a href="IntroSMB.html#id2876091">Related Projects</a></dt><dt><a href="IntroSMB.html#id2876169">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2876258">Epilogue</a></dt><dt><a href="IntroSMB.html#id2876344">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2876533">Obtaining and Installing Samba</a></dt><dt><a href="install.html#id2876568">Configuring Samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2876606">Configuration file syntax</a></dt><dt><a href="install.html#id2876766">Example Configuration</a></dt><dt><a href="install.html#id2885184">SWAT</a></dt></dl></dd><dt><a href="install.html#id2885250">List Shares Available on the Server</a></dt><dt><a href="install.html#id2885315">Connect with a UNIX Client</a></dt><dt><a href="install.html#id2885433">Connect from a Remote SMB Client</a></dt><dt><a href="install.html#id2885526">What If Things Don't Work?</a></dt><dt><a href="install.html#id2885557">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2885570">Large Number of smbd Processes</a></dt><dt><a href="install.html#id2885679">Error Message: open_oplock_ipc</a></dt><dt><a href="install.html#id2885717">The network name cannot be found</a></dt></dl></dd></dl></dd><dt>3. <a href="FastStart.html">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2885815">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr02.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="IntroSMB.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Attributions </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 1. Introduction to Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id2977419"></a>Index</h2></div></div><div></div></div><div class="index"><div class="indexdiv"><h3>Symbols</h3><dl><dt>"Printers" folder, <a href="CUPS-printing.html#id2939274">Caveats to be Considered</a>, <a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt>"raw" printing, <a href="CUPS-printing.html#id2932163">Raw Print Serving Vendor Drivers on Windows Clients</a></dt><dt>/etc/cups/mime.convs, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt>/etc/cups/mime.types, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt>/etc/host.conf, <a href="integrate-ms-networks.html#id2961999">/etc/host.conf</a></dt><dt>/etc/hosts, <a href="integrate-ms-networks.html#id2961804">/etc/hosts</a></dt><dt>/etc/krb5.conf, <a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt><dt>/etc/nsswitch.conf, <a href="integrate-ms-networks.html#id2962064">/etc/nsswitch.conf</a></dt><dt>8.3 file names, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></div><div class="indexdiv"><h3>A</h3><dl><dt>Account Controls, <a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a></dt><dt>ACLs, <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt><dd><dl><dt>File System, <a href="AccessControls.html#id2912050">File and Directory Access Control</a></dt><dt>POSIX, <a href="AccessControls.html">File, Directory and Share Access Controls</a>, <a href="AccessControls.html#id2911341">Features and Benefits</a></dt><dt>share, <a href="AccessControls.html#id2911341">Features and Benefits</a></dt><dt>Windows, <a href="AccessControls.html#id2911341">Features and Benefits</a></dt></dl></dd><dt>Active Directory, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dt>add group script, <a href="groupmapping.html#id2910839">Adding Groups Fails</a></dt><dt>add machine script, <a href="samba-pdc.html#id2890822">The Machine Trust Account Is Not Accessible</a>, <a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="domain-member.html#id2896072">Adding Machine to Domain Fails</a></dt><dt>add printer command, <a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt>add printer wizard, <a href="CUPS-printing.html#id2932552">Driver Upload Methods</a></dt><dt>add user script, <a href="passdb.html#id2904429">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt>admin users, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="AccessControls.html#id2915635">File Operations Done as root with force user Set</a></dt><dt>Administrator, <a href="groupmapping.html#id2909551">Discussion</a></dt><dt>ADS (see Active Directory)</dt><dt>application/cups.vnd-postscript, <a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/octet-stream, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a>, <a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id2935861">application/octet-stream Printing</a></dt><dt>application/pdf, <a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt>application/postscript, <a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt>application/vnd.cups-raster, <a href="CUPS-printing.html#id2936129">PostScript Printer Descriptions (PPDs) for Non-PS Printers</a></dt><dt>application/vnd.cups-raw, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt>auth methods, <a href="passdb.html#id2908922">Configuration of auth methods</a>, <a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a></dt></dl></div><div class="indexdiv"><h3>B</h3><dl><dt>bad hardware, <a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt><dt>brlock.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>browsable, <a href="printing.html#id2920998">Simple Print Configuration</a></dt><dt>browse list, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id2901872">Technical Overview of Browsing</a></dt><dt>browseable, <a href="printing.html#id2920998">Simple Print Configuration</a>, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt>browsing problems, <a href="NetworkBrowsing.html#id2903097">I get an `Unable to browse the network' error</a></dt></dl></div><div class="indexdiv"><h3>C</h3><dl><dt>case sensitive, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a>, <a href="ProfileMgmt.html#id2955066">Windows 9x/Me Profile Setup</a></dt><dt>chpass, <a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt><dt>client use spnego, <a href="domain-member.html#id2896237">I Can't Join a Windows 2003 PDC</a></dt><dt>comment, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt>Config.POL, <a href="PolicyMgmt.html#id2953137">Creating and Managing System Policies</a></dt><dt>configure, <a href="compiling.html#id2973553">Building the Binaries</a></dt><dt>connections.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>core files, <a href="bugreport.html#id2972617">Internal Errors</a></dt><dt>create mask, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>csc policy, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>CUPS</dt><dd><dl><dt>Page Accounting, <a href="CUPS-printing.html#id2945207">Page Accounting with CUPS</a></dt><dt>quotas, <a href="CUPS-printing.html#id2945248">Setting Up Quotas</a></dt></dl></dd><dt>CUPS-PPD, <a href="CUPS-printing.html#id2944109">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>cupsaddsmb, <a href="CUPS-printing.html#id2932552">Driver Upload Methods</a>, <a href="CUPS-printing.html#id2938397">cupsaddsmb: The Unknown Utility</a>, <a href="CUPS-printing.html#id2939274">Caveats to be Considered</a>, <a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id2940450">cupsaddsmb with a Samba PDC</a>, <a href="CUPS-printing.html#id2940538">cupsaddsmb Flowchart</a></dt><dt>cupsomatic, <a href="CUPS-printing.html#id2933573">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a>, <a href="CUPS-printing.html#id2944109">cupsomatic, pdqomatic, lpdomatic, directomatic</a></dt><dt>CVS, <a href="compiling.html#id2973003">Introduction</a></dt><dd><dl><dt>web, <a href="compiling.html#id2973065">Access via CVSweb</a></dt></dl></dd></dl></div><div class="indexdiv"><h3>D</h3><dl><dt>daemon, <a href="compiling.html#id2974312">Alternative: Starting smbd as a Daemon</a></dt><dt>DDK, <a href="CUPS-printing.html#id2938313">PostScript Drivers with No Major Problems Even in Kernel
+Mode</a>, <a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dt>debug, <a href="bugreport.html#id2972617">Internal Errors</a></dt><dt>debug level, <a href="problems.html#id2971276">Debugging with Samba Itself</a>, <a href="speed.html#id2976477">Log Level</a></dt><dt>debuglevel, <a href="bugreport.html#id2972408">Debug Levels</a></dt><dt>default case, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>default profile, <a href="ProfileMgmt.html#id2956970">Default Profile for Windows Users</a>, <a href="ProfileMgmt.html#id2958626">Changing the Default Profile</a></dt><dt>delete printer command, <a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt>delete roaming profiles, <a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt><dt>DHCP, <a href="integrate-ms-networks.html#id2961683">Background Information</a></dt><dt>diff, <a href="bugreport.html#id2972799">Patches</a></dt><dt>directory mask, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt>directory security mask, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>Directory Separators, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>display charset, <a href="unicode.html#id2963499">Samba and Charsets</a>, <a href="SWAT.html#id2968458">Enabling SWAT Internationalization Support</a></dt><dt>DNS, <a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a>, <a href="integrate-ms-networks.html#id2962877">DNS Lookup</a></dt><dd><dl><dt>Active Directory, <a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt><dt>Dynamic, <a href="integrate-ms-networks.html#id2961683">Background Information</a></dt></dl></dd><dt>dns proxy, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>domain admin group, <a href="groupmapping.html">Group Mapping MS Windows and UNIX</a></dt><dt>Domain Admins group, <a href="groupmapping.html#id2909551">Discussion</a></dt><dt>domain logons, <a href="samba-pdc.html#id2889080">Preparing for Domain Control</a></dt><dt>domain master, <a href="samba-pdc.html#id2890004">Domain Network Logon Service</a>, <a href="samba-bdc.html#id2892538">Example Configuration</a>, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a></dt><dt>Domain Member, <a href="ServerType.html#id2886525">Domain Security Mode (User Level Security)</a></dt><dd><dl><dt>joining, <a href="ServerType.html#id2886566">Example Configuration</a></dt></dl></dd><dt>domain security, <a href="samba-pdc.html#id2870050">Features and Benefits</a></dt><dt>Domain Users group, <a href="groupmapping.html#id2910933">Adding Domain Users to the Power Users Group</a></dt><dt>dont descend, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>dos charset, <a href="unicode.html#id2963499">Samba and Charsets</a>, <a href="unicode.html#id2963643">Japanese Charsets</a>, <a href="unicode.html#id2963788">CP850.so Can't Be Found</a></dt><dt>dos filemode, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt>dos filetime resolution, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>dos filetimes, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>Drive Identification, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></div><div class="indexdiv"><h3>E</h3><dl><dt>editreg, <a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a></dt><dt>EMF, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2937377">From Windows Clients to an NT Print Server</a>, <a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt><dt>encrypt passwords, <a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a>, <a href="passdb.html#id2905425">smbpasswd Encrypted Password Database</a>, <a href="pam.html#id2960612">smb.conf PAM Configuration</a>, <a href="upgrading-to-3.0.html#id2964134">Quick Migration Guide</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>encrypted passwords, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#id2908611">Using Plaintext Passwords or Encrypted Password</a></dt><dt>enhanced browsing, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>enumports command, <a href="printing.html#id2929923">Samba and Printer Ports</a></dt><dt>EPM (see ESP meta packager)</dt><dt>ESC/P, <a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt><dt>ESP</dt><dd><dl><dt>Ghostscript, <a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a></dt><dt>meta packager, <a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dt>Print Pro, <a href="CUPS-printing.html#id2937128">Sources of CUPS Drivers/PPDs</a>, <a href="CUPS-printing.html#id2939204">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt></dl></dd><dt>Event Viewer, <a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt>Extended Attributes, <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt></dl></div><div class="indexdiv"><h3>F</h3><dl><dt>fake oplocks, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>File Naming Conventions, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>File System, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dd><dl><dt>case sensitivity, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>feature comparison, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>UNIX, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>Windows, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>flush name cache, <a href="NetworkBrowsing.html#id2902975">How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?</a></dt><dt>foomatic, <a href="CUPS-printing.html#id2933573">Using Windows-Formatted Vendor PPDs</a>, <a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a>, <a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a>, <a href="CUPS-printing.html#id2943860">foomatic-rip and Foomatic Explained</a>, <a href="CUPS-printing.html#id2944020">Foomatic's Strange Name</a></dt><dt>foomatic-rip, <a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a>, <a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id2943860">foomatic-rip and Foomatic Explained</a>, <a href="CUPS-printing.html#id2944302">The Grand Unification Achieved</a></dt><dt>force create mode, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>force directory mode, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>force directory security mode, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>force group, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt>force security mode, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>force user, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="AccessControls.html#id2915635">File Operations Done as root with force user Set</a>, <a href="locking.html#id2916637">Beware of Force User</a></dt><dt>ftp, <a href="compiling.html#id2973311">Accessing the Samba Sources via rsync and ftp</a></dt></dl></div><div class="indexdiv"><h3>G</h3><dl><dt>gdb, <a href="bugreport.html#id2972617">Internal Errors</a></dt><dt>GDI, <a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2937377">From Windows Clients to an NT Print Server</a>, <a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt><dt>genlogon.pl, <a href="AdvancedNetworkManagement.html#id2952700">Network Logon Script Magic</a></dt><dt>GhostScript, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id2933354">Ghostscript the Software RIP for Non-PostScript Printers</a></dt><dd><dl><dt>(see also PostScript)</dt></dl></dd><dt>Ghostscript</dt><dd><dl><dt>ESP (see ESP GhostScript)</dt></dl></dd><dt>GID, <a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt>GPG, <a href="compiling.html#id2973389">Verifying Samba's PGP Signature</a></dt><dt>GPOs, <a href="PolicyMgmt.html#id2953044">Features and Benefits</a>, <a href="PolicyMgmt.html#id2953525">MS Windows 200x/XP Professional Policies</a>, <a href="PolicyMgmt.html#id2953643">Administration of Windows 200x/XP Policies</a>, <a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a>, <a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt><dt>group policies, <a href="PolicyMgmt.html#id2953044">Features and Benefits</a></dt><dt>group policy objects (see GPOs)</dt><dt>group profiles, <a href="ProfileMgmt.html#id2956917">Creating and Managing Group Profiles</a></dt><dt>groupadd, <a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt>groupdel, <a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt>groups</dt><dd><dl><dt>domain, <a href="groupmapping.html#id2909551">Discussion</a></dt><dt>mapping, <a href="groupmapping.html">Group Mapping MS Windows and UNIX</a></dt><dt>nested, <a href="groupmapping.html#id2910907">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd><dt>guest account, <a href="NetworkBrowsing.html#id2902057">Problem Resolution</a>, <a href="NetworkBrowsing.html#id2903041">Server Resources Can Not Be Listed</a>, <a href="printing.html#ptrsect">The [printers] Section</a></dt><dt>guest ok, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a></dt></dl></div><div class="indexdiv"><h3>H</h3><dl><dt>hide dot files, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>hide files, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>hide unreadable, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt>hide unwriteable files, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt>host msdfs, <a href="msdfs.html#id2920158">Features and Benefits</a></dt><dt>hosts allow, <a href="securing-samba.html#id2918263">Using Host-Based Protection</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a></dt><dt>hosts deny, <a href="securing-samba.html#id2918263">Using Host-Based Protection</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a></dt></dl></div><div class="indexdiv"><h3>I</h3><dl><dt>idmap backend, <a href="samba-bdc.html#id2892538">Example Configuration</a></dt><dt>idmap gid, <a href="groupmapping.html#id2909181">Features and Benefits</a>, <a href="winbind.html#id2952067">Winbind Is Not Resolving Users and Groups</a>, <a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt><dt>idmap uid, <a href="groupmapping.html#id2909181">Features and Benefits</a>, <a href="winbind.html#id2952067">Winbind Is Not Resolving Users and Groups</a>, <a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt><dt>ifconfig, <a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt>imprints, <a href="CUPS-printing.html#id2932552">Driver Upload Methods</a></dt><dt>inetd, <a href="diagnosis.html#id2969546">The Tests</a>, <a href="compiling.html#id2973958">Starting the smbd and nmbd</a>, <a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt>initGroups.sh, <a href="groupmapping.html#id2910716">Script to Configure Group Mapping</a>, <a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt><dt>Interdomain Trusts, <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt>Completing, <a href="InterdomainTrusts.html#id2919342">Completing an NT4 Domain Trust</a></dt><dt>creating, <a href="InterdomainTrusts.html#id2919243">Native MS Windows NT4 Trusts Configuration</a></dt><dt>Facilities, <a href="InterdomainTrusts.html#id2919402">Inter-Domain Trust Facilities</a></dt></dl></dd><dt>interfaces, <a href="NetworkBrowsing.html#id2900745">Multiple Interfaces</a>, <a href="NetworkBrowsing.html#id2902057">Problem Resolution</a>, <a href="diagnosis.html#id2969546">The Tests</a>, <a href="compiling.html#id2974066">Starting from inetd.conf</a></dt><dt>invalid users, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt>IPP, <a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a></dt></dl></div><div class="indexdiv"><h3>K</h3><dl><dt>KDC, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dt>Kerberos, <a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt>/etc/krb5.conf, <a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt></dl></dd><dt>kinit, <a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt></dl></div><div class="indexdiv"><h3>L</h3><dl><dt>ldap admin dn, <a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a>, <a href="domain-member.html#id2895877">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap delete dn, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap filter, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap group suffix, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap idmap suffix, <a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a>, <a href="domain-member.html#id2895877">Sharing User ID Mappings between Samba Domain Members</a>, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap machine suffix, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap passwd sync, <a href="passdb.html#id2906239">Configuring Samba</a>, <a href="passdb.html#id2907513">Password Synchronization</a></dt><dt>ldap ssl, <a href="passdb.html#id2906239">Configuring Samba</a>, <a href="passdb.html#id2906746">Security and sambaSamAccount</a></dt><dt>ldap suffix, <a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a>, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>ldap user suffix, <a href="passdb.html#id2906239">Configuring Samba</a></dt><dt>libnss_wins.so, <a href="integrate-ms-networks.html#id2962064">/etc/nsswitch.conf</a></dt><dt>Links</dt><dd><dl><dt>hard, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>soft, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt></dl></dd><dt>Linuxprinting.org, <a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a></dt><dt>lm announce, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>lm interval, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>LMB (see Local Master Browser)</dt><dt>LMHOSTS, <a href="integrate-ms-networks.html#id2962597">The LMHOSTS File</a></dt><dt>load printers, <a href="printing.html#id2921327">Rapid Configuration Validation</a>, <a href="printing.html#id2922033">The [global] Section</a></dt><dt>local master, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a></dt><dt>Local Master Browser, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id2900780">Use of the Remote Announce Parameter</a></dt><dt>locking, <a href="locking.html#id2916001">Discussion</a></dt><dt>locking.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>log files</dt><dd><dl><dt>monitoring, <a href="diagnosis.html#id2969311">Assumptions</a></dt></dl></dd><dt>log level, <a href="domain-member.html#id2896072">Adding Machine to Domain Fails</a>, <a href="NetworkBrowsing.html#id2902057">Problem Resolution</a>, <a href="VFS.html#id2948583">extd_audit</a>, <a href="bugreport.html#id2972408">Debug Levels</a></dt><dt>logon drive, <a href="ProfileMgmt.html#id2955678">Windows NT4 Workstation</a></dt><dt>logon home, <a href="passdb.html#id2906904">LDAP Special Attributes for sambaSamAccounts</a>, <a href="ProfileMgmt.html#id2954652">Windows 9x/Me User Profiles</a>, <a href="ProfileMgmt.html#id2954783">Mixed Windows 9x/Me and Windows NT4/200x User Profiles</a>, <a href="ProfileMgmt.html#id2954850">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id2955678">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt>logon path, <a href="passdb.html#id2906904">LDAP Special Attributes for sambaSamAccounts</a>, <a href="ProfileMgmt.html#id2954783">Mixed Windows 9x/Me and Windows NT4/200x User Profiles</a>, <a href="ProfileMgmt.html#id2954850">Disabling Roaming Profile Support</a>, <a href="ProfileMgmt.html#id2955066">Windows 9x/Me Profile Setup</a>, <a href="ProfileMgmt.html#id2955678">Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt>logon script, <a href="passdb.html#id2906904">LDAP Special Attributes for sambaSamAccounts</a></dt><dt>lpadmin, <a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a>, <a href="CUPS-printing.html#id2945248">Setting Up Quotas</a></dt><dt>lppause command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt>lpq cache time, <a href="printing.html#id2922033">The [global] Section</a></dt><dt>lpq command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt>lpresume command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt>lprm command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt>lpstat, <a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt></dl></div><div class="indexdiv"><h3>M</h3><dl><dt>MAC Addresses, <a href="integrate-ms-networks.html#id2961804">/etc/hosts</a></dt><dt>Machine Trust Accounts, <a href="samba-pdc.html#id2870050">Features and Benefits</a>, <a href="samba-bdc.html#id2892791">Machine Accounts Keep Expiring</a>, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt>creating, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt></dl></dd><dt>make, <a href="compiling.html#id2973553">Building the Binaries</a></dt><dt>mandatory profiles, <a href="ProfileMgmt.html#id2956822">Mandatory Profiles</a></dt><dt>mangling method, <a href="unicode.html#id2963643">Japanese Charsets</a></dt><dt>map to guest, <a href="printing.html#id2925021">[print$] Section Parameters</a>, <a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a>, <a href="CUPS-printing.html#id2947002">New Account Reconnection from Windows 200x/XP Troubles</a>, <a href="CUPS-printing.html#id2947106">Avoid Being Connected to the Samba Server as the Wrong User</a></dt><dt>max xmit, <a href="speed.html#id2976422">Max Xmit</a></dt><dt>messages.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>MIME, <a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a>, <a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a>, <a href="CUPS-printing.html#id2934287">Filtering Overview</a>, <a href="CUPS-printing.html#id2935861">application/octet-stream Printing</a></dt><dd><dl><dt>filters, <a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a></dt><dt>raw, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt></dl></dd><dt>minimal configuration, <a href="install.html#id2876606">Configuration file syntax</a></dt><dt>msdfs root, <a href="msdfs.html#id2920158">Features and Benefits</a></dt></dl></div><div class="indexdiv"><h3>N</h3><dl><dt>name resolve order, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>nbtstat, <a href="integrate-ms-networks.html#id2962531">The NetBIOS Name Cache</a></dt><dt>net</dt><dd><dl><dt>groupmap, <a href="groupmapping.html#id2910488">Example Configuration</a>, <a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt><dt>rpc, <a href="ServerType.html#id2886566">Example Configuration</a>, <a href="samba-bdc.html#id2891162">Features and Benefits</a>, <a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt></dl></dd><dt>NetBIOS, <a href="NetworkBrowsing.html#id2897285">Features and Benefits</a>, <a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a>, <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a>, <a href="integrate-ms-networks.html#id2962179">Name Resolution as Used within MS Windows Networking</a></dt><dt>NetBIOS-less, <a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a></dt><dt>Nexus.exe, <a href="samba-pdc.html#id2870050">Features and Benefits</a>, <a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt>nmblookup, <a href="integrate-ms-networks.html#id2962531">The NetBIOS Name Cache</a></dt><dt>NoMachine.Com, <a href="AdvancedNetworkManagement.html#id2952467">Remote Management from NoMachine.Com</a></dt><dt>nt acl support, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914124">Viewing File Ownership</a>, <a href="AccessControls.html#id2914264">Viewing File or Directory Permissions</a>, <a href="AccessControls.html#id2914515">Modifying File or Directory Permissions</a>, <a href="Other-Clients.html#id2975901">Windows 2000 Service Pack 2</a></dt><dt>NTConfig.POL, <a href="PolicyMgmt.html#id2953271">Windows 9x/ME Policies</a>, <a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a>, <a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a>, <a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a></dt><dt>ntdrivers.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>ntforms.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTFS, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>ntprinters.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>NTUser.DAT, <a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a></dt></dl></div><div class="indexdiv"><h3>O</h3><dl><dt>obey pam restrictions, <a href="pam.html#id2960612">smb.conf PAM Configuration</a></dt><dt>only user, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="securing-samba.html#id2918774">Why Can Users Access Home Directories of Other Users?</a></dt><dt>oplock break wait time, <a href="locking.html#id2916729">Advanced Samba Opportunistic Locking Parameters</a>, <a href="locking.html#id2917088">Disabling Kernel Oplocks</a></dt><dt>oplock contention limit, <a href="locking.html#id2916729">Advanced Samba Opportunistic Locking Parameters</a></dt><dt>os level, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a>, <a href="NetworkBrowsing.html#id2900135">DOMAIN Browsing Configuration</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a></dt><dt>os2 driver map, <a href="Other-Clients.html#id2975411">Printer Driver Download for OS/2 Clients</a></dt></dl></div><div class="indexdiv"><h3>P</h3><dl><dt>page_log, <a href="CUPS-printing.html#id2945495">The page_log File Syntax</a></dt><dt>passdb backend, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="passdb.html">Account Information Databases</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="passdb.html#pdbeditthing">The pdbedit Command</a>, <a href="passdb.html#id2906239">Configuring Samba</a>, <a href="passdb.html#id2907797">Configuring</a>, <a href="passdb.html#id2908788">Users Cannot Logon</a>, <a href="passdb.html#id2908922">Configuration of auth methods</a>, <a href="pam.html#id2960701">Remote CIFS Authentication Using winbindd.so</a>, <a href="upgrading-to-3.0.html#id2964134">Quick Migration Guide</a>, <a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a></dt><dt>password level, <a href="ServerType.html#id2887204">Password Checking</a>, <a href="diagnosis.html#id2969546">The Tests</a>, <a href="Other-Clients.html#id2975701">Password Case Sensitivity</a>, <a href="speed.html#id2976655">Slow Logins</a></dt><dt>password server, <a href="ServerType.html#id2886928">Server Security (User Level Security)</a>, <a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a>, <a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id2895131">Configure smb.conf</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>patch, <a href="bugreport.html#id2972799">Patches</a></dt><dt>path, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a>, <a href="printing.html#id2923371">Print Commands</a>, <a href="printing.html#id2924810">Creating the [print$] Share</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a>, <a href="printing.html#id2925355">The [print$] Share Directory</a>, <a href="CUPS-printing.html#id2937834">Samba Receiving Jobfiles and Passing Them to CUPS</a>, <a href="CUPS-printing.html#id2946030">Auto-Deletion or Preservation of CUPS Spool Files</a>, <a href="CUPS-printing.html#id2947835">Permissions on /var/spool/samba/ Get Reset After Each Reboot</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>PCL, <a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a>, <a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a>, <a href="CUPS-printing.html#id2937924">Network PostScript RIP</a></dt><dt>pdbedit, <a href="passdb.html#id2903800">New Backends</a>, <a href="passdb.html#acctmgmttools">Account Management Tools</a>, <a href="passdb.html#pdbeditthing">The pdbedit Command</a>, <a href="passdb.html#XMLpassdb">XML</a>, <a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a>, <a href="NT4Migration.html#id2966502">Steps in Migration Process</a>, <a href="NT4Migration.html#id2967145">Samba-3 Implementation Choices</a></dt><dt>PDF, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2933497">PostScript Printer Description (PPD) Specification</a></dt><dt>pdf, <a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt>PDL, <a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt>permissions</dt><dd><dl><dt>file/directory ACLs, <a href="AccessControls.html#id2913986">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt>share, <a href="AccessControls.html#id2912290">Share Definition Access Controls</a></dt><dt>share ACLs, <a href="AccessControls.html#id2913585">Access Controls on Shares</a></dt><dt>UNIX file and directory, <a href="AccessControls.html#id2911341">Features and Benefits</a></dt></dl></dd><dt>PGP, <a href="compiling.html#id2973389">Verifying Samba's PGP Signature</a></dt><dt>PJL, <a href="CUPS-printing.html#id2937924">Network PostScript RIP</a>, <a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a>, <a href="CUPS-printing.html#id2945366">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt>point 'n' print, <a href="CUPS-printing.html#id2932223">Installation of Windows Client Drivers</a>, <a href="CUPS-printing.html#id2932552">Driver Upload Methods</a>, <a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a>, <a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt>PostScript, <a href="CUPS-printing.html#id2932699">Advanced Intelligent Printing with PostScript Driver Download</a>, <a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a>, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a>, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id2934481">Prefilters</a>, <a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a>, <a href="CUPS-printing.html#id2937924">Network PostScript RIP</a>, <a href="CUPS-printing.html#id2938250">CUPS: A Magical Stone?</a>, <a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dd><dl><dt>(see also Ghostscript)</dt><dt>RIP, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt></dl></dd><dt>PPD, <a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a>, <a href="CUPS-printing.html#id2933497">PostScript Printer Description (PPD) Specification</a>, <a href="CUPS-printing.html#id2936129">PostScript Printer Descriptions (PPDs) for Non-PS Printers</a>, <a href="CUPS-printing.html#id2938025">PPDs for Non-PS Printers on UNIX</a>, <a href="CUPS-printing.html#id2938085">PPDs for Non-PS Printers on Windows</a>, <a href="CUPS-printing.html#id2938250">CUPS: A Magical Stone?</a>, <a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a></dt><dd><dl><dt>CUPS (see CUPS-PPD)</dt></dl></dd><dt>preferred master, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a>, <a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a>, <a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>preserve case, <a href="ProfileMgmt.html#id2955066">Windows 9x/Me Profile Setup</a></dt><dt>print command, <a href="printing.html#id2922033">The [global] Section</a>, <a href="printing.html#id2923428">Default UNIX System Printing Commands</a>, <a href="printing.html#id2924063">Custom Print Commands</a>, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a>, <a href="CUPS-printing.html#id2946367">Manual Configuration</a></dt><dt>printable, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a></dt><dt>printcap, <a href="printing.html#id2923428">Default UNIX System Printing Commands</a>, <a href="CUPS-printing.html#id2931182">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt>printcap name, <a href="printing.html#id2922033">The [global] Section</a></dt><dt>printer admin, <a href="printing.html#id2922033">The [global] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a>, <a href="printing.html#id2925644">Add Printer Wizard Driver Installation</a>, <a href="printing.html#id2927537">First Client Driver Installation</a>, <a href="printing.html#id2927769">Setting Device Modes on New Printers</a>, <a href="printing.html#id2928220">Always Make First Client Connection as root or printer admin</a>, <a href="printing.html#id2928430">Setting Default Print Options for Client Drivers</a>, <a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a>, <a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id2947402">Print Options for All Users Can't Be Set on Windows 200x/XP</a></dt><dt>printing, <a href="printing.html#id2922033">The [global] Section</a>, <a href="printing.html#id2923428">Default UNIX System Printing Commands</a>, <a href="printing.html#id2924063">Custom Print Commands</a>, <a href="CUPS-printing.html#id2931182">Basic CUPS Support Configuration</a>, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a>, <a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a>, <a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a>, <a href="CUPS-printing.html#id2946198">Pre-Conditions</a>, <a href="CUPS-printing.html#id2946367">Manual Configuration</a></dt><dt>printing.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>PrintPro (see ESP Print Pro)</dt><dt>public, <a href="printing.html#ptrsect">The [printers] Section</a></dt></dl></div><div class="indexdiv"><h3>Q</h3><dl><dt>queue resume command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a></dt><dt>queuepause command, <a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a></dt></dl></div><div class="indexdiv"><h3>R</h3><dl><dt>raw printing, <a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a>, <a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt>read list, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt>read only, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a>, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt>read raw, <a href="speed.html#id2976507">Read Raw</a></dt><dt>read size, <a href="speed.html#id2976372">Read Size</a></dt><dt>Relative Identifier (see RID)</dt><dt>remote announce, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id2888743">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id2900780">Use of the Remote Announce Parameter</a>, <a href="NetworkBrowsing.html#id2901926">Browsing Support in Samba</a></dt><dt>remote browse sync, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id2888743">How Browsing Functions</a>, <a href="NetworkBrowsing.html#id2900939">Use of the Remote Browse Sync Parameter</a></dt><dt>replication, <a href="samba-pdc.html#id2870050">Features and Benefits</a></dt><dd><dl><dt>browse lists, <a href="NetworkBrowsing.html#id2902187">Cross-Subnet Browsing</a></dt><dt>SAM, <a href="samba-pdc.html#id2870336">Domain Controller Types</a>, <a href="samba-bdc.html#id2891162">Features and Benefits</a>, <a href="samba-bdc.html#id2891580">MS Windows NT4-style Domain Control</a>, <a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a>, <a href="samba-bdc.html#id2892845">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a>, <a href="samba-bdc.html#id2892880">How Do I Replicate the smbpasswd File?</a></dt><dt>WINS, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a>, <a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a>, <a href="NetworkBrowsing.html#id2901481">WINS Replication</a></dt></dl></dd><dt>RID, <a href="groupmapping.html#id2909853">Default Users, Groups and Relative Identifiers</a></dt><dt>roaming profiles, <a href="ProfileMgmt.html#id2954850">Disabling Roaming Profile Support</a></dt><dt>root preexec, <a href="NT4Migration.html#id2966369">Logon Scripts</a></dt><dt>rpcclient</dt><dd><dl><dt>adddriver, <a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id2941229">Understanding the rpcclient man Page</a>, <a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt>enumdrivers, <a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt>enumports, <a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dt>enumprinters, <a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a>, <a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt><dt>getdriver, <a href="CUPS-printing.html#id2941358">Producing an Example by Querying a Windows Box</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt>getprinter, <a href="CUPS-printing.html#id2941358">Producing an Example by Querying a Windows Box</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a>, <a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt><dt>setdriver, <a href="CUPS-printing.html#id2939274">Caveats to be Considered</a>, <a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a>, <a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a>, <a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a>, <a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a>, <a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt></dl></dd><dt>rsync, <a href="compiling.html#id2973311">Accessing the Samba Sources via rsync and ftp</a></dt><dt>rundll32, <a href="AdvancedNetworkManagement.html#id2952929">Adding Printers without User Intervention</a></dt></dl></div><div class="indexdiv"><h3>S</h3><dl><dt>SAM, <a href="samba-pdc.html#id2870050">Features and Benefits</a>, <a href="samba-pdc.html#id2870336">Domain Controller Types</a>, <a href="domain-member.html#id2893185">Features and Benefits</a>, <a href="winbind.html#id2949998">Result Caching</a></dt><dt>SAM backend</dt><dd><dl><dt>LDAP, <a href="samba-bdc.html#id2891162">Features and Benefits</a></dt><dt>ldapsam, <a href="samba-bdc.html#id2891162">Features and Benefits</a>, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#id2905605">ldapsam</a></dt><dt>ldapsam_compat, <a href="passdb.html#id2903592">Features and Benefits</a></dt><dt>mysqlsam, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#id2907687">MySQL</a></dt><dt>non-LDAP, <a href="samba-bdc.html#id2891162">Features and Benefits</a></dt><dt>smbpasswd, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#id2905425">smbpasswd Encrypted Password Database</a></dt><dt>tdbsam, <a href="samba-bdc.html#id2891162">Features and Benefits</a>, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#id2905552">tdbsam</a></dt><dt>xmlsam, <a href="passdb.html#id2903592">Features and Benefits</a>, <a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a>, <a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt>schannel, <a href="samba-pdc.html#id2890954">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>secrets.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>security, <a href="ServerType.html#id2886186">Samba Security Modes</a>, <a href="ServerType.html#id2886525">Domain Security Mode (User Level Security)</a>, <a href="ServerType.html#id2886928">Server Security (User Level Security)</a>, <a href="ServerType.html#id2887429">What Makes Samba a Server?</a>, <a href="ServerType.html#id2887468">What Makes Samba a Domain Controller?</a>, <a href="ServerType.html#id2887504">What Makes Samba a Domain Member?</a>, <a href="ServerType.html#id2887542">Constantly Losing Connections to Password Server</a>, <a href="samba-pdc.html#id2889080">Preparing for Domain Control</a>, <a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a>, <a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a>, <a href="domain-member.html#id2894926">Why Is This Better Than security = server?</a>, <a href="domain-member.html#id2895131">Configure smb.conf</a>, <a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a>, <a href="CUPS-printing.html#id2946839">cupsaddsmb Keeps Asking for Root Password in Never-ending Loop</a>, <a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a>, <a href="diagnosis.html#id2969546">The Tests</a>, <a href="Other-Clients.html#id2975641">Configuring Windows for Workgroups Password Handling</a></dt><dt>security mask, <a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a>, <a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt>Security Mode, <a href="ServerType.html#id2886186">Samba Security Modes</a></dt><dt>Server Manager, <a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a>, <a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a>, <a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt>Server Type, <a href="ServerType.html#id2886097">Server Types</a></dt><dd><dl><dt>Domain Member, <a href="ServerType.html#id2886566">Example Configuration</a>, <a href="samba-bdc.html#id2892538">Example Configuration</a>, <a href="domain-member.html#id2893185">Features and Benefits</a></dt></dl></dd><dt>sessionid.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>share_info.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>short preserve case, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a>, <a href="ProfileMgmt.html#id2955066">Windows 9x/Me Profile Setup</a></dt><dt>Short-Cuts, <a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt>show add printer wizard, <a href="printing.html#id2922033">The [global] Section</a>, <a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt>SID, <a href="samba-pdc.html#id2870050">Features and Benefits</a>, <a href="samba-pdc.html#id2890722">The System Cannot Log You On (C000019B)</a>, <a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a>, <a href="passdb.html#passdbtech">Technical Information</a>, <a href="groupmapping.html#id2909181">Features and Benefits</a>, <a href="ProfileMgmt.html#id2956689">Side Bar Notes</a>, <a href="ProfileMgmt.html#id2956753">Get SID</a>, <a href="NT4Migration.html#id2966432">Profile Migration/Creation</a></dt><dt>signing, <a href="samba-pdc.html#id2890954">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt><dt>simple configuration, <a href="install.html#id2876766">Example Configuration</a></dt><dt>Single Sign On, <a href="CUPS-printing.html#id2939274">Caveats to be Considered</a></dt><dt>slow browsing, <a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt><dt>smbclient, <a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>smbgrpadd.sh, <a href="groupmapping.html#id2910581">Sample smb.conf Add Group Script</a></dt><dt>socket options, <a href="speed.html#id2976281">Socket Options</a></dt><dt>spooling</dt><dd><dl><dt>central, <a href="CUPS-printing.html#id2932110">Central Spooling vs. Peer-to-Peer Printing</a></dt><dt>peer-to-peer, <a href="CUPS-printing.html#id2932110">Central Spooling vs. Peer-to-Peer Printing</a></dt></dl></dd><dt>spooling-only, <a href="CUPS-printing.html#id2932163">Raw Print Serving Vendor Drivers on Windows Clients</a></dt><dt>SRVTOOLS.EXE, <a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a>, <a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt>strict locking, <a href="locking.html#id2916001">Discussion</a></dt><dt>swat, <a href="install.html#id2885184">SWAT</a></dt><dd><dl><dt>enable, <a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt>security, <a href="SWAT.html#id2968330">Securing SWAT through SSL</a></dt></dl></dd><dt>System Policy Editor, <a href="PolicyMgmt.html#id2953137">Creating and Managing System Policies</a>, <a href="PolicyMgmt.html#id2953643">Administration of Windows 200x/XP Policies</a></dt></dl></div><div class="indexdiv"><h3>T</h3><dl><dt>TDB, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a>, <a href="CUPS-printing.html#id2943322">Trivial Database Files</a></dt><dd><dl><dt>backing up (see tdbbackup)</dt></dl></dd><dt>tdbbackup, <a href="CUPS-printing.html#id2943528">Using tdbbackup</a></dt><dt>template homedir, <a href="winbind.html#id2951551">Linux/FreeBSD-specific PAM configuration</a></dt><dt>testparm, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>text/plain, <a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt>total print jobs, <a href="printing.html#id2922033">The [global] Section</a></dt></dl></div><div class="indexdiv"><h3>U</h3><dl><dt>UDP, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a></dt><dt>UID, <a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt>unexpected.tdb, <a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt>(see also TDB)</dt></dl></dd><dt>unix charset, <a href="unicode.html#id2963499">Samba and Charsets</a></dt><dt>UNIX charset, <a href="unicode.html#id2963643">Japanese Charsets</a></dt><dt>use client driver, <a href="printing.html#id2922033">The [global] Section</a></dt><dt>user, <a href="ServerType.html#id2886413">Share Level Security</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>User Accounts</dt><dd><dl><dt>Adding/Deleting, <a href="passdb.html#id2904747">The smbpasswd Command</a>, <a href="passdb.html#pdbeditthing">The pdbedit Command</a>, <a href="passdb.html#id2906668">Accounts and Groups Management</a></dt></dl></dd><dt>User Management, <a href="passdb.html#id2904747">The smbpasswd Command</a>, <a href="passdb.html#pdbeditthing">The pdbedit Command</a>, <a href="passdb.html#id2906668">Accounts and Groups Management</a></dt><dt>User Manager, <a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a>, <a href="InterdomainTrusts.html#id2919809">Samba as the Trusting Domain</a>, <a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt>useradd, <a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt><dt>username, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt>username level, <a href="ServerType.html#id2887204">Password Checking</a></dt><dt>username map, <a href="domain-member.html#id2894206">Windows 200x/XP Professional Client</a></dt><dt>users, <a href="securing-samba.html#id2918774">Why Can Users Access Home Directories of Other Users?</a></dt></dl></div><div class="indexdiv"><h3>V</h3><dl><dt>valid users, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="diagnosis.html#id2969546">The Tests</a></dt><dt>veto files, <a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt><dt>vfs objects, <a href="VFS.html#id2948287">Discussion</a></dt><dt>vipw, <a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt></dl></div><div class="indexdiv"><h3>W</h3><dl><dt>WebClient, <a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt><dt>winbind separator, <a href="winbind.html#id2950807">Starting and Testing the winbindd Daemon</a></dt><dt>winbindd, <a href="samba-bdc.html#id2892538">Example Configuration</a></dt><dt>windows registry settings</dt><dd><dl><dt>default profile locations, <a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a>, <a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt><dt>profile path, <a href="ProfileMgmt.html#id2955066">Windows 9x/Me Profile Setup</a></dt><dt>roaming profiles, <a href="ProfileMgmt.html#id2954850">Disabling Roaming Profile Support</a></dt></dl></dd><dt>WINS, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a>, <a href="integrate-ms-networks.html#id2962910">WINS Lookup</a></dt><dt>wins hook, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>wins proxy, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt>wins server, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id2901016">WINS The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a></dt><dt>wins support, <a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a>, <a href="NetworkBrowsing.html#id2901016">WINS The Windows Internetworking Name Server</a>, <a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a></dt><dt>workgroup, <a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a>, <a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a>, <a href="NetworkBrowsing.html#id2901926">Browsing Support in Samba</a></dt><dt>write list, <a href="AccessControls.html#id2912329">User and Group-Based Controls</a>, <a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt>write raw, <a href="speed.html#id2976592">Write Raw</a></dt><dt>writeable, <a href="printing.html#ptrsect">The [printers] Section</a>, <a href="printing.html#id2923024">Any [my_printer_name] Section</a></dt><dt>WYSIWYG, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a></dt></dl></div><div class="indexdiv"><h3>X</h3><dl><dt>X Window System, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a></dt><dt>xinetd, <a href="compiling.html#id2974066">Starting from inetd.conf</a> (see inetd)</dt><dt>Xprint, <a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a>, <a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a></dt></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email"><<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2915945">Features and Benefits</a></dt><dt><a href="locking.html#id2916001">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2916148">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2916856">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2916978">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2917407">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2917632">Workstation Service Entries</a></dt><dt><a href="locking.html#id2917660">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2917740">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2917769">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2917850">locking.tdb Error Messages</a></dt><dt><a href="locking.html#id2917884">Problems Saving Files in MS Office on Windows XP</a></dt><dt><a href="locking.html#id2917904">Long Delays Deleting Files Over Network with XP SP1</a></dt></dl></dd><dt><a href="locking.html#id2917935">Additional Reading</a></dt></dl></div><p>
+One area that causes trouble for many network administrators is locking.
+The extent of the problem is readily evident from searches over the Internet.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2915945"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Samba provides all the same locking semantics that MS Windows clients expect
+and that MS Windows NT4/200x servers also provide.
+</p><p>
+The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers
+a range of functions that are all categorized under this one term.
+</p><p>
+Opportunistic locking is a desirable feature when it can enhance the
+perceived performance of applications on a networked client. However, the
+opportunistic locking protocol is not robust and, therefore, can
+encounter problems when invoked beyond a simplistic configuration or
+on extended slow or faulty networks. In these cases, operating
+system management of opportunistic locking and/or recovering from
+repetitive errors can offset the perceived performance advantage that
+it is intended to provide.
+</p><p>
+The MS Windows network administrator needs to be aware that file and record
+locking semantics (behavior) can be controlled either in Samba or by way of registry
+settings on the MS Windows client.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Sometimes it is necessary to disable locking control settings on both the Samba
+server as well as on each MS Windows client!
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916001"></a>Discussion</h2></div></div><div></div></div><p>
+There are two types of locking that need to be performed by an SMB server.
+The first is <span class="emphasis"><em>record locking</em></span> that allows a client to lock
+a range of bytes in a open file. The second is the <span class="emphasis"><em>deny modes</em></span>
+that are specified when a file is open.
+</p><p>
+Record locking semantics under UNIX are very different from record locking under
+Windows. Versions of Samba before 2.2 have tried to use the native fcntl() UNIX
+system call to implement proper record locking between different Samba clients.
+This cannot be fully correct for several reasons. The simplest is the fact
+that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
+depending on the client OS. The UNIX locking only supports byte ranges up to 2^31.
+So it is not possible to correctly satisfy a lock request above 2^31. There are
+many more differences, too many to be listed here.
+</p><p>
+Samba 2.2 and above implements record locking completely independent of the
+underlying UNIX system. If a byte range lock that the client requests happens
+to fall into the range of 0-2^31, Samba hands this request down to the UNIX system.
+All other locks cannot be seen by UNIX, anyway.
+</p><p>
+Strictly speaking, an SMB server should check for locks before every read and write call on
+a file. Unfortunately with the way fcntl() works, this can be slow and may overstress
+the <b class="command">rpc.lockd</b>. This is almost always unnecessary as clients are supposed to
+independently make locking calls before reads and writes if locking is
+important to them. By default, Samba only makes locking calls when explicitly asked
+to by a client, but if you set <a class="indexterm" name="id2916068"></a><i class="parameter"><tt>strict locking</tt></i> = yes, it
+will make lock checking calls on <span class="emphasis"><em>every</em></span> read and write call.
+</p><p>
+You can also disable byte range locking completely by using
+<a class="indexterm" name="id2916093"></a><i class="parameter"><tt>locking</tt></i> = no.
+This is useful for those shares that do not support locking or do not need it
+(such as CDROMs). In this case, Samba fakes the return codes of locking calls to
+tell clients that everything is okay.
+</p><p>
+The second class of locking is the <span class="emphasis"><em>deny modes</em></span>. These
+are set by an application when it opens a file to determine what types of
+access should be allowed simultaneously with its open. A client may ask for
+<tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>,
+<tt class="constant">DENY_WRITE</tt>, or <tt class="constant">DENY_ALL</tt>. There are also special compatibility
+modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916148"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
+Opportunistic locking (Oplocks) is invoked by the Windows file system
+(as opposed to an API) via registry entries (on the server and the client)
+for the purpose of enhancing network performance when accessing a file
+residing on a server. Performance is enhanced by caching the file
+locally on the client that allows:
+</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p>
+ The client reads the local copy of the file, eliminating network latency.
+ </p></dd><dt><span class="term">Write caching:</span></dt><dd><p>
+ The client writes to the local copy of the file, eliminating network latency.
+ </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p>
+ The client caches application locks locally, eliminating network latency.
+ </p></dd></dl></div><p>
+The performance enhancement of oplocks is due to the opportunity of
+exclusive access to the file even if it is opened with deny-none
+because Windows monitors the file's status for concurrent access from
+other processes.
+</p><div class="variablelist"><p class="title"><b>Windows defines 4 kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock</span></dt><dd><p>
+ The redirector sees that the file was opened with deny
+ none (allowing concurrent access), verifies that no
+ other process is accessing the file, checks that
+ oplocks are enabled, then grants deny-all/read-write/exclusive
+ access to the file. The client now performs
+ operations on the cached local file.
+ </p><p>
+ If a second process attempts to open the file, the open
+ is deferred while the redirector “<span class="quote">breaks</span>” the original
+ oplock. The oplock break signals the caching client to
+ write the local file back to the server, flush the
+ local locks and discard read-ahead data. The break is
+ then complete, the deferred open is granted, and the
+ multiple processes can enjoy concurrent file access as
+ dictated by mandatory or byte-range locking options.
+ However, if the original opening process opened the
+ file with a share mode other than deny-none, then the
+ second process is granted limited or no access, despite
+ the oplock break.
+ </p></dd><dt><span class="term">Level2 Oplock</span></dt><dd><p>
+ Performs like a Level1 oplock, except caching is only
+ operative for reads. All other operations are performed
+ on the server disk copy of the file.
+ </p></dd><dt><span class="term">Filter Oplock</span></dt><dd><p>
+ Does not allow write or delete file access.
+ </p></dd><dt><span class="term">Batch Oplock</span></dt><dd><p>
+ Manipulates file openings and closings and allows caching
+ of file attributes.
+ </p></dd></dl></div><p>
+An important detail is that oplocks are invoked by the file system, not
+an application API. Therefore, an application can close an oplocked
+file, but the file system does not relinquish the oplock. When the
+oplock break is issued, the file system then simply closes the file in
+preparation for the subsequent open by the second process.
+</p><p>
+<span class="emphasis"><em>Opportunistic locking</em></span> is actually an improper name for this feature.
+The true benefit of this feature is client-side data caching, and
+oplocks is merely a notification mechanism for writing data back to the
+networked storage disk. The limitation of opportunistic locking is the
+reliability of the mechanism to process an oplock break (notification)
+between the server and the caching client. If this exchange is faulty
+(usually due to timing out for any number of reasons), then the
+client-side caching benefit is negated.
+</p><p>
+The actual decision that a user or administrator should consider is
+whether it is sensible to share among multiple users data that will
+be cached locally on a client. In many cases the answer is no.
+Deciding when to cache or not cache data is the real question, and thus
+“<span class="quote">opportunistic locking</span>” should be treated as a toggle for client-side
+caching. Turn it “<span class="quote">on</span>” when client-side caching is desirable and
+reliable. Turn it “<span class="quote">off</span>” when client-side caching is redundant,
+unreliable or counter-productive.
+</p><p>
+Opportunistic locking is by default set to “<span class="quote">on</span>” by Samba on all
+configured shares, so careful attention should be given to each case to
+determine if the potential benefit is worth the potential for delays.
+The following recommendations will help to characterize the environment
+where opportunistic locking may be effectively configured.
+</p><p>
+Windows opportunistic locking is a lightweight performance-enhancing
+feature. It is not a robust and reliable protocol. Every
+implementation of opportunistic locking should be evaluated as a
+tradeoff between perceived performance and reliability. Reliability
+decreases as each successive rule above is not enforced. Consider a
+share with oplocks enabled, over a wide area network, to a client on a
+South Pacific atoll, on a high-availability server, serving a
+mission-critical multi-user corporate database during a tropical
+storm. This configuration will likely encounter problems with oplocks.
+</p><p>
+Oplocks can be beneficial to perceived client performance when treated
+as a configuration toggle for client-side data caching. If the data
+caching is likely to be interrupted, then oplock usage should be
+reviewed. Samba enables opportunistic locking by default on all
+shares. Careful attention should be given to the client usage of
+shared data on the server, the server network reliability and the
+opportunistic locking configuration of each share.
+In mission critical high availability environments, data integrity is
+often a priority. Complex and expensive configurations are implemented
+to ensure that if a client loses connectivity with a file server, a
+failover replacement will be available immediately to provide
+continuous data availability.
+</p><p>
+Windows client failover behavior is more at risk of application
+interruption than other platforms because it is dependent upon an
+established TCP transport connection. If the connection is interrupted
+ as in a file server failover a new session must be established.
+It is rare for Windows client applications to be coded to recover
+correctly from a transport connection loss, therefore, most applications
+will experience some sort of interruption at worst, abort and
+require restarting.
+</p><p>
+If a client session has been caching writes and reads locally due to
+opportunistic locking, it is likely that the data will be lost when the
+application restarts or recovers from the TCP interrupt. When the TCP
+connection drops, the client state is lost. When the file server
+recovers, an oplock break is not sent to the client. In this case, the
+work from the prior session is lost. Observing this scenario with
+oplocks disabled and with the client writing data to the file server
+real-time, the failover will provide the data on disk as it
+existed at the time of the disconnect.
+</p><p>
+In mission-critical high-availability environments, careful attention
+should be given to opportunistic locking. Ideally, comprehensive
+testing should be done with all affected applications with oplocks
+enabled and disabled.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916474"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
+Opportunistic locking is most effective when it is confined to shares
+that are exclusively accessed by a single user, or by only one user at
+a time. Because the true value of opportunistic locking is the local
+client caching of data, any operation that interrupts the caching
+mechanism will cause a delay.
+</p><p>
+Home directories are the most obvious examples of where the performance
+benefit of opportunistic locking can be safely realized.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916498"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
+As each additional user accesses a file in a share with opportunistic
+locking enabled, the potential for delays and resulting perceived poor
+performance increases. When multiple users are accessing a file on a
+share that has oplocks enabled, the management impact of sending and
+receiving oplock breaks and the resulting latency while other clients
+wait for the caching client to flush data offset the performance gains
+of the caching user.
+</p><p>
+As each additional client attempts to access a file with oplocks set,
+the potential performance improvement is negated and eventually results
+in a performance bottleneck.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916527"></a>UNIX or NFS Client-Accessed Files</h4></div></div><div></div></div><p>
+Local UNIX and NFS clients access files without a mandatory
+file-locking mechanism. Thus, these client platforms are incapable of
+initiating an oplock break request from the server to a Windows client
+that has a file cached. Local UNIX or NFS file access can therefore
+write to a file that has been cached by a Windows client, which
+exposes the file to likely data corruption.
+</p><p>
+If files are shared between Windows clients, and either local UNIX
+or NFS users, turn opportunistic locking off.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916553"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
+The biggest potential performance improvement for opportunistic locking
+occurs when the client-side caching of reads and writes delivers the
+most differential over sending those reads and writes over the wire.
+This is most likely to occur when the network is extremely slow,
+congested, or distributed (as in a WAN). However, network latency also
+has a high impact on the reliability of the oplock break
+mechanism, and thus increases the likelihood of encountering oplock
+problems that more than offset the potential perceived performance
+gain. Of course, if an oplock break never has to be sent, then this is
+the most advantageous scenario to utilize opportunistic locking.
+</p><p>
+If the network is slow, unreliable, or a WAN, then do not configure
+opportunistic locking if there is any chance of multiple users
+regularly opening the same file.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916586"></a>Multi-User Databases</h4></div></div><div></div></div><p>
+Multi-user databases clearly pose a risk due to their very nature
+they are typically heavily accessed by numerous users at random
+intervals. Placing a multi-user database on a share with opportunistic
+locking enabled will likely result in a locking management bottleneck
+on the Samba server. Whether the database application is developed
+in-house or a commercially available product, ensure that the share
+has opportunistic locking disabled.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916611"></a>PDM Data Shares</h4></div></div><div></div></div><p>
+Process Data Management (PDM) applications such as IMAN, Enovia and
+Clearcase are increasing in usage with Windows client platforms, and
+therefore SMB datastores. PDM applications manage multi-user
+environments for critical data security and access. The typical PDM
+environment is usually associated with sophisticated client design
+applications that will load data locally as demanded. In addition, the
+PDM application will usually monitor the data-state of each client.
+In this case, client-side data caching is best left to the local
+application and PDM server to negotiate and maintain. It is
+appropriate to eliminate the client OS from any caching tasks, and the
+server from any oplock management, by disabling opportunistic locking on
+the share.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916637"></a>Beware of Force User</h4></div></div><div></div></div><p>
+Samba includes an <tt class="filename">smb.conf</tt> parameter called <a class="indexterm" name="id2916656"></a><i class="parameter"><tt>force user</tt></i> that changes
+the user accessing a share from the incoming user to whatever user is
+defined by the smb.conf variable. If opportunistic locking is enabled
+on a share, the change in user access causes an oplock break to be sent
+to the client, even if the user has not explicitly loaded a file. In
+cases where the network is slow or unreliable, an oplock break can
+become lost without the user even accessing a file. This can cause
+apparent performance degradation as the client continually reconnects
+to overcome the lost oplock break.
+</p><p>
+Avoid the combination of the following:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2916692"></a><i class="parameter"><tt>force user</tt></i> in the <tt class="filename">smb.conf</tt> share configuration.
+ </p></li><li><p>
+ Slow or unreliable networks
+ </p></li><li><p>
+ Opportunistic locking enabled
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916729"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
+Samba provides opportunistic locking parameters that allow the
+administrator to adjust various properties of the oplock mechanism to
+account for timing and usage levels. These parameters provide good
+versatility for implementing oplocks in environments where they would
+likely cause problems. The parameters are:
+<a class="indexterm" name="id2916746"></a><i class="parameter"><tt>oplock break wait time</tt></i>,
+<a class="indexterm" name="id2916760"></a><i class="parameter"><tt>oplock contention limit</tt></i>.
+</p><p>
+For most users, administrators and environments, if these parameters
+are required, then the better option is to simply turn oplocks off.
+The Samba SWAT help text for both parameters reads: “<span class="quote">Do not change
+this parameter unless you have read and understood the Samba oplock code.</span>”
+This is good advice.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916790"></a>Mission-Critical High-Availability</h4></div></div><div></div></div><p>
+In mission-critical high-availability environments, data integrity is
+often a priority. Complex and expensive configurations are implemented
+to ensure that if a client loses connectivity with a file server, a
+failover replacement will be available immediately to provide
+continuous data availability.
+</p><p>
+Windows client failover behavior is more at risk of application
+interruption than other platforms because it is dependant upon an
+established TCP transport connection. If the connection is interrupted
+ as in a file server failover a new session must be established.
+It is rare for Windows client applications to be coded to recover
+correctly from a transport connection loss, therefore, most applications
+will experience some sort of interruption at worst, abort and
+require restarting.
+</p><p>
+If a client session has been caching writes and reads locally due to
+opportunistic locking, it is likely that the data will be lost when the
+application restarts, or recovers from the TCP interrupt. When the TCP
+connection drops, the client state is lost. When the file server
+recovers, an oplock break is not sent to the client. In this case, the
+work from the prior session is lost. Observing this scenario with
+oplocks disabled, and the client was writing data to the file server
+real-time, then the failover will provide the data on disk as it
+existed at the time of the disconnect.
+</p><p>
+In mission-critical high-availability environments, careful attention
+should be given to opportunistic locking. Ideally, comprehensive
+testing should be done with all effected applications with oplocks
+enabled and disabled.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916856"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
+Opportunistic locking is a unique Windows file locking feature. It is
+not really file locking, but is included in most discussions of Windows
+file locking, so is considered a de facto locking feature.
+Opportunistic locking is actually part of the Windows client file
+caching mechanism. It is not a particularly robust or reliable feature
+when implemented on the variety of customized networks that exist in
+enterprise computing.
+</p><p>
+Like Windows, Samba implements opportunistic locking as a server-side
+component of the client caching mechanism. Because of the lightweight
+nature of the Windows feature design, effective configuration of
+opportunistic locking requires a good understanding of its limitations,
+and then applying that understanding when configuring data access for
+each particular customized network and client usage state.
+</p><p>
+Opportunistic locking essentially means that the client is allowed to download and cache
+a file on their hard drive while making changes; if a second client wants to access the
+file, the first client receives a break and must synchronize the file back to the server.
+This can give significant performance gains in some cases; some programs insist on
+synchronizing the contents of the entire file back to the server for a single change.
+</p><p>
+Level1 Oplocks (also known as just plain “<span class="quote">oplocks</span>”) is another term for opportunistic locking.
+</p><p>
+Level2 Oplocks provides opportunistic locking for a file that will be treated as
+<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
+on files that the client has no initial intention to write to at time of opening the file.
+</p><p>
+Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
+Samba's oplocked files, although this has provided better integration of MS Windows network
+file locking with the underlying OS, SGI IRIX and Linux are the only two OSs that are
+oplock-aware at this time.
+</p><p>
+Unless your system supports kernel oplocks, you should disable oplocks if you are
+accessing the same files from both UNIX/Linux and SMB clients. Regardless, oplocks should
+always be disabled if you are sharing a database file (e.g., Microsoft Access) between
+multiple clients, as any break the first client receives will affect synchronization of
+the entire file (not just the single record), which will result in a noticeable performance
+impairment and, more likely, problems accessing the database in the first place. Notably,
+Microsoft Outlook's personal folders (*.pst) react quite badly to oplocks. If in doubt,
+disable oplocks and tune your system from that point.
+</p><p>
+If client-side caching is desirable and reliable on your network, you will benefit from
+turning on oplocks. If your network is slow and/or unreliable, or you are sharing your
+files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people
+will be accessing the same files frequently, you probably will not benefit from the overhead
+of your client sending oplock breaks and will instead want to disable oplocks for the share.
+</p><p>
+Another factor to consider is the perceived performance of file access. If oplocks provide no
+measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916978"></a>Example Configuration</h3></div></div><div></div></div><p>
+In the following section we examine two distinct aspects of Samba locking controls.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2916991"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
+You can disable oplocks on a per-share basis with the following:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[acctdata]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplocks = False</tt></i></td></tr><tr><td><i class="parameter"><tt>level2 oplocks = False</tt></i></td></tr></table><p>
+</p><p>
+The default oplock type is Level1. Level2 oplocks are enabled on a per-share basis
+in the <tt class="filename">smb.conf</tt> file.
+</p><p>
+Alternately, you could disable oplocks on a per-file basis within the share:
+</p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/</tt></i></td></tr></table><p>
+</p><p>
+If you are experiencing problems with oplocks as apparent from Samba's log entries,
+you may want to play it safe and disable oplocks and Level2 oplocks.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2917088"></a>Disabling Kernel Oplocks</h4></div></div><div></div></div><p>
+Kernel oplocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if
+the UNIX kernel has the capability to send a Windows client an oplock
+break) when a UNIX process is attempting to open the file that is
+cached. This parameter addresses sharing files between UNIX and
+Windows with oplocks enabled on the Samba server: the UNIX process
+can open the file that is Oplocked (cached) by the Windows client and
+the smbd process will not send an oplock break, which exposes the file
+to the risk of data corruption. If the UNIX kernel has the ability to
+send an oplock break, then the kernel oplocks parameter enables Samba
+to send the oplock break. Kernel oplocks are enabled on a per-server
+basis in the <tt class="filename">smb.conf</tt> file.
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>kernel oplocks = yes</tt></i></td></tr></table><p>
+The default is no.
+</p><p>
+Veto opLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for
+which oplocks are disabled. When a Windows client opens a file that
+has been configured for veto oplocks, the client will not be granted
+the oplock, and all operations will be executed on the original file on
+disk instead of a client-cached file copy. By explicitly identifying
+files that are shared with UNIX processes and disabling oplocks for
+those files, the server-wide Oplock configuration can be enabled to
+allow Windows clients to utilize the performance benefit of file
+caching without the risk of data corruption. Veto Oplocks can be
+enabled on a per-share basis, or globally for the entire server, in the
+<tt class="filename">smb.conf</tt> file as shown in <link linkend="far1">.
+</p><p>
+</p><div class="example"><a name="far1"></a><p class="title"><b>Example 14.1. Share with some files oplocked</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>veto oplock files = /filename.htm/*.txt/</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>veto oplock files = /*.exe/filename.ext/</tt></i></td></tr></table></div><p>
+</p><p>
+<a class="indexterm" name="id2917246"></a><i class="parameter"><tt>oplock break wait time</tt></i> is an <tt class="filename">smb.conf</tt> parameter
+that adjusts the time interval for Samba to reply to an oplock break request. Samba recommends:
+“<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>”
+Oplock break Wait Time can only be configured globally in the <tt class="filename">smb.conf</tt> file as shown below.
+</p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>oplock break wait time = 0 (default)</tt></i></td></tr></table><p>
+</p><p>
+<span class="emphasis"><em>Oplock break contention limit</em></span> is an <tt class="filename">smb.conf</tt> parameter that limits the
+response of the Samba server to grant an oplock if the configured
+number of contending clients reaches the limit specified by the parameter. Samba recommends
+“<span class="quote">Do not change this parameter unless you have read and understood the Samba oplock code.</span>”
+Oplock break Contention Limit can be enable on a per-share basis, or globally for
+the entire server, in the <tt class="filename">smb.conf</tt> file as shown in <link linkend="far3">.
+</p><p>
+</p><div class="example"><a name="far3"></a><p class="title"><b>Example 14.2. Configuration with oplock break contention limit</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplock break contention limit = 2 (default)</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[share_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>oplock break contention limit = 2 (default)</tt></i></td></tr></table></div><p>
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917407"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
+There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
+workstation computer that can affect any application attempting to access shared database files
+across a network. This is a result of a default setting configured in the Windows 2000/XP
+operating system known as <span class="emphasis"><em>opportunistic locking</em></span>. When a workstation
+attempts to access shared data files located on another Windows 2000/XP computer,
+the Windows 2000/XP operating system will attempt to increase performance by locking the
+files and caching information locally. When this occurs, the application is unable to
+properly function, which results in an “<span class="quote">Access Denied</span>”
+ error message being displayed during network operations.
+</p><p>
+All Windows operating systems in the NT family that act as database servers for data files
+(meaning that data files are stored there and accessed by other Windows PCs) may need to
+have opportunistic locking disabled in order to minimize the risk of data file corruption.
+This includes Windows 9x/Me, Windows NT, Windows 200x, and Windows XP.
+</p><p>
+If you are using a Windows NT family workstation in place of a server, you must also
+disable opportunistic locking (oplocks) on that workstation. For example, if you use a
+PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
+have data files located on it that are accessed from other Windows PCs, you may need to
+disable oplocks on that system.
+</p><p>
+The major difference is the location in the Windows registry where the values for disabling
+oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location
+may be used.
+</p><p>
+You can verify (change or add, if necessary) this registry value using the Windows
+Registry Editor. When you change this registry value, you will have to reboot the PC
+to ensure that the new setting goes into effect.
+</p><p>
+The location of the client registry entry for opportunistic locking has changed in
+Windows 2000 from the earlier location in Microsoft Windows NT.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks
+in earlier versions of Windows.
+</p></div><p>
+You can also deny the granting of opportunistic locks by changing the following registry entries:
+</p><p>
+</p><pre class="programlisting">
+ HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\MRXSmb\Parameters\
+
+ OplocksDisabled REG_DWORD 0 or 1
+ Default: 0 (not disabled)
+</pre><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The OplocksDisabled registry value configures Windows clients to either request or not
+request opportunistic locks on a remote file. To disable oplocks, the value of
+ OplocksDisabled must be set to 1.
+</p></div><p>
+</p><pre class="programlisting">
+ HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanServer\Parameters
+
+ EnableOplocks REG_DWORD 0 or 1
+ Default: 1 (Enabled by Default)
+
+ EnableOpLockForceClose REG_DWORD 0 or 1
+ Default: 0 (Disabled by Default)
+</pre><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The EnableOplocks value configures Windows-based servers (including Workstations sharing
+files) to allow or deny opportunistic locks on local files.
+</p></div><p>
+To force closure of open oplocks on close or program exit, EnableOpLockForceClose must be set to 1.
+</p><p>
+An illustration of how Level2 oplocks work:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Station 1 opens the file requesting oplock.
+ </p></li><li><p>
+ Since no other station has the file open, the server grants station 1 exclusive oplock.
+ </p></li><li><p>
+ Station 2 opens the file requesting oplock.
+ </p></li><li><p>
+ Since station 1 has not yet written to the file, the server asks station 1 to break
+ to Level2 oplock.
+ </p></li><li><p>
+ Station 1 complies by flushing locally buffered lock information to the server.
+ </p></li><li><p>
+ Station 1 informs the server that it has Broken to Level2 Oplock (alternately,
+ station 1 could have closed the file).
+ </p></li><li><p>
+ The server responds to station 2's open request, granting it Level2 oplock.
+ Other stations can likewise open the file and obtain Level2 oplock.
+ </p></li><li><p>
+ Station 2 (or any station that has the file open) sends a write request SMB.
+ The server returns the write response.
+ </p></li><li><p>
+ The server asks all stations that have the file open to break to none, meaning no
+ station holds any oplock on the file. Because the workstations can have no cached
+ writes or locks at this point, they need not respond to the break-to-none advisory;
+ all they need do is invalidate locally cashed read-ahead data.
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917632"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
+ \HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanWorkstation\Parameters
+
+ UseOpportunisticLocking REG_DWORD 0 or 1
+ Default: 1 (true)
+</pre><p>
+This indicates whether the redirector should use opportunistic-locking (oplock) performance
+enhancement. This parameter should be disabled only to isolate problems.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917660"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
+ \HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanServer\Parameters
+
+ EnableOplocks REG_DWORD 0 or 1
+ Default: 1 (true)
+</pre><p>
+This specifies whether the server allows clients to use oplocks on files. Oplocks are a
+significant performance enhancement, but have the potential to cause lost cached
+data on some networks, particularly wide area networks.
+</p><pre class="programlisting">
+ MinLinkThroughput REG_DWORD 0 to infinite bytes per second
+ Default: 0
+</pre><p>
+This specifies the minimum link throughput allowed by the server before it disables
+raw and opportunistic locks for this connection.
+</p><pre class="programlisting">
+ MaxLinkDelay REG_DWORD 0 to 100,000 seconds
+ Default: 60
+</pre><p>
+This specifies the maximum time allowed for a link delay. If delays exceed this number,
+the server disables raw I/O and opportunistic locking for this connection.
+</p><pre class="programlisting">
+ OplockBreakWait REG_DWORD 10 to 180 seconds
+ Default: 35
+</pre><p>
+This specifies the time that the server waits for a client to respond to an oplock break
+request. Smaller values can allow detection of crashed clients more quickly but can
+potentially cause loss of cached data.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917740"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
+If you have applied all of the settings discussed in this chapter but data corruption problems
+and other symptoms persist, here are some additional things to check out.
+</p><p>
+We have credible reports from developers that faulty network hardware, such as a single
+faulty network card, can cause symptoms similar to read caching and data corruption.
+If you see persistent data corruption even after repeated reindexing, you may have to
+rebuild the data files in question. This involves creating a new data file with the
+same definition as the file to be rebuilt and transferring the data from the old file
+to the new one. There are several known methods for doing this that can be found in
+our Knowledge Base.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917769"></a>Common Errors</h2></div></div><div></div></div><p>
+In some sites, locking problems surface as soon as a server is installed; in other sites
+locking problems may not surface for a long time. Almost without exception, when a locking
+problem does surface it will cause embarrassment and potential data corruption.
+</p><p>
+Over the past few years there have been a number of complaints on the Samba mailing lists
+that have claimed that Samba caused data corruption. Three causes have been identified
+so far:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Incorrect configuration of opportunistic locking (incompatible with the application
+ being used. This is a common problem even where MS Windows NT4 or MS Windows
+ 200x-based servers were in use. It is imperative that the software application vendors'
+ instructions for configuration of file locking should be followed. If in doubt,
+ disable oplocks on both the server and the client. Disabling of all forms of file
+ caching on the MS Windows client may be necessary also.
+ </p></li><li><p>
+ Defective network cards, cables, or HUBs/Switched. This is generally a more
+ prevalent factor with low cost networking hardware, although occasionally there
+ have also been problems with incompatibilities in more up-market hardware.
+ </p></li><li><p>
+ There have been some random reports of Samba log files being written over data
+ files. This has been reported by very few sites (about five in the past three years)
+ and all attempts to reproduce the problem have failed. The Samba Team has been
+ unable to catch this happening and thus has not been able to isolate any particular
+ cause. Considering the millions of systems that use Samba, for the sites that have
+ been affected by this as well as for the Samba Team this is a frustrating and
+ a vexing challenge. If you see this type of thing happening, please create a bug
+ report on Samba <ulink url="https://bugzilla.samba.org">Bugzilla</ulink> without delay.
+ Make sure that you give as much information as you possibly can help isolate the
+ cause and to allow replication of the problem (an essential step in problem isolation and correction).
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917850"></a>locking.tdb Error Messages</h3></div></div><div></div></div><p>
+ “<span class="quote">
+ We are seeing lots of errors in the Samba logs, like:
+<pre class="programlisting">
+tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
+ 0x4d6f4b61 at offset=36116
+</pre>
+
+ What do these mean?
+ </span>”
+ </p><p>
+ This error indicated a corrupted tdb. Stop all instances of smbd, delete locking.tdb, and restart smbd.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917884"></a>Problems Saving Files in MS Office on Windows XP</h3></div></div><div></div></div><p>This is a bug in Windows XP. More information can be
+ found in <ulink url="http://support.microsoft.com/?id=812937">Microsoft Knowledge Base article 812937.</ulink></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917904"></a>Long Delays Deleting Files Over Network with XP SP1</h3></div></div><div></div></div><p>“<span class="quote">It sometimes takes approximately 35 seconds to delete files over the network after XP SP1 has been applied.</span>”</p><p>This is a bug in Windows XP. More information can be found in <ulink url="http://support.microsoft.com/?id=811492">
+ Microsoft Knowledge Base article 811492.</ulink></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2917935"></a>Additional Reading</h2></div></div><div></div></div><p>
+You may want to check for an updated version of this white paper on our Web site from
+time to time. Many of our white papers are updated as information changes. For those papers,
+the last edited date is always at the top of the paper.
+</p><p>
+Section of the Microsoft MSDN Library on opportunistic locking:
+</p><p>
+Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development >
+Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems
+> About File Systems > Opportunistic Locks, Microsoft Corporation.
+<ulink url="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</ulink>
+</p><p>
+ Microsoft Knowledge Base Article Q224992 “<span class="quote">Maintaining Transactional Integrity
+with OPLOCKS</span>”,
+Microsoft Corporation, April 1999, <ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</ulink>.
+</p><p>
+Microsoft Knowledge Base Article Q296264 “<span class="quote">Configuring Opportunistic Locking in Windows 2000</span>”,
+Microsoft Corporation, April 2001, <ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</ulink>.
+</p><p>
+Microsoft Knowledge Base Article Q129202 “<span class="quote">PC Ext: Explanation of Opportunistic Locking on Windows NT</span>”,
+Microsoft Corporation, April 1995, <ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</ulink>.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. File, Directory and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. Securing Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2964134">Quick Migration Guide</a></dt><dt><a href="upgrading-to-3.0.html#id2964257">New Features in Samba-3</a></dt><dt><a href="upgrading-to-3.0.html#id2964410">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2964433">Removed Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964564">New Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964983">Modified Parameters (Changes in Behavior):</a></dt></dl></dd><dt><a href="upgrading-to-3.0.html#id2965064">New Functionality</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2965071">Databases</a></dt><dt><a href="upgrading-to-3.0.html#id2965324">Changes in Behavior</a></dt><dt><a href="upgrading-to-3.0.html#id2965395">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a></dt><dt><a href="upgrading-to-3.0.html#id2965577">LDAP</a></dt></dl></dd></dl></dd><dt>31. <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966015">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966040">Objectives</a></dt><dt><a href="NT4Migration.html#id2966502">Steps in Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id2966757">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id2966862">Planning for Success</a></dt><dt><a href="NT4Migration.html#id2967145">Samba-3 Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id2967624">Features and Benefits</a></dt><dt><a href="SWAT.html#id2967718">Guidelines and Technical Tips</a></dt><dd><dl><dt><a href="SWAT.html#id2967733">Validate SWAT Installation</a></dt><dt><a href="SWAT.html#xinetd">Enabling SWAT for Use</a></dt><dt><a href="SWAT.html#id2968330">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id2968458">Enabling SWAT Internationalization Support</a></dt></dl></dd><dt><a href="SWAT.html#id2968628">Overview and Quick Tour</a></dt><dd><dl><dt><a href="SWAT.html#id2968644">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id2968718">Global Settings</a></dt><dt><a href="SWAT.html#id2968838">Share Settings</a></dt><dt><a href="SWAT.html#id2968902">Printers Settings</a></dt><dt><a href="SWAT.html#id2968967">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id2969040">The Status Page</a></dt><dt><a href="SWAT.html#id2969092">The View Page</a></dt><dt><a href="SWAT.html#id2969115">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships"><link rel="next" href="printing.html" title="Chapter 18. Classical Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="msdfs"></a>Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Shirish</span> <span class="surname">Kalele</span></h3><div class="affiliation"><span class="orgname">Samba Team & Veritas Software<br></span><div class="address"><p><br>
+ <tt class="email"><<a href="mailto:samba@samba.org">samba@samba.org</a>></tt><br>
+ </p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">12 Jul 2000</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="msdfs.html#id2920158">Features and Benefits</a></dt><dt><a href="msdfs.html#id2920447">Common Errors</a></dt><dd><dl><dt><a href="msdfs.html#id2920488">MSDFS UNIX Path Is Case-Critical</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920158"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ The Distributed File System (DFS) provides a means of separating the logical
+ view of files and directories that users see from the actual physical locations
+ of these resources on the network. It allows for higher availability, smoother
+ storage expansion, load balancing, and so on.
+ </p><p>
+ For information about DFS, refer to the
+<ulink url="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp">Microsoft documentation</ulink>.
+ This document explains how to host a DFS tree on a UNIX machine (for DFS-aware
+ clients to browse) using Samba.
+ </p><p>
+ To enable SMB-based DFS for Samba, configure it with the <tt class="option">--with-msdfs</tt>
+ option. Once built, a Samba server can be made a DFS server by setting the global
+ Boolean <a class="indexterm" name="id2920201"></a><i class="parameter"><tt>host msdfs</tt></i>
+ parameter in the <tt class="filename">smb.conf</tt> file. You designate a share as a DFS
+ root using the Share Level Boolean <a class="indexterm" name="id2920223"></a><i class="parameter"><tt>msdfs root</tt></i> parameter. A DFS root directory on Samba hosts DFS
+ links in the form of symbolic links that point to other servers. For example, a symbolic link
+ <tt class="filename">junction->msdfs:storage1\share1</tt> in the share directory acts
+ as the DFS junction. When DFS-aware clients attempt to access the junction link,
+ they are redirected to the storage location (in this case, <i class="parameter"><tt>\\storage1\share1</tt></i>).
+ </p><p>
+ DFS trees on Samba work with all DFS-aware clients ranging from Windows 95 to 200x.
+ <link linkend="dfscfg"> shows how to setup a DFS tree on a Samba server.
+ In the <tt class="filename">/export/dfsroot</tt> directory, you set up your DFS links to
+ other servers on the network.
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cd /export/dfsroot</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chown root /export/dfsroot</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chmod 755 /export/dfsroot</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s msdfs:storageA\\shareA linka</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s msdfs:serverB\\share,serverC\\share linkb</tt></b>
+</pre><p>
+</p><p>
+</p><div class="example"><a name="dfscfg"></a><p class="title"><b>Example 17.1. smb.conf with DFS configured</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = GANDALF</tt></i></td></tr><tr><td><i class="parameter"><tt>host msdfs = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[dfs]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /export/dfsroot</tt></i></td></tr><tr><td><i class="parameter"><tt>msdfs root = yes</tt></i></td></tr></table></div><p>
+</p><p>You should set up the permissions and ownership of
+ the directory acting as the DFS root so that only designated
+ users can create, delete or modify the msdfs links. Also note
+ that symlink names should be all lowercase. This limitation exists
+ to have Samba avoid trying all the case combinations to get at
+ the link name. Finally, set up the symbolic links to point to the
+ network shares you want and start Samba.</p><p>Users on DFS-aware clients can now browse the DFS tree
+ on the Samba server at \\samba\dfs. Accessing
+ links linka or linkb (which appear as directories to the client)
+ takes users directly to the appropriate shares on the network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920447"></a>Common Errors</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Windows clients need to be rebooted
+ if a previously mounted non-DFS share is made a DFS
+ root or vice versa. A better way is to introduce a
+ new share and make it the DFS root.</p></li><li><p>Currently, there's a restriction that msdfs
+ symlink names should all be lowercase.</p></li><li><p>For security purposes, the directory
+ acting as the root of the DFS tree should have ownership
+ and permissions set so only designated users can
+ modify the symbolic links in the directory.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920488"></a>MSDFS UNIX Path Is Case-Critical</h3></div></div><div></div></div><p>
+ A network administrator sent advice to the Samba mailing list
+ after a long sessions trying to determine why DFS was not working.
+ His advice is worth noting.
+ </p><p>“<span class="quote">
+ I spent some time trying to figure out why my particular
+ dfs root wasn't working. I noted in the documenation that
+ the symlink should be in all lowercase. It should be
+ amended that the entire path to the symlink should all be
+ in lowercase as well.
+ </span>”</p><p>
+ For example, I had a share defined as such:
+
+ </p><pre class="screen">
+ [pub]
+ path = /export/home/Shares/public_share
+ msdfs root = yes
+ </pre><p>
+
+ and I could not make my Windows 9x/Me (with the dfs client installed)
+ follow this symlink:
+
+ </p><pre class="screen">
+ damage1 -> msdfs:damage\test-share
+ </pre><p>
+ </p><p>
+ Running a debug level of 10 reveals:
+
+ </p><pre class="programlisting">
+ [2003/08/20 11:40:33, 5] msdfs/msdfs.c:is_msdfs_link(176)
+ is_msdfs_link: /export/home/shares/public_share/* does not exist.
+ </pre><p>
+
+ Curious. So I changed the directory name from .../Shares/... to
+ .../shares/... (along with my service definition) and it worked!
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="InterdomainTrusts.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 16. Interdomain Trust Relationships </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 18. Classical Printing Support</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part III. Advanced Configuration</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"><link rel="next" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part III. Advanced Configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="optional"></a>Advanced Configuration</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2897160"></a>Valuable Nuts and Bolts Information</h1></div></div><div></div></div><p>
+Samba has several features that you might want or might not want to use. The chapters in this part each cover specific Samba features.
+</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>10. <a href="NetworkBrowsing.html">Network Browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2897285">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2887786">What Is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#netdiscuss">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2888109">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2888380">TCP/IP without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#adsdnstech">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2888743">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#DMB">Configuring WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2900135">DOMAIN Browsing Configuration</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to Be the Master</a></dt><dt><a href="NetworkBrowsing.html#id2900550">Making Samba the Domain Master</a></dt><dt><a href="NetworkBrowsing.html#id2900727">Note about Broadcast Addresses</a></dt><dt><a href="NetworkBrowsing.html#id2900745">Multiple Interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2900780">Use of the Remote Announce Parameter</a></dt><dt><a href="NetworkBrowsing.html#id2900939">Use of the Remote Browse Sync Parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901016">WINS The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901208">WINS Server Configuration</a></dt><dt><a href="NetworkBrowsing.html#id2901481">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2901518">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901602">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901616">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2901696">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2901872">Technical Overview of Browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2901926">Browsing Support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2902057">Problem Resolution</a></dt><dt><a href="NetworkBrowsing.html#id2902187">Cross-Subnet Browsing</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2902960">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2902975">How Can One Flush the Samba NetBIOS Name Cache without Restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2903041">Server Resources Can Not Be Listed</a></dt><dt><a href="NetworkBrowsing.html#id2903097">I get an `Unable to browse the network' error</a></dt><dt><a href="NetworkBrowsing.html#id2903157">Browsing of Shares and Directories is Very Slow</a></dt></dl></dd></dl></dd><dt>11. <a href="passdb.html">Account Information Databases</a></dt><dd><dl><dt><a href="passdb.html#id2903592">Features and Benefits</a></dt><dd><dl><dt><a href="passdb.html#id2903640">Backward Compatibility Backends</a></dt><dt><a href="passdb.html#id2903800">New Backends</a></dt></dl></dd><dt><a href="passdb.html#passdbtech">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2904193">Important Notes About Security</a></dt><dt><a href="passdb.html#id2904429">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2904747">The smbpasswd Command</a></dt><dt><a href="passdb.html#pdbeditthing">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2905334">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2905385">Plaintext</a></dt><dt><a href="passdb.html#id2905425">smbpasswd Encrypted Password Database</a></dt><dt><a href="passdb.html#id2905552">tdbsam</a></dt><dt><a href="passdb.html#id2905605">ldapsam</a></dt><dt><a href="passdb.html#id2907687">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2908781">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2908788">Users Cannot Logon</a></dt><dt><a href="passdb.html#id2908830">Users Being Added to the Wrong Backend Database</a></dt><dt><a href="passdb.html#id2908922">Configuration of auth methods</a></dt></dl></dd></dl></dd><dt>12. <a href="groupmapping.html">Group Mapping MS Windows and UNIX</a></dt><dd><dl><dt><a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2909551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2909853">Default Users, Groups and Relative Identifiers</a></dt><dt><a href="groupmapping.html#id2910488">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2910567">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2910581">Sample smb.conf Add Group Script</a></dt><dt><a href="groupmapping.html#id2910716">Script to Configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2910824">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2910839">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2910907">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2910933">Adding Domain Users to the Power Users Group</a></dt></dl></dd></dl></dd><dt>13. <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2911341">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2911525">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2911543">MS Windows NTFS Comparison with UNIX File Systems</a></dt><dt><a href="AccessControls.html#id2911956">Managing Directories</a></dt><dt><a href="AccessControls.html#id2912050">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2912290">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2912329">User and Group-Based Controls</a></dt><dt><a href="AccessControls.html#id2912779">File and Directory Permissions-Based Controls</a></dt><dt><a href="AccessControls.html#id2913187">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2913585">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2913670">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2913978">MS Windows Access Control Lists and UNIX Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2913986">Managing UNIX Permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2914042">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2914124">Viewing File Ownership</a></dt><dt><a href="AccessControls.html#id2914264">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914515">Modifying File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2914698">Interaction with the Standard Samba create mask Parameters</a></dt><dt><a href="AccessControls.html#id2915106">Interaction with the Standard Samba File Attribute Mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2915195">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2915209">Users Cannot Write to a Public Share</a></dt><dt><a href="AccessControls.html#id2915635">File Operations Done as root with force user Set</a></dt><dt><a href="AccessControls.html#id2915690">MS Word with Samba Changes Owner of File</a></dt></dl></dd></dl></dd><dt>14. <a href="locking.html">File and Record Locking</a></dt><dd><dl><dt><a href="locking.html#id2915945">Features and Benefits</a></dt><dt><a href="locking.html#id2916001">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2916148">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2916856">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2916978">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2917407">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2917632">Workstation Service Entries</a></dt><dt><a href="locking.html#id2917660">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2917740">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2917769">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2917850">locking.tdb Error Messages</a></dt><dt><a href="locking.html#id2917884">Problems Saving Files in MS Office on Windows XP</a></dt><dt><a href="locking.html#id2917904">Long Delays Deleting Files Over Network with XP SP1</a></dt></dl></dd><dt><a href="locking.html#id2917935">Additional Reading</a></dt></dl></dd><dt>15. <a href="securing-samba.html">Securing Samba</a></dt><dd><dl><dt><a href="securing-samba.html#id2918114">Introduction</a></dt><dt><a href="securing-samba.html#id2918159">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2918244">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2918263">Using Host-Based Protection</a></dt><dt><a href="securing-samba.html#id2918364">User-Based Protection</a></dt><dt><a href="securing-samba.html#id2918424">Using Interface Protection</a></dt><dt><a href="securing-samba.html#id2918507">Using a Firewall</a></dt><dt><a href="securing-samba.html#id2918564">Using IPC$ Share-Based Denials </a></dt><dt><a href="securing-samba.html#id2918648">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2918707">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2918731">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2918750">Smbclient Works on Localhost, but the Network Is Dead</a></dt><dt><a href="securing-samba.html#id2918774">Why Can Users Access Home Directories of Other Users?</a></dt></dl></dd></dl></dd><dt>16. <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2919130">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2919159">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2919243">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2919270">Creating an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919342">Completing an NT4 Domain Trust</a></dt><dt><a href="InterdomainTrusts.html#id2919402">Inter-Domain Trust Facilities</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919600">Configuring Samba NT-Style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></dt><dt><a href="InterdomainTrusts.html#id2919809">Samba as the Trusting Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2919952">NT4-Style Domain Trusts with Windows 2000</a></dt><dt><a href="InterdomainTrusts.html#id2920058">Common Errors</a></dt></dl></dd><dt>17. <a href="msdfs.html">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="msdfs.html#id2920158">Features and Benefits</a></dt><dt><a href="msdfs.html#id2920447">Common Errors</a></dt><dd><dl><dt><a href="msdfs.html#id2920488">MSDFS UNIX Path Is Case-Critical</a></dt></dl></dd></dl></dd><dt>18. <a href="printing.html">Classical Printing Support</a></dt><dd><dl><dt><a href="printing.html#id2920666">Features and Benefits</a></dt><dt><a href="printing.html#id2920765">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2920831">Client to Samba Print Job Processing</a></dt><dt><a href="printing.html#id2920903">Printing Related Configuration Parameters</a></dt></dl></dd><dt><a href="printing.html#id2920998">Simple Print Configuration</a></dt><dd><dl><dt><a href="printing.html#id2921211">Verifing Configuration with testparm</a></dt><dt><a href="printing.html#id2921327">Rapid Configuration Validation</a></dt></dl></dd><dt><a href="printing.html#id2921667">Extended Printing Configuration</a></dt><dd><dl><dt><a href="printing.html#id2922020">Detailed Explanation Settings</a></dt></dl></dd><dt><a href="printing.html#id2924414">Printing Developments Since Samba-2.2</a></dt><dd><dl><dt><a href="printing.html#id2924566">Point'n'Print Client Drivers on Samba Servers</a></dt><dt><a href="printing.html#id2924710">The Obsoleted [printer$] Section</a></dt><dt><a href="printing.html#id2924810">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt><a href="printing.html#id2925355">The [print$] Share Directory</a></dt></dl></dd><dt><a href="printing.html#id2925525">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2925644">Add Printer Wizard Driver Installation</a></dt><dt><a href="printing.html#inst-rpc">Installing Print Drivers Using rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2927518">Client Driver Installation Procedure</a></dt><dd><dl><dt><a href="printing.html#id2927537">First Client Driver Installation</a></dt><dt><a href="printing.html#id2927769">Setting Device Modes on New Printers</a></dt><dt><a href="printing.html#id2928112">Additional Client Driver Installation</a></dt><dt><a href="printing.html#id2928220">Always Make First Client Connection as root or printer admin</a></dt></dl></dd><dt><a href="printing.html#id2928404">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2928430">Setting Default Print Options for Client Drivers</a></dt><dt><a href="printing.html#id2928854">Supporting Large Numbers of Printers</a></dt><dt><a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2929458">Error Message: Cannot connect under a different Name</a></dt><dt><a href="printing.html#id2929564">Take Care When Assembling Driver Files</a></dt><dt><a href="printing.html#id2929923">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2930008">Avoiding Common Client Driver Misconfiguration</a></dt></dl></dd><dt><a href="printing.html#id2930033">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2930071">What is Imprints?</a></dt><dt><a href="printing.html#id2930113">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2930132">The Imprints Server</a></dt><dt><a href="printing.html#id2930153">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2930314">Adding Network Printers without User Interaction</a></dt><dt><a href="printing.html#id2930639">The addprinter Command</a></dt><dt><a href="printing.html#id2930686">Migration of Classical Printing to Samba</a></dt><dt><a href="printing.html#id2930861">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2930884">Common Errors</a></dt><dd><dl><dt><a href="printing.html#id2930892">I Give My Root Password but I Do Not Get Access</a></dt><dt><a href="printing.html#id2930943">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></dt></dl></dd></dl></dd><dt>19. <a href="CUPS-printing.html">CUPS Printing Support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931072">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931079">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2931130">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2931182">Basic CUPS Support Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2931276">Linking smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2931526">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2931722">More Complex CUPS smb.conf Settings</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932089">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2932110">Central Spooling vs. Peer-to-Peer Printing</a></dt><dt><a href="CUPS-printing.html#id2932163">Raw Print Serving Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2932223">Installation of Windows Client Drivers</a></dt><dt><a href="CUPS-printing.html#cups-raw">Explicitly Enable raw Printing for application/octet-stream</a></dt><dt><a href="CUPS-printing.html#id2932552">Driver Upload Methods</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2932699">Advanced Intelligent Printing with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#gdipost">GDI on Windows -- PostScript on UNIX</a></dt><dt><a href="CUPS-printing.html#id2932876">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2933049">UNIX Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#post-and-ghost">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2933354">Ghostscript the Software RIP for Non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2933497">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2933573">Using Windows-Formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2933679">CUPS Also Uses PPDs for Non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2933709">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2933883">MIME Types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2934118">MIME Type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2934287">Filtering Overview</a></dt><dt><a href="CUPS-printing.html#id2934481">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2934591">pstops</a></dt><dt><a href="CUPS-printing.html#id2934715">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2934912">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2934991">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2935143">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2935508">The Role of cupsomatic/foomatic</a></dt><dt><a href="CUPS-printing.html#id2935673">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2935688">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2935752">Raw Printing</a></dt><dt><a href="CUPS-printing.html#id2935861">application/octet-stream Printing</a></dt><dt><a href="CUPS-printing.html#id2936129">PostScript Printer Descriptions (PPDs) for Non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2936430">cupsomatic/foomatic-rip Versus native CUPS Printing</a></dt><dt><a href="CUPS-printing.html#id2936743">Examples for Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2937128">Sources of CUPS Drivers/PPDs</a></dt><dt><a href="CUPS-printing.html#id2937265">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937358">Network Printing (Purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937377">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2937434">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2937506">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937618">Network Printing (Windows Clients UNIX/Samba Print
+Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2937639">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2937834">Samba Receiving Jobfiles and Passing Them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2937924">Network PostScript RIP</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938025">PPDs for Non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2938085">PPDs for Non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938166">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938184">Printer Drivers Running in Kernel Mode Cause Many
+Problems</a></dt><dt><a href="CUPS-printing.html#id2938229">Workarounds Impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2938250">CUPS: A Magical Stone?</a></dt><dt><a href="CUPS-printing.html#id2938313">PostScript Drivers with No Major Problems Even in Kernel
+Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2938378">Configuring CUPS for Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2938397">cupsaddsmb: The Unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2938514">Prepare Your smb.conf for cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2938755">CUPS PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939044">Recognizing Different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939174">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2939204">ESP Print Pro PostScript Driver for Windows NT/200x/XP</a></dt><dt><a href="CUPS-printing.html#id2939274">Caveats to be Considered</a></dt><dt><a href="CUPS-printing.html#id2939571">Windows CUPS PostScript Driver Versus Adobe Driver</a></dt><dt><a href="CUPS-printing.html#id2939801">Run cupsaddsmb (Quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2939946">Run cupsaddsmb with Verbose Output</a></dt><dt><a href="CUPS-printing.html#id2940175">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2940352">How to Recognize If cupsaddsmb Completed Successfully</a></dt><dt><a href="CUPS-printing.html#id2940450">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2940538">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2940621">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2940801">Avoiding Critical PostScript Driver Settings on the Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2940875">Installing PostScript Driver Files Manually Using rpcclient</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2941083">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941229">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2941358">Producing an Example by Querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2941534">Requirements for adddriver and setdriver to Succeed</a></dt><dt><a href="CUPS-printing.html#id2941782">Manual Driver Installation in 15 Steps</a></dt><dt><a href="CUPS-printing.html#id2942909">Troubleshooting Revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943077">The Printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943322">Trivial Database Files</a></dt><dt><a href="CUPS-printing.html#id2943400">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2943470">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2943528">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2943673">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2943860">foomatic-rip and Foomatic Explained</a></dt><dt><a href="CUPS-printing.html#id2944657">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945207">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2945248">Setting Up Quotas</a></dt><dt><a href="CUPS-printing.html#id2945318">Correct and Incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2945366">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2945495">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2945665">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2945745">Future Developments</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2945799">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2946030">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946094">CUPS Configuration Settings Explained</a></dt><dt><a href="CUPS-printing.html#id2946198">Pre-Conditions</a></dt><dt><a href="CUPS-printing.html#id2946367">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2946425">Printing from CUPS to Windows Attached Printers</a></dt><dt><a href="CUPS-printing.html#id2946721">More CUPS-Filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2946814">Common Errors</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2946820">Windows 9x/ME Client Can't Install Driver</a></dt><dt><a href="CUPS-printing.html#id2946839">cupsaddsmb Keeps Asking for Root Password in Never-ending Loop</a></dt><dt><a href="CUPS-printing.html#id2946889">cupsaddsmb Errors</a></dt><dt><a href="CUPS-printing.html#id2946973">Client Can't Connect to Samba Printer</a></dt><dt><a href="CUPS-printing.html#id2947002">New Account Reconnection from Windows 200x/XP Troubles</a></dt><dt><a href="CUPS-printing.html#id2947106">Avoid Being Connected to the Samba Server as the Wrong User</a></dt><dt><a href="CUPS-printing.html#id2947158">Upgrading to CUPS Drivers from Adobe Drivers</a></dt><dt><a href="CUPS-printing.html#id2947200">Can't Use cupsaddsmb on Samba Server Which Is a PDC</a></dt><dt><a href="CUPS-printing.html#id2947239">Deleted Windows 200x Printer Driver Is Still Shown</a></dt><dt><a href="CUPS-printing.html#id2947278">Windows 200x/XP "Local Security Policies"</a></dt><dt><a href="CUPS-printing.html#id2947293">Administrator Cannot Install Printers for All Local Users</a></dt><dt><a href="CUPS-printing.html#id2947323">Print Change Notify Functions on NT-clients</a></dt><dt><a href="CUPS-printing.html#id2947350">WinXP-SP1</a></dt><dt><a href="CUPS-printing.html#id2947402">Print Options for All Users Can't Be Set on Windows 200x/XP</a></dt><dt><a href="CUPS-printing.html#id2947717">Most Common Blunders in Driver Settings on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2947779">cupsaddsmb Does Not Work with Newly Installed Printer</a></dt><dt><a href="CUPS-printing.html#id2947835">Permissions on /var/spool/samba/ Get Reset After Each Reboot</a></dt><dt><a href="CUPS-printing.html#id2947951">Print Queue Called lp Mis-handles Print Jobs</a></dt><dt><a href="CUPS-printing.html#id2948008">Location of Adobe PostScript Driver Files for cupsaddsmb</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2948065">Overview of the CUPS Printing Processes</a></dt></dl></dd><dt>20. <a href="VFS.html">Stackable VFS modules</a></dt><dd><dl><dt><a href="VFS.html#id2948269">Features and Benefits</a></dt><dt><a href="VFS.html#id2948287">Discussion</a></dt><dt><a href="VFS.html#id2948540">Included Modules</a></dt><dd><dl><dt><a href="VFS.html#id2948547">audit</a></dt><dt><a href="VFS.html#id2948583">extd_audit</a></dt><dt><a href="VFS.html#fakeperms">fake_perms</a></dt><dt><a href="VFS.html#id2948756">recycle</a></dt><dt><a href="VFS.html#id2948986">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2949031">VFS Modules Available Elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2949053">DatabaseFS</a></dt><dt><a href="VFS.html#id2949115">vscan</a></dt></dl></dd></dl></dd><dt>21. <a href="winbind.html">Winbind: Use of Domain Accounts</a></dt><dd><dl><dt><a href="winbind.html#id2949352">Features and Benefits</a></dt><dt><a href="winbind.html#id2949476">Introduction</a></dt><dt><a href="winbind.html#id2949558">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2949633">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2949664">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2949693">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2949726">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2949752">Name Service Switch</a></dt><dt><a href="winbind.html#id2949887">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2949965">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2949998">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2950035">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2950042">Introduction</a></dt><dt><a href="winbind.html#id2950108">Requirements</a></dt><dt><a href="winbind.html#id2950191">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2951948">Conclusion</a></dt><dt><a href="winbind.html#id2951967">Common Errors</a></dt><dd><dl><dt><a href="winbind.html#id2952021">NSCD Problem Warning</a></dt><dt><a href="winbind.html#id2952067">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></dd><dt>22. <a href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952277">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952308">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2952449">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952467">Remote Management from NoMachine.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2952700">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2952929">Adding Printers without User Intervention</a></dt></dl></dd></dl></dd><dt>23. <a href="PolicyMgmt.html">System and Account Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2953044">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2953137">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2953271">Windows 9x/ME Policies</a></dt><dt><a href="PolicyMgmt.html#id2953383">Windows NT4-Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2953525">MS Windows 200x/XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2953826">Managing Account/User Policies</a></dt><dt><a href="PolicyMgmt.html#id2953985">Management Tools</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954000">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2954096">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2954120">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2954165">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2954310">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2954324">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. <a href="ProfileMgmt.html">Desktop Profile Management</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954425">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2954459">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954500">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2955058">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt><a href="ProfileMgmt.html#id2956492">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2956822">Mandatory Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956917">Creating and Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956970">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2956999">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2958338">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2958351">Configuring Roaming Profiles for a Few Users or Groups</a></dt><dt><a href="ProfileMgmt.html#id2958416">Cannot Use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2958626">Changing the Default Profile</a></dt></dl></dd></dl></dd><dt>25. <a href="pam.html">PAM-Based Distributed Authentication</a></dt><dd><dl><dt><a href="pam.html#id2958910">Features and Benefits</a></dt><dt><a href="pam.html#id2959235">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2959266">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2960262">Example System Configurations</a></dt><dt><a href="pam.html#id2960612">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2960701">Remote CIFS Authentication Using winbindd.so</a></dt><dt><a href="pam.html#id2960824">Password Synchronization Using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2961283">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2961296">pam_winbind Problem</a></dt><dt><a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></dd><dt>26. <a href="integrate-ms-networks.html">Integrating MS Windows Networks with Samba</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2961659">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2961683">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2961747">Name Resolution in a Pure UNIX/Linux World</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2961804">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2961955">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id2961999">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id2962064">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2962179">Name Resolution as Used within MS Windows Networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2962531">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id2962597">The LMHOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962844">HOSTS File</a></dt><dt><a href="integrate-ms-networks.html#id2962877">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id2962910">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id2963026">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2963041">Pinging Works Only in One Way</a></dt><dt><a href="integrate-ms-networks.html#id2963083">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id2963134">Samba Server Name Change Problem</a></dt></dl></dd></dl></dd><dt>27. <a href="unicode.html">Unicode/Charsets</a></dt><dd><dl><dt><a href="unicode.html#id2963374">Features and Benefits</a></dt><dt><a href="unicode.html#id2963419">What Are Charsets and Unicode?</a></dt><dt><a href="unicode.html#id2963499">Samba and Charsets</a></dt><dt><a href="unicode.html#id2963627">Conversion from Old Names</a></dt><dt><a href="unicode.html#id2963643">Japanese Charsets</a></dt><dt><a href="unicode.html#id2963781">Common Errors</a></dt><dd><dl><dt><a href="unicode.html#id2963788">CP850.so Can't Be Found</a></dt></dl></dd></dl></dd><dt>28. <a href="Backup.html">Samba Backup Techniques</a></dt><dd><dl><dt><a href="Backup.html#id2963903">Note</a></dt><dt><a href="Backup.html#id2963917">Features and Benefits</a></dt></dl></dd><dt>29. <a href="SambaHA.html">High Availability Options</a></dt><dd><dl><dt><a href="SambaHA.html#id2963987">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ClientConfig.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NetworkBrowsing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. MS Windows Network Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Network Browsing</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. PAM-Based Distributed Authentication</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter 25. PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="pam.html#id2958910">Features and Benefits</a></dt><dt><a href="pam.html#id2959235">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2959266">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2960262">Example System Configurations</a></dt><dt><a href="pam.html#id2960612">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2960701">Remote CIFS Authentication Using winbindd.so</a></dt><dt><a href="pam.html#id2960824">Password Synchronization Using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2961283">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2961296">pam_winbind Problem</a></dt><dt><a href="pam.html#id2961406">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></div><p>
+This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
+UNIX/Linux system. Winbind can be used to enable User-Level application access authentication
+from any MS Windows NT Domain, MS Windows 200x Active Directory-based
+domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
+controls that are appropriate to your Samba configuration.
+</p><p>
+In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management
+possibilities and in particular how to deploy tools like <tt class="filename">pam_smbpass.so</tt> to your advantage.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The use of Winbind requires more than PAM configuration alone.
+Please refer to <link linkend="winbind">, for further information regarding Winbind.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958910"></a>Features and Benefits</h2></div></div><div></div></div><p>
+A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
+now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
+authorization and resource control services. Prior to the introduction of PAM, a decision
+to use an alternative to the system password database (<tt class="filename">/etc/passwd</tt>)
+would require the provision of alternatives for all programs that provide security services.
+Such a choice would involve provision of alternatives to programs such as: <b class="command">login</b>,
+<b class="command">passwd</b>, <b class="command">chown</b>, and so on.
+</p><p>
+PAM provides a mechanism that disconnects these security programs from the underlying
+authentication/authorization infrastructure. PAM is configured by making appropriate modifications to one file
+<tt class="filename">/etc/pam.conf</tt> (Solaris), or by editing individual control files that are
+located in <tt class="filename">/etc/pam.d</tt>.
+</p><p>
+On PAM-enabled UNIX/Linux systems, it is an easy matter to configure the system to use any
+authentication backend so long as the appropriate dynamically loadable library modules
+are available for it. The backend may be local to the system, or may be centralized on a
+remote server.
+</p><p>
+PAM support modules are available for:
+</p><div class="variablelist"><dl><dt><span class="term"><tt class="filename">/etc/passwd</tt></span></dt><dd><p>
+ There are several PAM modules that interact with this standard UNIX user
+ database. The most common are called: <tt class="filename">pam_unix.so</tt>, <tt class="filename">pam_unix2.so</tt>, <tt class="filename">pam_pwdb.so</tt>
+ and <tt class="filename">pam_userdb.so</tt>.
+ </p></dd><dt><span class="term">Kerberos</span></dt><dd><p>
+ The <tt class="filename">pam_krb5.so</tt> module allows the use of any Kerberos compliant server.
+ This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
+ Microsoft Active Directory (if enabled).
+ </p></dd><dt><span class="term">LDAP</span></dt><dd><p>
+ The <tt class="filename">pam_ldap.so</tt> module allows the use of any LDAP v2 or v3 compatible backend
+ server. Commonly used LDAP backend servers include: OpenLDAP v2.0 and v2.1,
+ Sun ONE iDentity server, Novell eDirectory server, Microsoft Active Directory.
+ </p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p>
+ The <tt class="filename">pam_ncp_auth.so</tt> module allows authentication off any bindery-enabled
+ NetWare Core Protocol-based server.
+ </p></dd><dt><span class="term">SMB Password</span></dt><dd><p>
+ This module, called <tt class="filename">pam_smbpass.so</tt>, will allow user authentication off
+ the passdb backend that is configured in the Samba <tt class="filename">smb.conf</tt> file.
+ </p></dd><dt><span class="term">SMB Server</span></dt><dd><p>
+ The <tt class="filename">pam_smb_auth.so</tt> module is the original MS Windows networking authentication
+ tool. This module has been somewhat outdated by the Winbind module.
+ </p></dd><dt><span class="term">Winbind</span></dt><dd><p>
+ The <tt class="filename">pam_winbind.so</tt> module allows Samba to obtain authentication from any
+ MS Windows Domain Controller. It can just as easily be used to authenticate
+ users for access to any PAM-enabled application.
+ </p></dd><dt><span class="term">RADIUS</span></dt><dd><p>
+ There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
+ module. In most cases, administrators will need to locate the source code
+ for this tool and compile and install it themselves. RADIUS protocols are
+ used by many routers and terminal servers.
+ </p></dd></dl></div><p>
+Of the above, Samba provides the <tt class="filename">pam_smbpasswd.so</tt> and the <tt class="filename">pam_winbind.so</tt> modules alone.
+</p><p>
+Once configured, these permit a remarkable level of flexibility in the location and use
+of distributed Samba Domain Controllers that can provide wide area network bandwidth
+efficient authentication services for PAM-capable systems. In effect, this allows the
+deployment of centrally managed and maintained distributed authentication from a
+single-user account database.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2959235"></a>Technical Discussion</h2></div></div><div></div></div><p>
+PAM is designed to provide the system administrator with a great deal of flexibility in
+configuration of the privilege granting applications of their system. The local
+configuration of system security controlled by PAM is contained in one of two places:
+either the single system file, <tt class="filename">/etc/pam.conf</tt>, or the
+<tt class="filename">/etc/pam.d/</tt> directory.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959266"></a>PAM Configuration Syntax</h3></div></div><div></div></div><p>
+In this section we discuss the correct syntax of and generic options respected by entries to these files.
+PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
+sensitive since they indicate a file's name and reflect the case
+dependence of typical file systems.
+The case-sensitivity of the arguments to any given module is defined for each module in turn.
+</p><p>
+In addition to the lines described below, there are two special characters provided for the convenience
+of the system administrator: comments are preceded by a “<span class="quote">#</span>” and extend to the next end-of-line; also,
+module specification lines may be extended with a “<span class="quote">\</span>” escaped newline.
+</p><p>
+If the PAM authentication module (loadable link library file) is located in the
+default location, then it is not necessary to specify the path. In the case of
+Linux, the default location is <tt class="filename">/lib/security</tt>. If the module
+is located outside the default, then the path must be specified as:
+</p><p>
+</p><pre class="programlisting">
+auth required /other_path/pam_strange_module.so
+</pre><p>
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2959332"></a>Anatomy of <tt class="filename">/etc/pam.d</tt> Entries</h4></div></div><div></div></div><p>
+The remaining information in this subsection was taken from the documentation of the Linux-PAM
+project. For more information on PAM, see
+<ulink url="http://ftp.kernel.org/pub/linux/libs/pam/">The Official Linux-PAM home page.</ulink>
+</p><p>
+A general configuration line of the <tt class="filename">/etc/pam.conf</tt> file has the following form:
+</p><p>
+</p><pre class="programlisting">
+service-name module-type control-flag module-path args
+</pre><p>
+</p><p>
+Below, we explain the meaning of each of these tokens. The second (and more recently adopted)
+way of configuring Linux-PAM is via the contents of the <tt class="filename">/etc/pam.d/</tt> directory.
+Once we have explained the meaning of the above tokens, we will describe this method.
+</p><div class="variablelist"><dl><dt><span class="term">service-name</span></dt><dd><p>
+ The name of the service associated with this entry. Frequently, the service name is the conventional
+ name of the given application. For example, <b class="command">ftpd</b>, <b class="command">rlogind</b> and
+ <b class="command">su</b>, and so on.
+ </p><p>
+ There is a special service-name reserved for defining a default authentication mechanism. It has
+ the name <i class="parameter"><tt>OTHER</tt></i> and may be specified in either lower- or upper-case characters.
+ Note, when there is a module specified for a named service, the <i class="parameter"><tt>OTHER</tt></i>
+ entries are ignored.
+ </p></dd><dt><span class="term">module-type</span></dt><dd><p>
+ One of (currently) four types of module. The four types are as follows:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <i class="parameter"><tt>auth:</tt></i> This module type provides two aspects of authenticating the user.
+ It establishes that the user is who he claims to be by instructing the application
+ to prompt the user for a password or other means of identification. Secondly, the module can
+ grant group membership (independently of the <tt class="filename">/etc/groups</tt> file discussed
+ above) or other privileges through its credential granting properties.
+ </p></li><li><p>
+ <i class="parameter"><tt>account:</tt></i> This module performs non-authentication-based account management.
+ It is typically used to restrict/permit access to a service based on the time of day, currently
+ available system resources (maximum number of users) or perhaps the location of the applicant
+ user “<span class="quote">root</span>” login only on the console.
+ </p></li><li><p>
+ <i class="parameter"><tt>session:</tt></i> Primarily, this module is associated with doing things that need
+ to be done for the user before and after they can be given service. Such things include the logging
+ of information concerning the opening and closing of some data exchange with a user, mounting
+ directories, and so on.
+ </p></li><li><p>
+ <i class="parameter"><tt>password:</tt></i> This last module type is required for updating the authentication
+ token associated with the user. Typically, there is one module for each “<span class="quote">challenge/response</span>”
+ -based authentication <i class="parameter"><tt>(auth)</tt></i> module type.
+ </p></li></ul></div></dd><dt><span class="term">control-flag</span></dt><dd><p>
+ The control-flag is used to indicate how the PAM library will react to the success or failure of the
+ module it is associated with. Since modules can be stacked (modules of the same type execute in series,
+ one after another), the control-flags determine the relative importance of each module. The application
+ is not made aware of the individual success or failure of modules listed in the
+ <tt class="filename">/etc/pam.conf</tt> file. Instead, it receives a summary success or fail response from
+ the Linux-PAM library. The order of execution of these modules is that of the entries in the
+ <tt class="filename">/etc/pam.conf</tt> file; earlier entries are executed before later ones.
+ As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes.
+ </p><p>
+ The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the
+ severity of concern associated with the success or failure of a specific module. There are four such
+ keywords: <i class="parameter"><tt>required, requisite, sufficient and optional</tt></i>.
+ </p><p>
+ The Linux-PAM library interprets these keywords in the following manner:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <i class="parameter"><tt>required:</tt></i> This indicates that the success of the module is required for the
+ module-type facility to succeed. Failure of this module will not be apparent to the user until all
+ of the remaining modules (of the same module-type) have been executed.
+ </p></li><li><p>
+ <i class="parameter"><tt>requisite:</tt></i> Like required, however, in the case that such a module returns a
+ failure, control is directly returned to the application. The return value is that associated with
+ the first required or requisite module to fail. This flag can be used to protect against the
+ possibility of a user getting the opportunity to enter a password over an unsafe medium. It is
+ conceivable that such behavior might inform an attacker of valid accounts on a system. This
+ possibility should be weighed against the not insignificant concerns of exposing a sensitive
+ password in a hostile environment.
+ </p></li><li><p>
+ <i class="parameter"><tt>sufficient:</tt></i> The success of this module is deemed <i class="parameter"><tt>sufficient</tt></i> to satisfy
+ the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no
+ previous required module has failed, no more “<span class="quote">stacked</span>” modules of this type are invoked.
+ (In this case, subsequent required modules are not invoked). A failure of this module is not deemed
+ as fatal to satisfying the application that this module-type has succeeded.
+ </p></li><li><p>
+ <i class="parameter"><tt>optional:</tt></i> As its name suggests, this control-flag marks the module as not
+ being critical to the success or failure of the user's application for service. In general,
+ Linux-PAM ignores such a module when determining if the module stack will succeed or fail.
+ However, in the absence of any definite successes or failures of previous or subsequent stacked
+ modules, this module will determine the nature of the response to the application. One example of
+ this latter case, is when the other modules return something like PAM_IGNORE.
+ </p></li></ul></div><p>
+ The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
+ over how the user is authenticated. This form of the control flag is delimited with square brackets and
+ consists of a series of <i class="parameter"><tt>value=action</tt></i> tokens:
+ </p><pre class="programlisting">
+[value1=action1 value2=action2 ...]
+</pre><p>
+ Here, <i class="parameter"><tt>value1</tt></i> is one of the following return values:
+</p><pre class="screen">
+<i class="parameter"><tt>success; open_err; symbol_err; service_err; system_err; buf_err;</tt></i>
+<i class="parameter"><tt>perm_denied; auth_err; cred_insufficient; authinfo_unavail;</tt></i>
+<i class="parameter"><tt>user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err;</tt></i>
+<i class="parameter"><tt>cred_unavail; cred_expired; cred_err; no_module_data; conv_err;</tt></i>
+<i class="parameter"><tt>authtok_err; authtok_recover_err; authtok_lock_busy;</tt></i>
+<i class="parameter"><tt>authtok_disable_aging; try_again; ignore; abort; authtok_expired;</tt></i>
+<i class="parameter"><tt>module_unknown; bad_item;</tt></i> and <i class="parameter"><tt>default</tt></i>.
+</pre><p>
+</p><p>
+ The last of these <i class="parameter"><tt>(default)</tt></i> can be used to set the action for those return values that are not explicitly defined.
+ </p><p>
+ The <i class="parameter"><tt>action1</tt></i> can be a positive integer or one of the following tokens:
+ <i class="parameter"><tt>ignore; ok; done; bad; die;</tt></i> and <i class="parameter"><tt>reset</tt></i>.
+ A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
+ current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
+ stack of modules with a number of different paths of execution. Which path is taken can be determined by the
+ reactions of individual modules.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <i class="parameter"><tt>ignore:</tt></i> When used with a stack of modules, the module's return status will not
+ contribute to the return code the application obtains.
+ </p></li><li><p>
+ <i class="parameter"><tt>bad:</tt></i> This action indicates that the return code should be thought of as indicative
+ of the module failing. If this module is the first in the stack to fail, its status value will be used
+ for that of the whole stack.
+ </p></li><li><p>
+ <i class="parameter"><tt>die:</tt></i> Equivalent to bad with the side effect of terminating the module stack and
+ PAM immediately returning to the application.
+ </p></li><li><p>
+ <i class="parameter"><tt>ok:</tt></i> This tells PAM that the administrator thinks this return code should
+ contribute directly to the return code of the full stack of modules. In other words, if the former
+ state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
+ this value. Note, if the former state of the stack holds some value that is indicative of a modules
+ failure, this <i class="parameter"><tt>ok</tt></i> value will not be used to override that value.
+ </p></li><li><p>
+ <i class="parameter"><tt>done:</tt></i> Equivalent to <i class="parameter"><tt>ok</tt></i> with the side effect of terminating the module stack and
+ PAM immediately returning to the application.
+ </p></li><li><p>
+ <i class="parameter"><tt>reset:</tt></i> Clears all memory of the state of the module stack and starts again with
+ the next stacked module.
+ </p></li></ul></div><p>
+ Each of the four keywords: <i class="parameter"><tt>required; requisite; sufficient;</tt></i> and <i class="parameter"><tt>optional</tt></i>,
+ have an equivalent expression in terms of the [...] syntax. They are as follows:
+ </p><p>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <i class="parameter"><tt>required</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok ignore=ignore default=bad]</tt></i>.
+ </p></li><li><p>
+ <i class="parameter"><tt>requisite</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok ignore=ignore default=die]</tt></i>.
+ </p></li><li><p>
+ <i class="parameter"><tt>sufficient</tt></i> is equivalent to <i class="parameter"><tt>[success=done new_authtok_reqd=done default=ignore]</tt></i>.
+ </p></li><li><p>
+ <i class="parameter"><tt>optional</tt></i> is equivalent to <i class="parameter"><tt>[success=ok new_authtok_reqd=ok default=ignore]</tt></i>.
+ </p></li></ul></div><p>
+ </p><p>
+ Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63,
+ the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support
+ machine-machine authentication using the transport protocol inherent to the client/server application. With the
+ <i class="parameter"><tt>[ ... value=action ... ]</tt></i> control syntax, it is possible for an application to be configured
+ to support binary prompts with compliant clients, but to gracefully fall over into an alternative authentication
+ mode for older, legacy applications.
+ </p></dd><dt><span class="term">module-path</span></dt><dd><p>
+ The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the
+ module path is “<span class="quote">/</span>”, it is assumed to be a complete path. If this is not the case, the given module path is appended
+ to the default module path: <tt class="filename">/lib/security</tt> (but see the notes above).
+ </p><p>
+ The arguments are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical
+ Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments
+ are ignored by a module, however, when encountering an invalid argument, the module is required to write an error
+ to syslog(3). For a list of generic options, see the next section.
+ </p><p>
+ If you wish to include spaces in an argument, you should surround that argument with square brackets. For example:
+ </p><pre class="programlisting">
+squid auth required pam_mysql.so user=passwd_query passwd=mada \
+db=eminence [query=select user_name from internet_service where \
+user_name=“<span class="quote">%u</span>” and password=PASSWORD(“<span class="quote">%p</span>”) and service=“<span class="quote">web_proxy</span>”]
+</pre><p>
+ When using this convention, you can include “<span class="quote">[</span>” characters inside the string, and if you wish to have a “<span class="quote">]</span>”
+ character inside the string that will survive the argument parsing, you should use “<span class="quote">\[</span>”. In other words:
+ </p><pre class="programlisting">
+[..[..\]..] --> ..[..]..
+</pre><p>
+ Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the
+ side of caution) to make the authentication process fail. A corresponding error is written to the system log files
+ with a call to syslog(3).
+ </p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960262"></a>Example System Configurations</h3></div></div><div></div></div><p>
+The following is an example <tt class="filename">/etc/pam.d/login</tt> configuration file.
+This example had all options uncommented and is probably not usable
+because it stacks many conditions before allowing successful completion
+of the login process. Essentially all conditions can be disabled
+by commenting them out, except the calls to <tt class="filename">pam_pwdb.so</tt>.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2960294"></a>PAM: Original Login Config</h4></div></div><div></div></div><pre class="programlisting">
+#%PAM-1.0
+# The PAM configuration file for the “<span class="quote">login</span>” service
+#
+auth required pam_securetty.so
+auth required pam_nologin.so
+# auth required pam_dialup.so
+# auth optional pam_mail.so
+auth required pam_pwdb.so shadow md5
+# account requisite pam_time.so
+account required pam_pwdb.so
+session required pam_pwdb.so
+# session optional pam_lastlog.so
+# password required pam_cracklib.so retry=3
+password required pam_pwdb.so shadow md5
+</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2960324"></a>PAM: Login Using <tt class="filename">pam_smbpass</tt></h4></div></div><div></div></div><p>
+PAM allows use of replaceable modules. Those available on a sample system include:
+</p><p><tt class="prompt">$</tt><b class="userinput"><tt>/bin/ls /lib/security</tt></b>
+</p><pre class="programlisting">
+pam_access.so pam_ftp.so pam_limits.so
+pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
+pam_cracklib.so pam_group.so pam_listfile.so
+pam_nologin.so pam_rootok.so pam_tally.so
+pam_deny.so pam_issue.so pam_mail.so
+pam_permit.so pam_securetty.so pam_time.so
+pam_dialup.so pam_lastlog.so pam_mkhomedir.so
+pam_pwdb.so pam_shells.so pam_UNIX.so
+pam_env.so pam_ldap.so pam_motd.so
+pam_radius.so pam_smbpass.so pam_UNIX_acct.so
+pam_wheel.so pam_UNIX_auth.so pam_UNIX_passwd.so
+pam_userdb.so pam_warn.so pam_UNIX_session.so
+</pre><p>
+The following example for the login program replaces the use of
+the <tt class="filename">pam_pwdb.so</tt> module that uses the system
+password database (<tt class="filename">/etc/passwd</tt>,
+<tt class="filename">/etc/shadow</tt>, <tt class="filename">/etc/group</tt>) with
+the module <tt class="filename">pam_smbpass.so</tt>, which uses the Samba
+database which contains the Microsoft MD4 encrypted password
+hashes. This database is stored in either
+<tt class="filename">/usr/local/samba/private/smbpasswd</tt>,
+<tt class="filename">/etc/samba/smbpasswd</tt>, or in
+<tt class="filename">/etc/samba.d/smbpasswd</tt>, depending on the
+Samba implementation for your UNIX/Linux system. The
+<tt class="filename">pam_smbpass.so</tt> module is provided by
+Samba version 2.2.1 or later. It can be compiled by specifying the
+<tt class="option">--with-pam_smbpass</tt> options when running Samba's
+<b class="command">configure</b> script. For more information
+on the <tt class="filename">pam_smbpass</tt> module, see the documentation
+in the <tt class="filename">source/pam_smbpass</tt> directory of the Samba
+source distribution.
+</p><pre class="programlisting">
+#%PAM-1.0
+# The PAM configuration file for the “<span class="quote">login</span>” service
+#
+auth required pam_smbpass.so nodelay
+account required pam_smbpass.so nodelay
+session required pam_smbpass.so nodelay
+password required pam_smbpass.so nodelay
+</pre><p>
+The following is the PAM configuration file for a particular
+Linux system. The default condition uses <tt class="filename">pam_pwdb.so</tt>.
+</p><pre class="programlisting">
+#%PAM-1.0
+# The PAM configuration file for the “<span class="quote">samba</span>” service
+#
+auth required pam_pwdb.so nullok nodelay shadow audit
+account required pam_pwdb.so audit nodelay
+session required pam_pwdb.so nodelay
+password required pam_pwdb.so shadow md5
+</pre><p>
+In the following example, the decision has been made to use the
+<b class="command">smbpasswd</b> database even for basic Samba authentication. Such a
+decision could also be made for the <b class="command">passwd</b> program and would
+thus allow the <b class="command">smbpasswd</b> passwords to be changed using the
+<b class="command">passwd</b> program:
+</p><pre class="programlisting">
+#%PAM-1.0
+# The PAM configuration file for the “<span class="quote">samba</span>” service
+#
+auth required pam_smbpass.so nodelay
+account required pam_pwdb.so audit nodelay
+session required pam_pwdb.so nodelay
+password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
+</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>PAM allows stacking of authentication mechanisms. It is
+also possible to pass information obtained within one PAM module through
+to the next module in the PAM stack. Please refer to the documentation for
+your particular system implementation for details regarding the specific
+capabilities of PAM in this environment. Some Linux implementations also
+provide the <tt class="filename">pam_stack.so</tt> module that allows all
+authentication to be configured in a single central file. The
+<tt class="filename">pam_stack.so</tt> method has some devoted followers
+on the basis that it allows for easier administration. As with all issues in
+life though, every decision makes trade-offs, so you may want to examine the
+PAM documentation for further helpful information.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960612"></a><tt class="filename">smb.conf</tt> PAM Configuration</h3></div></div><div></div></div><p>
+ There is an option in <tt class="filename">smb.conf</tt> called <a class="indexterm" name="id2960633"></a><i class="parameter"><tt>obey pam restrictions</tt></i>.
+The following is from the online help for this option in SWAT;
+</p><p>
+When Samba is configured to enable PAM support (i.e., <tt class="option">--with-pam</tt>), this parameter will
+control whether or not Samba should obey PAM's account and session management directives. The default behavior
+is to use PAM for cleartext authentication only and to ignore any account or session management. Samba always
+ignores PAM for authentication in the case of <a class="indexterm" name="id2960663"></a><i class="parameter"><tt>encrypt passwords</tt></i> = yes.
+The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB
+password encryption.
+</p><p>Default: <a class="indexterm" name="id2960684"></a><i class="parameter"><tt>obey pam restrictions</tt></i> = no</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960701"></a>Remote CIFS Authentication Using <tt class="filename">winbindd.so</tt></h3></div></div><div></div></div><p>
+All operating systems depend on the provision of users credentials acceptable to the platform.
+UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID).
+These are both simple integer type numbers that are obtained from a password backend such
+as <tt class="filename">/etc/passwd</tt>.
+</p><p>
+Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for
+the domain when the user or group is created. To convert the Windows NT user or group into
+a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This
+is one of the jobs that winbind performs.
+</p><p>
+As Winbind users and groups are resolved from a server, user and group IDs are allocated
+from a specified range. This is done on a first come, first served basis, although all
+existing users and groups will be mapped as soon as a client performs a user or group
+enumeration command. The allocated UNIX IDs are stored in a database file under the Samba
+lock directory and will be remembered.
+</p><p>
+The astute administrator will realize from this that the combination of <tt class="filename">pam_smbpass.so</tt>,
+<b class="command">winbindd</b> and a distributed <a class="indexterm" name="id2960770"></a><i class="parameter"><tt>passdb backend</tt></i>,
+such as <i class="parameter"><tt>ldap</tt></i>, will allow the establishment of a centrally managed, distributed user/password
+database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have
+particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) in so far as
+the reduction of wide area network authentication traffic.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+The RID to UNIX ID database is the only location where the user and group mappings are
+stored by <b class="command">winbindd</b>. If this file is deleted or corrupted, there is no way for <b class="command">winbindd</b>
+to determine which user and group IDs correspond to Windows NT user and group RIDs.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960824"></a>Password Synchronization Using <tt class="filename">pam_smbpass.so</tt></h3></div></div><div></div></div><p>
+<tt class="filename">pam_smbpass</tt> is a PAM module that can be used on conforming systems to
+keep the <tt class="filename">smbpasswd</tt> (Samba password) database in sync with the UNIX
+password file. PAM (Pluggable Authentication Modules) is an API supported
+under some UNIX operating systems, such as Solaris, HPUX and Linux, that provides a
+generic interface to authentication mechanisms.
+</p><p>
+This module authenticates a local <tt class="filename">smbpasswd</tt> user database. If you require
+support for authenticating against a remote SMB server, or if you are
+concerned about the presence of SUID root binaries on your system, it is
+recommended that you use <tt class="filename">pam_winbind</tt> instead.
+</p><p>
+Options recognized by this module are shown in <link linkend="smbpassoptions">.
+</p><div class="table"><a name="smbpassoptions"></a><p class="title"><b>Table 25.1. Options recognized by <i class="parameter"><tt>pam_smbpass</tt></i></b></p><table summary="Options recognized by pam_smbpass" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left">debug</td><td align="justify">log more debugging info.</td></tr><tr><td align="left">audit</td><td align="justify">like debug, but also logs unknown usernames.</td></tr><tr><td align="left">use_first_pass</td><td align="justify">do not prompt the user for passwords; take them from PAM_ items instead.</td></tr><tr><td align="left">try_first_pass</td><td align="justify">try to get the password from a previous PAM module fall back to prompting the user.</td></tr><tr><td align="left">use_authtok</td><td align="justify">like try_first_pass, but *fail* if the new PAM_AUTHTOK has not been previously set (intended for stacking password modules only).</td></tr><tr><td align="left">not_set_pass</td><td align="justify">do not make passwords used by this module available to other modules.</td></tr><tr><td align="left">nodelay</td><td align="justify">do not insert ~1 second delays on authentication failure.</td></tr><tr><td align="left">nullok</td><td align="justify">null passwords are allowed.</td></tr><tr><td align="left">nonull</td><td align="justify">null passwords are not allowed. Used to override the Samba configuration.</td></tr><tr><td align="left">migrate</td><td align="justify">only meaningful in an “<span class="quote">auth</span>” context; used to update smbpasswd file with a password used for successful authentication.</td></tr><tr><td align="left">smbconf=<i class="replaceable"><tt>file</tt></i></td><td align="justify">specify an alternate path to the <tt class="filename">smb.conf</tt> file.</td></tr></tbody></table></div><p>
+</p><p>
+The following are examples of the use of <tt class="filename">pam_smbpass.so</tt> in the format of Linux
+<tt class="filename">/etc/pam.d/</tt> files structure. Those wishing to implement this
+tool on other platforms will need to adapt this appropriately.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961083"></a>Password Synchronization Configuration</h4></div></div><div></div></div><p>
+A sample PAM configuration that shows the use of pam_smbpass to make
+sure <tt class="filename">private/smbpasswd</tt> is kept in sync when <tt class="filename">/etc/passwd (/etc/shadow)</tt>
+is changed. Useful when an expired password might be changed by an
+application (such as <b class="command">ssh</b>).
+</p><pre class="programlisting">
+#%PAM-1.0
+# password-sync
+#
+auth requisite pam_nologin.so
+auth required pam_UNIX.so
+account required pam_UNIX.so
+password requisite pam_cracklib.so retry=3
+password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass
+password required pam_smbpass.so nullok use_authtok try_first_pass
+session required pam_UNIX.so
+</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961136"></a>Password Migration Configuration</h4></div></div><div></div></div><p>
+A sample PAM configuration that shows the use of <tt class="filename">pam_smbpass</tt> to migrate
+from plaintext to encrypted passwords for Samba. Unlike other methods,
+this can be used for users who have never connected to Samba shares:
+password migration takes place when users <b class="command">ftp</b> in, login using <b class="command">ssh</b>, pop
+their mail, and so on.
+</p><pre class="programlisting">
+#%PAM-1.0
+# password-migration
+#
+auth requisite pam_nologin.so
+# pam_smbpass is called IF pam_UNIX succeeds.
+auth requisite pam_UNIX.so
+auth optional pam_smbpass.so migrate
+account required pam_UNIX.so
+password requisite pam_cracklib.so retry=3
+password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass
+password optional pam_smbpass.so nullok use_authtok try_first_pass
+session required pam_UNIX.so
+</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961191"></a>Mature Password Configuration</h4></div></div><div></div></div><p>
+A sample PAM configuration for a mature <tt class="filename">smbpasswd</tt> installation.
+<tt class="filename">private/smbpasswd</tt> is fully populated, and we consider it an error if
+the SMB password does not exist or does not match the UNIX password.
+</p><pre class="programlisting">
+#%PAM-1.0
+# password-mature
+#
+auth requisite pam_nologin.so
+auth required pam_UNIX.so
+account required pam_UNIX.so
+password requisite pam_cracklib.so retry=3
+password requisite pam_UNIX.so shadow md5 use_authtok try_first_pass
+password required pam_smbpass.so use_authtok use_first_pass
+session required pam_UNIX.so
+</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961236"></a>Kerberos Password Integration Configuration</h4></div></div><div></div></div><p>
+A sample PAM configuration that shows <i class="parameter"><tt>pam_smbpass</tt></i> used together with
+<i class="parameter"><tt>pam_krb5</tt></i>. This could be useful on a Samba PDC that is also a member of
+a Kerberos realm.
+</p><pre class="programlisting">
+#%PAM-1.0
+# kdc-pdc
+#
+auth requisite pam_nologin.so
+auth requisite pam_krb5.so
+auth optional pam_smbpass.so migrate
+account required pam_krb5.so
+password requisite pam_cracklib.so retry=3
+password optional pam_smbpass.so nullok use_authtok try_first_pass
+password required pam_krb5.so use_authtok try_first_pass
+session required pam_krb5.so
+</pre></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961283"></a>Common Errors</h2></div></div><div></div></div><p>
+PAM can be fickle and sensitive to configuration glitches. Here we look at a few cases from
+the Samba mailing list.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961296"></a>pam_winbind Problem</h3></div></div><div></div></div><p>
+ A user reported: I have the following PAM configuration:
+ </p><p>
+</p><pre class="programlisting">
+auth required /lib/security/pam_securetty.so
+auth sufficient /lib/security/pam_winbind.so
+auth sufficient /lib/security/pam_UNIX.so use_first_pass nullok
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_stack.so service=system-auth
+account required /lib/security/pam_winbind.so
+password required /lib/security/pam_stack.so service=system-auth
+</pre><p>
+</p><p>
+ When I open a new console with [ctrl][alt][F1], I can't log in with my user “<span class="quote">pitie</span>”.
+ I have tried with user “<span class="quote">scienceu+pitie</span>” also.
+ </p><p>
+ <span class="emphasis"><em>Answer:</em></span> The problem may lie with your inclusion of <i class="parameter"><tt>pam_stack.so
+ service=system-auth</tt></i>. That file often contains a lot of stuff that may
+ duplicate what you are already doing. Try commenting out the <i class="parameter"><tt>pam_stack</tt></i> lines
+ for <i class="parameter"><tt>auth</tt></i> and <i class="parameter"><tt>account</tt></i> and see if things work. If they do, look at
+ <tt class="filename">/etc/pam.d/system-auth</tt> and copy only what you need from it into your
+ <tt class="filename">/etc/pam.d/login</tt> file. Alternately, if you want all services to use
+ Winbind, you can put the Winbind-specific stuff in <tt class="filename">/etc/pam.d/system-auth</tt>.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961406"></a>Winbind Is Not Resolving Users and Groups</h3></div></div><div></div></div><p>
+ “<span class="quote">
+ My <tt class="filename">smb.conf</tt> file is correctly configured. I have specified
+ <a class="indexterm" name="id2961428"></a><i class="parameter"><tt>idmap uid</tt></i> = 12000,
+ and <a class="indexterm" name="id2961442"></a><i class="parameter"><tt>idmap gid</tt></i> = 3000-3500
+ and <b class="command">winbind</b> is running. When I do the following it all works fine.
+ </span>”
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -u</tt></b>
+MIDEARTH+maryo
+MIDEARTH+jackb
+MIDEARTH+ameds
+...
+MIDEARTH+root
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -g</tt></b>
+MIDEARTH+Domain Users
+MIDEARTH+Domain Admins
+MIDEARTH+Domain Guests
+...
+MIDEARTH+Accounts
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+...
+maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
+</pre><p>
+ “<span class="quote">
+ But this command fails:
+ </span>”
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>chown maryo a_file</tt></b>
+chown: 'maryo': invalid user
+</pre><p>
+ “<span class="quote">This is driving me nuts! What can be wrong?</span>”
+ </p><p>
+ <span class="emphasis"><em>Answer:</em></span> Your system is likely running <b class="command">nscd</b>, the name service
+ caching daemon. Shut it down, do not restart it! You will find your problem resolved.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 24. Desktop Profile Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 26. Integrating MS Windows Networks with Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter 12. Group Mapping MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><tt class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><tt class="email"><<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="passdb.html#id2903592">Features and Benefits</a></dt><dd><dl><dt><a href="passdb.html#id2903640">Backward Compatibility Backends</a></dt><dt><a href="passdb.html#id2903800">New Backends</a></dt></dl></dd><dt><a href="passdb.html#passdbtech">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2904193">Important Notes About Security</a></dt><dt><a href="passdb.html#id2904429">Mapping User Identifiers between MS Windows and UNIX</a></dt><dt><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></dt></dl></dd><dt><a href="passdb.html#acctmgmttools">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2904747">The smbpasswd Command</a></dt><dt><a href="passdb.html#pdbeditthing">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2905334">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2905385">Plaintext</a></dt><dt><a href="passdb.html#id2905425">smbpasswd Encrypted Password Database</a></dt><dt><a href="passdb.html#id2905552">tdbsam</a></dt><dt><a href="passdb.html#id2905605">ldapsam</a></dt><dt><a href="passdb.html#id2907687">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2908781">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2908788">Users Cannot Logon</a></dt><dt><a href="passdb.html#id2908830">Users Being Added to the Wrong Backend Database</a></dt><dt><a href="passdb.html#id2908922">Configuration of auth methods</a></dt></dl></dd></dl></div><p>
+Samba-3 implements a new capability to work concurrently with multiple account backends.
+The possible new combinations of password backends allows Samba-3 a degree of flexibility
+and scalability that previously could be achieved only with MS Windows Active Directory.
+This chapter describes the new functionality and how to get the most out of it.
+</p><p>
+In the development of Samba-3, a number of requests were received to provide the
+ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
+matching UNIX/Linux accounts. We called this the <span class="emphasis"><em>Non-UNIX Accounts (NUA)</em></span>
+capability. The intent was that an administrator could decide to use the <span class="emphasis"><em>tdbsam</em></span>
+backend and by simply specifying <a class="indexterm" name="id2903560"></a><i class="parameter"><tt>passdb backend</tt></i> = tdbsam_nua,
+this would allow Samba-3 to implement a solution that did not use UNIX accounts per se. Late
+in the development cycle, the team doing this work hit upon some obstacles that prevents this
+solution from being used. Given the delays with the Samba-3 release, a decision was made to not
+deliver this functionality until a better method of recognizing NT Group SIDs from NT User
+SIDs could be found. This feature may return during the life cycle for the Samba-3 series.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Samba-3 does not support Non-UNIX Account (NUA) operation for user accounts.
+Samba-3 does support NUA operation for machine accounts.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903592"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Samba-3 provides for complete backward compatibility with Samba-2.2.x functionality
+as follows:
+<a class="indexterm" name="id2903606"></a>
+<a class="indexterm" name="id2903617"></a>
+<a class="indexterm" name="id2903628"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903640"></a>Backward Compatibility Backends</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Plain Text</span></dt><dd><p>
+ This option uses nothing but the UNIX/Linux <tt class="filename">/etc/passwd</tt>
+ style backend. On systems that have Pluggable Authentication Modules (PAM)
+ support, all PAM modules are supported. The behavior is just as it was with
+ Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
+ apply likewise. Please refer to <link linkend="passdbtech"> for more information
+ regarding the limitations of Plain Text password usage.
+ </p></dd><dt><span class="term">smbpasswd</span></dt><dd><p>
+ This option allows continued use of the <tt class="filename">smbpasswd</tt>
+ file that maintains a plain ASCII (text) layout that includes the MS Windows
+ LanMan and NT encrypted passwords as well as a field that stores some
+ account information. This form of password backend does not store any of
+ the MS Windows NT/200x SAM (Security Account Manager) information required to
+ provide the extended controls that are needed for more comprehensive
+ interoperation with MS Windows NT4/200x servers.
+ </p><p>
+ This backend should be used only for backward compatibility with older
+ versions of Samba. It may be deprecated in future releases.
+ </p></dd><dt><span class="term">ldapsam_compat (Samba-2.2 LDAP Compatibility)</span></dt><dd><p>
+ There is a password backend option that allows continued operation with
+ an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension.
+ This option is provided primarily as a migration tool, although there is
+ no reason to force migration at this time. This tool will eventually
+ be deprecated.
+ </p></dd></dl></div></div><p>
+Samba-3 introduces a number of new password backend capabilities.
+<a class="indexterm" name="id2903755"></a>
+<a class="indexterm" name="id2903766"></a>
+<a class="indexterm" name="id2903777"></a>
+<a class="indexterm" name="id2903788"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903800"></a>New Backends</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">tdbsam</span></dt><dd><p>
+ This backend provides a rich database backend for local servers. This
+ backend is not suitable for multiple Domain Controllers (i.e., PDC + one
+ or more BDC) installations.
+ </p><p>
+ The <span class="emphasis"><em>tdbsam</em></span> password backend stores the old <span class="emphasis"><em>
+ smbpasswd</em></span> information plus the extended MS Windows NT / 200x
+ SAM information into a binary format TDB (trivial database) file.
+ The inclusion of the extended information makes it possible for Samba-3
+ to implement the same account and system access controls that are possible
+ with MS Windows NT4/200x-based systems.
+ </p><p>
+ The inclusion of the <span class="emphasis"><em>tdbsam</em></span> capability is a direct
+ response to user requests to allow simple site operation without the overhead
+ of the complexities of running OpenLDAP. It is recommended to use this only
+ for sites that have fewer than 250 users. For larger sites or implementations,
+ the use of OpenLDAP or of Active Directory integration is strongly recommended.
+ </p></dd><dt><span class="term">ldapsam</span></dt><dd><p>
+ This provides a rich directory backend for distributed account installation.
+ </p><p>
+ Samba-3 has a new and extended LDAP implementation that requires configuration
+ of OpenLDAP with a new format Samba schema. The new format schema file is
+ included in the <tt class="filename">examples/LDAP</tt> directory of the Samba distribution.
+ </p><p>
+ The new LDAP implementation significantly expands the control abilities that
+ were possible with prior versions of Samba. It is now possible to specify
+ “<span class="quote">per user</span>” profile settings, home directories, account access controls, and
+ much more. Corporate sites will see that the Samba Team has listened to their
+ requests both for capability and to allow greater scalability.
+ </p></dd><dt><span class="term">mysqlsam (MySQL based backend)</span></dt><dd><p>
+ It is expected that the MySQL-based SAM will be very popular in some corners.
+ This database backend will be of considerable interest to sites that want to
+ leverage existing MySQL technology.
+ </p></dd><dt><span class="term">xmlsam (XML based datafile)</span></dt><dd><p>
+<a class="indexterm" name="id2903946"></a>
+ Allows the account and password data to be stored in an XML format
+ data file. This backend cannot be used for normal operation, it can only
+ be used in conjunction with <b class="command">pdbedit</b>'s pdb2pdb
+ functionality. The DTD that is used might be subject to changes in the future.
+ </p><p>
+ The <i class="parameter"><tt>xmlsam</tt></i> option can be useful for account migration between database
+ backends or backups. Use of this tool will allow the data to be edited before migration
+ into another backend format.
+ </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="passdbtech"></a>Technical Information</h2></div></div><div></div></div><p>
+ Old Windows clients send plain text passwords over the wire. Samba can check these
+ passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
+ </p><p>
+<a class="indexterm" name="id2904009"></a>
+ Newer Windows clients send encrypted passwords (so-called Lanman and NT hashes) over
+ the wire, instead of plain text passwords. The newest clients will send only encrypted
+ passwords and refuse to send plain text passwords, unless their registry is tweaked.
+ </p><p>
+ These passwords can't be converted to UNIX-style encrypted passwords. Because of that,
+ you can't use the standard UNIX user database, and you have to store the Lanman and NT
+ hashes somewhere else.
+ </p><p>
+ In addition to differently encrypted passwords, Windows also stores certain data for each
+ user that is not stored in a UNIX user database. For example, workstations the user may logon from,
+ the location where the user's profile is stored, and so on. Samba retrieves and stores this
+ information using a <a class="indexterm" name="id2904039"></a><i class="parameter"><tt>passdb backend</tt></i>. Commonly available backends are LDAP, plain text
+ file, and MySQL. For more information, see the man page for <tt class="filename">smb.conf</tt> regarding the
+ <a class="indexterm" name="id2904062"></a><i class="parameter"><tt>passdb backend</tt></i> parameter.
+ </p><div class="figure"><a name="idmap-sid2uid"></a><p class="title"><b>Figure 11.1. IDMAP: Resolution of SIDs to UIDs.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-sid2uid.png" width="270" alt="IDMAP: Resolution of SIDs to UIDs."></div></div><p>
+<a class="indexterm" name="id2904123"></a>
+ The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running, or cannot
+ be contacted, then only local SID/UID resolution is possible. See <link linkend="idmap-sid2uid"> and
+ <link linkend="idmap-uid2sid">.
+ </p><div class="figure"><a name="idmap-uid2sid"></a><p class="title"><b>Figure 11.2. IDMAP: Resolution of UIDs to SIDs.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-uid2sid.png" width="270" alt="IDMAP: Resolution of UIDs to SIDs."></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904193"></a>Important Notes About Security</h3></div></div><div></div></div><p>
+ The UNIX and SMB password encryption techniques seem similar on the surface. This
+ similarity is, however, only skin deep. The UNIX scheme typically sends cleartext
+ passwords over the network when logging in. This is bad. The SMB encryption scheme
+ never sends the cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
+ are a “<span class="quote">password equivalent.</span>” You cannot derive the user's password from them, but
+ they could potentially be used in a modified client to gain access to a server.
+ This would require considerable technical knowledge on behalf of the attacker but
+ is perfectly possible. You should thus treat the datastored in whatever passdb
+ backend you use (smbpasswd file, LDAP, MYSQL) as though it contained the cleartext
+ passwords of all your users. Its contents must be kept secret and the file should
+ be protected accordingly.
+ </p><p>
+ Ideally, we would like a password scheme that involves neither plain text passwords
+ on the network nor on disk. Unfortunately, this is not available as Samba is stuck with
+ having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me).
+ </p><p>
+ Windows NT 4.0 Service Pack 3 changed the default setting so plaintext passwords
+ are disabled from being sent over the wire. This mandates either the use of encrypted
+ password support or editing the Windows NT registry to re-enable plaintext passwords.
+ </p><p>
+ The following versions of Microsoft Windows do not support full domain security protocols,
+ although they may log onto a domain environment:
+ </p><div class="itemizedlist"><ul type="disc"><li>MS DOS Network client 3.0 with the basic network redirector installed.</li><li>Windows 95 with the network redirector update installed.</li><li>Windows 98 [Second Edition].</li><li>Windows Me.</li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ MS Windows XP Home does not have facilities to become a Domain Member and it cannot participate in domain logons.
+ </p></div><p>
+ The following versions of MS Windows fully support domain security protocols.
+ </p><div class="itemizedlist"><ul type="disc"><li>Windows NT 3.5x.</li><li>Windows NT 4.0.</li><li>Windows 2000 Professional.</li><li>Windows 200x Server/Advanced Server.</li><li>Windows XP Professional.</li></ul></div><p>
+ All current releases of Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling cleartext authentication
+ does not disable the ability of the client to participate in encrypted authentication.
+ Instead, it allows the client to negotiate either plain text or encrypted password
+ handling.
+ </p><p>
+ MS Windows clients will cache the encrypted password alone. Where plain text passwords
+ are re-enabled through the appropriate registry change, the plain text password is never
+ cached. This means that in the event that a network connections should become disconnected
+ (broken), only the cached (encrypted) password will be sent to the resource server to
+ effect an auto-reconnect. If the resource server does not support encrypted passwords the
+ auto-reconnect will fail. Use of encrypted passwords is strongly advised.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2904338"></a>Advantages of Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plaintext passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</p></li><li><p>Plaintext passwords are not stored anywhere in
+ memory or on disk.</p></li><li><p>Windows NT does not like talking to a server
+ that does not support encrypted passwords. It will refuse
+ to browse the server if the server is also in User Level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </p></li><li><p>Encrypted password support allows automatic share
+ (resource) reconnects.</p></li><li><p>Encrypted passwords are essential for PDC/BDC
+ operation.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2904393"></a>Advantages of Non-Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plaintext passwords are not kept
+ on disk, and are not cached in memory. </p></li><li><p>Uses same password file as other UNIX
+ services such as Login and FTP.</p></li><li><p>Use of other services (such as Telnet and FTP) that
+ send plain text passwords over the network, so sending them for SMB
+ is not such a big deal.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904429"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div><div></div></div><p>
+ Every operation in UNIX/Linux requires a user identifier (UID), just as in
+ MS Windows NT4/200x this requires a Security Identifier (SID). Samba provides
+ two means for mapping an MS Windows user to a UNIX/Linux UID.
+ </p><p>
+ First, all Samba SAM (Security Account Manager database) accounts require
+ a UNIX/Linux UID that the account will map to. As users are added to the account
+ information database, Samba will call the <a class="indexterm" name="id2904452"></a><i class="parameter"><tt>add user script</tt></i>
+ interface to add the account to the Samba host OS. In essence all accounts in
+ the local SAM require a local user account.
+ </p><p>
+ The second way to effect Windows SID to UNIX UID mapping is via the
+ <span class="emphasis"><em>idmap uid</em></span> and <span class="emphasis"><em>idmap gid</em></span> parameters in <tt class="filename">smb.conf</tt>.
+ Please refer to the man page for information about these parameters.
+ These parameters are essential when mapping users from a remote SAM server.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div><div></div></div><p>
+ Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
+ on all servers in a distributed network. A distributed network is one where there exists
+ a PDC, one or more BDCs and/or one or more Domain Member servers. Why is this important?
+ This is important if files are being shared over more than one protocol (e.g., NFS) and where
+ users are copying files across UNIX/Linux systems using tools such as <b class="command">rsync</b>.
+ </p><p>
+ The special facility is enabled using a parameter called <i class="parameter"><tt>idmap backend</tt></i>.
+ The default setting for this parameter is an empty string. Technically it is possible to use
+ an LDAP based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
+ network configurations that also use LDAP for the SAM backend. A sample use is shown in
+ <link linkend="idmapbackendexample">.
+ </p><p>
+<a class="indexterm" name="id2904556"></a>
+</p><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. Example configuration with the LDAP idmap backend</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam:ldap://ldap-server.quenya.org:636</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam:ldaps://ldap-server.quenya.org</tt></i></td></tr></table></div><p>
+ </p><p>
+ A network administrator who wants to make significant use of LDAP backends will sooner or later be
+ exposed to the excellent work done by PADL Software. PADL <ulink url="http://www.padl.com">http://www.padl.com</ulink> have
+ produced and released to open source an array of tools that might be of interest. These tools include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <span class="emphasis"><em>nss_ldap:</em></span> An LDAP Name Service Switch module to provide native
+ name service support for AIX, Linux, Solaris, and other operating systems. This tool
+ can be used for centralized storage and retrieval of UIDs/GIDs.
+ </p></li><li><p>
+ <span class="emphasis"><em>pam_ldap:</em></span> A PAM module that provides LDAP integration for UNIX/Linux
+ system access authentication.
+ </p></li><li><p>
+ <span class="emphasis"><em>idmap_ad:</em></span> An IDMAP backend that supports the Microsoft Services for
+ UNIX RFC 2307 schema available from their web
+ <ulink url="http://www.padl.com/download/xad_oss_plugins.tar.gz">site</ulink>.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2904718"></a>
+Samba provides two tools for management of user and machine accounts. These tools are
+called <b class="command">smbpasswd</b> and <b class="command">pdbedit</b>. A third tool is under
+development but is not expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
+GUI tool that looks much like the MS Windows NT4 Domain User Manager. Hopefully this will
+be announced in time for the Samba-3.0.1 release.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904747"></a>The <span class="emphasis"><em>smbpasswd</em></span> Command</h3></div></div><div></div></div><p>
+ The smbpasswd utility is similar to the <b class="command">passwd</b>
+ or <b class="command">yppasswd</b> programs. It maintains the two 32 byte password
+ fields in the passdb backend.
+ </p><p>
+ <b class="command">smbpasswd</b> works in a client-server mode where it contacts the
+ local smbd to change the user's password on its behalf. This has enormous benefits.
+ </p><p>
+ <b class="command">smbpasswd</b> has the capability to change passwords on Windows NT
+ servers (this only works when the request is sent to the NT Primary Domain Controller
+ if changing an NT Domain user's password).
+ </p><p>
+ <b class="command">smbpasswd</b> can be used to:
+<a class="indexterm" name="id2904816"></a>
+<a class="indexterm" name="id2904824"></a>
+
+ </p><div class="itemizedlist"><ul type="disc"><li><span class="emphasis"><em>add</em></span> user or machine accounts.</li><li><span class="emphasis"><em>delete</em></span> user or machine accounts.</li><li><span class="emphasis"><em>enable</em></span> user or machine accounts.</li><li><span class="emphasis"><em>disable</em></span> user or machine accounts.</li><li><span class="emphasis"><em>set to NULL</em></span> user passwords.</li><li><span class="emphasis"><em>manage interdomain trust accounts.</em></span></li></ul></div><p>
+ To run smbpasswd as a normal user just type:
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>smbpasswd</tt></b>
+<tt class="prompt">Old SMB password: </tt><b class="userinput"><tt><i class="replaceable"><tt>secret</tt></i></tt></b>
+</pre><p>
+ For <i class="replaceable"><tt>secret</tt></i>, type old value here or press return if
+ there is no old password.
+</p><pre class="screen">
+<tt class="prompt">New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
+<tt class="prompt">Repeat New SMB Password: </tt><b class="userinput"><tt><i class="replaceable"><tt>new secret</tt></i></tt></b>
+</pre><p>
+ </p><p>
+ If the old value does not match the current value stored for that user, or the two
+ new values do not match each other, then the password will not be changed.
+ </p><p>
+ When invoked by an ordinary user, the command will only allow the user to change his or her own
+ SMB password.
+ </p><p>
+ When run by root, <b class="command">smbpasswd</b> may take an optional argument specifying
+ the user name whose SMB password you wish to change. When run as root, <b class="command">smbpasswd</b>
+ does not prompt for or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.
+ </p><p>
+ <b class="command">smbpasswd</b> is designed to work in the way familiar to UNIX
+ users who use the <b class="command">passwd</b> or <b class="command">yppasswd</b> commands.
+ While designed for administrative use, this tool provides essential User Level
+ password change capabilities.
+ </p><p>
+ For more details on using <b class="command">smbpasswd</b>, refer to the man page (the
+ definitive reference).
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="pdbeditthing"></a>The <span class="emphasis"><em>pdbedit</em></span> Command</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2905062"></a>
+ <b class="command">pdbedit</b> is a tool that can be used only by root. It is used to
+ manage the passdb backend. <b class="command">pdbedit</b> can be used to:
+<a class="indexterm" name="id2905085"></a>
+<a class="indexterm" name="id2905094"></a>
+
+ </p><div class="itemizedlist"><ul type="disc"><li>add, remove or modify user accounts.</li><li>list user accounts.</li><li>migrate user accounts.</li></ul></div><p>
+<a class="indexterm" name="id2905127"></a>
+ The <b class="command">pdbedit</b> tool is the only one that can manage the account
+ security and policy settings. It is capable of all operations that smbpasswd can
+ do as well as a super set of them.
+ </p><p>
+<a class="indexterm" name="id2905150"></a>
+ One particularly important purpose of the <b class="command">pdbedit</b> is to allow
+ the migration of account information from one passdb backend to another. See the
+ <link linkend="XMLpassdb"> password backend section of this chapter.
+ </p><p>
+ The following is an example of the user account information that is stored in
+ a tdbsam password backend. This listing was produced by running:
+ </p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>pdbedit -Lv met</tt></b>
+UNIX username: met
+NT username:
+Account Flags: [UX ]
+User SID: S-1-5-21-1449123459-1407424037-3116680435-2004
+Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201
+Full Name: Melissa E Terpstra
+Home Directory: \\frodo\met\Win9Profile
+HomeDir Drive: H:
+Logon Script: scripts\logon.bat
+Profile Path: \\frodo\Profiles\met
+Domain: MIDEARTH
+Account desc:
+Workstations: melbelle
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Sat, 14 Dec 2002 14:37:03 GMT
+Password can change: Sat, 14 Dec 2002 14:37:03 GMT
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</pre><p>
+<a class="indexterm" name="id2905222"></a>
+ The <b class="command">pdbedit</b> tool allows migration of authentication (account)
+ databases from one backend to another. For example: To migrate accounts from an
+ old <tt class="filename">smbpasswd</tt> database to a <i class="parameter"><tt>tdbsam</tt></i>
+ backend:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Set the <a class="indexterm" name="id2905264"></a><i class="parameter"><tt>passdb backend</tt></i> = tdbsam, smbpasswd.
+ </p></li><li><p>
+ Execute:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>pdbedit -i smbpassed -e tdbsam</tt></b>
+</pre><p>
+ </p></li><li><p>
+ Now remove the <i class="parameter"><tt>smbpasswd</tt></i> from the passdb backend
+ configuration in <tt class="filename">smb.conf</tt>.
+ </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905334"></a>Password Backends</h2></div></div><div></div></div><p>
+Samba offers the greatest flexibility in backend account database design of any SMB/CIFS server
+technology available today. The flexibility is immediately obvious as one begins to explore this
+capability.
+</p><p>
+It is possible to specify not only multiple different password backends, but even multiple
+backends of the same type. For example, to use two different tdbsam databases:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>passdb backend = tdbsam:/etc/samba/passdb.tdb \</tt></i></td></tr><tr><td><i class="parameter"><tt>tdbsam:/etc/samba/old-passdb.tdb</tt></i></td></tr></table><p>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905385"></a>Plaintext</h3></div></div><div></div></div><p>
+ Older versions of Samba retrieved user information from the UNIX user database
+ and eventually some other fields from the file <tt class="filename">/etc/samba/smbpasswd</tt>
+ or <tt class="filename">/etc/smbpasswd</tt>. When password encryption is disabled, no
+ SMB specific data is stored at all. Instead all operations are conducted via the way
+ that the Samba host OS will access its <tt class="filename">/etc/passwd</tt> database.
+ Linux systems For example, all operations are done via PAM.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905425"></a>smbpasswd Encrypted Password Database</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2905439"></a>
+ Traditionally, when configuring <a class="indexterm" name="id2905450"></a><i class="parameter"><tt>encrypt passwords</tt></i> = yes in Samba's <tt class="filename">smb.conf</tt> file, user account
+ information such as username, LM/NT password hashes, password change times, and account
+ flags have been stored in the <tt class="filename">smbpasswd(5)</tt> file. There are several
+ disadvantages to this approach for sites with large numbers of users (counted
+ in the thousands).
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The first problem is that all lookups must be performed sequentially. Given that
+ there are approximately two lookups per domain logon (one for a normal
+ session connection such as when mapping a network drive or printer), this
+ is a performance bottleneck for large sites. What is needed is an indexed approach
+ such as used in databases.
+ </p></li><li><p>
+ The second problem is that administrators who desire to replicate a smbpasswd file
+ to more than one Samba server were left to use external tools such as
+ <b class="command">rsync(1)</b> and <b class="command">ssh(1)</b> and wrote custom,
+ in-house scripts.
+ </p></li><li><p>
+ Finally, the amount of information that is stored in an smbpasswd entry leaves
+ no room for additional attributes such as a home directory, password expiration time,
+ or even a Relative Identifier (RID).
+ </p></li></ul></div><p>
+ As a result of these deficiencies, a more robust means of storing user attributes
+ used by smbd was developed. The API which defines access to user accounts
+ is commonly referred to as the samdb interface (previously this was called the passdb
+ API, and is still so named in the Samba CVS trees).
+ </p><p>
+ Samba provides an enhanced set of passdb backends that overcome the deficiencies
+ of the smbpasswd plain text database. These are tdbsam, ldapsam and xmlsam.
+ Of these, ldapsam will be of most interest to large corporate or enterprise sites.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905552"></a>tdbsam</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2905563"></a>
+ Samba can store user and machine account data in a “<span class="quote">TDB</span>” (Trivial Database).
+ Using this backend does not require any additional configuration. This backend is
+ recommended for new installations that do not require LDAP.
+ </p><p>
+ As a general guide, the Samba Team does not recommend using the tdbsam backend for sites
+ that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
+ in sites that require PDB/BDC implementations that require replication of the account
+ database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
+ </p><p>
+ The recommendation of a 250 user limit is purely based on the notion that this
+ would generally involve a site that has routed networks, possibly spread across
+ more than one physical location. The Samba Team has not at this time established
+ the performance based scalability limits of the tdbsam architecture.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905605"></a>ldapsam</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2905616"></a>
+ There are a few points to stress that the ldapsam does not provide. The LDAP
+ support referred to in this documentation does not include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>A means of retrieving user account information from
+ an Windows 200x Active Directory server.</p></li><li><p>A means of replacing /etc/passwd.</p></li></ul></div><p>
+ The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
+ versions of these libraries can be obtained from
+ <ulink url="http://www.padl.com/">PADL Software</ulink>.
+ More information about the configuration of these packages may be found at
+ <ulink url="http://safari.oreilly.com/?XmlId=1-56592-491-6">
+ LDAP, System Administration; Gerald Carter by O'Reilly; Chapter 6: Replacing NIS."</ulink>
+ </p><p>
+ This document describes how to use an LDAP directory for storing Samba user
+ account information traditionally stored in the smbpasswd(5) file. It is
+ assumed that the reader already has a basic understanding of LDAP concepts
+ and has a working directory server already installed. For more information
+ on LDAP architectures and directories, please refer to the following sites:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><ulink url="http://www.openldap.org/">OpenLDAP</ulink></p></li><li><p><ulink url="http://iplanet.netscape.com/directory">Sun iPlanet Directory Server</ulink></p></li></ul></div><p>
+ Two additional Samba resources which may prove to be helpful are:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>The <ulink url="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html">Samba-PDC-LDAP-HOWTO</ulink>
+ maintained by Ignacio Coupeau.</p></li><li><p>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
+ geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
+ </p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2905753"></a>Supported LDAP Servers</h4></div></div><div></div></div><p>
+ The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
+ client libraries. The same code should work with Netscape's Directory Server and client SDK.
+ However, there are bound to be compile errors and bugs. These should not be hard to fix.
+ Please submit fixes via the process outlined in <link linkend="bugreport">.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2905778"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div><div></div></div><p>
+ Samba-3.0 includes the necessary schema file for OpenLDAP 2.0 in
+ <tt class="filename">examples/LDAP/samba.schema</tt>. The sambaSamAccount objectclass is given here:
+ </p><p>
+</p><pre class="programlisting">
+objectclass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
+ DESC 'Samba-3.0 Auxiliary SAM Account'
+ MUST ( uid $ sambaSID )
+ MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
+ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
+ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
+ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
+ sambaProfilePath $ description $ sambaUserWorkstations $
+ sambaPrimaryGroupSID $ sambaDomainName ))
+</pre><p>
+</p><p>
+ The <tt class="filename">samba.schema</tt> file has been formatted for OpenLDAP 2.0/2.1.
+ The Samba Team owns the OID space used by the above schema and recommends its use.
+ If you translate the schema to be used with Netscape DS, please submit the modified
+ schema file as a patch to <ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>.
+ </p><p>
+ Just as the smbpasswd file is meant to store information that provides information additional to a
+ user's <tt class="filename">/etc/passwd</tt> entry, so is the sambaSamAccount object
+ meant to supplement the UNIX user account information. A sambaSamAccount is a
+ <tt class="constant">AUXILIARY</tt> objectclass so it can be used to augment existing
+ user account information in the LDAP directory, thus providing information needed
+ for Samba account handling. However, there are several fields (e.g., uid) that overlap
+ with the posixAccount objectclass outlined in RFC2307. This is by design.
+ </p><p>
+ In order to store all user account information (UNIX and Samba) in the directory,
+ it is necessary to use the sambaSamAccount and posixAccount objectclasses in
+ combination. However, smbd will still obtain the user's UNIX account
+ information via the standard C library calls (e.g., getpwnam(), et al).
+ This means that the Samba server must also have the LDAP NSS library installed
+ and functioning correctly. This division of information makes it possible to
+ store all Samba account information in LDAP, but still maintain UNIX account
+ information in NIS while the network is transitioning to a full LDAP infrastructure.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2905890"></a>OpenLDAP Configuration</h4></div></div><div></div></div><p>
+ To include support for the sambaSamAccount object in an OpenLDAP directory
+ server, first copy the samba.schema file to slapd's configuration directory.
+ The samba.schema file can be found in the directory <tt class="filename">examples/LDAP</tt>
+ in the Samba source distribution.
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cp samba.schema /etc/openldap/schema/</tt></b>
+</pre><p>
+</p><p>
+ Next, include the <tt class="filename">samba.schema</tt> file in <tt class="filename">slapd.conf</tt>.
+ The sambaSamAccount object contains two attributes that depend on other schema
+ files. The <i class="parameter"><tt>uid</tt></i> attribute is defined in <tt class="filename">cosine.schema</tt> and
+ the <i class="parameter"><tt>displayName</tt></i> attribute is defined in the <tt class="filename">inetorgperson.schema</tt>
+ file. Both of these must be included before the <tt class="filename">samba.schema</tt> file.
+ </p><p>
+</p><pre class="programlisting">
+## /etc/openldap/slapd.conf
+
+## schema files (core.schema is required by default)
+include /etc/openldap/schema/core.schema
+
+## needed for sambaSamAccount
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/samba.schema
+include /etc/openldap/schema/nis.schema
+....
+</pre><p>
+</p><p>
+ It is recommended that you maintain some indices on some of the most useful attributes,
+ as in the following example, to speed up searches made on sambaSamAccount objectclasses
+ (and possibly posixAccount and posixGroup as well):
+ </p><p>
+</p><pre class="programlisting">
+# Indices to maintain
+## required by OpenLDAP
+index objectclass eq
+
+index cn pres,sub,eq
+index sn pres,sub,eq
+## required to support pdb_getsampwnam
+index uid pres,sub,eq
+## required to support pdb_getsambapwrid()
+index displayName pres,sub,eq
+
+## uncomment these if you are storing posixAccount and
+## posixGroup entries in the directory as well
+##index uidNumber eq
+##index gidNumber eq
+##index memberUid eq
+
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre><p>
+</p><p>
+ Create the new index by executing:
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt>./sbin/slapindex -f slapd.conf
+</pre><p>
+</p><p>
+ Remember to restart slapd after making these changes:
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>/etc/init.d/slapd restart</tt></b>
+</pre><p>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906098"></a>Initialize the LDAP Database</h4></div></div><div></div></div><p>
+ Before you can add accounts to the LDAP database you must create the account containers
+ that they will be stored in. The following LDIF file should be modified to match your
+ needs (DNS entries, and so on):
+ </p><p>
+</p><pre class="programlisting">
+# Organization for Samba Base
+dn: dc=quenya,dc=org
+objectclass: dcObject
+objectclass: organization
+dc: quenya
+o: Quenya Org Network
+description: The Samba-3 Network LDAP Example
+
+# Organizational Role for Directory Management
+dn: cn=Manager,dc=quenya,dc=org
+objectclass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+# Setting up container for users
+dn: ou=People,dc=quenya,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+# Setting up admin handle for People OU
+dn: cn=admin,ou=People,dc=quenya,dc=org
+cn: admin
+objectclass: top
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
+
+# Setting up container for groups
+dn: ou=Groups,dc=quenya,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+# Setting up admin handle for Groups OU
+dn: cn=admin,ou=Groups,dc=quenya,dc=org
+cn: admin
+objectclass: top
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
+
+# Setting up container for computers
+dn: ou=Computers,dc=quenya,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+# Setting up admin handle for Computers OU
+dn: cn=admin,ou=Computers,dc=quenya,dc=org
+cn: admin
+objectclass: top
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
+</pre><p>
+</p><p>
+ The userPassword shown above should be generated using <b class="command">slappasswd</b>.
+ </p><p>
+ The following command will then load the contents of the LDIF file into the LDAP
+ database.
+ </p><p>
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>slapadd -v -l initldap.dif</tt></b>
+</pre><p>
+</p><p>
+ Do not forget to secure your LDAP server with an adequate access control list
+ as well as an admin password.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Before Samba can access the LDAP server you need to store the LDAP admin password
+ into the Samba-3 <tt class="filename">secrets.tdb</tt> database by:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -w <i class="replaceable"><tt>secret</tt></i></tt></b>
+</pre><p>
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906239"></a>Configuring Samba</h4></div></div><div></div></div><p>
+ The following parameters are available in smb.conf only if your
+ version of Samba was built with LDAP support. Samba automatically builds with LDAP support if the
+ LDAP libraries are found.
+ </p><p>LDAP related smb.conf options:
+ <a class="indexterm" name="id2906257"></a><i class="parameter"><tt>passdb backend</tt></i> = ldapsam:url,
+ <a class="indexterm" name="id2906272"></a><i class="parameter"><tt>ldap admin dn</tt></i>,
+ <a class="indexterm" name="id2906286"></a><i class="parameter"><tt>ldap delete dn</tt></i>,
+ <a class="indexterm" name="id2906300"></a><i class="parameter"><tt>ldap filter</tt></i>,
+ <a class="indexterm" name="id2906313"></a><i class="parameter"><tt>ldap group suffix</tt></i>,
+ <a class="indexterm" name="id2906327"></a><i class="parameter"><tt>ldap idmap suffix</tt></i>,
+ <a class="indexterm" name="id2906341"></a><i class="parameter"><tt>ldap machine suffix</tt></i>,
+ <a class="indexterm" name="id2906355"></a><i class="parameter"><tt>ldap passwd sync</tt></i>,
+ <a class="indexterm" name="id2906369"></a><i class="parameter"><tt>ldap ssl</tt></i>,
+ <a class="indexterm" name="id2906383"></a><i class="parameter"><tt>ldap suffix</tt></i>,
+ <a class="indexterm" name="id2906396"></a><i class="parameter"><tt>ldap user suffix</tt></i>,
+ </p><p>
+ These are described in the <tt class="filename">smb.conf</tt> man
+ page and so will not be repeated here. However, a sample <tt class="filename">smb.conf</tt> file for
+ use with an LDAP directory could appear as shown in <link linkend="confldapex">.
+ </p><p>
+</p><div class="example"><a name="confldapex"></a><p class="title"><b>Example 11.2. Configuration with LDAP</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = MORIA</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = NOLDOR</tt></i></td></tr><tr><td># ldap related parameters</td></tr><tr><td># define the DN to use when binding to the directory servers</td></tr><tr><td># The password for this DN is not stored in smb.conf. Rather it</td></tr><tr><td># must be set by using 'smbpasswd -w <i class="replaceable"><tt>secretpw</tt></i>' to store the</td></tr><tr><td># passphrase in the secrets.tdb file. If the "ldap admin dn" values</td></tr><tr><td># change, this password will need to be reset.</td></tr><tr><td><i class="parameter"><tt>ldap admin dn = "cn=Manager,ou=People,dc=quenya,dc=org"</tt></i></td></tr><tr><td># Define the SSL option when connecting to the directory</td></tr><tr><td># ('off', 'start tls', or 'on' (default))</td></tr><tr><td><i class="parameter"><tt>ldap ssl = start tls</tt></i></td></tr><tr><td># syntax: passdb backend = ldapsam:ldap://server-name[:port]</td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam:ldap://frodo.quenya.org</tt></i></td></tr><tr><td># smbpasswd -x delete the entire dn-entry</td></tr><tr><td><i class="parameter"><tt>ldap delete dn = no</tt></i></td></tr><tr><td># the machine and user suffix added to the base suffix</td></tr><tr><td># wrote WITHOUT quotes. NULL suffixes by default</td></tr><tr><td><i class="parameter"><tt>ldap user suffix = ou=People</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap machine suffix = ou=Computers</tt></i></td></tr><tr><td># Trust UNIX account information in LDAP</td></tr><tr><td># (see the smb.conf manpage for details)</td></tr><tr><td># specify the base DN to use when searching the directory</td></tr><tr><td><i class="parameter"><tt>ldap suffix = ou=People,dc=quenya,dc=org</tt></i></td></tr><tr><td># generally the default ldap search filter is ok</td></tr><tr><td><i class="parameter"><tt>ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))</tt></i></td></tr></table></div><p>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906668"></a>Accounts and Groups Management</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2906680"></a>
+<a class="indexterm" name="id2906689"></a>
+
+ As user accounts are managed through the sambaSamAccount objectclass, you should
+ modify your existing administration tools to deal with sambaSamAccount attributes.
+ </p><p>
+ Machine accounts are managed with the sambaSamAccount objectclass, just
+ like users accounts. However, it is up to you to store those accounts
+ in a different tree of your LDAP namespace. You should use
+ “<span class="quote">ou=Groups,dc=quenya,dc=org</span>” to store groups and
+ “<span class="quote">ou=People,dc=quenya,dc=org</span>” to store users. Just configure your
+ NSS and PAM accordingly (usually, in the <tt class="filename">/etc/openldap/sldap.conf</tt>
+ configuration file).
+ </p><p>
+ In Samba-3, the group management system is based on POSIX
+ groups. This means that Samba makes use of the posixGroup objectclass.
+ For now, there is no NT-like group system management (global and local
+ groups). Samba-3 knows only about <tt class="constant">Domain Groups</tt>
+ and, unlike MS Windows 2000 and Active Directory, Samba-3 does not
+ support nested groups.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906746"></a>Security and sambaSamAccount</h4></div></div><div></div></div><p>
+ There are two important points to remember when discussing the security
+ of sambaSamAccount entries in the directory.
+ </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Never</em></span> retrieve the lmPassword or
+ ntPassword attribute values over an unencrypted LDAP session.</p></li><li><p><span class="emphasis"><em>Never</em></span> allow non-admin users to
+ view the lmPassword or ntPassword attribute values.</p></li></ul></div><p>
+ These password hashes are cleartext equivalents and can be used to impersonate
+ the user without deriving the original cleartext strings. For more information
+ on the details of LM/NT password hashes, refer to the
+ <link linkend="passdb"> section of this chapter.
+ </p><p>
+ To remedy the first security issue, the <a class="indexterm" name="id2906805"></a><i class="parameter"><tt>ldap ssl</tt></i> <tt class="filename">smb.conf</tt> parameter defaults
+ to require an encrypted session (<a class="indexterm" name="id2906827"></a><i class="parameter"><tt>ldap ssl</tt></i> = on) using
+ the default port of <tt class="constant">636</tt>
+ when contacting the directory server. When using an OpenLDAP server, it
+ is possible to use the use the StartTLS LDAP extended operation in the place of
+ LDAPS. In either case, you are strongly discouraged to disable this security
+ (<a class="indexterm" name="id2906849"></a><i class="parameter"><tt>ldap ssl</tt></i> = off).
+ </p><p>
+ Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
+ extended operation. However, the OpenLDAP library still provides support for
+ the older method of securing communication between clients and servers.
+ </p><p>
+ The second security precaution is to prevent non-administrative users from
+ harvesting password hashes from the directory. This can be done using the
+ following ACL in <tt class="filename">slapd.conf</tt>:
+ </p><p>
+</p><pre class="programlisting">
+## allow the "ldap admin dn" access, but deny everyone else
+access to attrs=lmPassword,ntPassword
+ by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
+ by * none
+</pre><p>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906904"></a>LDAP Special Attributes for sambaSamAccounts</h4></div></div><div></div></div><p>
+ The sambaSamAccount objectclass is composed of the attributes shown in <link linkend="attribobjclPartA">, and <link linkend="attribobjclPartB">.
+ </p><p>
+ </p><div class="table"><a name="attribobjclPartA"></a><p class="title"><b>Table 11.1. Attributes in the sambaSamAccount objectclass (LDAP) Part A</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP) Part A" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><tt class="constant">sambaLMPassword</tt></td><td align="justify">The LANMAN password 16-byte hash stored as a character
+ representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaNTPassword</tt></td><td align="justify">The NT password hash 16-byte stored as a character
+ representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaPwdLastSet</tt></td><td align="justify">The integer time in seconds since 1970 when the
+ <tt class="constant">sambaLMPassword</tt> and <tt class="constant">sambaNTPassword</tt> attributes were last set.
+ </td></tr><tr><td align="left"><tt class="constant">sambaAcctFlags</tt></td><td align="justify">String of 11 characters surrounded by square brackets []
+ representing account flags such as U (user), W (workstation), X (no password expiration),
+ I (Domain trust account), H (Home dir required), S (Server trust account),
+ and D (disabled).</td></tr><tr><td align="left"><tt class="constant">sambaLogonTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaLogoffTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaKickoffTime</tt></td><td align="justify">Specifies the time (UNIX time format) when the user
+ will be locked down and cannot login any longer. If this attribute is ommited, then the account will never expire.
+ If you use this attribute together with `shadowExpire' of the `shadowAccount' objectClass, will enable accounts to
+ expire completly on an exact date.</td></tr><tr><td align="left"><tt class="constant">sambaPwdCanChange</tt></td><td align="justify">Specifies the time (UNIX time format) from which on the user is allowed to
+ change his password. If attribute is not set, the user will be free to change his password whenever he wants.</td></tr><tr><td align="left"><tt class="constant">sambaPwdMustChange</tt></td><td align="justify">Specifies the time (UNIX time format) since when the user is
+ forced to change his password. If this value is set to `0', the user will have to change his password at first login.
+ If this attribute is not set, then the password will never expire.</td></tr><tr><td align="left"><tt class="constant">sambaHomeDrive</tt></td><td align="justify">Specifies the drive letter to which to map the
+ UNC path specified by sambaHomePath. The drive letter must be specified in the form “<span class="quote">X:</span>”
+ where X is the letter of the drive to map. Refer to the “<span class="quote">logon drive</span>” parameter in the
+ smb.conf(5) man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaLogonScript</tt></td><td align="justify">The sambaLogonScript property specifies the path of
+ the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
+ is relative to the netlogon share. Refer to the <a class="indexterm" name="id2907136"></a><i class="parameter"><tt>logon script</tt></i> parameter in the
+ <tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaProfilePath</tt></td><td align="justify">Specifies a path to the user's profile.
+ This value can be a null string, a local absolute path, or a UNC path. Refer to the
+ <a class="indexterm" name="id2907170"></a><i class="parameter"><tt>logon path</tt></i> parameter in the <tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaHomePath</tt></td><td align="justify">The sambaHomePath property specifies the path of
+ the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies
+ a drive letter, sambaHomePath should be a UNC path. The path must be a network
+ UNC path of the form <tt class="filename">\\server\share\directory</tt>. This value can be a null string.
+ Refer to the <b class="command">logon home</b> parameter in the <tt class="filename">smb.conf</tt> man page for more information.
+ </td></tr></tbody></table></div><p>
+ </p><p>
+ </p><div class="table"><a name="attribobjclPartB"></a><p class="title"><b>Table 11.2. Attributes in the sambaSamAccount objectclass (LDAP) Part B</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP) Part B" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><tt class="constant">sambaUserWorkstations</tt></td><td align="justify">Here you can give a comma-seperated list of machines
+ on which the user is allowed to login. You may observe problems when you try to connect to an Samba Domain Member.
+ Bacause Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is ommited,
+ the default implies no restrictions.
+ </td></tr><tr><td align="left"><tt class="constant">sambaSID</tt></td><td align="justify">The security identifier(SID) of the user.
+ The Windows equivalent of UNIX UIDs.</td></tr><tr><td align="left"><tt class="constant">sambaPrimaryGroupSID</tt></td><td align="justify">The Security IDentifier (SID) of the primary group
+ of the user.</td></tr><tr><td align="left"><tt class="constant">sambaDomainName</tt></td><td align="justify">Domain the user is part of.</td></tr></tbody></table></div><p>
+ </p><p>
+ The majority of these parameters are only used when Samba is acting as a PDC of
+ a domain (refer to <link linkend="samba-pdc">, for details on
+ how to configure Samba as a Primary Domain Controller). The following four attributes
+ are only stored with the sambaSamAccount entry if the values are non-default values:
+ </p><div class="itemizedlist"><ul type="disc"><li>sambaHomePath</li><li>sambaLogonScript</li><li>sambaProfilePath</li><li>sambaHomeDrive</li></ul></div><p>
+ These attributes are only stored with the sambaSamAccount entry if
+ the values are non-default values. For example, assume MORIA has now been
+ configured as a PDC and that <a class="indexterm" name="id2907374"></a><i class="parameter"><tt>logon home</tt></i> = \\%L\%u was defined in
+ its <tt class="filename">smb.conf</tt> file. When a user named “<span class="quote">becky</span>” logons to the domain,
+ the <a class="indexterm" name="id2907399"></a><i class="parameter"><tt>logon home</tt></i> string is expanded to \\MORIA\becky.
+ If the smbHome attribute exists in the entry “<span class="quote">uid=becky,ou=People,dc=samba,dc=org</span>”,
+ this value is used. However, if this attribute does not exist, then the value
+ of the <a class="indexterm" name="id2907421"></a><i class="parameter"><tt>logon home</tt></i> parameter is used in its place. Samba
+ will only write the attribute value to the directory entry if the value is
+ something other than the default (e.g., <tt class="filename">\\MOBY\becky</tt>).
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907447"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div><div></div></div><p>
+ The following is a working LDIF that demonstrates the use of the SambaSamAccount objectclass:
+ </p><p>
+ </p><pre class="programlisting">
+ dn: uid=guest2, ou=People,dc=quenya,dc=org
+ sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7
+ sambaPwdMustChange: 2147483647
+ sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513
+ sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE
+ sambaPwdLastSet: 1010179124
+ sambaLogonTime: 0
+ objectClass: sambaSamAccount
+ uid: guest2
+ sambaKickoffTime: 2147483647
+ sambaAcctFlags: [UX ]
+ sambaLogoffTime: 2147483647
+ sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006
+ sambaPwdCanChange: 0
+ </pre><p>
+ </p><p>
+ The following is an LDIF entry for using both the sambaSamAccount and
+ posixAccount objectclasses:
+ </p><p>
+ </p><pre class="programlisting">
+ dn: uid=gcarter, ou=People,dc=quenya,dc=org
+ sambaLogonTime: 0
+ displayName: Gerald Carter
+ sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE
+ sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201
+ objectClass: posixAccount
+ objectClass: sambaSamAccount
+ sambaAcctFlags: [UX ]
+ userPassword: {crypt}BpM2ej8Rkzogo
+ uid: gcarter
+ uidNumber: 9000
+ cn: Gerald Carter
+ loginShell: /bin/bash
+ logoffTime: 2147483647
+ gidNumber: 100
+ sambaKickoffTime: 2147483647
+ sambaPwdLastSet: 1010179230
+ sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004
+ homeDirectory: /home/moria/gcarter
+ sambaPwdCanChange: 0
+ sambaPwdMustChange: 2147483647
+ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
+</pre><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907513"></a>Password Synchronization</h4></div></div><div></div></div><p>
+ Samba-3 and later can update the non-samba (LDAP) password stored with an account. When
+ using pam_ldap, this allows changing both UNIX and Windows passwords at once.
+ </p><p>The <a class="indexterm" name="id2907531"></a><i class="parameter"><tt>ldap passwd sync</tt></i> options can have the values shown in
+ <link linkend="ldappwsync">.</p><div class="table"><a name="ldappwsync"></a><p class="title"><b>Table 11.3. Possible <span class="emphasis"><em>ldap passwd sync</em></span> values</b></p><table summary="Possible ldap passwd sync values" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Value</th><th align="center">Description</th></tr></thead><tbody><tr><td align="left">yes</td><td align="justify"><p>When the user changes his password, update
+ <tt class="constant">ntPassword</tt>, <tt class="constant">lmPassword</tt>
+ and the <tt class="constant">password</tt> fields.</p></td></tr><tr><td align="left">no</td><td align="justify"><p>Only update <tt class="constant">ntPassword</tt> and <tt class="constant">lmPassword</tt>.</p></td></tr><tr><td align="left">only</td><td align="justify"><p>Only update the LDAP password and let the LDAP server worry about the other fields.
+ This option is only available on some LDAP servers. Only when the LDAP server
+ supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div><p>More information can be found in the <tt class="filename">smb.conf</tt> manpage.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2907687"></a>MySQL</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2907698"></a>
+ Every so often someone will come along with a great new idea. Storing user accounts in a
+ SQL backend is one of them. Those who want to do this are in the best position to know what the
+ specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
+ to document every little detail why certain things of marginal utility to the bulk of
+ Samba users might make sense to the rest. In any case, the following instructions should help
+ the determined SQL user to implement a working system.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907730"></a>Creating the Database</h4></div></div><div></div></div><p>
+ You can set up your own table and specify the field names to pdb_mysql (see below
+ for the column names) or use the default table. The file <tt class="filename">examples/pdb/mysql/mysql.dump</tt>
+ contains the correct queries to create the required tables. Use the command:
+
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>mysql -u<i class="replaceable"><tt>username</tt></i> -h<i class="replaceable"><tt>hostname</tt></i> -p<i class="replaceable"><tt>password</tt></i> \
+ <i class="replaceable"><tt>databasename</tt></i> < <tt class="filename">/path/to/samba/examples/pdb/mysql/mysql.dump</tt></tt></b>
+</pre><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2907797"></a>Configuring</h4></div></div><div></div></div><p>This plugin lacks some good documentation, but here is some brief infoormation. Add the following to the
+ <a class="indexterm" name="id2907808"></a><i class="parameter"><tt>passdb backend</tt></i> variable in your <tt class="filename">smb.conf</tt>:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>passdb backend = [other-plugins] mysql:identifier [other-plugins]</tt></i></td></tr></table><p>
+ </p><p>The identifier can be any string you like, as long as it does not collide with
+ the identifiers of other plugins or other instances of pdb_mysql. If you
+ specify multiple pdb_mysql.so entries in <a class="indexterm" name="id2907852"></a><i class="parameter"><tt>passdb backend</tt></i>, you also need to
+ use different identifiers.
+ </p><p>
+ Additional options can be given through the <tt class="filename">smb.conf</tt> file in the <i class="parameter"><tt>[global]</tt></i> section.
+ Refer to <link linkend="mysqlpbe">.
+ </p><div class="table"><a name="mysqlpbe"></a><p class="title"><b>Table 11.4. Basic smb.conf options for MySQL passdb backend</b></p><table summary="Basic smb.conf options for MySQL passdb backend" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Field</th><th align="justify">Contents</th></tr></thead><tbody><tr><td align="left">mysql host</td><td align="justify">Host name, defaults to `localhost'</td></tr><tr><td align="left">mysql password</td><td align="justify"> </td></tr><tr><td align="left">mysql user</td><td align="justify">Defaults to `samba'</td></tr><tr><td align="left">mysql database</td><td align="justify">Defaults to `samba'</td></tr><tr><td align="left">mysql port</td><td align="justify">Defaults to 3306</td></tr><tr><td align="left">table</td><td align="justify">Name of the table containing the users</td></tr></tbody></table></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Since the password for the MySQL user is stored in the <tt class="filename">smb.conf</tt> file, you should make the <tt class="filename">smb.conf</tt> file
+ readable only to the user who runs Samba. This is considered a security bug and will soon be fixed.
+ </p></div><p>Names of the columns are given in <link linkend="moremysqlpdbe">. The default column names can be found in the example table dump.
+ </p><p>
+ </p><div class="table"><a name="moremysqlpdbe"></a><p class="title"><b>Table 11.5. MySQL field names for MySQL passdb backend</b></p><table summary="MySQL field names for MySQL passdb backend" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Field</th><th align="left">Type</th><th align="justify">Contents</th></tr></thead><tbody><tr><td align="left">logon time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of last logon of user</td></tr><tr><td align="left">logoff time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of last logoff of user</td></tr><tr><td align="left">kickoff time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment user should be kicked off workstation (not enforced)</td></tr><tr><td align="left">pass last set time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment password was last set</td></tr><tr><td align="left">pass can change time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment from which password can be changed</td></tr><tr><td align="left">pass must change time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment on which password must be changed</td></tr><tr><td align="left">username column</td><td align="left">varchar(255)</td><td align="justify">UNIX username</td></tr><tr><td align="left">domain column</td><td align="left">varchar(255)</td><td align="justify">NT domain user belongs to</td></tr><tr><td align="left">nt username column</td><td align="left">varchar(255)</td><td align="justify">NT username</td></tr><tr><td align="left">fullname column</td><td align="left">varchar(255)</td><td align="justify">Full name of user</td></tr><tr><td align="left">home dir column</td><td align="left">varchar(255)</td><td align="justify">UNIX homedir path</td></tr><tr><td align="left">dir drive column</td><td align="left">varchar(2)</td><td align="justify">Directory drive path (e.g., “<span class="quote">H:</span>”)</td></tr><tr><td align="left">logon script column</td><td align="left">varchar(255)</td><td align="justify">Batch file to run on client side when logging on</td></tr><tr><td align="left">profile path column</td><td align="left">varchar(255)</td><td align="justify">Path of profile</td></tr><tr><td align="left">acct desc column</td><td align="left">varchar(255)</td><td align="justify">Some ASCII NT user data</td></tr><tr><td align="left">workstations column</td><td align="left">varchar(255)</td><td align="justify">Workstations user can logon to (or NULL for all)</td></tr><tr><td align="left">unknown string column</td><td align="left">varchar(255)</td><td align="justify">Unknown string</td></tr><tr><td align="left">munged dial column</td><td align="left">varchar(255)</td><td align="justify">Unknown</td></tr><tr><td align="left">user sid column</td><td align="left">varchar(255)</td><td align="justify">NT user SID</td></tr><tr><td align="left">group sid column</td><td align="left">varchar(255)</td><td align="justify">NT group SID</td></tr><tr><td align="left">lanman pass column</td><td align="left">varchar(255)</td><td align="justify">Encrypted lanman password</td></tr><tr><td align="left">nt pass column</td><td align="left">varchar(255)</td><td align="justify">Encrypted nt passwd</td></tr><tr><td align="left">plain pass column</td><td align="left">varchar(255)</td><td align="justify">Plaintext password</td></tr><tr><td align="left">acct ctrl column</td><td align="left">int(9)</td><td align="justify">NT user data</td></tr><tr><td align="left">unknown 3 column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr><tr><td align="left">logon divs column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr><tr><td align="left">hours len column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr><tr><td align="left">bad password count column</td><td align="left">int(5)</td><td align="justify">Number of failed password tries before disabling an account</td></tr><tr><td align="left">logon count column</td><td align="left">int(5)</td><td align="justify">Number of logon attempts</td></tr><tr><td align="left">unknown 6 column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr></tbody></table></div><p>
+ </p><p>
+ You can put a colon (:) after the name of each column, which
+ should specify the column to update when updating the table. You can also
+ specify nothing behind the colon. Then the field data will not be updated. Setting a column name to <i class="parameter"><tt>NULL</tt></i> means the field should not be used.
+ </p><p>An example configuration can be found in <link linkend="mysqlsam">.
+ </p><div class="example"><a name="mysqlsam"></a><p class="title"><b>Example 11.3. Example configuration for the MySQL passdb backend</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = mysql:foo</tt></i></td></tr><tr><td><i class="parameter"><tt>foo:mysql user = samba</tt></i></td></tr><tr><td><i class="parameter"><tt>foo:mysql password = abmas</tt></i></td></tr><tr><td><i class="parameter"><tt>foo:mysql database = samba</tt></i></td></tr><tr><td># domain name is static and can't be changed</td></tr><tr><td><i class="parameter"><tt>foo:domain column = 'MYWORKGROUP':</tt></i></td></tr><tr><td># The fullname column comes from several other columns</td></tr><tr><td><i class="parameter"><tt>foo:fullname column = CONCAT(firstname,' ',surname):</tt></i></td></tr><tr><td># Samba should never write to the password columns</td></tr><tr><td><i class="parameter"><tt>foo:lanman pass column = lm_pass:</tt></i></td></tr><tr><td><i class="parameter"><tt>foo:nt pass column = nt_pass:</tt></i></td></tr><tr><td># The unknown 3 column is not stored</td></tr><tr><td><i class="parameter"><tt>foo:unknown 3 column = NULL</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2908611"></a>Using Plaintext Passwords or Encrypted Password</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2908623"></a>
+ I strongly discourage the use of plaintext passwords, however, you can use them.
+ </p><p>
+ If you would like to use plaintext passwords, set
+ `identifier:lanman pass column' and `identifier:nt pass column' to
+ `NULL' (without the quotes) and `identifier:plain pass column' to the
+ name of the column containing the plaintext passwords.
+ </p><p>
+ If you use encrypted passwords, set the 'identifier:plain pass
+ column' to 'NULL' (without the quotes). This is the default.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2908650"></a>Getting Non-Column Data from the Table</h4></div></div><div></div></div><p>
+ It is possible to have not all data in the database by making some `constant'.
+ </p><p>
+ For example, you can set `identifier:fullname column' to
+ something like <b class="command">CONCAT(Firstname,' ',Surname)</b>
+ </p><p>
+ Or, set `identifier:workstations column' to:
+ <b class="command">NULL</b></p><p>See the MySQL documentation for more language constructs.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="XMLpassdb"></a>XML</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2908711"></a>
+ This module requires libxml2 to be installed.</p><p>The usage of pdb_xml is fairly straightforward. To export data, use:
+ </p><p>
+<a class="indexterm" name="id2908732"></a>
+ <tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -e xml:filename</tt></b>
+ </p><p>
+ (where filename is the name of the file to put the data in)
+ </p><p>
+ To import data, use:
+ <tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -i xml:filename</tt></b>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2908781"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908788"></a>Users Cannot Logon</h3></div></div><div></div></div><p>“<span class="quote">I've installed Samba, but now I can't log on with my UNIX account! </span>”</p><p>Make sure your user has been added to the current Samba <a class="indexterm" name="id2908806"></a><i class="parameter"><tt>passdb backend</tt></i>. Read the section <link linkend="acctmgmttools"> for details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908830"></a>Users Being Added to the Wrong Backend Database</h3></div></div><div></div></div><p>
+ A few complaints have been received from users that just moved to Samba-3. The following
+ <tt class="filename">smb.conf</tt> file entries were causing problems, new accounts were being added to the old
+ smbpasswd file, not to the tdbsam passdb.tdb file:
+ </p><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>passdb backend = smbpasswd, tdbsam</tt></i></td></tr><tr><td>...</td></tr></table><p>
+ </p><p>
+ Samba will add new accounts to the first entry in the <span class="emphasis"><em>passdb backend</em></span>
+ parameter entry. If you want to update to the tdbsam, then change the entry to:
+ </p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>passdb backend = tdbsam, smbpasswd</tt></i></td></tr></table><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2908922"></a>Configuration of <i class="parameter"><tt>auth methods</tt></i></h3></div></div><div></div></div><p>
+ When explicitly setting an <a class="indexterm" name="id2908940"></a><i class="parameter"><tt>auth methods</tt></i> parameter,
+ <i class="parameter"><tt>guest</tt></i> must be specified as the first entry on the line,
+ for example, <a class="indexterm" name="id2908962"></a><i class="parameter"><tt>auth methods</tt></i> = guest sam.
+ </p><p>
+ This is the exact opposite of the requirement for the <a class="indexterm" name="id2908981"></a><i class="parameter"><tt>passdb backend</tt></i>
+ option, where it must be the <span class="emphasis"><em>LAST</em></span> parameter on the line.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 10. Network Browsing </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Group Mapping MS Windows and UNIX</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Legal Notice</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="pr02.html" title="Attributions"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Legal Notice</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2817733"></a>Legal Notice</h2></div></div><div></div></div><p>
+This documentation is distributed under the GNU General Public License (GPL)
+version 2. A copy of the license is included with the Samba source
+distribution. A copy can be found on-line at <ulink url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt</ulink>
+</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="index.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pr02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAMBA Project Documentation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Attributions</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Attributions</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="pr01.html" title="Legal Notice"><link rel="next" href="introduction.html" title="Part I. General Installation"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Attributions</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr></table><hr></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="id2817756"></a>Attributions</h2></div></div><div></div></div><p><link linkend="IntroSMB"></p><div class="itemizedlist"><ul type="disc"><li><p>David Lechnyr <<ulink url="mailto:david@lechnyr.com">david@lechnyr.com</ulink>></p></li></ul></div><p><link linkend="install"></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Karl Auer <<ulink url="mailto:kauer@biplane.com.au">kauer@biplane.com.au</ulink>></p></li><li><p>Dan Shearer <<ulink url="mailto:dan@samba.org">dan@samba.org</ulink>></p></li></ul></div><p><link linkend="FastStart"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="ServerType"></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="samba-pdc"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li><li><p>David Bannon <<ulink url="mailto:dbannon@samba.org">dbannon@samba.org</ulink>></p></li><li><p>Guenther Deschner <<ulink url="mailto:gd@suse.de">gd@suse.de</ulink>> (LDAP updates) </p></li></ul></div><p><link linkend="samba-bdc"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Volker Lendecke <<ulink url="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</ulink>></p></li><li><p>Guenther Deschner <<ulink url="mailto:gd@suse.de">gd@suse.de</ulink>> (LDAP updates) </p></li></ul></div><p><link linkend="domain-member"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Jeremy Allison <<ulink url="mailto:jra@samba.org">jra@samba.org</ulink>></p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>Guenther Deschner <<ulink url="mailto:gd@suse.de">gd@suse.de</ulink>> (LDAP updates) </p></li></ul></div><p><link linkend="StandAloneServer"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="ClientConfig"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="NetworkBrowsing"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li></ul></div><p><link linkend="passdb"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li><li><p>Jeremy Allison <<ulink url="mailto:jra@samba.org">jra@samba.org</ulink>></p></li><li><p>Guenther Deschner <<ulink url="mailto:gd@suse.de">gd@suse.de</ulink>> (LDAP updates) </p></li><li><p>Olivier (lem) Lemaire <<ulink url="mailto:olem@IDEALX.org">olem@IDEALX.org</ulink>></p></li></ul></div><p><link linkend="groupmapping"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Jean François Micouleau</p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li></ul></div><p><link linkend="AccessControls"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Jeremy Allison <<ulink url="mailto:jra@samba.org">jra@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>> (drawing) </p></li></ul></div><p><link linkend="locking"></p><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<ulink url="mailto:jra@samba.org">jra@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Eric Roseme <<ulink url="mailto:eric.roseme@hp.com">eric.roseme@hp.com</ulink>></p></li></ul></div><p><link linkend="securing-samba"></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="InterdomainTrusts"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Rafal Szczesniak <<ulink url="mailto:mimir@samba.org">mimir@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>> (drawing) </p></li><li><p>Stephen Langasek <<ulink url="mailto:vorlon@netexpress.net">vorlon@netexpress.net</ulink>></p></li></ul></div><p><link linkend="msdfs"></p><div class="itemizedlist"><ul type="disc"><li><p>Shirish Kalele <<ulink url="mailto:samba@samba.org">samba@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="printing"></p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<ulink url="mailto:kpfeifle@danka.de">kpfeifle@danka.de</ulink>></p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="CUPS-printing"></p><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<ulink url="mailto:kpfeifle@danka.de">kpfeifle@danka.de</ulink>></p></li><li><p>Ciprian Vizitiu <<ulink url="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</ulink>> (drawings) </p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>> (drawings) </p></li></ul></div><p><link linkend="VFS"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Tim Potter <<ulink url="mailto:tpot@samba.org">tpot@samba.org</ulink>></p></li><li><p>Simo Sorce (original vfs_skel README) </p></li><li><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li><p>Stefan Metzmacher (Update for multiple modules) </p></li></ul></div><p><link linkend="winbind"></p><div class="itemizedlist"><ul type="disc"><li><p>Tim Potter <<ulink url="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</ulink>></p></li><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>Naag Mummaneni <<ulink url="mailto:getnag@rediffmail.com">getnag@rediffmail.com</ulink>> (Notes for Solaris) </p></li><li><p>John Trostel <<ulink url="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="AdvancedNetworkManagement"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="PolicyMgmt"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="ProfileMgmt"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="pam"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Stephen Langasek <<ulink url="mailto:vorlon@netexpress.net">vorlon@netexpress.net</ulink>></p></li></ul></div><p><link linkend="integrate-ms-networks"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="unicode"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>TAKAHASHI Motonobu <<ulink url="mailto:monyo@home.monyo.com">monyo@home.monyo.com</ulink>></p></li></ul></div><p><link linkend="Backup"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="SambaHA"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="upgrading-to-3.0"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li></ul></div><p><link linkend="NT4Migration"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="SWAT"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="diagnosis"></p><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>Dan Shearer <<ulink url="mailto:dan@samba.org">dan@samba.org</ulink>></p></li></ul></div><p><link linkend="problems"></p><div class="itemizedlist"><ul type="disc"><li><p>Gerald (Jerry) Carter <<ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>David Bannon <<ulink url="mailto:dbannon@samba.org">dbannon@samba.org</ulink>></p></li><li><p>Dan Shearer <<ulink url="mailto:dan@samba.org">dan@samba.org</ulink>></p></li></ul></div><p><link linkend="bugreport"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li></ul></div><p><link linkend="compiling"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Andrew Tridgell <<ulink url="mailto:tridge@samba.org">tridge@samba.org</ulink>></p></li></ul></div><p><link linkend="Portability"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="Other-Clients"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li><li><p>Dan Shearer <<ulink url="mailto:dan@samba.org">dan@samba.org</ulink>></p></li><li><p>Jim McDonough <<ulink url="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</ulink>> (OS/2) </p></li></ul></div><p><link linkend="speed"></p><div class="itemizedlist"><ul type="disc"><li><p>Paul Cochrane <<ulink url="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</ulink>></p></li><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="DNSDHCP"></p><div class="itemizedlist"><ul type="disc"><li><p>John H. Terpstra <<ulink url="mailto:jht@samba.org">jht@samba.org</ulink>></p></li></ul></div><p><link linkend="Further-Resources"></p><div class="itemizedlist"><ul type="disc"><li><p>Jelmer R. Vernooij <<ulink url="mailto:jelmer@samba.org">jelmer@samba.org</ulink>></p></li></ul></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="pr01.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Legal Notice </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part I. General Installation</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 18. Classical Printing Support</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"><link rel="next" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 18. Classical Printing Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="printing"></a>Chapter 18. Classical Printing Support</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="printing.html#id2920666">Features and Benefits</a></dt><dt><a href="printing.html#id2920765">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2920831">Client to Samba Print Job Processing</a></dt><dt><a href="printing.html#id2920903">Printing Related Configuration Parameters</a></dt></dl></dd><dt><a href="printing.html#id2920998">Simple Print Configuration</a></dt><dd><dl><dt><a href="printing.html#id2921211">Verifing Configuration with testparm</a></dt><dt><a href="printing.html#id2921327">Rapid Configuration Validation</a></dt></dl></dd><dt><a href="printing.html#id2921667">Extended Printing Configuration</a></dt><dd><dl><dt><a href="printing.html#id2922020">Detailed Explanation Settings</a></dt></dl></dd><dt><a href="printing.html#id2924414">Printing Developments Since Samba-2.2</a></dt><dd><dl><dt><a href="printing.html#id2924566">Point'n'Print Client Drivers on Samba Servers</a></dt><dt><a href="printing.html#id2924710">The Obsoleted [printer$] Section</a></dt><dt><a href="printing.html#id2924810">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2925021">[print$] Section Parameters</a></dt><dt><a href="printing.html#id2925355">The [print$] Share Directory</a></dt></dl></dd><dt><a href="printing.html#id2925525">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2925644">Add Printer Wizard Driver Installation</a></dt><dt><a href="printing.html#inst-rpc">Installing Print Drivers Using rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2927518">Client Driver Installation Procedure</a></dt><dd><dl><dt><a href="printing.html#id2927537">First Client Driver Installation</a></dt><dt><a href="printing.html#id2927769">Setting Device Modes on New Printers</a></dt><dt><a href="printing.html#id2928112">Additional Client Driver Installation</a></dt><dt><a href="printing.html#id2928220">Always Make First Client Connection as root or printer admin</a></dt></dl></dd><dt><a href="printing.html#id2928404">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2928430">Setting Default Print Options for Client Drivers</a></dt><dt><a href="printing.html#id2928854">Supporting Large Numbers of Printers</a></dt><dt><a href="printing.html#id2929151">Adding New Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2929458">Error Message: Cannot connect under a different Name</a></dt><dt><a href="printing.html#id2929564">Take Care When Assembling Driver Files</a></dt><dt><a href="printing.html#id2929923">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2930008">Avoiding Common Client Driver Misconfiguration</a></dt></dl></dd><dt><a href="printing.html#id2930033">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2930071">What is Imprints?</a></dt><dt><a href="printing.html#id2930113">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2930132">The Imprints Server</a></dt><dt><a href="printing.html#id2930153">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2930314">Adding Network Printers without User Interaction</a></dt><dt><a href="printing.html#id2930639">The addprinter Command</a></dt><dt><a href="printing.html#id2930686">Migration of Classical Printing to Samba</a></dt><dt><a href="printing.html#id2930861">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2930884">Common Errors</a></dt><dd><dl><dt><a href="printing.html#id2930892">I Give My Root Password but I Do Not Get Access</a></dt><dt><a href="printing.html#id2930943">My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920666"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Printing is often a mission-critical service for the users. Samba can
+provide this service reliably and seamlessly for a client network
+consisting of Windows workstations.
+</p><p>
+A Samba print service may be run on a Stand-alone or Domain Member server,
+side by side with file serving functions, or on a dedicated print server.
+It can be made as tight or as loosely secured as needs dictate. Configurations
+may be simple or complex. Available authentication schemes are essentially
+the same as described for file services in previous chapters. Overall,
+Samba's printing support is now able to replace an NT or Windows 2000
+print server full-square, with additional benefits in many cases. Clients
+may download and install drivers and printers through their familiar
+“<span class="quote">Point'n'Print</span>” mechanism. Printer installations executed by
+“<span class="quote">Logon Scripts</span>” are no problem. Administrators can upload and
+manage drivers to be used by clients through the familiar “<span class="quote">Add Printer
+Wizard</span>”. As an additional benefit, driver and printer management may
+be run from the command line or through scripts, making it more efficient
+in case of large numbers of printers. If a central accounting of print jobs
+(tracking every single page and supplying the raw data for all sorts of
+statistical reports) is required, this function is best supported by
+the newer Common UNIX Printing System (CUPS)
+as the print subsystem underneath the Samba hood.
+</p><p>
+This chapter deals with the foundations of Samba printing as they
+are implemented by the more traditional UNIX (BSD- and System V-style)
+printing systems. Many things covered in this chapter apply also to CUPS.
+If you use CUPS, you may be tempted
+to jump to the next chapter but you will certainly miss a few things if
+you do. It is recommended that you read this chapter as well as <link linkend="CUPS-printing">.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Most of the following examples have been verified on Windows XP
+Professional clients. Where this document describes the responses to
+commands given, bear in mind that Windows 200x/XP clients are quite
+similar, but may differ in minor details. Windows NT is somewhat different
+again.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920765"></a>Technical Introduction</h2></div></div><div></div></div><p>
+Samba's printing support always relies on the installed print subsystem
+of the UNIX OS it runs on. Samba is a “<span class="quote">middleman.</span>” It takes
+print files from Windows (or other SMB) clients and passes them to the real
+printing system for further processing, therefore, it needs to communicate with
+both sides: the Windows print clients and the UNIX printing system. Hence, we
+must differentiate between the various client OS types, each of which behave
+differently, as well as the various UNIX print subsystems, which themselves
+have different features and are accessed differently.
+</p><p>
+This deals with the traditional way of UNIX printing. The next chapter
+covers in great detail the more modern <span class="emphasis"><em>Common UNIX Printing
+System</em></span> (CUPS).
+</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>CUPS users, be warned: do not just jump on to the next
+chapter. You might miss important information only found here!
+</p></div><p>
+It is apparent from postings on the Samba mailing list that print configuration
+is one of the most problematic aspects of Samba administration today. Many
+new Samba administrators have the impression that Samba performs some sort
+of print processing. Rest assured, Samba does not peform any type of print
+processing. It does not do any form of print filtering.
+</p><p>
+Samba obtains from its clients a data stream (print job) that it spools to a
+local spool area. When the entire print job has been received, Samba invokes
+a local UNIX/Linux print command and passes the spooled file to it. It is
+up to the local system printing subsystems to correctly process the print
+job and to submit it to the printer.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920831"></a>Client to Samba Print Job Processing</h3></div></div><div></div></div><p>
+Successful printing from a Windows client via a Samba print server to a UNIX
+printer involves six (potentially seven) stages:
+</p><div class="orderedlist"><ol type="1"><li><p>Windows opens a connection to the printer share.</p></li><li><p>Samba must authenticate the user.</p></li><li><p>Windows sends a copy of the print file over the network
+into Samba's spooling area.</p></li><li><p>Windows closes the connection.</p></li><li><p>Samba invokes the print command to hand the file over
+to the UNIX print subsystem's spooling area.</p></li><li><p>The UNIX print subsystem processes the print job.</p></li><li><p>The print file may need to be explicitly deleted
+from the Samba spooling area. This item depends on your print spooler
+configuration settings.</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920903"></a>Printing Related Configuration Parameters</h3></div></div><div></div></div><p>
+There are a number of configuration parameters to control Samba's
+printing behavior. Please refer to the man page for <tt class="filename">smb.conf</tt> for an
+overview of these. As with other parameters, there are Global Level
+(tagged with a <span class="emphasis"><em>G</em></span> in the listings) and Service Level
+(<span class="emphasis"><em>S</em></span>) parameters.
+</p><div class="variablelist"><dl><dt><span class="term">Global Parameters</span></dt><dd><p> These <span class="emphasis"><em>may not</em></span> go into
+ individual share definitions. If they go in by error,
+ the <b class="command">testparm</b> utility can discover this
+ (if you run it) and tell you so.
+ </p></dd><dt><span class="term">Service Level Parameters</span></dt><dd><p> These may be specified in the
+ <i class="parameter"><tt>[global]</tt></i> section of <tt class="filename">smb.conf</tt>.
+ In this case they define the default behavior of all individual
+ or service level shares (provided they do not have a different
+ setting defined for the same parameter, thus overriding the
+ global default).
+ </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920998"></a>Simple Print Configuration</h2></div></div><div></div></div><p>
+<link linkend="simpleprc"> shows a simple printing configuration.
+If you compare this with your own, you may find
+additional parameters that have been pre-configured by your OS
+vendor. Below is a discussion and explanation of the
+parameters. This example does not use many parameters.
+However, in many environments these are enough to provide a valid
+<tt class="filename">smb.conf</tt> file that enables all clients to print.
+</p><p>
+</p><div class="example"><a name="simpleprc"></a><p class="title"><b>Example 18.1. Simple configuration with BSD printing</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = bsd</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no</tt></i></td></tr></table></div><p>
+This is only an example configuration. Samba assigns default values to
+all configuration parameters. The defaults are conservative
+and sensible. When a parameter is specified in the <tt class="filename">smb.conf</tt> file, this
+overwrites the default value. The <b class="command">testparm</b> utility when
+run as root is capable of reporting all setting, both default as well as
+<tt class="filename">smb.conf</tt> file settings. <b class="command">Testparm</b> gives warnings for all
+misconfigured settings. The complete output is easily 340 lines and more,
+so you may want to pipe it through a pager program.
+</p><p>
+The syntax for the configuration file is easy to grasp. You should
+know that is not very picky about its syntax. As has been explained
+elsewhere in this document, Samba tolerates some spelling errors (such
+as <a class="indexterm" name="id2921166"></a><i class="parameter"><tt>browsable</tt></i> instead of
+<a class="indexterm" name="id2921181"></a><i class="parameter"><tt>browseable</tt></i>), and spelling is
+case-insensitive. It is permissible to use <i class="parameter"><tt>Yes/No</tt></i>
+or <i class="parameter"><tt>True/False</tt></i> for Boolean settings. Lists of names
+may be separated by commas, spaces or tabs.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921211"></a>Verifing Configuration with <b class="command">testparm</b></h3></div></div><div></div></div><p>
+To see all (or at least most) printing-related settings in Samba, including
+the implicitly used ones, try the command outlined below. This command greps
+for all occurrences of <tt class="constant">lp, print, spool, driver, ports</tt>
+and <tt class="constant">[</tt> in testparms output. This provides a convenient
+overview of the running <b class="command">smbd</b> print configuration. This
+command does not show individually created printer shares or the spooling
+paths they may use. Here is the output of my Samba setup, with settings
+shown in <link linkend="simpleprc">:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -s -v | egrep "(lp|print|spool|driver|ports|\[)"</tt></b>
+ Load smb config files from /etc/samba/smb.conf
+ Processing section "[homes]"
+ Processing section "[printers]"
+
+ [global]
+ smb ports = 445 139
+ lpq cache time = 10
+ total print jobs = 0
+ load printers = Yes
+ printcap name = /etc/printcap
+ disable spoolss = No
+ enumports command =
+ addprinter command =
+ deleteprinter command =
+ show add printer wizard = Yes
+ os2 driver map =
+ printer admin =
+ min print space = 0
+ max print jobs = 1000
+ printable = No
+ printing = bsd
+ print command = lpr -r -P'%p' %s
+ lpq command = lpq -P'%p'
+ lprm command = lprm -P'%p' %j
+ lppause command =
+ lpresume command =
+ printer name =
+ use client driver = No
+
+ [homes]
+
+ [printers]
+ path = /var/spool/samba
+ printable = Yes
+</pre><p>
+</p><p>
+You can easily verify which settings were implicitly added by Samba's
+default behavior. <span class="emphasis"><em>Remember: it may
+be important in your future dealings with Samba.</em></span>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> testparm in Samba-3 behaves differently from that in 2.2.x: used
+without the “<span class="quote">-v</span>” switch it only shows you the settings actually
+written into! To see the complete
+configuration used, add the “<span class="quote">-v</span>” parameter to testparm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921327"></a>Rapid Configuration Validation</h3></div></div><div></div></div><p>
+Should you need to troubleshoot at any stage, please always come back
+to this point first and verify if <b class="command">testparm</b> shows the parameters you
+expect. To give you a warning from personal experience,
+try to just comment out the <a class="indexterm" name="id2921350"></a><i class="parameter"><tt>load printers</tt></i>
+parameter. If your 2.2.x system behaves like mine, you'll see this:
+</p><pre class="screen">
+<tt class="prompt">root# </tt>grep "load printers" /etc/samba/smb.conf
+ # load printers = Yes
+ # This setting is commented out!!
+
+<tt class="prompt">root# </tt>testparm -v /etc/samba/smb.conf | egrep "(load printers)"
+ load printers = Yes
+</pre><p>
+I assumed that commenting out of this setting should prevent Samba from
+publishing my printers, but it still did. It took some time to figure out
+the reason. But I am no longer fooled ... at least not by this.
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>grep -A1 "load printers" /etc/samba/smb.conf</tt></b>
+ load printers = No
+ # The above setting is what I want!
+ # load printers = Yes
+ # This setting is commented out!
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -s -v smb.conf.simpleprinting | egrep "(load printers)"</tt></b>
+ load printers = No
+
+</pre><p>
+Only when the parameter is explicitly set to
+<a class="indexterm" name="id2921441"></a><i class="parameter"><tt>load printers</tt></i> = No
+would Samba conform with my intentions. So, my strong advice is:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Never rely on commented out parameters.</p></li><li><p>Always set parameters explicitly as you intend them to
+behave.</p></li><li><p>Use <b class="command">testparm</b> to uncover hidden
+settings that might not reflect your intentions.</p></li></ul></div><p>
+The following is the most minimal configuration file:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cat /etc/samba/smb.conf-minimal</tt></b>
+ [printers]
+</pre><p>
+This example should show that you can use testparm to test any Samba
+configuration file. Actually, we encourage you <span class="emphasis"><em>not</em></span>
+to change your working system (unless you know exactly what you are
+doing). Don't rely on the assumption that changes will only take effect after
+you re-start smbd! This is not the case. Samba re-reads it every 60 seconds
+and on each new client connection. You might have to face changes for your
+production clients that you didn't intend to apply. You will now
+note a few more interesting things; <b class="command">testparm</b> is useful to
+identify what the Samba print configuration would be if you used this minimalistic
+configuration. Here is what you can expect to find:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>testparm -v smb.conf-minimal | egrep "(print|lpq|spool|driver|ports|[)"</tt></b>
+ Processing section "[printers]"
+ WARNING: [printers] service MUST be printable!
+ No path in service printers - using /tmp
+
+ lpq cache time = 10
+ total print jobs = 0
+ load printers = Yes
+ printcap name = /etc/printcap
+ disable spoolss = No
+ enumports command =
+ addprinter command =
+ deleteprinter command =
+ show add printer wizard = Yes
+ os2 driver map =
+ printer admin =
+ min print space = 0
+ max print jobs = 1000
+ printable = No
+ printing = bsd
+ print command = lpr -r -P%p %s
+ lpq command = lpq -P%p
+ printer name =
+ use client driver = No
+
+ [printers]
+ printable = Yes
+
+</pre><p>
+testparm issued two warnings:
+</p><div class="itemizedlist"><ul type="disc"><li><p>We did not specify the <i class="parameter"><tt>[printers]</tt></i> section as printable.</p></li><li><p>We did not tell Samba which spool directory to use.</p></li></ul></div><p>
+However, this was not fatal and Samba will default to values that will
+work. Please, do not rely on this and do not use this example. This was
+included to encourage you to be careful to design and specify your setup to do
+precisely what you require. The outcome on your system may vary for some
+parameters given, since Samba may have been built with different compile-time
+options. <span class="emphasis"><em>Warning:</em></span> do not put a comment sign
+<span class="emphasis"><em>at the end</em></span> of a valid line. It will cause the parameter
+to be ignored (just as if you had put the comment sign at the front). At first
+I regarded this as a bug in my Samba versions. But the man page clearly says:
+“<span class="quote">Internal whitespace in a parameter value is retained verbatim.</span>”
+This means that a line consisting of, for example:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td># This defines LPRng as the printing system</td></tr><tr><td><i class="parameter"><tt>printing = lprng</tt></i></td></tr></table><p>
+will regard the whole of the string after the
+“<span class="quote"><tt class="constant">=</tt></span>” sign as the value you want to
+define. This is an invalid value that will be ignored and a default
+value will be
+used in its place.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921667"></a>Extended Printing Configuration</h2></div></div><div></div></div><p>
+In <link linkend="extbsdpr"> we show a more verbose example configuration
+for print-related settings in a BSD-style printing environment. What follows
+is a discussion and explanation of the various parameters. We chose to
+use BSD-style printing here because it is still the most commonly used
+system on legacy UNIX/Linux installations. New installations predominantly
+use CUPS, which is discussed in a separate chapter. <link linkend="extbsdpr"> explicitly
+names many parameters that do not need to be specified because they are set
+by default. You could use a much leaner <tt class="filename">smb.conf</tt> file. Alternately, you can use
+<b class="command">testparm</b> or <b class="command">SWAT</b> to optimize the <tt class="filename">smb.conf</tt>
+file to remove all parameters that are set at default.
+</p><div class="example"><a name="extbsdpr"></a><p class="title"><b>Example 18.2. Extended BSD Printing Configuration</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>printing = bsd</tt></i></td></tr><tr><td><i class="parameter"><tt>load printers = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>show add printer wizard = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printcap name = /etc/printcap</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = @ntadmin, root</tt></i></td></tr><tr><td><i class="parameter"><tt>total print jobs = 100</tt></i></td></tr><tr><td><i class="parameter"><tt>lpq cache time = 20</tt></i></td></tr><tr><td><i class="parameter"><tt>use client driver = no</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = All Printers</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>public = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writable = no </tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[my_printer_name]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer with Restricted Access</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/spool/samba_my_printer</tt></i></td></tr><tr><td><i class="parameter"><tt>printer admin = kurt</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>printable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>writeable = no</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = 0.0.0.0</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = no</tt></i></td></tr></table></div><p>
+This is an example configuration. You may not find all the settings that are in
+the confioguration file that was provided by the OS vendor. Samba configuration
+parameters, if not explicitly set default to a sensible value.
+To see all settings, as <tt class="constant">root</tt> use the <b class="command">testparm</b>
+utility. <b class="command">testparm</b> gives warnings for misconfigured settings.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922020"></a>Detailed Explanation Settings</h3></div></div><div></div></div><p>
+The following is a discussion of the settings from above shown example.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922033"></a>The [global] Section</h4></div></div><div></div></div><p>
+The <i class="parameter"><tt>[global]</tt></i> section is one of four special
+sections (along with [<i class="parameter"><tt>[homes]</tt></i>,
+<i class="parameter"><tt>[printers]</tt></i>
+and <i class="parameter"><tt>[print$]</tt></i>...). The
+<i class="parameter"><tt>[global]</tt></i> contains all parameters which apply
+to the server as a whole. It is the place for parameters that have only a
+global meaning. It may also contain service level parameters that then define
+default settings for all other sections and shares. This way you can simplify
+the configuration and avoid setting the same value repeatedly. (Within each
+individual section or share you may, however, override these globally set
+share settings and specify other values).
+</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2922094"></a><i class="parameter"><tt>printing</tt></i> = bsd </span></dt><dd><p>Causes Samba to use default print commands
+ applicable for the BSD (also known as RFC 1179 style or LPR/LPD) printing
+ system. In general, the <i class="parameter"><tt>printing</tt></i> parameter informs Samba about the
+ print subsystem it should expect. Samba supports CUPS, LPD, LPRNG,
+ SYSV, HPUX, AIX, QNX, and PLP. Each of these systems defaults to a
+ different <a class="indexterm" name="id2922127"></a><i class="parameter"><tt>print command</tt></i> (and other queue control
+ commands).</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <a class="indexterm" name="id2922147"></a><i class="parameter"><tt>printing</tt></i> parameter is
+ normally a service level parameter. Since it is included here in the
+ <i class="parameter"><tt>[global]</tt></i> section, it will take effect for all
+ printer shares that are not defined differently. Samba-3 no longer
+ supports the SOFTQ printing system.</p></div></dd><dt><span class="term"><a class="indexterm" name="id2922176"></a><i class="parameter"><tt>load printers</tt></i> = yes </span></dt><dd><p>Tells Samba to create automatically all
+ available printer shares. Available printer shares are discovered by
+ scanning the printcap file. All created printer shares are also loaded
+ for browsing. If you use this parameter, you do not need to specify
+ separate shares for each printer. Each automatically created printer
+ share will clone the configuration options found in the
+ <i class="parameter"><tt>[printers]</tt></i> section. (The <i class="parameter"><tt>load printers
+ = no</tt></i> setting will allow you to specify each UNIX printer
+ you want to share separately, leaving out some you do not want to be
+ publicly visible and available).</p></dd><dt><span class="term"><a class="indexterm" name="id2922227"></a><i class="parameter"><tt>show add printer wizard</tt></i> = yes </span></dt><dd><p>Setting is normally enabled by default (even if the parameter is not specified in <tt class="filename">smb.conf</tt>).
+ It causes the <span class="guiicon">Add Printer Wizard</span> icon to appear
+ in the <span class="guiicon">Printers</span> folder of the Samba host's
+ share listing (as shown in <span class="guiicon">Network Neighborhood</span> or
+ by the <b class="command">net view</b> command). To disable it, you need to
+ explicitly set it to <tt class="constant">no</tt> (commenting it out
+ will not suffice). The <i class="parameter"><tt>Add Printer Wizard</tt></i> lets you upload printer
+ drivers to the <i class="parameter"><tt>[print$]</tt></i> share and associate it
+ with a printer (if the respective queue exists before the
+ action), or exchange a printer's driver against any other previously
+ uploaded driver.</p></dd><dt><span class="term"><a class="indexterm" name="id2922312"></a><i class="parameter"><tt>total print jobs</tt></i> = 100 </span></dt><dd><p>Sets the upper limit to 100 print jobs
+ being active on the Samba server at any one time. Should a client
+ submit a job that exceeds this number, a “<span class="quote">no more space
+ available on server</span>” type of error message will be returned by
+ Samba to the client. A setting of zero (the default) means there is
+ <span class="emphasis"><em>no</em></span> limit at all.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922350"></a><i class="parameter"><tt>printcap name</tt></i> = /etc/printcap </span></dt><dd><p>Tells Samba where to look for a list of
+ available printer names. Where CUPS is used, make sure that a printcap
+ file is written. This is controlled by the <tt class="constant">Printcap</tt> directive in the
+ <tt class="filename">cupsd.conf</tt> file.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922389"></a><i class="parameter"><tt>printer admin</tt></i> = @ntadmin </span></dt><dd><p>Members of the ntadmin group should be able to add
+ drivers and set printer properties (<tt class="constant">ntadmin</tt> is only an example name,
+ it needs to be a valid UNIX group name); root is implicitly always a
+ <a class="indexterm" name="id2922416"></a><i class="parameter"><tt>printer admin</tt></i>. The @ sign precedes group names in the
+ <tt class="filename">/etc/group</tt>. A printer admin can do anything to
+ printers via the remote administration interfaces offered by MS-RPC
+ (see below). In larger installations, the <a class="indexterm" name="id2922440"></a><i class="parameter"><tt>printer admin</tt></i>
+ parameter is normally a per-share parameter. This permits different groups to administer each printer share.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922460"></a><i class="parameter"><tt>lpq cache time</tt></i> = 20 </span></dt><dd><p>Controls the cache time for the results of the
+ lpq command. It prevents the lpq command being called too often and
+ reduces the load on a heavily used print server.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922487"></a><i class="parameter"><tt>use client driver</tt></i> = no </span></dt><dd><p>If set to <tt class="constant">yes</tt>, only
+ takes effect for Windows NT/200x/XP clients (and not for Win 95/98/ME). Its
+ default value is <tt class="constant">No</tt> (or <tt class="constant">False</tt>).
+ It must <span class="emphasis"><em>not</em></span> be enabled on print shares
+ (with a <tt class="constant">yes</tt> or <tt class="constant">true</tt> setting) that
+ have valid drivers installed on the Samba server. For more detailed
+ explanations see the <tt class="filename">smb.conf</tt> man page.
+ </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ptrsect"></a>The [printers] Section</h4></div></div><div></div></div><p>
+This is the second special section. If a section with this name appears in
+the <tt class="filename">smb.conf</tt>, users are able to connect to any printer specified in the
+Samba host's printcap file, because Samba on startup then creates a printer
+share for every printername it finds in the printcap file. You could regard
+this section as a general convenience shortcut to share all printers with
+minimal configuration. It is also a container for settings that should
+apply as default to all printers. (For more details see the <tt class="filename">smb.conf</tt>
+man page.) Settings inside this container must be Share Level parameters.
+</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2922592"></a><i class="parameter"><tt>comment</tt></i> = All printers </span></dt><dd><p>
+ The <a class="indexterm" name="id2922612"></a><i class="parameter"><tt>comment</tt></i> is shown next to the share if
+ a client queries the server, either via <span class="guiicon">Network Neighborhood</span> or with
+ the <b class="command">net view</b> command to list available shares.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922646"></a><i class="parameter"><tt>printable</tt></i> = yes </span></dt><dd><p>
+ The <i class="parameter"><tt>[printers]</tt></i> service <span class="emphasis"><em>must</em></span>
+ be declared as printable. If you specify otherwise, smbd will refuse to load at
+ startup. This parameter allows connected clients to open, write to and submit spool files
+ into the directory specified with the <a class="indexterm" name="id2922680"></a><i class="parameter"><tt>path</tt></i>
+ parameter for this service. It is used by Samba to differentiate printer shares from
+ file shares.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922702"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba </span></dt><dd><p>
+ Must point to a directory used by Samba to spool incoming print files. <span class="emphasis"><em>It
+ must not be the same as the spool directory specified in the configuration of your UNIX
+ print subsystem!</em></span> The path typically points to a directory that is world
+ writeable, with the “<span class="quote">sticky</span>” bit set to it.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922740"></a><i class="parameter"><tt>browseable</tt></i> = no </span></dt><dd><p>
+ Is always set to <tt class="constant">no</tt> if
+ <a class="indexterm" name="id2922764"></a><i class="parameter"><tt>printable</tt></i> = yes. It makes
+ the <i class="parameter"><tt>[printer]</tt></i> share itself invisible in the list of
+ available shares in a <b class="command">net view</b> command or in the Explorer browse
+ list. (You will of course see the individual printers).
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922800"></a><i class="parameter"><tt>guest ok</tt></i> = yes </span></dt><dd><p>
+ If this parameter is set to <tt class="constant">yes</tt>, no password is required to
+ connect to the printer's service. Access will be granted with the privileges of the
+ <a class="indexterm" name="id2922826"></a><i class="parameter"><tt>guest account</tt></i>. On many systems the guest
+ account will map to a user named “<span class="quote">nobody</span>”. This user will usually be found
+ in the UNIX passwd file with an empty password, but with no valid UNIX login. (On some
+ systems the guest account might not have the privilege to be able to print. Test this
+ by logging in as your guest user using <b class="command">su - guest</b> and run a system
+ print command like:
+ </p><p>
+ <b class="userinput"><tt>lpr -P printername /etc/motd</tt></b>
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922875"></a><i class="parameter"><tt>public</tt></i> = yes </span></dt><dd><p>
+ Is a synonym for <a class="indexterm" name="id2922894"></a><i class="parameter"><tt>guest ok</tt></i> = yes.
+ Since we have <a class="indexterm" name="id2922909"></a><i class="parameter"><tt>guest ok</tt></i> = yes, it
+ really does not need to be here. (This leads to the interesting question: “<span class="quote">What if I
+ by accident have two contradictory settings for the same share?</span>” The answer is the
+ last one encountered by Samba wins. Testparm does not complain about different settings
+ of the same parameter for the same share. You can test this by setting up multiple
+ lines for the <i class="parameter"><tt>guest account</tt></i> parameter with different usernames,
+ and then run testparm to see which one is actually used by Samba.)
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922947"></a><i class="parameter"><tt>read only</tt></i> = yes </span></dt><dd><p>
+ Normally (for other types of shares) prevents users from creating or modifying files
+ in the service's directory. However, in a “<span class="quote">printable</span>” service, it is
+ <span class="emphasis"><em>always</em></span> allowed to write to the directory (if user privileges allow the
+ connection), but only via print spooling operations. Normal write operations are not permitted.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2922986"></a><i class="parameter"><tt>writeable</tt></i> = no </span></dt><dd><p>
+ Is a synonym for <a class="indexterm" name="id2923006"></a><i class="parameter"><tt>read only</tt></i> = yes.
+ </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923024"></a>Any [my_printer_name] Section</h4></div></div><div></div></div><p>
+If a section appears in the <tt class="filename">smb.conf</tt> file, which when given the parameter
+<a class="indexterm" name="id2923042"></a><i class="parameter"><tt>printable</tt></i> = yes causes Samba to configure it
+as a printer share. Windows 9x/Me clients may have problems with connecting or loading printer drivers
+if the share name has more than eight characters. Do not name a printer share with a name that may conflict
+with an existing user or file share name. On Client connection requests, Samba always tries to find file
+shares with that name first. If it finds one, it will connect to this and will not connect
+to a printer with the same name!
+</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2923073"></a><i class="parameter"><tt>comment</tt></i> = Printer with Restricted Access </span></dt><dd><p>
+ The comment says it all.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923099"></a><i class="parameter"><tt>path</tt></i> = /var/spool/samba_my_printer </span></dt><dd><p>
+ Sets the spooling area for this printer to a directory other than the default. It is not
+ necessary to set it differently, but the option is available.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923126"></a><i class="parameter"><tt>printer admin</tt></i> = kurt </span></dt><dd><p>
+ The printer admin definition is different for this explicitly defined printer share from the general
+ <i class="parameter"><tt>[printers]</tt></i> share. It is not a requirement; we
+ did it to show that it is possible.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923161"></a><i class="parameter"><tt>browseable</tt></i> = yes </span></dt><dd><p>
+ This makes the printer browseable so the clients may conveniently find it when browsing the
+ <span class="guiicon">Network Neighborhood</span>.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923196"></a><i class="parameter"><tt>printable</tt></i> = yes </span></dt><dd><p>
+ See <link linkend="ptrsect">.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923228"></a><i class="parameter"><tt>writeable</tt></i> = no </span></dt><dd><p>
+ See <link linkend="ptrsect">.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923260"></a><i class="parameter"><tt>hosts allow</tt></i> = 10.160.50.,10.160.51. </span></dt><dd><p>
+ Here we exercise a certain degree of access control by using the <a class="indexterm" name="id2923281"></a><i class="parameter"><tt>hosts allow</tt></i> and <a class="indexterm" name="id2923294"></a><i class="parameter"><tt>hosts deny</tt></i>
+ parameters. This is not by any means a safe bet. It is not a way to secure your
+ printers. This line accepts all clients from a certain subnet in a first evaluation of
+ access control.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923317"></a><i class="parameter"><tt>hosts deny</tt></i> = turbo_xp,10.160.50.23,10.160.51.60 </span></dt><dd><p>
+ All listed hosts are not allowed here (even if they belong to the allowed subnets). As
+ you can see, you could name IP addresses as well as NetBIOS hostnames here.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2923345"></a><i class="parameter"><tt>guest ok</tt></i> = no </span></dt><dd><p>
+ This printer is not open for the guest account.
+ </p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923371"></a>Print Commands</h4></div></div><div></div></div><p>
+In each section defining a printer (or in the <i class="parameter"><tt>[printers]</tt></i> section),
+a <i class="parameter"><tt>print command</tt></i> parameter may be defined. It sets a command to process the files
+that have been placed into the Samba print spool directory for that printer. (That spool directory was,
+if you remember, set up with the <a class="indexterm" name="id2923399"></a><i class="parameter"><tt>path</tt></i> parameter). Typically,
+this command will submit the spool file to the Samba host's print subsystem, using the suitable system
+print command. But there is no requirement that this needs to be the case. For debugging or
+some other reason, you may want to do something completely different than print the file. An example is a
+command that just copies the print file to a temporary location for further investigation when you need
+to debug printing. If you craft your own print commands (or even develop print command shell scripts),
+make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise,
+your hard disk may soon suffer from shortage of free space.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923428"></a>Default UNIX System Printing Commands</h4></div></div><div></div></div><p>
+You learned earlier on that Samba, in most cases, uses its built-in settings for many parameters
+if it cannot find an explicitly stated one in its configuration file. The same is true for the
+<a class="indexterm" name="id2923441"></a><i class="parameter"><tt>print command</tt></i>. The default print command varies depending
+on the <a class="indexterm" name="id2923458"></a><i class="parameter"><tt>printing</tt></i> parameter setting. In the commands listed
+below, you will notice some parameters of the form <span class="emphasis"><em>%X</em></span> where <span class="emphasis"><em>X</em></span> is
+<span class="emphasis"><em>p, s, J</em></span>, and so on. These letters stand for printer name, spoolfile and job ID, respectively.
+They are explained in more detail further below. <link linkend="printOptions"> presents an overview of key
+printing options but excludes the special case of CUPS that is discussed in <link linkend="CUPS-printing">.
+</p><div class="table"><a name="printOptions"></a><p class="title"><b>Table 18.1. Default Printing Settings</b></p><table summary="Default Printing Settings" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Setting</th><th align="left">Default Printing Commands</th></tr></thead><tbody><tr><td align="left"><a class="indexterm" name="id2923569"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">print command is <b class="command">lpr -r -P%p %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923599"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">print command is <b class="command">lp -c -P%p %s; rm %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923631"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">print command is <b class="command">lp -r -P%p -s %s</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923662"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lpq command is <b class="command">lpq -P%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923692"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lpq command is <b class="command">lpstat -o%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923723"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lpq command is <b class="command">lpq -P%p</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923753"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lprm command is <b class="command">lprm -P%p %j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923784"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lprm command is <b class="command">cancel %p-%j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923814"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lprm command is <b class="command">cancel %p-%j</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923845"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lppause command is <b class="command">lp -i %p-%j -H hold</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923876"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2923901"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lppause command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2923926"></a><i class="parameter"><tt>printing</tt></i> = bsd|aix|lprng|plp</td><td align="left">lpresume command is <b class="command">lp -i %p-%j -H resume</b></td></tr><tr><td align="left"><a class="indexterm" name="id2923957"></a><i class="parameter"><tt>printing</tt></i> = sysv|hpux</td><td align="left">lpresume command (...is empty)</td></tr><tr><td align="left"><a class="indexterm" name="id2923983"></a><i class="parameter"><tt>printing</tt></i> = qnx</td><td align="left">lpresume command (...is empty)</td></tr></tbody></table></div><p>
+We excluded the special case of CUPS here, because it is discussed in the next chapter. For
+<i class="parameter"><tt>printing = CUPS</tt></i>, if Samba is compiled against libcups, it uses the CUPS API to submit
+jobs. (It is a good idea also to set <a class="indexterm" name="id2924021"></a><i class="parameter"><tt>printcap</tt></i> = cups
+in case your <tt class="filename">cupsd.conf</tt> is set to write its autogenerated printcap file to an
+unusual place). Otherwise, Samba maps to the System V printing commands with the -oraw option for printing,
+i.e., it uses <b class="command">lp -c -d%p -oraw; rm %s</b>. With <i class="parameter"><tt>printing = cups</tt></i>,
+and if Samba is compiled against libcups, any manually set print command will be ignored!
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2924063"></a>Custom Print Commands</h4></div></div><div></div></div><p>
+After a print job has finished spooling to a service, the <a class="indexterm" name="id2924074"></a><i class="parameter"><tt>print command</tt></i>
+ will be used by Samba via a <span class="emphasis"><em>system()</em></span> call to process the
+spool file. Usually the command specified will submit the spool file to the host's printing subsystem. But
+there is no requirement at all that this must be the case. The print subsystem may not remove the spool
+file on its own. So whatever command you specify, you should ensure that the spool file is deleted after
+it has been processed.
+</p><p>
+There is no difficulty with using your own customized print commands with the traditional printing
+systems. However, if you do not wish to roll your own, you should be well informed about the default
+built-in commands that Samba uses for each printing subsystem (see
+Table 17.1). In all the
+commands listed in the last paragraphs, you see parameters of the form <span class="emphasis"><em>%X</em></span>. These are
+<span class="emphasis"><em>macros</em></span>, or shortcuts, used as placeholders for the names of real objects. At the time
+of running a command with such a placeholder, Samba will insert the appropriate value automatically. Print
+commands can handle all Samba macro substitutions. In regard to printing, the following ones do have
+special relevance:
+</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%s, %f</tt></i> the path to the spool file name.</p></li><li><p><i class="parameter"><tt>%p</tt></i> the appropriate printer name.</p></li><li><p><i class="parameter"><tt>%J</tt></i> the job name as transmitted by the client.</p></li><li><p><i class="parameter"><tt>%c</tt></i> the number of printed pages of the spooled job (if known).</p></li><li><p><i class="parameter"><tt>%z</tt></i> the size of the spooled print job (in bytes).</p></li></ul></div><p>
+The print command must contain at least one occurrence of <i class="parameter"><tt>%s</tt></i> or
+the <i class="parameter"><tt>%f</tt></i>. The <i class="parameter"><tt>%p</tt></i> is optional. If no printer name is supplied,
+the <i class="parameter"><tt>%p</tt></i> will be silently removed from the print command. In this case, the job is
+sent to the default printer.
+</p><p>
+If specified in the <i class="parameter"><tt>[global]</tt></i> section, the print command given will be
+used for any printable service that does not have its own print command specified. If there is neither a
+specified print command for a printable service nor a global print command, spool files will be created
+but not processed! Most importantly, print files will not be removed, so they will consume disk space.
+</p><p>
+Printing may fail on some UNIX systems when using the “<span class="quote">nobody</span>” account. If this happens, create an
+alternative guest account and give it the privilege to print. Set up this guest account in the
+<i class="parameter"><tt>[global]</tt></i> section with the <i class="parameter"><tt>guest account</tt></i> parameter.
+</p><p>
+You can form quite complex print commands. You need to realize that print commands are just
+passed to a UNIX shell. The shell is able to expand the included environment variables as
+usual. (The syntax to include a UNIX environment variable <i class="parameter"><tt>$variable</tt></i>
+in the Samba print command is <i class="parameter"><tt>%$variable</tt></i>.) To give you a working
+<a class="indexterm" name="id2924309"></a><i class="parameter"><tt>print command</tt></i> example, the following will log a print job
+to <tt class="filename">/tmp/print.log</tt>, print the file, then remove it. The semicolon (“<span class="quote">;</span>”
+is the usual separator for commands in shell scripts:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</tt></i></td></tr></table><p>
+You may have to vary your own command considerably from this example depending on how you normally print
+files on your system. The default for the <a class="indexterm" name="id2924363"></a><i class="parameter"><tt>print command</tt></i>
+parameter varies depending on the setting of the <a class="indexterm" name="id2924379"></a><i class="parameter"><tt>printing</tt></i>
+parameter. Another example is:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>print command = /usr/local/samba/bin/myprintscript %p %s</tt></i></td></tr></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924414"></a>Printing Developments Since Samba-2.2</h2></div></div><div></div></div><p>
+Prior to Samba-2.2.x, print server support for Windows clients was limited to <span class="emphasis"><em>LanMan</em></span>
+printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers.
+Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These
+are implemented via <span class="emphasis"><em>MS-RPC</em></span> (RPC = <span class="emphasis"><em>Remote Procedure Calls</em></span>
+). MS-RPCs use the <span class="emphasis"><em>SPOOLSS</em></span> named pipe for all printing.
+</p><p>
+The additional functionality provided by the new SPOOLSS support includes:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon
+ demand (<span class="emphasis"><em>Point'n'Print</em></span>).
+ </p></li><li><p>
+ Uploading of printer drivers via the Windows NT <span class="emphasis"><em>Add Printer Wizard</em></span> (APW)
+ or the <ulink url="http://imprints.sourceforge.net/">Imprints</ulink> tool set.
+ </p></li><li><p>
+ Support for the native MS-RPC printing calls such as
+ StartDocPrinter, EnumJobs(), and so on. (See the
+ <ulink url="http://msdn.microsoft.com/">MSDN documentation</ulink> for more information on the
+ Win32 printing API).
+ </p></li><li><p>
+ Support for NT <span class="emphasis"><em>Access Control Lists</em></span> (ACL) on printer objects.
+ </p></li><li><p>
+ Improved support for printer queue manipulation through the use of internal databases for spooled
+ job information (implemented by various <tt class="filename">*.tdb</tt> files).
+ </p></li></ul></div><p>
+A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP).
+</p><p>
+A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT
+permits the installation of local printers that are not shared. This is an artifact of the fact that
+any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all
+printers that are made available, either by default or by specific declaration via printer-specific shares.
+</p><p>
+Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can
+print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that
+the client has the necessary privileges on the remote host that serves the printer resource. The
+default permissions assigned by Windows NT to a printer gives the Print permissions to the well-known
+<span class="emphasis"><em>Everyone</em></span> group. (The older clients of type Windows 9x/Me can only print to shared
+printers).
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924566"></a>Point'n'Print Client Drivers on Samba Servers</h3></div></div><div></div></div><p>
+There is much confusion about what all this means. The question is often asked, “<span class="quote">Is it or is
+it not necessary for printer drivers to be installed on a Samba host in order to support printing from
+Windows clients?</span>” The answer to this is no, it is not necessary.
+</p><p>
+Windows NT/2000 clients can, of course, also run their APW to install drivers <span class="emphasis"><em>locally</em></span>
+(which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me
+clients. (However, a <span class="emphasis"><em>bug</em></span> existed in Samba 2.2.0 that made Windows NT/2000 clients
+require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1).
+</p><p>
+But it is a new capability to install the printer drivers into the <i class="parameter"><tt>[print$]</tt></i>
+share of the Samba server, and a big convenience, too. Then <span class="emphasis"><em>all</em></span> clients
+(including 95/98/ME) get the driver installed when they first connect to this printer share. The
+<span class="emphasis"><em>uploading</em></span> or <span class="emphasis"><em>depositing</em></span> of the driver into this
+<i class="parameter"><tt>[print$]</tt></i> share and the following binding of this driver to an existing
+Samba printer share can be achieved by different means:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Running the <span class="emphasis"><em>APW</em></span> on an NT/200x/XP Professional client (this does not work from 95/98/ME clients).
+ </p></li><li><p>
+ Using the <span class="emphasis"><em>Imprints</em></span> toolset.
+ </p></li><li><p>
+ Using the <span class="emphasis"><em>smbclient</em></span> and <span class="emphasis"><em>rpcclient</em></span> commandline tools.
+ </p></li><li><p>
+ Using <span class="emphasis"><em>cupsaddsmb</em></span> (only works for the CUPS
+ printing system, not for LPR/LPD, LPRng, and so on).
+ </p></li></ul></div><p>
+Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized
+entirely by the clients who download and install them via the “<span class="quote">Point'n'Print</span>” mechanism
+supported by Samba. The clients use these drivers to generate print files in the format the printer
+(or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing
+system, which is responsible for all further processing, as needed.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924710"></a>The Obsoleted [printer$] Section</h3></div></div><div></div></div><p>
+ Versions of Samba prior to 2.2 made it possible to use a share named
+ <i class="parameter"><tt>[printer$]</tt></i>. This name was taken from the same named service created by
+ Windows 9x/Me clients when a printer was shared by them. Windows 9x/Me printer servers always
+ have a <i class="parameter"><tt>[printer$]</tt></i> service that provides read-only access (with
+ no password required) to support printer driver downloads. However, Samba's initial
+ implementation allowed for a parameter named <i class="parameter"><tt>printer driver location</tt></i> to
+ be used on a per share basis. This specified the location of the driver files associated with
+ that printer. Another parameter named <i class="parameter"><tt>printer driver</tt></i> provided a means of
+ defining the printer driver name to be sent to the client.
+ </p><p>
+ These parameters, including the <i class="parameter"><tt>printer driver file</tt></i> parameter,
+ are now removed and cannot be used in installations of Samba-3. The share name
+ <i class="parameter"><tt>[print$]</tt></i> is now used for the location of downloadable printer
+ drivers. It is taken from the <i class="parameter"><tt>[print$]</tt></i> service created
+ by Windows NT PCs when a printer is shared by them. Windows NT print servers always have a
+ <i class="parameter"><tt>[print$]</tt></i> service that provides read-write access (in the context
+ of its ACLs) to support printer driver downloads and uploads. This does not mean Windows
+ 9x/Me clients are now thrown aside. They can use Samba's <i class="parameter"><tt>[print$]</tt></i>
+ share support just fine.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924810"></a>Creating the [print$] Share</h3></div></div><div></div></div><p>
+In order to support the uploading and downloading of printer driver files, you must first configure a
+file share named <i class="parameter"><tt>[print$]</tt></i>. The public name of this share is hard coded
+in the MS Windows clients. It cannot be renamed since Windows clients are programmed to search for a
+service of exactly this name if they want to retrieve printer driver files.
+</p><p>
+You should modify the server's file to add the global parameters and create the
+<i class="parameter"><tt>[print$]</tt></i> file share (of course, some of the parameter values, such
+as <a class="indexterm" name="id2924847"></a><i class="parameter"><tt>path</tt></i> are arbitrary and should be replaced with appropriate values for your
+site). See <link linkend="prtdollar">.
+</p><p>
+</p><div class="example"><a name="prtdollar"></a><p class="title"><b>Example 18.3. [print\$] example</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td># members of the ntadmin group should be able to add drivers and set</td></tr><tr><td># printer properties. root is implicitly always a 'printer admin'.</td></tr><tr><td><i class="parameter"><tt>printer admin = @ntadmin</tt></i></td></tr><tr><td>...</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td>...</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Printer Driver Download Area</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /etc/samba/drivers</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = @ntadmin, root</tt></i></td></tr></table></div><p>
+</p><p>
+Of course, you also need to ensure that the directory named by the
+<a class="indexterm" name="id2925004"></a><i class="parameter"><tt>path</tt></i> parameter exists on the UNIX file system.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925021"></a>[print$] Section Parameters</h3></div></div><div></div></div><p>
+The <i class="parameter"><tt>[print$]</tt></i> is a special section in <tt class="filename">smb.conf</tt>. It contains settings relevant to
+potential printer driver download and is used by windows clients for local print driver installation.
+The following parameters are frequently needed in this share section:
+</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2925058"></a><i class="parameter"><tt>comment</tt></i> = Printer Driver Download Area </span></dt><dd><p>
+ The comment appears next to the share name if it is listed in a share list (usually Windows
+ clients will not see it, but it will also appear up in a <b class="command">smbclient -L sambaserver
+ </b> output).
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2925094"></a><i class="parameter"><tt>path</tt></i> = /etc/samba/printers </span></dt><dd><p>
+ Is the path to the location of the Windows driver file deposit from the UNIX point of view.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2925120"></a><i class="parameter"><tt>browseable</tt></i> = no </span></dt><dd><p>
+ Makes the <i class="parameter"><tt>[print$]</tt></i> share invisible to clients from the
+ <span class="guimenu">Network Neighborhood</span>. However, you can still mount it from any client
+ using the <b class="command">net use g:\\sambaserver\print$</b> command in a DOS-box or the
+ <span class="guimenu">Connect network drive menu></span> from Windows Explorer.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2925177"></a><i class="parameter"><tt>guest ok</tt></i> = yes </span></dt><dd><p>
+ Gives read-only access to this share for all guest users. Access may be granted to
+ download and install printer drivers on clients. The requirement for <i class="parameter"><tt>guest ok
+ = yes</tt></i> depends on how your site is configured. If users will be guaranteed
+ to have an account on the Samba host, then this is a non-issue.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ If all your Windows NT users are guaranteed to be authenticated by the Samba server
+ (for example, if Samba authenticates via an NT domain server and the user has already been
+ validated by the Domain Controller in order to logon to the Windows NT session), then guest
+ access is not necessary. Of course, in a workgroup environment where you just want
+ to print without worrying about silly accounts and security, then configure the share for
+ guest access. You should consider adding <a class="indexterm" name="id2925224"></a><i class="parameter"><tt>map to guest</tt></i> = Bad
+ User in the <i class="parameter"><tt>[global]</tt></i> section
+ as well. Make sure you understand what this parameter does before using it.
+ </p></div></dd><dt><span class="term"><a class="indexterm" name="id2925252"></a><i class="parameter"><tt>read only</tt></i> = yes </span></dt><dd><p>
+ Because we do not want everybody to upload driver files (or even change driver settings),
+ we tagged this share as not writeable.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2925280"></a><i class="parameter"><tt>write list</tt></i> = @ntadmin, root </span></dt><dd><p>
+ The <i class="parameter"><tt>[print$]</tt></i> was made read-only by the previous
+ setting so we should create a <i class="parameter"><tt>write list</tt></i> entry also. UNIX
+ groups (denoted with a leading “<span class="quote">@</span>” character). Users listed here are allowed
+ write-access (as an exception to the general public's read-only access), which they need to
+ update files on the share. Normally, you will want to only name administrative-level user
+ account in this setting. Check the file system permissions to make sure these accounts
+ can copy files to the share. If this is a non-root account, then the account should also
+ be mentioned in the global <a class="indexterm" name="id2925328"></a><i class="parameter"><tt>printer admin</tt></i>
+ parameter. See the <tt class="filename">smb.conf</tt> man page for more information on configuring file shares.
+ </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925355"></a>The [print$] Share Directory</h3></div></div><div></div></div><p>
+In order for a Windows NT print server to support the downloading of driver files by multiple client
+architectures, you must create several subdirectories within the <i class="parameter"><tt>[print$]</tt></i>
+service (i.e., the UNIX directory named by the <a class="indexterm" name="id2925375"></a><i class="parameter"><tt>path</tt></i>
+parameter). These correspond to each of the supported client architectures. Samba follows this model as
+well. Just like the name of the <i class="parameter"><tt>[print$]</tt></i> share itself, the subdirectories
+must be exactly the names listed below (you may leave out the subdirectories of architectures you do
+not need to support).
+</p><p>
+Therefore, create a directory tree below the
+<i class="parameter"><tt>[print$]</tt></i> share for each architecture you wish
+to support like this:
+</p><pre class="programlisting">
+[print$]--+
+ |--W32X86 # serves drivers to Windows NT x86
+ |--WIN40 # serves drivers to Windows 95/98
+ |--W32ALPHA # serves drivers to Windows NT Alpha_AXP
+ |--W32MIPS # serves drivers to Windows NT R4000
+ |--W32PPC # serves drivers to Windows NT PowerPC
+</pre><p>
+</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Required permissions</h3><p>
+ In order to add a new driver to your Samba host, one of two conditions must hold true:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The account used to connect to the Samba host must have a UID of 0 (i.e., a root account).
+ </p></li><li><p>
+ The account used to connect to the Samba host must be named in the <span class="emphasis"><em>printer admin</em></span>list.
+ </p></li></ul></div><p>
+ Of course, the connected account must still have write access to add files to the subdirectories beneath
+ <i class="parameter"><tt>[print$]</tt></i>. Remember that all file shares are set to “<span class="quote">read-only</span>” by default.
+ </p></div><p>
+Once you have created the required <i class="parameter"><tt>[print$]</tt></i> service and
+associated subdirectories, go to a Windows NT 4.0/200x/XP client workstation. Open <span class="guiicon">Network
+Neighborhood</span> or <span class="guiicon">My Network Places</span> and browse for the Samba host. Once you
+have located the server, navigate to its <span class="guiicon">Printers and Faxes</span> folder. You should see
+an initial listing of printers that matches the printer shares defined on your Samba host.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2925525"></a>Installing Drivers into [print$]</h2></div></div><div></div></div><p>
+Have you successfully created the <i class="parameter"><tt>[print$]</tt></i> share in <tt class="filename">smb.conf</tt>, and have your forced Samba
+to re-read its <tt class="filename">smb.conf</tt> file? Good. But you are not yet ready to use the new facility. The client driver
+files need to be installed into this share. So far it is still an empty share. Unfortunately, it is
+not enough to just copy the driver files over. They need to be
+correctly installed so that appropriate
+records for each driver will exist in the Samba internal databases so it can provide the correct
+drivers as they are requested from MS Windows clients. And that is a bit tricky, to say the least. We
+now discuss two alternative ways to install the drivers into <i class="parameter"><tt>[print$]</tt></i>:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Using the Samba commandline utility <b class="command">rpcclient</b> with its various subcommands (here:
+ <b class="command">adddriver</b> and <b class="command">setdriver</b>) from any UNIX workstation.
+ </p></li><li><p>
+ Running a GUI (<span class="guiicon">Printer Properties</span> and <span class="guiicon">Add Printer Wizard</span>)
+ from any Windows NT/200x/XP client workstation.
+ </p></li></ul></div><p>
+The latter option is probably the easier one (even if the process may seem a little bit weird at first).
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2925644"></a>Add Printer Wizard Driver Installation</h3></div></div><div></div></div><p>
+The initial listing of printers in the Samba host's <span class="guiicon">Printers</span> folder accessed from a
+client's Explorer will have no real printer driver assigned to them. By default this driver name is set
+to a null string. This must be changed now. The local <span class="guiicon">Add Printer Wizard</span> (APW), run from
+NT/2000/XP clients, will help us in this task.
+</p><p>
+Installation of a valid printer driver is not straightforward. You must attempt
+to view the printer properties for the printer to which you want the driver assigned. Open the Windows
+Explorer, open <span class="guiicon">Network Neighborhood</span>, browse to the Samba host, open Samba's <span class="guiicon">Printers</span>
+folder, right-click on the printer icon and select <span class="guimenu">Properties...</span>. You are now trying to
+view printer and driver properties for a queue that has this default <tt class="constant">NULL</tt> driver
+assigned. This will result in the following error message:
+</p><p><span class="errorname">
+ Device settings cannot be displayed. The driver for the specified printer is not installed,
+ only spooler properties will be displayed. Do you want to install the driver now?
+ </span></p><p>
+Do not click on <span class="guibutton">Yes</span>! Instead, click on <span class="guibutton">No</span> in the error dialog.
+Only now you will be presented with the printer properties window. From here, the way to assign a driver
+to a printer is open to us. You now have the choice of:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Select a driver from the pop-up list of installed drivers. Initially this list will be empty.
+ </p></li><li><p>
+ Click on <span class="guibutton">New Driver</span> to install a new printer driver (which will
+ start up the APW).
+ </p></li></ul></div><p>
+Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we
+assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure
+your connection is, in fact, setup as a user with <a class="indexterm" name="id2925776"></a><i class="parameter"><tt>printer admin</tt></i>
+privileges (if in doubt, use <b class="command">smbstatus</b> to check for this). If you wish to install
+printer drivers for client operating systems other than <span class="application">Windows NT x86</span>,
+you will need to use the <span class="guilabel">Sharing</span> tab of the printer properties dialog.
+</p><p>
+Assuming you have connected with an administrative (or root) account (as named by the
+<a class="indexterm" name="id2925818"></a><i class="parameter"><tt>printer admin</tt></i> parameter), you will also be able to modify
+other printer properties such as ACLs and default device settings using this dialog. For the default
+device settings, please consider the advice given further in <link linkend="inst-rpc">.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="inst-rpc"></a>Installing Print Drivers Using <b class="command">rpcclient</b></h3></div></div><div></div></div><p>
+The second way to install printer drivers into <i class="parameter"><tt>[print$]</tt></i> and set them
+up in a valid way is to do it from the UNIX command line. This involves four distinct steps:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Gather info about required driver files and collect the files.
+ </p></li><li><p>
+ Deposit the driver files into the <i class="parameter"><tt>[print$]</tt></i> share's correct subdirectories
+ (possibly by using <b class="command">smbclient</b>).
+ </p></li><li><p>
+ Run the <b class="command">rpcclient</b> command line utility once with the <b class="command">adddriver</b>
+ subcommand.
+ </p></li><li><p>
+ Run <b class="command">rpcclient</b> a second time with the <b class="command">setdriver</b> subcommand.
+ </p></li></ol></div><p>
+We provide detailed hints for each of these steps in the paragraphs that follow.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2925958"></a>Identifying Driver Files</h4></div></div><div></div></div><p>
+To find out about the driver files, you have two options. You could check the contents of the driver
+CDROM that came with your printer. Study the <tt class="filename">*.inf</tt> files lcoated on the CDROM. This
+may not be possible, since the <tt class="filename">*.inf</tt> file might be missing. Unfortunately, vendors have now started
+to use their own installation programs. These installations packages are often in some Windows platform
+archive format. Additionally, the files may be re-named during the installation process. This makes it
+extremely difficult to identify the driver files required.
+</p><p>
+Then you only have the second option. Install the driver locally on a Windows client and
+investigate which file names and paths it uses after they are installed. (You need to repeat
+this procedure for every client platform you want to support. We show it here for the
+<span class="application">W32X86</span> platform only, a name used by Microsoft for all Windows NT/200x/XP
+clients.)
+</p><p>
+A good method to recognize the driver files is to print the test page from the driver's
+<span class="guilabel">Properties</span> dialog (<span class="guilabel">General</span> tab). Then look at the list of
+driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the
+<span class="guilabel">Driver File</span>, <span class="guilabel">Data File</span>, <span class="guilabel">Config File</span>,
+<span class="guilabel">Help File</span> and (optionally) the <span class="guilabel">Dependent Driver Files</span>
+(this may vary slightly for Windows NT). You need to take a note of all file names for the next steps.
+</p><p>
+Another method to quickly test the driver filenames and related paths is provided by the
+<b class="command">rpcclient</b> utility. Run it with <b class="command">enumdrivers</b> or with the
+<b class="command">getdriver</b> subcommand, each at the <tt class="filename">3</tt> info level. In the following example,
+<span class="emphasis"><em>TURBO_XP</em></span> is the name of the Windows PC (in this case it was a Windows XP Professional
+laptop). I installed the driver locally to TURBO_XP, from a Samba server called <tt class="constant">KDE-BITSHOP</tt>.
+We could run an interactive <b class="command">rpcclient</b> session; then we would get an
+<b class="command">rpcclient /></b> prompt and would type the subcommands at this prompt. This is left as
+a good exercise to the reader. For now, we use <b class="command">rpcclient</b> with the <tt class="option">-c</tt>
+parameter to execute a single subcommand line and exit again. This is the method you would use if you
+want to create scripts to automate the procedure for a large number of printers and drivers. Note the
+different quotes used to overcome the different spaces in between words:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'Danka%xxxx' -c \
+ 'getdriver "Heidelberg Digimaster 9110 (PS)" 3' TURBO_XP</tt></b>
+cmd = getdriver "Heidelberg Digimaster 9110 (PS)" 3
+
+[Windows NT x86]
+Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [Heidelberg Digimaster 9110 (PS)]
+ Architecture: [Windows NT x86]
+ Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.DLL]
+ Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.ppd]
+ Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.DLL]
+ Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01U_de.HLP]
+
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.DLL]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.INI]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.dat]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.cat]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.def]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hre]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.vnd]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\Hddm91c1_de.hlp]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01Aux.dll]
+ Dependentfiles: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\HDNIS01_de.NTF]
+
+ Monitorname: []
+ Defaultdatatype: []
+</pre><p>
+You may notice that this driver has quite a large number of <span class="guilabel">Dependent files</span>
+(there are worse cases, however). Also, strangely, the
+<span class="guilabel">Driver File</span> is tagged here
+<span class="guilabel">Driver Path</span>. We do not yet have support for the so-called
+<span class="application">WIN40</span> architecture installed. This name is used by Microsoft for the Windows
+9x/Me platforms. If we want to support these, we need to install the Windows 9x/Me driver files in
+addition to those for <span class="application">W32X86</span> (i.e., the Windows NT72000/XP clients) onto a
+Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000 or XP.
+</p><p>
+Since the <i class="parameter"><tt>[print$]</tt></i> share is usually accessible through the <span class="guiicon">Network
+Neighborhood</span>, you can also use the UNC notation from Windows Explorer to poke at it. The Windows
+9x/Me driver files will end up in subdirectory <tt class="filename">0</tt> of the <tt class="filename">WIN40</tt>
+directory. The full path to access them will be <tt class="filename">\\WINDOWSHOST\print$\WIN40\0\</tt>.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+More recent drivers on Windows 2000 and Windows XP are installed into the “<span class="quote">3</span>” subdirectory
+instead of the “<span class="quote">2</span>”. The version 2 of drivers, as used in Windows NT, were running in Kernel
+Mode. Windows 2000 changed this. While it still can use the Kernel Mode drivers (if this is enabled by
+the Admin), its native mode for printer drivers is User Mode execution. This requires drivers designed
+for this. These types of drivers install into the “<span class="quote">3</span>” subdirectory.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926311"></a>Obtaining Driver Files from Windows Client [print$] Shares</h4></div></div><div></div></div><p>
+Now we need to collect all the driver files we identified in our previous step. Where do we get them
+from? Well, why not retrieve them from the very PC and the same <i class="parameter"><tt>[print$]</tt></i>
+share that we investigated in our last step to identify the files? We can use <b class="command">smbclient</b>
+to do this. We will use the paths and names that were leaked to us by <b class="command">getdriver</b>. The
+listing is edited to include linebreaks for readability:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //TURBO_XP/print\$ -U'Danka%xxxx' \
+ -c 'cd W32X86/2;mget HD*_de.* hd*ppd Hd*_de.* Hddm*dll HDN*Aux.DLL'</tt></b>
+
+added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+Got a positive name query response from 10.160.50.8 ( 10.160.50.8 )
+Domain=[DEVELOPMENT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
+<tt class="prompt">Get file Hddm91c1_de.ABD? </tt><b class="userinput"><tt>n</tt></b>
+<tt class="prompt">Get file Hddm91c1_de.def? </tt><b class="userinput"><tt>y</tt></b>
+getting file \W32X86\2\Hddm91c1_de.def of size 428 as Hddm91c1_de.def
+<tt class="prompt">Get file Hddm91c1_de.DLL? </tt><b class="userinput"><tt>y</tt></b>
+getting file \W32X86\2\Hddm91c1_de.DLL of size 876544 as Hddm91c1_de.DLL
+[...]
+</pre><p>
+After this command is complete, the files are in our current local directory. You probably have noticed
+that this time we passed several commands to the <tt class="option">-c</tt> parameter, separated by semi-colons.
+This effects that all commands are executed in sequence on the remote Windows server before smbclient
+exits again.
+</p><p>
+Remember to repeat the procedure for the <span class="application">WIN40</span> architecture should
+you need to support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the
+<tt class="filename">WIN40/0/</tt> subdirectory. Once this is complete, we can run <b class="command">smbclient ...
+put</b> to store the collected files on the Samba server's <i class="parameter"><tt>[print$]</tt></i>
+share.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926467"></a>Installing Driver Files into [print$]</h4></div></div><div></div></div><p>
+We are now going to locate the driver files into the <i class="parameter"><tt>[print$]</tt></i>
+share. Remember, the UNIX path to this share has been defined
+previously in your words missing here. You
+also have created subdirectories for the different Windows client types you want to
+support. Supposing your <i class="parameter"><tt>[print$]</tt></i> share maps to the UNIX path
+<tt class="filename">/etc/samba/drivers/</tt>, your driver files should now go here:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ For all Windows NT, 2000 and XP clients into <tt class="filename">/etc/samba/drivers/W32X86/</tt> but
+ not (yet) into the <tt class="filename">2</tt> subdirectory.
+ </p></li><li><p>
+ For all Windows 95, 98 and ME clients into <tt class="filename">/etc/samba/drivers/WIN40/</tt> but not
+ (yet) into the <tt class="filename">0</tt> subdirectory.
+ </p></li></ul></div><p>
+We again use smbclient to transfer the driver files across the network. We specify the same files
+and paths as were leaked to us by running <b class="command">getdriver</b> against the original
+<span class="emphasis"><em>Windows</em></span> install. However, now we are going to store the files into a
+<span class="emphasis"><em>Samba/UNIX</em></span> print server's <i class="parameter"><tt>[print$]</tt></i> share.
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -U'root%xxxx' -c \
+ 'cd W32X86; put HDNIS01_de.DLL; \
+ put Hddm91c1_de.ppd; put HDNIS01U_de.DLL; \
+ put HDNIS01U_de.HLP; put Hddm91c1_de.DLL; \
+ put Hddm91c1_de.INI; put Hddm91c1KMMin.DLL; \
+ put Hddm91c1_de.dat; put Hddm91c1_de.dat; \
+ put Hddm91c1_de.def; put Hddm91c1_de.hre; \
+ put Hddm91c1_de.vnd; put Hddm91c1_de.hlp; \
+ put Hddm91c1_de_reg.HLP; put HDNIS01Aux.dll; \
+ put HDNIS01_de.NTF'</tt></b>
+
+added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
+Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
+putting file HDNIS01_de.DLL as \W32X86\HDNIS01_de.DLL
+putting file Hddm91c1_de.ppd as \W32X86\Hddm91c1_de.ppd
+putting file HDNIS01U_de.DLL as \W32X86\HDNIS01U_de.DLL
+putting file HDNIS01U_de.HLP as \W32X86\HDNIS01U_de.HLP
+putting file Hddm91c1_de.DLL as \W32X86\Hddm91c1_de.DLL
+putting file Hddm91c1_de.INI as \W32X86\Hddm91c1_de.INI
+putting file Hddm91c1KMMin.DLL as \W32X86\Hddm91c1KMMin.DLL
+putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
+putting file Hddm91c1_de.dat as \W32X86\Hddm91c1_de.dat
+putting file Hddm91c1_de.def as \W32X86\Hddm91c1_de.def
+putting file Hddm91c1_de.hre as \W32X86\Hddm91c1_de.hre
+putting file Hddm91c1_de.vnd as \W32X86\Hddm91c1_de.vnd
+putting file Hddm91c1_de.hlp as \W32X86\Hddm91c1_de.hlp
+putting file Hddm91c1_de_reg.HLP as \W32X86\Hddm91c1_de_reg.HLP
+putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll
+putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF
+</pre><p>
+
+Whew that was a lot of typing! Most drivers are a lot smaller many only having three generic
+PostScript driver files plus one PPD. While we did retrieve the files from the <tt class="filename">2</tt>
+subdirectory of the <tt class="filename">W32X86</tt> directory from the Windows box, we do not put them
+(for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the
+<b class="command">adddriver</b> command, which we will run shortly (and do not forget to also put the files
+for the Windows 9x/Me architecture into the <tt class="filename">WIN40/</tt> subdirectory should you need them).
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926676"></a><b class="command">smbclient</b> to Confirm Driver Installation</h4></div></div><div></div></div><p>
+For now we verify that our files are there. This can be done with <b class="command">smbclient</b>, too
+(but, of course, you can log in via SSH also and do this through a standard UNIX shell access):
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -U 'root%xxxx' \
+ -c 'cd W32X86; pwd; dir; cd 2; pwd; dir'</tt></b>
+ added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+Got a positive name query response from 10.160.51.162 ( 10.160.51.162 )
+Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.8a]
+
+Current directory is \\SAMBA-CUPS\print$\W32X86\
+. D 0 Sun May 4 03:56:35 2003
+.. D 0 Thu Apr 10 23:47:40 2003
+2 D 0 Sun May 4 03:56:18 2003
+HDNIS01Aux.dll A 15356 Sun May 4 03:58:59 2003
+Hddm91c1KMMin.DLL A 46966 Sun May 4 03:58:59 2003
+HDNIS01_de.DLL A 434400 Sun May 4 03:58:59 2003
+HDNIS01_de.NTF A 790404 Sun May 4 03:56:35 2003
+Hddm91c1_de.DLL A 876544 Sun May 4 03:58:59 2003
+Hddm91c1_de.INI A 101 Sun May 4 03:58:59 2003
+Hddm91c1_de.dat A 5044 Sun May 4 03:58:59 2003
+Hddm91c1_de.def A 428 Sun May 4 03:58:59 2003
+Hddm91c1_de.hlp A 37699 Sun May 4 03:58:59 2003
+Hddm91c1_de.hre A 323584 Sun May 4 03:58:59 2003
+Hddm91c1_de.ppd A 26373 Sun May 4 03:58:59 2003
+Hddm91c1_de.vnd A 45056 Sun May 4 03:58:59 2003
+HDNIS01U_de.DLL A 165888 Sun May 4 03:58:59 2003
+HDNIS01U_de.HLP A 19770 Sun May 4 03:58:59 2003
+Hddm91c1_de_reg.HLP A 228417 Sun May 4 03:58:59 2003
+ 40976 blocks of size 262144. 709 blocks available
+
+Current directory is \\SAMBA-CUPS\print$\W32X86\2\
+. D 0 Sun May 4 03:56:18 2003
+.. D 0 Sun May 4 03:56:35 2003
+ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
+laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
+ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
+ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
+PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
+ 40976 blocks of size 262144. 709 blocks available
+</pre><p>
+Notice that there are already driver files present in the <tt class="filename">2</tt> subdirectory (probably
+from a previous installation). Once the files for the new driver are there too, you are still a few
+steps away from being able to use them on the clients. The only thing you could do now is to retrieve
+them from a client just like you retrieve ordinary files from a file share, by opening print$ in Windows
+Explorer. But that wouldn't install them per Point'n'Print. The reason
+is: Samba does not yet know that
+these files are something special, namely <span class="emphasis"><em>printer driver files</em></span> and it does not know
+to which print queue(s) these driver files belong.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926841"></a>Running <b class="command">rpcclient</b> with <b class="command">adddriver</b></h4></div></div><div></div></div><p>
+Next, you must tell Samba about the special category of the files you just uploaded into the
+<i class="parameter"><tt>[print$]</tt></i> share. This is done by the <b class="command">adddriver</b>
+command. It will prompt Samba to register the driver files into its internal TDB database files. The
+following command and its output has been edited, again, for readability:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \
+ "dm9110:HDNIS01_de.DLL: \
+ Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
+ NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
+ Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
+ Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
+ HDNIS01Aux.dll,HDNIS01_de.NTF, \
+ Hddm91c1_de_reg.HLP' SAMBA-CUPS</tt></b>
+
+cmd = adddriver "Windows NT x86" \
+ "dm9110:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL: \
+ HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
+ Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
+ Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
+ HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
+
+Printer Driver dm9110 successfully installed.
+</pre><p>
+After this step, the driver should be recognized by Samba on the print server. You need to be very
+careful when typing the command. Don't exchange the order of the fields. Some changes would lead to
+an <tt class="computeroutput">NT_STATUS_UNSUCCESSFUL</tt> error message. These become obvious. Other
+changes might install the driver files successfully, but render the driver unworkable. So take care!
+Hints about the syntax of the adddriver command are in the man page. The CUPS printing chapter
+provides a more detailed description, should you need it.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2926940"></a>Checking <b class="command">adddriver</b> Completion</h4></div></div><div></div></div><p>
+One indication for Samba's recognition of the files as driver files is the <tt class="computeroutput">successfully
+installed</tt> message. Another one is the fact that our files have been moved by the
+<b class="command">adddriver</b> command into the <tt class="filename">2</tt> subdirectory. You can check this
+again with <b class="command">smbclient</b>:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbclient //SAMBA-CUPS/print\$ -Uroot%xx \
+ -c 'cd W32X86;dir;pwd;cd 2;dir;pwd'</tt></b>
+ added interface ip=10.160.51.162 bcast=10.160.51.255 nmask=255.255.252.0
+ Domain=[CUPS-PRINT] OS=[UNIX] Server=[Samba 2.2.7a]
+
+ Current directory is \\SAMBA-CUPS\print$\W32X86\
+ . D 0 Sun May 4 04:32:48 2003
+ .. D 0 Thu Apr 10 23:47:40 2003
+ 2 D 0 Sun May 4 04:32:48 2003
+ 40976 blocks of size 262144. 731 blocks available
+
+ Current directory is \\SAMBA-CUPS\print$\W32X86\2\
+ . D 0 Sun May 4 04:32:48 2003
+ .. D 0 Sun May 4 04:32:48 2003
+ DigiMaster.PPD A 148336 Thu Apr 24 01:07:00 2003
+ ADOBEPS5.DLL A 434400 Sat May 3 23:18:45 2003
+ laserjet4.ppd A 9639 Thu Apr 24 01:05:32 2003
+ ADOBEPSU.DLL A 109568 Sat May 3 23:18:45 2003
+ ADOBEPSU.HLP A 18082 Sat May 3 23:18:45 2003
+ PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003
+ HDNIS01Aux.dll A 15356 Sun May 4 04:32:18 2003
+ Hddm91c1KMMin.DLL A 46966 Sun May 4 04:32:18 2003
+ HDNIS01_de.DLL A 434400 Sun May 4 04:32:18 2003
+ HDNIS01_de.NTF A 790404 Sun May 4 04:32:18 2003
+ Hddm91c1_de.DLL A 876544 Sun May 4 04:32:18 2003
+ Hddm91c1_de.INI A 101 Sun May 4 04:32:18 2003
+ Hddm91c1_de.dat A 5044 Sun May 4 04:32:18 2003
+ Hddm91c1_de.def A 428 Sun May 4 04:32:18 2003
+ Hddm91c1_de.hlp A 37699 Sun May 4 04:32:18 2003
+ Hddm91c1_de.hre A 323584 Sun May 4 04:32:18 2003
+ Hddm91c1_de.ppd A 26373 Sun May 4 04:32:18 2003
+ Hddm91c1_de.vnd A 45056 Sun May 4 04:32:18 2003
+ HDNIS01U_de.DLL A 165888 Sun May 4 04:32:18 2003
+ HDNIS01U_de.HLP A 19770 Sun May 4 04:32:18 2003
+ Hddm91c1_de_reg.HLP A 228417 Sun May 4 04:32:18 2003
+ 40976 blocks of size 262144. 731 blocks available
+</pre><p>
+Another verification is that the timestamp of the printing TDB files is now updated
+(and possibly their file size has increased).
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927063"></a>Check Samba for Driver Recognition</h4></div></div><div></div></div><p>
+Now the driver should be registered with Samba. We can easily verify this, and will do so in a
+moment. However, this driver is not yet associated with a particular printer. We may check the driver
+status of the files by at least three methods:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ From any Windows client browse Network Neighborhood, find the Samba host and open the Samba
+ <span class="guiicon">Printers and Faxes</span> folder. Select any printer icon, right-click and select
+ the printer <span class="guimenuitem">Properties</span>. Click the <span class="guilabel">Advanced</span>
+ tab. Here is a field indicating the driver for that printer. A drop-down menu allows you to
+ change that driver (be careful not to do this unwittingly). You can use this list to view
+ all drivers known to Samba. Your new one should be among them. (Each type of client will only
+ see his own architecture's list. If you do not have every driver installed for each platform,
+ the list will differ if you look at it from Windows95/98/ME or WindowsNT/2000/XP.)
+ </p></li><li><p>
+ From a Windows 200x/XP client (not Windows NT) browse <span class="guiicon">Network Neighborhood</span>,
+ search for the Samba server and open the server's <span class="guiicon">Printers</span> folder,
+ right-click on the white background (with no printer highlighted). Select <span class="guimenuitem">Server
+ Properties</span>. On the <span class="guilabel">Drivers</span> tab you will see the new driver
+ listed. This view enables you to also inspect the list of files belonging to that driver
+ (this does not work on Windows NT, but only on Windows 2000 and Windows XP; Windows NT does not
+ provide the <span class="guimenuitem">Drivers</span> tab). An
+ alternative and much quicker method for
+ Windows 2000/XP to start this dialog is by typing into a DOS box (you must of course adapt the
+ name to your Samba server instead of <i class="replaceable"><tt>SAMBA-CUPS</tt></i>):
+ </p><p><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /s /t2 /n\\<i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b></p></li><li><p>
+ From a UNIX prompt, run this command (or a variant thereof) where
+ <i class="replaceable"><tt>SAMBA-CUPS</tt></i> is the name of the Samba host and xxxx represents the
+ actual Samba password assigned to root:
+ </p><p><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'enumdrivers' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b></p><p>
+ You will see a listing of all drivers Samba knows about. Your new one should be among
+ them. But it is only listed under the <i class="parameter"><tt>[Windows NT x86]</tt></i> heading, not under
+ <i class="parameter"><tt>[Windows 4.0]</tt></i>, since you didn't install that part. Or did you?
+ You will see a listing of all drivers Samba knows about. Your new one should be among them. In
+ our example it is named <tt class="constant">dm9110</tt>. Note that the third column shows the other
+ installed drivers twice, one time for each supported architecture. Our new driver only shows up
+ for <span class="application">Windows NT 4.0 or 2000</span>. To have it present for <span class="application">Windows
+ 95, 98 and ME</span>, you'll have to repeat the whole procedure with the WIN40 architecture
+ and subdirectory.
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927262"></a>Specific Driver Name Flexibility</h4></div></div><div></div></div><p>
+You can name the driver as you like. If you repeat the <b class="command">adddriver</b> step with the same
+files as before but with a different driver name, it will work the same:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -Uroot%xxxx \
+ -c 'adddriver "Windows NT x86" \
+ "mydrivername:HDNIS01_de.DLL: \
+ Hddm91c1_de.ppd:HDNIS01U_de.DLL:HDNIS01U_de.HLP: \
+ NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
+ Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
+ Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
+ HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP' SAMBA-CUPS
+ </tt></b>
+
+cmd = adddriver "Windows NT x86" \
+ "mydrivername:HDNIS01_de.DLL:Hddm91c1_de.ppd:HDNIS01U_de.DLL:\
+ HDNIS01U_de.HLP:NULL:RAW:Hddm91c1_de.DLL,Hddm91c1_de.INI, \
+ Hddm91c1_de.dat,Hddm91c1_de.def,Hddm91c1_de.hre, \
+ Hddm91c1_de.vnd,Hddm91c1_de.hlp,Hddm91c1KMMin.DLL, \
+ HDNIS01Aux.dll,HDNIS01_de.NTF,Hddm91c1_de_reg.HLP"
+
+Printer Driver mydrivername successfully installed.
+</pre><p>
+You will be able to bind that driver to any print queue (however, you are responsible that
+you associate drivers to queues that make sense with respect to target printers). You cannot run the
+<b class="command">rpcclient</b> <b class="command">adddriver</b> command repeatedly. Each run consumes the
+files you had put into the <i class="parameter"><tt>[print$]</tt></i> share by moving them into the
+respective subdirectories. So you must execute an <b class="command">smbclient ... put</b> command before
+each <b class="command">rpcclient ... adddriver</b> command.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2927366"></a>Running <b class="command">rpcclient</b> with the <b class="command">setdriver</b></h4></div></div><div></div></div><p>
+Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and
+store this info in Samba's memory, the TDB files. The <b class="command">rpcclient setdriver</b> command
+achieves exactly this:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'setdriver dm9110 mydrivername' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b>
+ cmd = setdriver dm9110 mydrivername
+
+Successfully set dm9110 to driver mydrivername.
+</pre><p>
+Ah, no, I did not want to do that. Repeat, this time with the name I intended:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <i class="replaceable"><tt>SAMBA-CUPS</tt></i></tt></b>
+ cmd = setdriver dm9110 dm9110
+Successfully set dm9110 to driver dm9110.
+</pre><p>
+The syntax of the command is:
+</p><pre class="screen">
+<b class="userinput"><tt>rpcclient -U'root%<i class="replaceable"><tt>sambapassword</tt></i>' -c 'setdriver <i class="replaceable"><tt>printername</tt></i> \
+ <i class="replaceable"><tt>drivername</tt></i>' <i class="replaceable"><tt>SAMBA-Hostname</tt></i></tt></b>.
+</pre><p>
+Now we have done most of the work, but not all of it.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The <b class="command">setdriver</b> command will only succeed if the
+printer is already known to Samba. A
+bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba,
+or at least send an HUP signal to all running smbd processes to work around this: <b class="userinput"><tt>kill -HUP
+`pidof smbd`</tt></b>.
+</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2927518"></a>Client Driver Installation Procedure</h2></div></div><div></div></div><p>
+As Don Quixote said: “<span class="quote">The proof of the pudding is in the eating.</span>” The proof
+for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is
+not as straightforward as it may seem. Read on.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927537"></a>First Client Driver Installation</h3></div></div><div></div></div><p>
+Especially important is the installation onto the first client PC (for each architectural platform
+separately). Once this is done correctly, all further clients are easy to setup and shouldn't need further
+attention. What follows is a description for the recommended first procedure. You work now from a client
+workstation. You should guarantee that your connection is not unwittingly mapped to <span class="emphasis"><em>bad
+user</em></span> nobody. In a DOS box type:
+</p><p><b class="userinput"><tt>net use \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\print$ /user:root</tt></b></p><p>
+Replace root, if needed, by another valid <a class="indexterm" name="id2927577"></a><i class="parameter"><tt>printer admin</tt></i> user as given in
+the definition. Should you already be connected as a different user, you will get an error message. There
+is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging
+off from a share connection (do not confuse this with logging off from the local workstation; that is
+a different matter). You can try to close all Windows file explorer
+and Internet Explorer for Windows. As
+a last resort, you may have to reboot. Make sure there is no automatic reconnection set up. It may be
+easier to go to a different workstation and try from there. After you have made sure you are connected
+as a printer admin user (you can check this with the <b class="command">smbstatus</b> command on Samba),
+do this from the Windows workstation:
+</p><div class="procedure"><ol type="1"><li><p>
+ Open <span class="guiicon">Network Neighborhood</span>.
+ </p></li><li><p>
+ Browse to Samba server.
+ </p></li><li><p>
+ Open its <span class="guiicon">Printers and Faxes</span> folder.
+ </p></li><li><p>
+ Highlight and right-click on the printer.
+ </p></li><li><p>
+ Select <span class="guimenuitem">Connect</span> (for Windows NT4/200x
+ it is possibly <span class="guimenuitem">Install</span>).
+ </p></li></ol></div><p>
+A new printer (named <i class="replaceable"><tt>printername</tt></i> on Samba-server) should now have
+appeared in your <span class="emphasis"><em>local</em></span> Printer folder (check <span class="guimenu">Start</span> --
+<span class="guimenuitem">Settings</span> -- <span class="guimenuitem">Control Panel</span> -- <span class="guiicon">Printers
+and Faxes</span>).
+</p><p>
+Most likely you are now tempted to try to print a test page. After all, you now can open the printer
+properties, and on the <span class="guimenu">General</span> tab there is a button offering to do just that. But
+chances are that you get an error message saying <span class="errorname">Unable to print Test Page</span>. The
+reason might be that there is not yet a valid Device Mode set for the driver, or that the “<span class="quote">Printer
+Driver Data</span>” set is still incomplete.
+</p><p>
+You must make sure that a valid <i class="parameter"><tt>Device Mode</tt></i> is set for the
+driver. We now explain what that means.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2927769"></a>Setting Device Modes on New Printers</h3></div></div><div></div></div><p>
+For a printer to be truly usable by a Windows NT/200x/XP client, it must possess:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ A valid <span class="emphasis"><em>Device Mode</em></span> generated by the driver for the printer (defining things
+ like paper size, orientation and duplex settings).
+ </p></li><li><p>
+ A complete set of <span class="emphasis"><em>Printer Driver Data</em></span> generated by the driver.
+ </p></li></ul></div><p>
+If either of these is incomplete, the clients can produce less than optimal output at best. In the
+worst cases, unreadable garbage or nothing at all comes from the printer or it produces a harvest of
+error messages when attempting to print. Samba stores the named values and all printing related information in
+its internal TDB database files <tt class="filename">(ntprinters.tdb</tt>, <tt class="filename">ntdrivers.tdb</tt>,
+<tt class="filename">printing.tdb</tt> and <tt class="filename">ntforms.tdb</tt>).
+</p><p>
+What do these two words stand for? Basically, the Device Mode and the set of Printer Driver Data is a
+collection of settings for all print queue properties, initialized in a sensible way. Device Modes and
+Printer Driver Data should initially be set on the print server (the Samba host) to healthy
+values so the clients can start to use them immediately. How do we set these initial healthy values?
+This can be achieved by accessing the drivers remotely from an NT (or 200x/XP) client, as is discussed
+in the following paragraphs.
+</p><p>
+Be aware that a valid Device Mode can only be initiated by a
+<a class="indexterm" name="id2927864"></a><i class="parameter"><tt>printer admin</tt></i>, or root
+(the reason should be obvious). Device Modes can only be correctly
+set by executing the printer driver program itself. Since Samba cannot execute this Win32 platform driver
+code, it sets this field initially to NULL (which is not a valid setting for clients to use). Fortunately,
+most drivers automatically generate the Printer Driver Data that is needed when they are uploaded to the
+<i class="parameter"><tt>[print$]</tt></i> share with the help of the APW or rpcclient.
+</p><p>
+The generation and setting of a first valid Device Mode, however, requires some tickling from a client,
+to set it on the Samba server. The easiest means of doing so is to simply change the page orientation on
+the server's printer. This executes enough of the printer driver program on the client for the desired
+effect to happen, and feeds back the new Device Mode to our Samba server. You can use the native Windows
+NT/200x/XP printer properties page from a Window client for this:
+</p><div class="procedure"><ol type="1"><li><p>
+ Browse the <span class="guiicon">Network Neighborhood.</span>
+ </p></li><li><p>
+ Find the Samba server.
+ </p></li><li><p>
+ Open the Samba server's <span class="guiicon">Printers and Faxes</span> folder.
+ </p></li><li><p>
+ Highlight the shared printer in question.
+ </p></li><li><p>
+ Right-click on the printer (you may already be here, if you followed the last section's description).
+ </p></li><li><p>
+ At the bottom of the context menu select <span class="guimenu">Properties</span> (if the menu still offers the
+ <span class="guimenuitem">Connect</span> entry further above, you
+ need to click on that one first to achieve the driver
+ installation as shown in the last section).
+ </p></li><li><p>
+ Go to the <span class="guilabel">Advanced</span> tab; click on <span class="guibutton">Printing Defaults</span>.
+ </p></li><li><p>
+ Change the <span class="guimenuitem">Portrait</span> page setting to <span class="guimenuitem">Landscape</span> (and back).
+ </p></li><li><p>
+ Make sure to apply changes between swapping the page orientation to cause the change to actually take effect.
+ </p></li><li><p>
+ While you are at it, you may also want to set the desired printing defaults here, which then apply to all future
+ client driver installations on the remaining from now on.
+ </p></li></ol></div><p>
+This procedure has executed the printer driver program on the client platform and fed back the correct
+Device Mode to Samba, which now stored it in its TDB files. Once the driver is installed on the client,
+you can follow the analogous steps by accessing the <span class="emphasis"><em>local</em></span> <span class="guiicon">Printers</span>
+folder, too, if you are a Samba printer admin user. From now on, printing should work as expected.
+</p><p>
+Samba includes a service level parameter name <i class="parameter"><tt>default devmode</tt></i> for generating a default
+Device Mode for a printer. Some drivers will function well with Samba's default set of properties. Others
+may crash the client's spooler service. So use this parameter with caution. It is always better to have
+the client generate a valid device mode for the printer and store it on the server for you.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928112"></a>Additional Client Driver Installation</h3></div></div><div></div></div><p>
+Every additional driver may be installed, along the lines described
+above. Browse network, open the
+<span class="guiicon">Printers</span> folder on Samba server, right-click on <span class="guiicon">Printer</span> and choose
+<span class="guimenuitem">Connect...</span>. Once this completes (should be not more than a few seconds,
+but could also take a minute, depending on network conditions), you should find the new printer in your
+client workstation local <span class="guiicon">Printers and Faxes</span> folder.
+</p><p>
+You can also open your local <span class="guiicon">Printers and Faxes</span> folder by
+using this command on Windows 200x/XP Professional workstations:
+</p><p><b class="userinput"><tt>rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder</tt></b></p><p>
+or this command on Windows NT 4.0 workstations:
+</p><p><b class="userinput"><tt>
+rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2
+</tt></b></p><p>
+You can enter the commands either inside a <span class="guilabel">DOS box</span> window or in the <span class="guimenuitem">Run
+command...</span> field from the <span class="guimenu">Start</span> menu.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928220"></a>Always Make First Client Connection as root or “<span class="quote">printer admin</span>”</h3></div></div><div></div></div><p>
+After you installed the driver on the Samba server (in its <i class="parameter"><tt>[print$]</tt></i>
+share, you should always make sure that your first client installation completes correctly. Make it a
+habit for yourself to build the very first connection from a client as <a class="indexterm" name="id2928244"></a><i class="parameter"><tt>printer admin</tt></i>. This is to make sure that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ A first valid <span class="emphasis"><em>Device Mode</em></span> is really initialized (see above for more
+ explanation details).
+ </p></li><li><p>
+ The default print settings of your printer for all further client installations are as you want them.
+ </p></li></ul></div><p>
+Do this by changing the orientation to landscape, click on <span class="guiicon">Apply</span>, and then change it
+back again. Next, modify the other settings (for example, you do not want the default media size set to
+<span class="guiicon">Letter</span> when you are all using <span class="guiicon">A4</span>, right? You may want to set the
+printer for <span class="guiicon">duplex</span> as the default, and so on).
+</p><p>
+To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt:
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n
+ \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printername</tt></i>"</tt></b>
+</pre><p>
+</p><p>
+You will be prompted for root's Samba-password; type it, wait a few
+seconds, click on <span class="guibutton">Printing
+Defaults</span>, and proceed to set the job options that should be used as defaults by all
+clients. Alternately, instead of root you can name one other member of the <a class="indexterm" name="id2928372"></a><i class="parameter"><tt>printer admin</tt></i> from the setting.
+</p><p>
+ Now all the other users downloading and installing the driver the same way (called
+“<span class="quote">Point'n'Print</span>”) will have the same defaults set for them. If you miss this step
+you'll get a lot of Help Desk calls from your users, but maybe you like to talk to people.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928404"></a>Other Gotchas</h2></div></div><div></div></div><p>
+Your driver is installed. It is now ready for Point'n'Print
+installation by the clients. You may have tried to download and use it
+onto your first client machine, but
+wait. Let's make sure you are acquainted first with a few tips and tricks you may find useful. For example,
+suppose you did not set the defaults on the printer, as advised in the preceding
+paragraphs. Your users complain about various issues (such as, “<span class="quote">We need to set the paper size
+for each job from Letter to A4 and it will not store it.</span>”)
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928430"></a>Setting Default Print Options for Client Drivers</h3></div></div><div></div></div><p>
+The last sentence might be viewed with mixed feelings by some users and
+admins. They have struggled for hours and could not arrive at a point
+where their settings seemed to be saved. It is not their fault. The confusing
+thing is that in the multi-tabbed dialog that pops up when you right-click
+on the printer name and select <span class="guimenuitem">Properties</span>, you
+can arrive at two dialogs that appear identical, each claiming that they help
+you to set printer options in three different ways. Here is the definite
+answer to the Samba default driver setting FAQ:
+</p><p><b>“<span class="quote">I can not set and save default print options
+for all users on Windows 200x/XP. Why not?</span>” </b>
+How are you doing it? I bet the wrong way. (It is not easy to find out, though). There are three different
+ways to bring you to a dialog that seems to set everything. All three
+dialogs look the same, but only one
+of them does what you intend. You need to be Administrator or Print Administrator to do this for all
+users. Here is how I reproduce it in an XP Professional:
+
+The following list needs periods after the letters and numbers:::::::::
+</p><div class="orderedlist"><ol type="A"><li><p>The first “<span class="quote">wrong</span>” way:
+ </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guiicon">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
+ select in context menu <span class="guimenu">Printing Preferences...</span></p></li><li><p>Look at this dialog closely and remember what it looks like.</p></li></ol></div></li><li><p>The second “<span class="quote">wrong</span>” way:
+ </p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="guimenu">Printers</span> folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
+ cupshost</em></span>) and select in the context menu
+ <span class="guimenuitem">Properties</span></p></li><li><p>Click on the <span class="guilabel">General</span>
+ tab</p></li><li><p>Click on the <span class="guibutton">Printing
+ Preferences...</span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
+ to the parent dialog.</p></li></ol></div><p>
+ </p></li><li><p>
+ The third and correct way: (should you do this from the beginning, just carry out steps 1
+ and 2 from the second method above).
+ </p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="guilabel">Advanced</span>
+ tab. (If everything is “<span class="quote">grayed out,</span>” then you are not logged
+ in as a user with enough privileges).</p></li><li><p>Click on the <span class="guibutton">Printing
+ Defaults</span> button.</p></li><li><p>On any of the two new tabs,
+ click on the
+ <span class="guilabel">Advanced</span> button.</p></li><li><p>A new dialog opens. Compare
+ this one to the other. Are they
+ identical looking comparing one from
+ “<span class="quote">B.5</span>” and one from A.3".</p></li></ol></div></li></ol></div><p>
+Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which
+you arrived at with steps C.1 through 6 will permanently save any settings which will then become the defaults
+for new users. If you want all clients to have the same defaults, you need to conduct these steps as
+administrator (<a class="indexterm" name="id2928716"></a><i class="parameter"><tt>printer admin</tt></i> in ) before
+a client downloads the driver (the clients can later set their own per-user defaults
+by following procedures A or B above). Windows 200x/XP allow per-user default settings and the ones the
+administrator gives them, before they set up their own. The parents of the identically-looking dialogs have a slight difference in their window names; one is called <tt class="computeroutput">Default Print
+Values for Printer Foo on Server Bar"</tt> (which is the one you need) and the other is called
+“<span class="quote"><tt class="computeroutput">Print Settings for Printer Foo on Server Bar</tt></span>”. The last one is the one you
+arrive at when you right-click on the printer and select <span class="guimenuitem">Print Settings...</span>. This
+is the one that you were taught to use back in the days of Windows NT, so it is only natural to try the
+same way with Windows 200x/XP. You would not dream that there is now a different path to arrive at an
+identically looking, but functionally different, dialog to set defaults for all users.
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Try (on Windows 200x/XP) to run this command (as a user with the right privileges):
+</p><p><b class="userinput"><tt>
+rundll32 printui.dll,PrintUIEntry /p /t3 /n\\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
+</tt></b></p><p>
+To see the tab with the <span class="guilabel">Printing Defaults</span> button (the one you need),also run this command:
+</p><p><b class="userinput"><tt>
+rundll32 printui.dll,PrintUIEntry /p /t0 /n\\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
+</tt></b></p><p>
+To see the tab with the <span class="guilabel">Printing Preferences</span>
+button (the one which does not set system-wide defaults), you can
+start the commands from inside a DOS box" or from <span class="guimenu">Start</span> -> <span class="guimenuitem">Run</span>.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928854"></a>Supporting Large Numbers of Printers</h3></div></div><div></div></div><p>
+One issue that has arisen during the recent development phase of Samba is the need to support driver
+downloads for hunderds of printers. Using Windows NT APW here is somewhat awkward (to say the least). If
+you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need
+to think about a non-interactive script.
+</p><p>
+If more than one printer is using the same driver, the <b class="command">rpcclient setdriver</b>
+command can be used to set the driver associated with an installed queue. If the driver is uploaded to
+<i class="parameter"><tt>[print$]</tt></i> once and registered with the printing TDBs, it can be used by
+multiple print queues. In this case, you just need to repeat the <b class="command">setprinter</b> subcommand of
+<b class="command">rpcclient</b> for every queue (without the need to conduct the <b class="command">adddriver</b>
+repeatedly). The following is an example of how this could be accomplished:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumdrivers'</tt></b>
+ cmd = enumdrivers
+
+ [Windows NT x86]
+ Printer Driver Info 1:
+ Driver Name: [infotec IS 2075 PCL 6]
+
+ Printer Driver Info 1:
+ Driver Name: [DANKA InfoStream]
+
+ Printer Driver Info 1:
+ Driver Name: [Heidelberg Digimaster 9110 (PS)]
+
+ Printer Driver Info 1:
+ Driver Name: [dm9110]
+
+ Printer Driver Info 1:
+ Driver Name: [mydrivername]
+
+ [....]
+</pre><p>
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
+ cmd = enumprinters
+ flags:[0x800000]
+ name:[\\SAMBA-CUPS\dm9110]
+ description:[\\SAMBA-CUPS\dm9110,,110ppm HiVolume DANKA Stuttgart]
+ comment:[110 ppm HiVolume DANKA Stuttgart]
+ [....]
+</pre><p>
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c \
+ 'setdriver <i class="replaceable"><tt>dm9110</tt></i> "<i class="replaceable"><tt>Heidelberg Digimaster 9110 (PS)</tt></i>"'</tt></b>
+ cmd = setdriver dm9110 Heidelberg Digimaster 9110 (PPD)
+ Successfully set dm9110 to driver Heidelberg Digimaster 9110 (PS).
+</pre><p>
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
+ cmd = enumprinters
+ flags:[0x800000]
+ name:[\\SAMBA-CUPS\dm9110]
+ description:[\\SAMBA-CUPS\dm9110,Heidelberg Digimaster 9110 (PS),\
+ 110ppm HiVolume DANKA Stuttgart]
+ comment:[110ppm HiVolume DANKA Stuttgart]
+ [....]
+</pre><p>
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'setdriver <i class="replaceable"><tt>dm9110</tt></i> <i class="replaceable"><tt>mydrivername</tt></i>'</tt></b>
+ cmd = setdriver dm9110 mydrivername
+ Successfully set dm9110 to mydrivername.
+</pre><p>
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>SAMBA-CUPS</tt></i> -U root%<i class="replaceable"><tt>secret</tt></i> -c 'enumprinters'</tt></b>
+ cmd = enumprinters
+ flags:[0x800000]
+ name:[\\SAMBA-CUPS\dm9110]
+ description:[\\SAMBA-CUPS\dm9110,mydrivername,\
+ 110ppm HiVolume DANKA Stuttgart]
+ comment:[110ppm HiVolume DANKA Stuttgart]
+ [....]
+</pre><p>
+It may not be easy to recognize that the first call to <b class="command">enumprinters</b> showed the
+“<span class="quote">dm9110</span>” printer with an empty string where the driver should have been listed (between
+the 2 commas in the description field). After the <b class="command">setdriver</b> command
+succeeded, all is well.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929151"></a>Adding New Printers with the Windows NT APW</h3></div></div><div></div></div><p>
+By default, Samba exhibits all printer shares defined in <tt class="filename">smb.conf</tt> in the <span class="guiicon">Printers</span>
+folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ The connected user is able to successfully execute an <b class="command">OpenPrinterEx(\\server)</b> with
+ administrative privileges (i.e., root or <a class="indexterm" name="id2929197"></a><i class="parameter"><tt>printer admin</tt></i>).
+ </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Try this from a Windows 200x/XP DOS box command prompt:
+ </p><p><b class="userinput"><tt>
+ runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\<i class="replaceable"><tt>SAMBA-SERVER</tt></i>\<i class="replaceable"><tt>printersharename</tt></i>
+ </tt></b></p><p>
+ Click on <span class="guibutton">Printing Preferences</span>.
+ </p></div></li><li><p>... contains the setting
+ <a class="indexterm" name="id2929252"></a><i class="parameter"><tt>show add printer wizard</tt></i> = yes (the
+ default).</p></li></ul></div><p>
+The APW can do various things:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Upload a new driver to the Samba <i class="parameter"><tt>[print$]</tt></i> share.
+ </p></li><li><p>
+ Associate an uploaded driver with an existing (but still driverless) print queue.
+ </p></li><li><p>
+ Exchange the currently used driver for an existing print queue with one that has been uploaded before.
+ </p></li><li><p>
+ Add an entirely new printer to the Samba host (only in conjunction with a working
+ <a class="indexterm" name="id2929308"></a><i class="parameter"><tt>add printer command</tt></i>. A corresponding
+ <a class="indexterm" name="id2929324"></a><i class="parameter"><tt>delete printer command</tt></i> for removing entries from the
+ <span class="guiicon">Printers</span> folder may also be provided).
+ </p></li></ul></div><p>
+The last one (add a new printer) requires more effort than the previous ones. To use
+the APW to successfully add a printer to a Samba server, the <a class="indexterm" name="id2929353"></a><i class="parameter"><tt>add printer command</tt></i> must have a defined value. The program hook must successfully
+add the printer to the UNIX print system (i.e., to <tt class="filename">/etc/printcap</tt>,
+<tt class="filename">/etc/cups/printers.conf</tt> or other appropriate files) and to <tt class="filename">smb.conf</tt> if necessary.
+</p><p>
+When using the APW from a client, if the named printer share does not exist, smbd will execute the
+<a class="indexterm" name="id2929396"></a><i class="parameter"><tt>add printer command</tt></i> and reparse to the to attempt to locate the new printer
+share. If the share is still not defined, an error of <span class="errorname">Access Denied</span> is returned to
+the client. The <a class="indexterm" name="id2929418"></a><i class="parameter"><tt>add printer command</tt></i> is executed
+under the context of the connected user, not necessarily a root account. A <a class="indexterm" name="id2929433"></a><i class="parameter"><tt>map to guest</tt></i> = bad user may have connected you unwittingly under the wrong
+privilege. You should check it by using the <b class="command">smbstatus</b> command.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929458"></a>Error Message: “<span class="quote"><span class="errorname">Cannot connect under a different Name</span></span>”</h3></div></div><div></div></div><p>
+Once you are connected with the wrong credentials, there is no means to reverse the situation other than
+to close all Explorer Windows, and perhaps reboot.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ The <b class="command">net use \\SAMBA-SERVER\sharename /user:root</b> gives you an error message:
+ “<span class="quote">Multiple connections to a server or a shared resource by the same user utilizing
+ the several user names are not allowed. Disconnect all previous connections to the server,
+ resp. the shared resource, and try again.</span>”
+ </p></li><li><p>
+ Every attempt to “<span class="quote">connect a network drive</span>” to <tt class="filename">\\SAMBASERVER\\print$</tt>
+ to <tt class="constant">z:</tt> is countered by the pertinacious message: “<span class="quote">This
+ network folder is currently connected under different credentials (username and password).
+ Disconnect first any existing connection to this network share in order to connect again under
+ a different username and password</span>”.
+ </p></li></ul></div><p>
+So you close all connections. You try again. You get the same message. You check from the Samba side,
+using <b class="command">smbstatus</b>. Yes, there are more connections. You kill them all. The client
+still gives you the same error message. You watch the smbd.log file on a high debug level and try
+reconnect. Same error message, but not a single line in the log. You start to wonder if there was a
+connection attempt at all. You run ethereal and tcpdump while you try to connect. Result: not a single
+byte goes on the wire. Windows still gives the error message. You close all Explorer windows and start it
+again. You try to connect and this times it works! Windows seems to cache connection informtion somewhere and
+does not keep it up-to-date (if you are unlucky you might need to reboot to get rid of the error message).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929564"></a>Take Care When Assembling Driver Files</h3></div></div><div></div></div><p>
+You need to be extremely careful when you take notes about the files and belonging to a particular
+driver. Don't confuse the files for driver version “<span class="quote">0</span>” (for Windows 9x/Me, going into
+<tt class="filename">[print$]/WIN/0/</tt>), driver version <tt class="filename">2</tt> (Kernel Mode driver for Windows NT,
+going into <tt class="filename">[print$]/W32X86/2/</tt> may be used on Windows 200x/XP also), and
+driver version “<span class="quote">3</span>” (non-Kernel Mode driver going into <tt class="filename">[print$]/W32X86/3/</tt>
+cannot be used on Windows NT). Quite often these different driver versions contain
+files that have the same name but actually are very different. If you look at them from
+the Windows Explorer (they reside in <tt class="filename">%WINDOWS%\system32\spool\drivers\W32X86\</tt>),
+you will probably see names in capital letters, while an <b class="command">enumdrivers</b> command from Samba
+would show mixed or lower case letters. So it is easy to confuse them. If you install them manually using
+<b class="command">rpcclient</b> and subcommands, you may even succeed without an error message. Only later,
+when you try install on a client, you will encounter error messages like <tt class="computeroutput">This server
+has no appropriate driver for the printer</tt>.
+</p><p>
+Here is an example. You are invited to look closely at the various files, compare their names and
+their spelling, and discover the differences in the composition of the version 2 and 3 sets. Note: the
+version 0 set contained 40 <i class="parameter"><tt>Dependentfiles</tt></i>, so I left it out for space reasons:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>rpcclient -U 'Administrator%<i class="replaceable"><tt>secret</tt></i>' -c 'enumdrivers 3' 10.160.50.8 </tt></b>
+
+ Printer Driver Info 3:
+ Version: [3]
+ Driver Name: [Canon iR8500 PS3]
+ Architecture: [Windows NT x86]
+ Driver Path: [\\10.160.50.8\print$\W32X86\3\cns3g.dll]
+ Datafile: [\\10.160.50.8\print$\W32X86\3\iR8500sg.xpd]
+ Configfile: [\\10.160.50.8\print$\W32X86\3\cns3gui.dll]
+ Helpfile: [\\10.160.50.8\print$\W32X86\3\cns3g.hlp]
+
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aucplmNT.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\ucs32p.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\tnl32.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussdrv.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cnspdc.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\aussapi.dat]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3407.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\CnS3G.cnt]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBAPI.DLL]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\NBIPC.DLL]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcview.exe]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcdspl.exe]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcedit.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm.exe]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcspl.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cfine32.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcr407.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\Cpcqm407.hlp]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cpcqm407.cnt]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\3\cns3ggr.dll]
+
+ Monitorname: []
+ Defaultdatatype: []
+
+ Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [Canon iR5000-6000 PS3]
+ Architecture: [Windows NT x86]
+ Driver Path: [\\10.160.50.8\print$\W32X86\2\cns3g.dll]
+ Datafile: [\\10.160.50.8\print$\W32X86\2\IR5000sg.xpd]
+ Configfile: [\\10.160.50.8\print$\W32X86\2\cns3gui.dll]
+ Helpfile: [\\10.160.50.8\print$\W32X86\2\cns3g.hlp]
+
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\AUCPLMNT.DLL]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussdrv.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cnspdc.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\aussapi.dat]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3407.dll]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\CnS3G.cnt]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBAPI.DLL]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\NBIPC.DLL]
+ Dependentfiles: [\\10.160.50.8\print$\W32X86\2\cns3gum.dll]
+
+ Monitorname: [CPCA Language Monitor2]
+ Defaultdatatype: []
+
+</pre><p>
+If we write the “<span class="quote">version 2</span>” files and the “<span class="quote">version 3</span>” files
+into different text files and compare the result, we see this
+picture:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>sdiff 2-files 3-files</tt></b>
+
+
+ cns3g.dll cns3g.dll
+ iR8500sg.xpd iR8500sg.xpd
+ cns3gui.dll cns3gui.dll
+ cns3g.hlp cns3g.hlp
+ AUCPLMNT.DLL | aucplmNT.dll
+ > ucs32p.dll
+ > tnl32.dll
+ aussdrv.dll aussdrv.dll
+ cnspdc.dll cnspdc.dll
+ aussapi.dat aussapi.dat
+ cns3407.dll cns3407.dll
+ CnS3G.cnt CnS3G.cnt
+ NBAPI.DLL NBAPI.DLL
+ NBIPC.DLL NBIPC.DLL
+ cns3gum.dll | cpcview.exe
+ > cpcdspl.exe
+ > cpcqm.exe
+ > cpcspl.dll
+ > cfine32.dll
+ > cpcr407.dll
+ > Cpcqm407.hlp
+ > cpcqm407.cnt
+ > cns3ggr.dll
+
+</pre><p>
+
+Do not be fooled! Driver files for each version with identical
+names may be different in their content, as you can see from this size
+comparison:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>for i in cns3g.hlp cns3gui.dll cns3g.dll; do \
+ smbclient //10.160.50.8/print\$ -U 'Administrator%xxxx' \
+ -c "cd W32X86/3; dir $i; cd .. ; cd 2; dir $i"; \
+ done</tt></b>
+
+ CNS3G.HLP A 122981 Thu May 30 02:31:00 2002
+ CNS3G.HLP A 99948 Thu May 30 02:31:00 2002
+
+ CNS3GUI.DLL A 1805824 Thu May 30 02:31:00 2002
+ CNS3GUI.DLL A 1785344 Thu May 30 02:31:00 2002
+
+ CNS3G.DLL A 1145088 Thu May 30 02:31:00 2002
+ CNS3G.DLL A 15872 Thu May 30 02:31:00 2002
+</pre><p>
+In my example were even more differences than shown here. Conclusion: you must be careful to select
+the correct driver files for each driver version. Don't rely on the
+names alone and don't interchange files
+belonging to different driver versions.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929923"></a>Samba and Printer Ports</h3></div></div><div></div></div><p>
+Windows NT/2000 print servers associate a port with each printer. These normally take the form of
+<tt class="filename">LPT1:</tt>, <tt class="filename">COM1:</tt>,
+<tt class="filename">FILE:</tt>, and so on. Samba must also
+support the concept of ports associated with a printer. By default, only one printer port, named “<span class="quote">Samba
+Printer Port</span>”, exists on a system. Samba does not really need such a “<span class="quote">port</span>” in order
+to print; rather it is a requirement of Windows clients. They insist on being told about an available
+port when they request this information, otherwise they throw an error message at you. So Samba fakes the port
+information to keep the Windows clients happy.
+</p><p>
+Samba does not support the concept of <tt class="constant">Printer Pooling</tt> internally either. Printer
+Pooling assigns a logical printer to multiple ports as a form of load balancing or fail over.
+</p><p>
+If you require multiple ports be defined for some reason or another (my users and my boss should not know
+that they are working with Samba), configure <a class="indexterm" name="id2929988"></a><i class="parameter"><tt>enumports command</tt></i>
+which can be used to define an external program that generates a listing of ports on a system.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930008"></a>Avoiding Common Client Driver Misconfiguration</h3></div></div><div></div></div><p>
+So now the printing works, but there are still problems. Most jobs print well, some do not print at
+all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some
+are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about
+“<span class="quote">Avoiding the Wrong PostScript Driver Settings</span>” in the CUPS Printing part of this document.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930033"></a>The Imprints Toolset</h2></div></div><div></div></div><p>
+The Imprints tool set provides a UNIX equivalent of the Windows NT Add Printer
+Wizard. For complete information, please refer to the Imprints Web site at <ulink url="http://imprints.sourceforge.net/">http://imprints.sourceforge.net/</ulink> as well as the documentation
+included with the imprints source distribution. This section only provides a brief introduction to
+the features of Imprints.
+</p><p>
+Unfortunately, the Imprints toolset is no longer maintained. As of December 2000, the project is in
+need of a new maintainer. The most important skill to have is Perl coding and an interest in MS-RPC-based
+printing used in Samba. If you wish to volunteer, please coordinate
+your efforts on the Samba technical
+mailing list. The toolset is still in usable form, but only for a series of older printer models where
+there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints
+should have a future.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930071"></a>What is Imprints?</h3></div></div><div></div></div><p>
+Imprints is a collection of tools for supporting these goals:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Providing a central repository of information regarding Windows NT and 95/98 printer driver packages.
+ </p></li><li><p>
+ Providing the tools necessary for creating the Imprints printer driver packages.
+ </p></li><li><p>
+ Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server
+ repository and install them on remote Samba and Windows NT4 print servers.
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930113"></a>Creating Printer Driver Packages</h3></div></div><div></div></div><p>
+The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt
+also included with the Samba distribution for more information). In short, an Imprints driver package
+is a gzipped tarball containing the driver files, related INF files, and a control file needed by the
+installation client.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930132"></a>The Imprints Server</h3></div></div><div></div></div><p>
+The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each
+printer entry in the database has an associated URL for the actual downloading of the package. Each
+package is digitally signed via GnuPG which can be used to verify that
+the package downloaded is actually
+the one referred in the Imprints database. It is strongly recommended that this security check
+not be disabled.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930153"></a>The Installation Client</h3></div></div><div></div></div><p>
+More information regarding the Imprints installation client is available from the the documentation file
+<tt class="filename">Imprints-Client-HOWTO.ps</tt> that is included with the Imprints source package. The Imprints
+installation client comes in two forms:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A set of command line Perl scripts.</p></li><li><p>A GTK+ based graphical interface to the command line Perl scripts.</p></li></ul></div><p>
+The installation client (in both forms) provides a means of querying the Imprints database server for
+a matching list of known printer model names as well as a means to download and install the drivers on
+remote Samba and Windows NT print servers.
+</p><p>
+The basic installation process is in four steps and Perl code is wrapped around smbclient and rpcclient.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ For each supported architecture for a given driver:
+ </p><div class="orderedlist"><ol type="1"><li><p>rpcclient: Get the appropriate upload directory on the remote server.</p></li><li><p>smbclient: Upload the driver files.</p></li><li><p>rpcclient: Issues an AddPrinterDriver() MS-RPC.</p></li></ol></div><p>
+ </p></li><li><p>rpcclient: Issue an AddPrinterEx() MS-RPC to actually create the printer.</p></li></ul></div><p>
+One of the problems encountered when implementing the Imprints tool set was the name space issues between
+various supported client architectures. For example, Windows NT includes a driver named “<span class="quote">Apple LaserWriter
+II NTX v51.8</span>” and Windows 95 calls its version of this driver “<span class="quote">Apple LaserWriter II NTX</span>”.
+</p><p>
+The problem is how to know what client drivers have been uploaded for a printer. An astute reader will
+remember that the Windows NT Printer Properties dialog only includes space for one printer driver name. A
+quick look in the Windows NT 4.0 system registry at:
+</p><p><tt class="filename">
+ HKLM\System\CurrentControlSet\Control\Print\Environment
+</tt></p><p>
+will reveal that Windows NT always uses the NT driver name. This is okay as Windows NT always requires
+that at least the Windows NT version of the printer driver is present. Samba does not have the
+requirement internally, therefore, “<span class="quote">How can you use the NT driver name if it has not already been installed?</span>”
+</p><p>
+The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and
+95/98 printer drivers and that the NT driver is installed first.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930314"></a>Adding Network Printers without User Interaction</h2></div></div><div></div></div><p>
+The following MS Knowledge Base article may be of some help if you need to handle Windows 2000
+clients: <span class="emphasis"><em>How to Add Printers with No User Interaction in Windows 2000,</em></span> (<ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;189105">http://support.microsoft.com/default.aspx?scid=kb;en-us;189105</ulink>).
+It also applies to Windows XP Professional clients.
+The ideas sketched out in this section are inspired by this article, which describes a commandline method that can be
+applied to install network and local printers and their drivers. This is most useful if integrated in Logon
+Scripts. You can see what options are available by typing in the command prompt (<b class="command">DOS box</b>):
+</p><p><b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /?</tt></b></p><p>
+A window pops up that shows you all of the commandline switches available. An extensive list of examples
+is also provided. This is only for Win 200x/XP, it does not work on
+Windows NT. Windows NT probably has
+some other tools in the respective Resource Kit. Here is a suggestion about what a client logon script
+might contain, with a short explanation of what the lines actually do (it works if 200x/XP Windows
+clients access printers via Samba, and works for Windows-based print servers too):
+</p><pre class="screen">
+<b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /dn /n "\\cupsserver\infotec2105-IPDS" /q</tt></b>
+<b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /in /n "\\cupsserver\infotec2105-PS"</tt></b>
+<b class="userinput"><tt>rundll32 printui.dll,PrintUIEntry /y /n "\\cupsserver\infotec2105-PS"</tt></b>
+</pre><p>
+Here is a list of the used commandline parameters:
+</p><div class="variablelist"><dl><dt><span class="term">/dn</span></dt><dd><p>deletes a network printer</p></dd><dt><span class="term">/q</span></dt><dd><p>quiet modus</p></dd><dt><span class="term">/n</span></dt><dd><p>names a printer</p></dd><dt><span class="term">/in</span></dt><dd><p>adds a network printer connection</p></dd><dt><span class="term">/y</span></dt><dd><p>sets printer as default printer</p></dd></dl></div><div class="itemizedlist"><ul type="disc"><li><p>
+ Line 1 deletes a possibly existing previous network printer <span class="emphasis"><em>infotec2105-IPDS</em></span>
+ (which had used native Windows drivers with LPRng that were removed from the server that was
+ converted to CUPS). The <b class="command">/q</b> at the end eliminates Confirm
+ or error dialog boxes from popping up. They should not be presented to the user logging on.
+ </p></li><li><p>
+ Line 2 adds the new printer
+ <span class="emphasis"><em>infotec2105-PS</em></span> (which actually is the same
+ physical device but is now run by the new CUPS printing system and associated with the
+ CUPS/Adobe PS drivers). The printer and its driver must have been added to Samba prior to
+ the user logging in (e.g., by a procedure as discussed earlier in this chapter, or by running
+ <b class="command">cupsaddsmb</b>). The driver is now auto-downloaded to the client PC where the
+ user is about to log in.
+ </p></li><li><p>
+ Line 3 sets the default printer to this new network printer (there might be several other
+ printers installed with this same method and some may be local as well, so we decide for a
+ default printer). The default printer selection may, of course, be different for different users.
+ </p></li></ul></div><p>
+The second line only works if the printer <span class="emphasis"><em>infotec2105-PS</em></span> has an already working
+print queue on the <tt class="constant">cupsserver</tt>, and if the
+printer drivers have been successfully uploaded
+(via the <b class="command">APW</b>, <b class="command">smbclient/rpcclient</b>, or <b class="command">cupsaddsmb</b>)
+into the <i class="parameter"><tt>[print$]</tt></i> driver repository of Samba. Some Samba versions
+prior to version 3.0 required a re-start of smbd after the printer install and the driver upload,
+otherwise the script (or any other client driver download) would fail.
+</p><p>
+Since there no easy way to test for the existence of an installed network printer from the logon script,
+do not bother checking, just allow the deinstallation/reinstallation to occur every time a user logs in;
+it's really quick anyway (1 to 2 seconds).
+</p><p>
+The additional benefits for this are:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ It puts in place any printer default setup changes automatically at every user logon.
+ </p></li><li><p>
+ It allows for “<span class="quote">roaming</span>” users' login into the domain from different workstations.
+ </p></li></ul></div><p>
+Since network printers are installed per user, this much simplifies the process of keeping the installation
+up-to-date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally
+added, changed and deleted at will on the server with no user intervention required from the clients
+(you just need to keep the logon scripts up-to-date).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930639"></a>The <b class="command">addprinter</b> Command</h2></div></div><div></div></div><p>
+The <b class="command">addprinter</b> command can be configured to be a shell script or program executed by
+Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks
+the user to fill in several fields (such as printer name, driver to be used, comment, port monitor,
+and so on). These parameters are passed on to Samba by the APW. If the addprinter command is designed in a
+way that it can create a new printer (through writing correct printcap entries on legacy systems, or
+execute the <b class="command">lpadmin</b> command on more modern systems) and create the associated share
+in, then the APW will in effect really create a new printer on Samba and the UNIX print subsystem!
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930686"></a>Migration of Classical Printing to Samba</h2></div></div><div></div></div><p>
+The basic NT-style printer driver management has not changed considerably in 3.0 over the 2.2.x releases
+(apart from many small improvements). Here migration should be quite easy, especially if you followed
+previous advice to stop using deprecated parameters in your setup. For migrations from an existing 2.0.x
+setup, or if you continued Windows 9x/Me-style printing in your Samba 2.2 installations, it is more of
+an effort. Please read the appropriate release notes and the HOWTO Collection for Samba-2.2.x. You can
+follow several paths. Here are possible scenarios for migration:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ You need to study and apply the new Windows NT printer and driver support. Previously used
+ parameters <i class="parameter"><tt>printer driver file</tt></i>, <i class="parameter"><tt>printer driver</tt></i>
+ and <i class="parameter"><tt>printer driver location</tt></i> are no longer supported.
+ </p></li><li><p>
+ If you want to take advantage of Windows NT printer driver support, you also need to migrate the
+ Windows 9x/Me drivers to the new setup.
+ </p></li><li><p>
+ An existing <tt class="filename">printers.def</tt> file (the one specified in the now removed parameter
+ <i class="parameter"><tt>printer driver file</tt></i>) will no longer work with Samba-3. In 3.0, smbd attempts
+ to locate a Windows 9x/Me driver files for the printer in <i class="parameter"><tt>[print$]</tt></i>
+ and additional settings in the TDB and only there; if it fails, it will <span class="emphasis"><em>not</em></span>
+ (as 2.2.x used to do) drop down to using a <tt class="filename">printers.def</tt> (and all associated
+ parameters). The make_printerdef tool is removed and there is no backward compatibility for this.
+ </p></li><li><p>You need to install a Windows 9x/Me driver into the
+ <i class="parameter"><tt>[print$]</tt></i> share for a printer on your Samba
+ host. The driver files will be stored in the “<span class="quote">WIN40/0</span>” subdirectory of
+ <i class="parameter"><tt>[print$]</tt></i>, and some other settings and information go
+ into the printing-related TDBs.</p></li><li><p>If you want to migrate an existing
+ <tt class="filename">printers.def</tt> file into the new setup, the
+ only current
+ solution is to use the Windows NT APW to install the NT drivers
+ and the 9x/Me drivers. This can be scripted using smbclient and
+ rpcclient. See the Imprints installation client at:
+ </p><p>
+ <ulink url="http://imprints.sourceforge.net/">http://imprints.sourceforge.net/</ulink>
+ </p><p>
+ for an example. See also the discussion of rpcclient usage in the
+ “<span class="quote">CUPS Printing</span>” section.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930861"></a>Publishing Printer Information in Active Directory or LDAP</h2></div></div><div></div></div><p>
+This will be addressed in a later update of this document. If you wish to volunteer your services to help
+document this, please contact <ulink url="mail://jht@samba.org">John H Terpstra.</ulink>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2930884"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930892"></a>I Give My Root Password but I Do Not Get Access</h3></div></div><div></div></div><p>
+Do not confuse the root password which is valid for the UNIX system (and in most cases stored in the
+form of a one-way hash in a file named <tt class="filename">/etc/shadow</tt>), with the password used to
+authenticate against Samba. Samba does not know the UNIX password. Root access to Samba resources
+requires that a Samba account for root must first be created. This is done with the <b class="command">smbpasswd</b>
+command as follows:
+</p><pre class="screen">
+<tt class="prompt">root# </tt> smbpasswd -a root
+New SMB password: secret
+Retype new SMB password: secret
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2930943"></a>My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost</h3></div></div><div></div></div><p>
+Do not use the existing UNIX print system spool directory for the Samba spool directory. It may seem
+convenient and a savings of space, but it only leads to problems. The two must be separate.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="msdfs.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="CUPS-printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 17. Hosting a Microsoft Distributed File System tree on Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 19. CUPS Printing Support</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 34. Analyzing and Solving Samba Problems</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="troubleshooting.html" title="Part V. Troubleshooting"><link rel="previous" href="diagnosis.html" title="Chapter 33. The Samba Checklist"><link rel="next" href="bugreport.html" title="Chapter 35. Reporting Bugs"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 34. Analyzing and Solving Samba Problems</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><th width="60%" align="center">Part V. Troubleshooting</th><td width="20%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="problems"></a>Chapter 34. Analyzing and Solving Samba Problems</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Dan</span> <span class="surname">Shearer</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dan@samba.org">dan@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">8 Apr 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="problems.html#id2971255">Diagnostics Tools</a></dt><dd><dl><dt><a href="problems.html#id2971276">Debugging with Samba Itself</a></dt><dt><a href="problems.html#id2971441">Tcpdump</a></dt><dt><a href="problems.html#id2971477">Ethereal</a></dt><dt><a href="problems.html#id2971621">The Windows Network Monitor</a></dt></dl></dd><dt><a href="problems.html#id2971938">Useful URLs</a></dt><dt><a href="problems.html#id2971978">Getting Mailing List Help</a></dt><dt><a href="problems.html#id2972155">How to Get Off the Mailing Lists</a></dt></dl></div><p>
+There are many sources of information available in the form
+of mailing lists, RFCs and documentation. The documentation that comes
+with the Samba distribution contains good explanations of
+general SMB topics such as browsing.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2971255"></a>Diagnostics Tools</h2></div></div><div></div></div><p>With SMB networking, it is often not immediately clear what
+the cause is of a certain problem. Samba itself provides rather
+useful information, but in some cases you might have to fall back
+to using a <span class="emphasis"><em>sniffer</em></span>. A sniffer is a program that
+listens on your LAN, analyzes the data sent on it and displays it
+on the screen.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2971276"></a>Debugging with Samba Itself</h3></div></div><div></div></div><p>
+One of the best diagnostic tools for debugging problems is Samba itself.
+You can use the <tt class="option">-d option</tt> for both <span class="application">smbd</span> and <span class="application">nmbd</span> to specify the
+<a class="indexterm" name="id2971308"></a><i class="parameter"><tt>debug level</tt></i> at which to run.
+See the man pages for <b class="command">smbd, nmbd</b> and
+<tt class="filename">smb.conf</tt> for more information regarding debugging options. The debug
+level can range from 1 (the default) to 10 (100 for debugging passwords).
+</p><p>
+Another helpful method of debugging is to compile Samba using the
+<b class="command">gcc -g </b> flag. This will include debug information in the binaries and
+allow you to attach gdb to the running <b class="command">smbd/nmbd</b> process.
+To attach <b class="command">gdb</b> to an <b class="command">smbd</b>
+process for an NT workstation, first get the workstation to make the
+connection. Pressing ctrl-alt-delete and going down to the domain box
+is sufficient (at least, the first time you join the domain) to
+generate a <i class="parameter"><tt>LsaEnumTrustedDomains</tt></i>. Thereafter, the workstation
+maintains an open connection and there will be an smbd
+process running (assuming that you haven't set a really short smbd
+idle timeout). So, in between pressing <b class="command">ctrl-alt-delete</b> and actually
+typing in your password, you can attach <b class="command">gdb</b> and continue.
+</p><p>
+Some useful Samba commands worth investigating are:
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>testparm | more</tt></b>
+<tt class="prompt">$ </tt><b class="userinput"><tt>smbclient -L //{netbios name of server}</tt></b>
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2971441"></a>Tcpdump</h3></div></div><div></div></div><p>
+<ulink url="http://www.tcpdump.org/">Tcpdump</ulink> was the first
+UNIX sniffer with SMB support. It is a command-line utility and
+now, its SMB support is somewhat lagging that of <b class="command">ethereal</b>
+and <b class="command">tethereal</b>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2971477"></a>Ethereal</h3></div></div><div></div></div><p>
+<ulink url="http://www.ethereal.com/">Ethereal</ulink> is a graphical
+sniffer, available for both UNIX (Gtk) and Windows. Ethereal's
+SMB support is quite good.</p><p>For details on the use of <b class="command">ethereal</b>, read the well-written
+Ethereal User Guide.</p><div class="figure"><a name="ethereal1"></a><p class="title"><b>Figure 34.1. Starting a capture.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/ethereal1.png" width="270" alt="Starting a capture."></div></div><p>
+Listen for data on ports 137, 138, 139, and 445. For example, use the filter <b class="userinput"><tt>port 137, port 138, port 139, or port 445</tt></b> as seen in <link linkend="ethereal1">.</p><p>A console version of ethereal is available as well and is called
+<b class="command">tethereal</b>.</p><div class="figure"><a name="ethereal2"></a><p class="title"><b>Figure 34.2. Main ethereal data window.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/ethereal2.png" width="270" alt="Main ethereal data window."></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2971621"></a>The Windows Network Monitor</h3></div></div><div></div></div><p>
+For tracing things on Microsoft Windows NT, Network Monitor
+(aka Netmon) is available on Microsoft Developer Network CDs,
+the Windows NT Server install CD and the SMS CDs. The version of
+Netmon that ships with SMS allows for dumping packets between any two
+computers (i.e., placing the network interface in promiscuous mode).
+The version on the NT Server install CD will only allow monitoring
+of network traffic directed to the local NT box and broadcasts on the
+local subnet. Be aware that Ethereal can read and write Netmon
+formatted files.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2971641"></a>Installing Network Monitor on an NT Workstation</h4></div></div><div></div></div><p>
+Installing Netmon on an NT workstation requires a couple
+of steps. The following are instructions for installing Netmon V4.00.349, which comes
+with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
+Workstation 4.0. The process should be similar for other versions of
+Windows NT version of Netmon. You will need both the Microsoft Windows
+NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+</p><p>
+Initially you will need to install <span class="application">Network Monitor Tools and Agent</span>
+on the NT Server to do this:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> -> <span class="guibutton">Settings</span> -> <span class="guibutton">Control Panel</span> ->
+ <span class="guibutton">Network</span> -> <span class="guibutton">Services</span> -> <span class="guibutton">Add</span>.</p></li><li><p>Select the <span class="guilabel">Network Monitor Tools and Agent</span> and click on <span class="guibutton">OK</span>.</p></li><li><p>Click on <span class="guibutton">OK</span> on the Network Control Panel.</p></li><li><p>Insert the Windows NT Server 4.0 install CD when prompted.</p></li></ul></div><p>
+At this point, the Netmon files should exist in <tt class="filename">%SYSTEMROOT%\System32\netmon\*.*</tt>.
+Two subdirectories exist as well, <tt class="filename">parsers\</tt> which contains the necessary DLLs
+for parsing the Netmon packet dump, and <tt class="filename">captures\</tt>.
+</p><p>
+To install the Netmon tools on an NT Workstation, you will first need to install the
+Network Monitor Agent from the Workstation install CD.
+</p><div class="itemizedlist"><ul type="disc"><li><p>Go to <span class="guibutton">Start</span> -> <span class="guibutton">Settings</span> -> <span class="guibutton">Control Panel</span> ->
+ <span class="guibutton">Network</span> -> <span class="guibutton">Services</span> -> <span class="guibutton">Add</span>.</p></li><li><p>Select the <span class="guilabel">Network Monitor Agent</span>, click on <span class="guibutton">OK</span>.</p></li><li><p>Click on <span class="guibutton">OK</span> in the Network Control Panel.
+ </p></li><li><p>Insert the Windows NT Workstation 4.0 install CD when prompted.</p></li></ul></div><p>
+Now copy the files from the NT Server in <tt class="filename">%SYSTEMROOT%\System32\netmon</tt>
+to <tt class="filename">%SYSTEMROOT%\System32\netmon</tt> on the Workstation and set permissions
+as you deem appropriate for your site. You will need administrative rights on the NT box to run Netmon.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2971911"></a>Installing Network Monitor on Windows 9x/Me</h4></div></div><div></div></div><p>
+To install Netmon on Windows 9x/Me, install the Network Monitor Agent
+from the Windows 9x/Me CD (<tt class="filename">\admin\nettools\netmon</tt>).
+There is a readme file located with the Netmon driver files on the CD if you need
+information on how to do this. Copy the files from a working Netmon installation.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2971938"></a>Useful URLs</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>See how Scott Merrill simulates a BDC behavior at
+ <ulink url="http://www.skippy.net/linux/smb-howto.html">
+ http://www.skippy.net/linux/smb-howto.html</ulink>. </p></li><li><p>FTP site for older SMB specs:
+ <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/">
+ ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2971978"></a>Getting Mailing List Help</h2></div></div><div></div></div><p>
+There are a number of Samba-related mailing lists. Go to <ulink url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror
+and then click on <b class="command">Support</b> and next click on <b class="command">
+Samba-related mailing lists</b>.
+</p><p>
+For questions relating to Samba TNG, go to
+<ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/.</ulink>
+It has been requested that you do not post questions about Samba-TNG to the
+main-stream Samba lists.</p><p>
+If you do post a message to one of the lists, please observe the following guidelines :
+</p><div class="itemizedlist"><ul type="disc"><li><p>Always remember that the developers are volunteers, they are
+ not paid and they never guarantee to produce a particular feature at
+ a particular time. Any timelines are “<span class="quote">best guess</span>” and nothing more.
+ </p></li><li><p>Always mention what version of Samba you are using and what
+ operating system it's running under. You should list the relevant sections of
+ your <tt class="filename">smb.conf</tt> file, at least the options in <i class="parameter"><tt>[global]</tt></i>
+ that affect PDC support.
+ </p></li><li><p>In addition to the version, if you obtained Samba via
+ CVS, mention the date when you last checked it out.</p></li><li><p> Try and make your questions clear and brief. Lots of long,
+ convoluted questions get deleted before they are completely read!
+ Do not post HTML encoded messages. Most people on mailing lists simply delete
+ them.
+ </p></li><li><p> If you run one of those nifty “<span class="quote">I'm on holidays</span>” things when
+ you are away, make sure its configured to not answer mailing list traffic. Auto-responses
+ to mailing lists really irritate the thousands of people who end up having to deal
+ with such bad netiquet bahavior.
+ </p></li><li><p>Don't cross post. Work out which is the best list to post to
+ and see what happens. Do not post to both samba-ntdom and samba-technical.
+ Many people active on the lists subscribe to more
+ than one list and get annoyed to see the same message two or more times.
+ Often someone will see a message and thinking it would be better dealt
+ with on another list, will forward it on for you.</p></li><li><p>You might include <span class="emphasis"><em>partial</em></span>
+ log files written at a debug level set to as much as 20.
+ Please do not send the entire log but just enough to give the context of the
+ error messages.</p></li><li><p>If you have a complete Netmon trace (from the opening of
+ the pipe to the error), you can send the *.CAP file as well.</p></li><li><p>Please think carefully before attaching a document to an email.
+ Consider pasting the relevant parts into the body of the message. The Samba
+ mailing lists go to a huge number of people. Do they all need a copy of your
+ <tt class="filename">smb.conf</tt> in their attach directory?</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2972155"></a>How to Get Off the Mailing Lists</h2></div></div><div></div></div><p>To have your name removed from a Samba mailing list, go to the same
+place where you went to
+subscribe to it. Go to <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>,
+click on your nearest mirror, click on <b class="command">Support</b> and
+then click on<b class="command"> Samba related mailing lists</b>.
+</p><p>
+Please do not post messages to the list asking to be removed. You will only
+be referred to the above address (unless that process failed in some way).
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="diagnosis.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="bugreport.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 33. The Samba Checklist </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 35. Reporting Bugs</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><tt class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2891162">Features and Benefits</a></dt><dt><a href="samba-bdc.html#id2891552">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2891580">MS Windows NT4-style Domain Control</a></dt><dt><a href="samba-bdc.html#id2891874">LDAP Configuration Notes</a></dt><dt><a href="samba-bdc.html#id2892094">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2892115">What Qualifies a Domain Controller on the Network?</a></dt><dt><a href="samba-bdc.html#id2892157">How does a Workstation find its Domain Controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892538">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892768">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892791">Machine Accounts Keep Expiring</a></dt><dt><a href="samba-bdc.html#id2892845">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2892880">How Do I Replicate the smbpasswd File?</a></dt><dt><a href="samba-bdc.html#id2892948">Can I Do This All with LDAP?</a></dt></dl></dd></dl></div><p>
+Before you continue reading this section, please make sure that you are comfortable
+with configuring a Samba Domain Controller as described in <link linkend="samba-pdc">.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891162"></a>Features and Benefits</h2></div></div><div></div></div><p>
+This is one of the most difficult chapters to summarize. It does not matter what we say here
+for someone will still draw conclusions and/or approach the Samba Team with expectations
+that are either not yet capable of being delivered, or that can be achieved far more
+effectively using a totally different approach. In the event that you should have a persistent
+concern that is not addressed in this book, please email <ulink url="mailto:jht@samba.org">John H. Terpstra</ulink>
+clearly setting out your requirements and/or question and we will do our best to provide a solution.
+</p><p>
+<a class="indexterm" name="id2891195"></a>
+Samba-3 is capable of acting as a Backup Domain Controller (BDC) to another Samba Primary Domain
+Controller (PDC). A Samba-3 PDC can operate with an LDAP Account backend. The LDAP backend can be
+either a common master LDAP server, or a slave server. The use of a slave LDAP server has the
+benefit that when the master is down, clients may still be able to log onto the network.
+This effectively gives Samba a high degree of scalability and is an effective solution
+for large organizations. Do not use an LDAP slave server for a PDC, this may cause serious
+stability and operational problems.
+</p><p>
+<a class="indexterm" name="id2891221"></a>
+While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will
+need to figure out precisely what is the best way to replicate (copy/distribute) the
+user and machine accounts' backend.
+</p><p>
+<a class="indexterm" name="id2891240"></a>
+The use of a non-LDAP backend SAM database is particularly problematic because Domain Member
+servers and workstations periodically change the Machine Trust Account password. The new
+password is then stored only locally. This means that in the absence of a centrally stored
+accounts database (such as that provided with an LDAP-based solution) if Samba-3 is running
+as a BDC, the BDC instance of the Domain Member trust account password will not reach the
+PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs, this results in
+overwriting the SAM that contains the updated (changed) trust account password with resulting
+breakage of the domain trust.
+</p><p>
+Considering the number of comments and questions raised concerning how to configure a BDC,
+let's consider each possible option and look at the pros and cons for each possible solution.
+<link linkend="pdc-bdc-table"> lists possible design configurations for a PDC/BDC infrastructure.
+<a class="indexterm" name="id2891281"></a>
+<a class="indexterm" name="id2891291"></a>
+<a class="indexterm" name="id2891302"></a>
+<a class="indexterm" name="id2891313"></a>
+</p><div class="table"><a name="pdc-bdc-table"></a><p class="title"><b>Table 6.1. Domain Backend Account Distribution Options</b></p><table summary="Domain Backend Account Distribution Options" border="1"><colgroup><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="center">PDC Backend</th><th align="center">BDC Backend</th><th align="left">Notes/Discussion</th></tr></thead><tbody><tr><td align="center"><p>Master LDAP Server</p></td><td align="center"><p>Slave LDAP Server</p></td><td align="left"><p>The optimal solution that provides high integrity. The SAM will be
+ replicated to a common master LDAP server.</p></td></tr><tr><td align="center"><p>Single Central LDAP Server</p></td><td align="center"><p>Single Central LDAP Server</p></td><td align="left"><p>
+ A workable solution without fail-over ability. This is a useable solution, but not optimal.
+ </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <b class="command">net rpc vampire</b></p></td><td align="left"><p>
+ Does not work with Samba-3.0.0; may be implemented in a later release. The downside of this solution
+ is that an external process will control account database integrity. This solution may appeal to sites
+ that wish to avoid the complexity of LDAP. The <b class="command">net rpc vampire</b> is used to
+ synchronize domain accounts from the PDC to the BDC.
+ </p></td></tr><tr><td align="center"><p>tdbsam</p></td><td align="center"><p>tdbsam + <b class="command">rsync</b></p></td><td align="left"><p>
+ Do not use this configuration.
+ Does not work because the TDB files are live and data may not have been flushed to disk.
+ Use <b class="command">rsync</b> to synchronize the TDB database files from the PDC to the BDC.
+ </p></td></tr><tr><td align="center"><p>smbpasswd file</p></td><td align="center"><p>smbpasswd file</p></td><td align="left"><p>
+ Do not use this configuration.
+ Not an elegant solution due to the delays in synchronization.
+ Use <b class="command">rsync</b> to synchronize the TDB database files from the PDC to the BDC.
+ Can be made to work using a <b class="command">cron</b> job to synchronize data from the PDC to the BDC.
+ </p></td></tr></tbody></table></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2891552"></a>Essential Background Information</h2></div></div><div></div></div><p>
+A Domain Controller is a machine that is able to answer logon requests from network
+workstations. Microsoft LanManager and IBM LanServer were two early products that
+provided this capability. The technology has become known as the LanMan Netlogon service.
+</p><p>
+When MS Windows NT3.10 was first released, it supported a new style of Domain Control
+and with it a new form of the network logon service that has extended functionality.
+This service became known as the NT NetLogon Service. The nature of this service has
+changed with the evolution of MS Windows NT and today provides a complex array of
+services that are implemented over an intricate spectrum of technologies.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891580"></a>MS Windows NT4-style Domain Control</h3></div></div><div></div></div><p>
+Whenever a user logs into a Windows NT4/200x/XP Professional Workstation,
+the workstation connects to a Domain Controller (authentication server) to validate that
+the username and password the user entered are valid. If the information entered
+does not match account information that has been stored in the Domain
+Control database (the SAM, or Security Account Manager database), a set of error
+codes is returned to the workstation that has made the authentication request.
+</p><p>
+When the username/password pair has been validated, the Domain Controller
+(authentication server) will respond with full enumeration of the account information
+that has been stored regarding that user in the User and Machine Accounts database
+for that Domain. This information contains a complete network access profile for
+the user but excludes any information that is particular to the user's desktop profile,
+or for that matter it excludes all desktop profiles for groups that the user may
+belong to. It does include password time limits, password uniqueness controls,
+network access time limits, account validity information, machine names from which the
+user may access the network, and much more. All this information was stored in the SAM
+in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
+</p><p>
+<a class="indexterm" name="id2891624"></a>
+The account information (user and machine) on Domain Controllers is stored in two files,
+one containing the Security information and the other the SAM. These are stored in files
+by the same name in the <tt class="filename">C:\Windows NT\System32\config</tt> directory. These
+are the files that are involved in replication of the SAM database where Backup Domain
+Controllers are present on the network.
+</p><p>
+There are two situations in which it is desirable to install Backup Domain Controllers:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ On the local network that the Primary Domain Controller is on, if there are many
+ workstations and/or where the PDC is generally very busy. In this case the BDCs
+ will pick up network logon requests and help to add robustness to network services.
+ </p></li><li><p>
+ At each remote site, to reduce wide area network traffic and to add stability to
+ remote network operations. The design of the network, the strategic placement of
+ Backup Domain Controllers, together with an implementation that localizes as much
+ of network to client interchange as possible will help to minimize wide area network
+ bandwidth needs (and thus costs).
+ </p></li></ul></div><p>
+The inter-operation of a PDC and its BDCs in a true Windows NT4 environemt is worth
+mentioning here. The PDC contains the master copy of the SAM. In the event that an
+administrator makes a change to the user account database while physically present
+on the local network that has the PDC, the change will likely be made directly to
+the PDC instance of the master copy of the SAM. In the event that this update may
+be performed in a branch office, the change will likely be stored in a delta file
+on the local BDC. The BDC will then send a trigger to the PDC to commence the process
+of SAM synchronization. The PDC will then request the delta from the BDC and apply
+it to the master SAM. The PDC will then contact all the BDCs in the Domain and
+trigger them to obtain the update and then apply that to their own copy of the SAM.
+</p><p>
+Samba-3 can not participate in true SAM replication and is therefore not able to
+employ precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will
+not create SAM update delta files. It will not inter-operate with a PDC (NT4 or Samba)
+to synchronize the SAM from delta files that are held by BDCs.
+</p><p>
+Samba-3 cannot function as a BDC to an MS Windows NT4 PDC, and Samba-3 can not
+function correctly as a PDC to an MS Windows NT4 BDC. Both Samba-3 and MS Windows
+NT4 can function as a BDC to its own type of PDC.
+</p><p>
+The BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which
+it is able to process network logon requests and authenticate users. The BDC can
+continue to provide this service, particularly while, for example, the wide area
+network link to the PDC is down. A BDC plays a very important role in both the
+maintenance of Domain Security as well as in network integrity.
+</p><p>
+In the event that the NT4 PDC should need to be taken out of service, or if it dies,
+one of the NT4 BDCs can be promoted to a PDC. If this happens while the original NT4 PDC is on
+line, it is automatically demoted to an NT4 BDC. This is an important aspect of Domain
+Controller management. The tool that is used to effect a promotion or a demotion is the
+Server Manager for Domains. It should be noted that Samba-3 BDCs can not be promoted
+in this manner because reconfiguration of Samba requires changes to the <tt class="filename">smb.conf</tt> file.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2891756"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
+Beginning with Version 2.2, Samba officially supports domain logons for all current Windows clients,
+including Windows NT4, 2003 and XP Professional. For Samba to be enabled as a PDC, some
+parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set.
+Refer to <link linkend="minimalPDC"> for an example of the minimum required settings.
+</p><div class="example"><a name="minimalPDC"></a><p class="title"><b>Example 6.1. Minimal smb.conf for a PDC in Use With a BDC LDAP Server on PDC.</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam://localhost:389</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr></table></div><p>
+Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a
+<i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with
+settings for the profile path, the user's home drive, and so on. This is not covered in this
+chapter; for more information please refer to <link linkend="samba-pdc">.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2891874"></a>LDAP Configuration Notes</h3></div></div><div></div></div><p>
+When configuring a master and a slave LDAP server, it is advisable to use the master LDAP server
+for the PDC and slave LDAP servers for the BDCs. It is not essential to use slave LDAP servers, however,
+many administrators will want to do so in order to provide redundant services. Of course, one or more BDCs
+may use any slave LDAP server. Then again, it is entirely possible to use a single LDAP server for the
+entire network.
+</p><p>
+When configuring a master LDAP server that will have slave LDAP servers, do not forget to configure
+this in the <tt class="filename">/etc/openldap/slapd.conf</tt> file. It must be noted that the DN of a
+server certificate must use the CN attribute to name the server, and the CN must carry the servers'
+fully qualified domain name. Additional alias names and wildcards may be present in the
+subjectAltName certificate extension. More details on server certificate names are in RFC2830.
+</p><p>
+It does not really fit within the scope of this document, but a working LDAP installation is
+basic to LDAP enabled Samba operation. When using an OpenLdap server with Transport Layer Security
+(TLS), the machine name in <tt class="filename">/etc/ssl/certs/slapd.pem</tt> must be the
+same as in <tt class="filename">/etc/openldap/sldap.conf</tt>. The Red Hat Linux startup script
+creates the <tt class="filename">slapd.pem</tt> file with hostname “<span class="quote">localhost.localdomain.</span>”
+It is impossible to access this LDAP server from a slave LDAP server (i.e., a Samba BDC) unless the
+certificate is recreated with a correct hostname.
+</p><p>
+Do not install a Samba PDC on a OpenLDAP slave server. Joining client machines to the domain
+will fail in this configuration because the change to the machine account in the LDAP tree
+must take place on the master LDAP server. This is not replicated rapidly enough to the slave
+server that the PDC queries. It therfore gives an error message on the client machine about
+not being able to set up account credentials. The machine account is created on the LDAP server
+but the password fields will be empty.
+</p><p>
+Possible PDC/BDC plus LDAP configurations include:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ PDC+BDC -> One Central LDAP Server.
+ </p></li><li><p>
+ PDC -> LDAP master server, BDC -> LDAP slave server.
+ </p></li><li><p>
+ PDC -> LDAP master, with secondary slave LDAP server.
+ </p><p>
+ BDC -> LDAP master, with secondary slave LDAP server.
+ </p></li><li><p>
+ PDC -> LDAP master, with secondary slave LDAP server.
+ </p><p>
+ BDC -> LDAP slave server, with secondary master LDAP server.
+ </p></li></ul></div><p>
+In order to have a fall-back configuration (secondary) LDAP server one would specify
+the secondary LDAP server in the <tt class="filename">smb.conf</tt> file as shown in <link linkend="mulitldapcfg">.
+</p><p>
+</p><div class="example"><a name="mulitldapcfg"></a><p class="title"><b>Example 6.2. Multiple LDAP Servers in smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td>...</td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam:ldap://master.quenya.org</tt></i></td></tr><tr><td><i class="parameter"><tt>ldapsam:ldap://slave.quenya.org</tt></i></td></tr><tr><td>...</td></tr></table></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892094"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
+As of the release of MS Windows 2000 and Active Directory, this information is now stored
+in a directory that can be replicated and for which partial or full administrative control
+can be delegated. Samba-3 is not able to be a Domain Controller within an Active Directory
+tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot
+act as a Backup Domain Controller to an Active Directory Domain Controller.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892115"></a>What Qualifies a Domain Controller on the Network?</h3></div></div><div></div></div><p>
+Every machine that is a Domain Controller for the domain MIDEARTH has to register the NetBIOS
+group name MIDEARTH<#1c> with the WINS server and/or by broadcast on the local network.
+The PDC also registers the unique NetBIOS name MIDEARTH<#1b> with the WINS server.
+The name type <#1b> name is normally reserved for the Domain Master Browser, a role
+that has nothing to do with anything related to authentication, but the Microsoft Domain
+implementation requires the Domain Master Browser to be on the same machine as the PDC.
+</p><p>
+Where a WINS server is not used, broadcast name registrations alone must suffice. Refer to
+<link linkend="netdiscuss"> for more information regarding TCP/IP network protocols and how
+ SMB/CIFS names are handled.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892157"></a>How does a Workstation find its Domain Controller?</h3></div></div><div></div></div><p>
+There are two different mechanisms to locate a domain controller, one method is used when
+NetBIOS over TCP/IP is enabled and the other when it has been disabled in the TCP/IP
+network configuration.
+</p><p>
+Where NetBIOS over TCP/IP is disabled, all name resolution involves the use of DNS, broadcast
+messaging over UDP, as well as Active Directory communication technologies. In this type of
+environment all machines require appropriate DNS entries. More information may be found in
+<link linkend="adsdnstech">.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2892189"></a>NetBIOS Over TCP/IP Enabled</h4></div></div><div></div></div><p>
+An MS Windows NT4/200x/XP Professional workstation in the domain MIDEARTH that wants a
+local user to be authenticated has to find the Domain Controller for MIDEARTH. It does this
+by doing a NetBIOS name query for the group name MIDEARTH<#1c>. It assumes that each
+of the machines it gets back from the queries is a Domain Controller and can answer logon
+requests. To not open security holes, both the workstation and the selected Domain Controller
+authenticate each other. After that the workstation sends the user's credentials (name and
+password) to the local Domain Controller for validation.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2892201"></a>NetBIOS Over TCP/IP Disabled</h4></div></div><div></div></div><p>
+An MS Windows NT4/200x/XP Professional workstation in the realm <tt class="constant">quenya.org</tt>
+that has a need to affect user logon authentication will locate the Domain Controller by
+requerying DNS servers for the <tt class="constant">_ldap._tcp.pdc.ms-dcs.quenya.org</tt> record.
+More information regarding this subject may be found in <link linkend="adsdnstech">.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892268"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
+The creation of a BDC requires some steps to prepare the Samba server before
+<span class="application">smbd</span> is executed for the first time. These steps are outlines as follows:
+<a class="indexterm" name="id2892289"></a>
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ The domain SID has to be the same on the PDC and the BDC. In Samba versions
+ pre-2.2.5, the domain SID was stored in the file <tt class="filename">private/MACHINE.SID</tt>.
+ The domain SID is now stored in the file <tt class="filename">private/secrets.tdb</tt>. This file
+ is unique to each server and can not be copied from a PDC to a BDC, the BDC will generate
+ a new SID at start-up. It will over-write the PDC domain SID with the newly created BDC SID.
+ There is a procedure that will allow the BDC to aquire the Domain SID. This is described here.
+ </p><p>
+ To retrieve the domain SID from the PDC or an existing BDC and store it in the
+ <tt class="filename">secrets.tdb</tt>, execute:
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc getsid</tt></b>
+</pre></li><li><p>
+ Specification of the <a class="indexterm" name="id2892368"></a><i class="parameter"><tt>ldap admin dn</tt></i> is obligatory.
+ This also requires the LDAP administration password to be set in the <tt class="filename">secrets.tdb</tt>
+ using the <b class="command">smbpasswd -w <i class="replaceable"><tt>mysecret</tt></i></b>.
+ </p></li><li><p>
+ Either <a class="indexterm" name="id2892405"></a><i class="parameter"><tt>ldap suffix</tt></i> or
+ <a class="indexterm" name="id2892419"></a><i class="parameter"><tt>ldap idmap suffix</tt></i> must be specified in
+ the <tt class="filename">smb.conf</tt> file.
+ </p></li><li><p>
+<a class="indexterm" name="id2892446"></a>
+ The UNIX user database has to be synchronized from the PDC to the
+ BDC. This means that both the <tt class="filename">/etc/passwd</tt> and
+ <tt class="filename">/etc/group</tt> have to be replicated from the PDC
+ to the BDC. This can be done manually whenever changes are made.
+ Alternately, the PDC is set up as an NIS master server and the BDC as an NIS slave
+ server. To set up the BDC as a mere NIS client would not be enough,
+ as the BDC would not be able to access its user database in case of
+ a PDC failure. NIS is by no means the only method to synchronize
+ passwords. An LDAP solution would also work.
+ </p></li><li><p>
+ The Samba password database must be replicated from the PDC to the BDC.
+ Although it is possible to synchronize the <tt class="filename">smbpasswd</tt>
+ file with <b class="command">rsync</b> and <b class="command">ssh</b>, this method
+ is broken and flawed, and is therefore not recommended. A better solution
+ is to set up slave LDAP servers for each BDC and a master LDAP server for the PDC.
+ </p></li><li><p>
+ The netlogon share has to be replicated from the PDC to the
+ BDC. This can be done manually whenever login scripts are changed,
+ or it can be done automatically using a <b class="command">cron</b> job
+ that will replicate the directory structure in this share using a tool
+ like <b class="command">rsync</b>.
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892538"></a>Example Configuration</h3></div></div><div></div></div><p>
+Finally, the BDC has to be found by the workstations. This can be done by setting Samba as shown in <link linkend="minim-bdc">.
+</p><div class="example"><a name="minim-bdc"></a><p class="title"><b>Example 6.3. Minimal setup for being a BDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam:ldap://slave-ldap.quenya.org</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam:ldap://slave-ldap.quenya.org</tt></i></td></tr></table></div><p>
+In the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> of the BDC. This makes the BDC
+only register the name SAMBA<#1c> with the WINS server. This is no
+problem as the name SAMBA<#1c> is a NetBIOS group name that is meant to
+be registered by more than one machine. The parameter
+<a class="indexterm" name="id2892643"></a><i class="parameter"><tt>domain master</tt></i> = no
+forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS
+name is reserved for the Primary Domain Controller.
+</p><p>
+<a class="indexterm" name="id2892668"></a>
+<a class="indexterm" name="id2892677"></a>
+The <i class="parameter"><tt>idmap backend</tt></i> will redirect the <b class="command">winbindd</b> utility to
+use the LDAP database to resolve all UIDs and GIDs for UNIX accounts.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2892706"></a>
+Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
+allows greater flexibility in how user and group IDs are handled in respect to NT Domain User and Group
+SIDs. One of the new facilities provides for explicitly ensuring that UNIX/Linux UID and GID values
+will be consistent on the PDC, all BDCs and all Domain Member servers. The parameter that controls this
+is called <i class="parameter"><tt>idmap backend</tt></i>. Please refer to the man page for <tt class="filename">smb.conf</tt> for more information
+regarding its behavior.
+</p></div><p>
+The use of the <a class="indexterm" name="id2892744"></a><i class="parameter"><tt>idmap backend</tt></i> = ldap://master.quenya/org
+option on a BDC only make sense where ldapsam is used on a PDC. The purpose for an LDAP based idmap backend is
+also to allow a domain-member (without its own passdb backend) to use winbindd to resolve Windows network users
+and groups to common UID/GIDs. In other words, this option is generally intended for use on BDCs and on Domain
+Member servers.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2892768"></a>Common Errors</h2></div></div><div></div></div><p>
+As this is a rather new area for Samba, there are not many examples that we may refer to.
+Updates will be published as they become available and may be found in later Samba releases or
+from the Samba web <ulink url="http://samba.org">site.</ulink>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892791"></a>Machine Accounts Keep Expiring</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2892802"></a>
+This problem will occur when the passdb (SAM) files are copied from a central
+server but the local Backup Domain Controller is acting as a PDC. This results in the application of
+Local Machine Trust Account password updates to the local SAM. Such updates
+are not copied back to the central server. The newer machine account password is then over
+written when the SAM is re-copied from the PDC. The result is that the Domain Member machine
+on start up will find that its passwords do not match the one now in the database and
+since the startup security check will now fail, this machine will not allow logon attempts
+to proceed and the account expiry error will be reported.
+</p><p>
+The solution is to use a more robust passdb backend, such as the ldapsam backend, setting up
+a slave LDAP server for each BDC, and a master LDAP server for the PDC.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892845"></a>Can Samba Be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2892857"></a>
+No. The native NT4 SAM replication protocols have not yet been fully implemented.
+</p><p>
+Can I get the benefits of a BDC with Samba? Yes, but only to a Samba PDC.The
+main reason for implementing a BDC is availability. If the PDC is a Samba
+machine, a second Samba machine can be set up to service logon requests whenever
+the PDC is down.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892880"></a>How Do I Replicate the smbpasswd File?</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2892891"></a>
+Replication of the smbpasswd file is sensitive. It has to be done whenever changes
+to the SAM are made. Every user's password change is done in the smbpasswd file and
+has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
+</p><p>
+As the smbpasswd file contains plain text password equivalents, it must not be
+sent unencrypted over the wire. The best way to set up smbpasswd replication from
+the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
+<b class="command">ssh</b> itself can be set up to accept <span class="emphasis"><em>only</em></span>
+<b class="command">rsync</b> transfer without requiring the user to type a password.
+</p><p>
+As said a few times before, use of this method is broken and flawed. Machine trust
+accounts will go out of sync, resulting in a broken domain. This method is
+<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2892948"></a>Can I Do This All with LDAP?</h3></div></div><div></div></div><p>
+The simple answer is yes. Samba's pdb_ldap code supports binding to a replica
+LDAP server, and will also follow referrals and rebind to the master if it ever
+needs to make a modification to the database. (Normally BDCs are read only, so
+this will not occur often).
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Domain Membership</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><tt class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-pdc.html#id2870050">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2870321">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2870336">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2889080">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2889458">Domain Control Example Configuration</a></dt><dt><a href="samba-pdc.html#id2889951">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2889989">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890004">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2890570">Common Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890577">$ Cannot Be Included in Machine Name</a></dt><dt><a href="samba-pdc.html#id2890661">Joining Domain Fails Because of Existing Machine Account</a></dt><dt><a href="samba-pdc.html#id2890722">The System Cannot Log You On (C000019B)</a></dt><dt><a href="samba-pdc.html#id2890822">The Machine Trust Account Is Not Accessible</a></dt><dt><a href="samba-pdc.html#id2890899">Account Disabled</a></dt><dt><a href="samba-pdc.html#id2890932">Domain Controller Unavailable</a></dt><dt><a href="samba-pdc.html#id2890954">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt></dl></dd></dl></div><p>
+There are many who approach MS Windows networking with incredible misconceptions.
+That's okay, because it gives the rest of us plenty of opportunity to be of assistance.
+Those who really want help would be well advised to become familiar with information
+that is already available.
+</p><p>
+The reader is advised not to tackle this section without having first understood
+and mastered some basics. MS Windows networking is not particularly forgiving of
+misconfiguration. Users of MS Windows networking are likely to complain
+of persistent niggles that may be caused by a broken network configuration.
+To a great many people, however, MS Windows networking starts with a Domain Controller
+that in some magical way is expected to solve all network operational ills.
+</p><p>
+The diagram in <link linkend="domain-example"> shows a typical MS Windows Domain Security
+network environment. Workstations A, B and C are representative of many physical MS Windows
+network clients.
+</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 5.1. An Example Domain.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/domain.png" width="270" alt="An Example Domain."></div></div><p>
+From the Samba mailing list one can readily identify many common networking issues.
+If you are not clear on the following subjects, then it will do much good to read the
+sections of this HOWTO that deal with it. These are the most common causes of MS Windows
+networking problems:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration.</p></li><li><p>NetBIOS name resolution.</p></li><li><p>Authentication configuration.</p></li><li><p>User and group configuration.</p></li><li><p>Basic file and directory permission control in UNIX/Linux.</p></li><li><p>Understanding how MS Windows clients interoperate in a network
+ environment.</p></li></ul></div><p>
+Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
+can do it. In fact, it is not a good idea to set up an MS Windows network with
+inadequate training and preparation. But let's get our first indelible principle out of the
+way: <span class="emphasis"><em>It is perfectly okay to make mistakes!</em></span> In the right place and at
+the right time, mistakes are the essence of learning. It is very much not okay to make
+mistakes that cause loss of productivity and impose an avoidable financial burden on an
+organization.
+</p><p>
+Where is the right place to make mistakes? Only out of harm's way. If you are going to
+make mistakes, then please do it on a test network, away from users and in such a way as
+to not inflict pain on others. Do your learning on a test network.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2870050"></a>Features and Benefits</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2870061"></a>
+<span class="emphasis"><em>What is the key benefit of Microsoft Domain Security?</em></span>
+</p><p>
+In a word, <span class="emphasis"><em>Single Sign On</em></span>, or SSO for short. To many, this is the Holy
+Grail of MS Windows NT and beyond networking. SSO allows users in a well-designed network
+to log onto any workstation that is a member of the domain that their user account is in
+(or in a domain that has an appropriate trust relationship with the domain they are visiting)
+and they will be able to log onto the network and access resources (shares, files and printers)
+as if they are sitting at their home (personal) workstation. This is a feature of the Domain
+Security protocols.
+</p><p>
+<a class="indexterm" name="id2870098"></a>
+The benefits of Domain Security are available to those sites that deploy a Samba PDC.
+A Domain provides a unique network security identifier (SID). Domain user and group security
+identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to
+the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
+Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
+recognize only local security identifiers.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Network clients of an MS Windows Domain Security Environment must be Domain Members to be
+able to gain access to the advanced features provided. Domain Membership involves more than just
+setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
+for the workstation (called a machine account). Refer to <link linkend="domain-member">
+for more information.
+</p></div><p>
+The following functionalities are new to the Samba-3 release:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Windows NT4 domain trusts.
+ </p></li><li><p>
+ <a class="indexterm" name="id2870155"></a>
+ Adding users via the User Manager for Domains. This can be done on any MS Windows
+ client using the <tt class="filename">Nexus.exe</tt> toolkit that is available from Microsoft's Web site.
+ Samba-3 supports the use of the Microsoft Management Console for user management.
+ </p></li><li><p>
+ Introduces replaceable and multiple user account (authentication)
+ backends. In the case where the backend is placed in an LDAP database,
+ Samba-3 confers the benefits of a backend that can be distributed, replicated
+ and is highly scalable.
+ </p></li><li><p>
+ Implements full Unicode support. This simplifies cross locale internationalization
+ support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
+ to the need to fully support Unicode.
+ </p></li></ul></div><p>
+The following functionalities are not provided by Samba-3:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+<a class="indexterm" name="id2870209"></a>
+<a class="indexterm" name="id2870218"></a>
+ SAM replication with Windows NT4 Domain Controllers
+ (i.e., a Samba PDC and a Windows NT BDC or vice versa). This means Samba
+ cannot operate as a BDC when the PDC is Microsoft-based or
+ replicate account data to Windows BDCs.
+ </p></li><li><p>
+ Acting as a Windows 2000 Domain Controller (i.e., Kerberos and
+ Active Directory). In point of fact, Samba-3 does have some
+ Active Directory Domain Control ability that is at this time
+ purely experimental that is certain to change as it becomes a
+ fully supported feature some time during the Samba-3 (or later)
+ life cycle. However, Active Directory is more then just SMB
+ it's also LDAP, Kerberos, DHCP, and other protocols (with proprietary
+ extensions, of course).
+ </p></li><li><p>
+ The Windows 200x/XP MMC (Computer Management) Console can not be used
+ to manage a Samba-3 server. For this you can use only the MS Windows NT4
+ Domain Server manager and the MS Windows NT4 Domain User Manager. Both are
+ part of the SVRTOOLS.EXE package mentioned later.
+ </p></li></ul></div><p>
+Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined
+in this chapter. The protocol for support of Windows 9x/Me style network (domain) logons
+is completely different from NT4/Windows 200x type domain logons and has been officially supported
+for some time. These clients use the old LanMan Network Logon facilities that are supported
+in Samba since approximately the Samba-1.9.15 series.
+</p><p>
+Samba-3 implements group mapping between Windows NT groups
+and UNIX groups (this is really quite complicated to explain in a short space). This is
+discussed more fully in <link linkend="groupmapping">.
+</p><p>
+<a class="indexterm" name="id2870290"></a>
+Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
+user and Machine Trust Account information in a suitable backend datastore.
+Refer to <link linkend="machine-trust-accounts">. With Samba-3 there can be multiple
+backends for this. A complete discussion of account database backends can be found in
+<link linkend="passdb">.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2870321"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
+Over the years, public perceptions of what Domain Control really is has taken on an
+almost mystical nature. Before we branch into a brief overview of Domain Control,
+there are three basic types of Domain Controllers.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2870336"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
+The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in MS
+Windows NT4. In Windows 200x Domain Control architecture, this role is held by Domain Controllers.
+Folklore dictates that because of its role in the MS Windows
+network, the Domain Controller should be the most powerful and most capable machine in the network.
+As strange as it may seem to say this here, good overall network performance dictates that
+the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-alone
+(Domain Member) servers than in the Domain Controllers.
+</p><p>
+<a class="indexterm" name="id2870387"></a>
+In the case of MS Windows NT4-style domains, it is the PDC that initiates a new Domain Control database.
+This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key
+part in NT4-type domain user authentication and in synchronization of the domain authentication
+database with Backup Domain Controllers.
+</p><p>
+With MS Windows 200x Server-based Active Directory domains, one Domain Controller initiates a potential
+hierarchy of Domain Controllers, each with their own area of delegated control. The master domain
+controller has the ability to override any downstream controller, but a downline controller has
+control only over its downline. With Samba-3, this functionality can be implemented using an
+LDAP-based user and machine account backend.
+</p><p>
+New to Samba-3 is the ability to use a backend database that holds the same type of data as
+the NT4-style SAM database (one of the registry files)<sup>[<a name="id2870421" href="#ftn.id2870421">1</a>]</sup>.
+</p><p>
+The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network
+authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
+On a network segment that has a BDC and a PDC, the BDC will most likely service network
+logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
+A BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to
+PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic
+operation; the PDC and BDC must be manually configured and changes also need to be made.
+</p><p>
+With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be.
+It is possible to promote a BDC to a PDC and vice versa. The only way
+to convert a Domain Controller to a Domain Member server or a Stand-alone Server is to
+reinstall it. The install time choices offered are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> the one that seeds the domain SAM.</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> one that obtains a copy of the domain SAM.</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> one that has no copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</p></li><li><p><span class="emphasis"><em>Stand-alone Server</em></span> one that plays no part is SAM synchronization, has its own authentication database and plays no role in Domain Security.</p></li></ul></div><p>
+With MS Windows 2000, the configuration of Domain Control is done after the server has been
+installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
+Active Directory domain.
+</p><p>
+<a class="indexterm" name="id2889012"></a>
+New to Samba-3 is the ability to function fully as an MS Windows NT4-style Domain Controller,
+excluding the SAM replication components. However, please be aware that Samba-3 also supports the
+MS Windows 200x Domain Control protocols.
+</p><p>
+At this time any appearance that Samba-3 is capable of acting as an
+<span class="emphasis"><em>Domain Controller</em></span> in native ADS mode is limited and experimental in nature.
+This functionality should not be used until the Samba Team offers formal support for it.
+At such a time, the documentation will be revised to duly reflect all configuration and
+management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
+environment. However, there are certain compromises:
+
+</p><div class="itemizedlist"><ul type="disc"><li>No machine policy files.</li><li>No Group Policy Objects.</li><li>No synchronously executed AD logon scripts.</li><li>Can't use Active Directory management tools to manage users and machines.</li><li>Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect.</li><li>Without AD you cannot perform the function of exporting specific applications to specific users or groups.</li></ul></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889080"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
+There are two ways that MS Windows machines may interact with each other, with other servers
+and with Domain Controllers: either as <span class="emphasis"><em>Stand-alone</em></span> systems, more commonly
+called <span class="emphasis"><em>Workgroup</em></span> members, or as full participants in a security system,
+more commonly called <span class="emphasis"><em>Domain</em></span> members.
+</p><p>
+It should be noted that <span class="emphasis"><em>Workgroup</em></span> membership involves no special configuration
+other than the machine being configured so the network configuration has a commonly used name
+for its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
+mode of configurationi, there are no Machine Trust Accounts and any concept of membership as such
+is limited to the fact that all machines appear in the network neighborhood to be logically
+grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not involve security machine
+accounts</em></span>.
+</p><p>
+Domain Member machines have a machine account in the Domain accounts database. A special procedure
+must be followed on each machine to effect Domain Membership. This procedure, which can be done
+only by the local machine Administrator account, will create the Domain machine account (if it does
+not exist), and then initializes that account. When the client first logs onto the
+Domain it triggers a machine password change.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When Samba is configured as a Domain Controller, secure network operation demands that
+all MS Windows NT4/200x/XP Professional clients should be configured as Domain Members.
+If a machine is not made a member of the Domain, then it will operate like a workgroup
+(Stand-alone) machine. Please refer to <link linkend="domain-member"> for
+information regarding Domain Membership.
+</p></div><p>
+The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows
+NT4/200x/XP clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2889184"></a><i class="parameter"><tt>security</tt></i> = user).</p></li><li><p>Consistent configuration of Name Resolution<sup>[<a name="id2889204" href="#ftn.id2889204">2</a>]</sup>.</p></li><li><p>Domain logons for Windows NT4/200x/XP Professional clients.</p></li><li><p>Configuration of Roaming Profiles or explicit configuration to force local profile usage.</p></li><li><p>Configuration of network/system policies.</p></li><li><p>Adding and managing domain user accounts.</p></li><li><p>Configuring MS Windows client machines to become Domain Members.</p></li></ul></div><p>
+The following provisions are required to serve MS Windows 9x/Me clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows networking.</p></li><li><p>Correct designation of the server role (<a class="indexterm" name="id2889279"></a><i class="parameter"><tt>security</tt></i> = user).</p></li><li><p>Network Logon Configuration (since Windows 9x/Me/XP Home are not technically domain
+ members, they do not really participate in the security aspects of Domain logons as such).</p></li><li><p>Roaming Profile Configuration.</p></li><li><p>Configuration of System Policy handling.</p></li><li><p>Installation of the network driver “<span class="quote">Client for MS Windows Networks</span>” and configuration
+ to log onto the domain.</p></li><li><p>Placing Windows 9x/Me clients in User Level Security if it is desired to allow
+ all client share access to be controlled according to domain user/group identities.</p></li><li><p>Adding and managing domain user accounts.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered in the <link linkend="ProfileMgmt"> and
+<link linkend="PolicyMgmt"> chapters of this document. However, these are not
+necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
+</p></div><p>
+A Domain Controller is an SMB/CIFS server that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
+ as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
+ to a WINS server over UDP unicast, or via DNS and Active Directory).
+ </p></li><li><p>
+ Provides the NETLOGON service. (This is actually a collection of services that runs over
+ mulitple protocols. These include the LanMan Logon service, the Netlogon service,
+ the Local Security Account service, and variations of them.)
+ </p></li><li><p>
+ Provides a share called NETLOGON.
+ </p></li></ul></div><p>
+It is rather easy to configure Samba to provide these. Each Samba Domain Controller must provide
+the NETLOGON service that Samba calls the <a class="indexterm" name="id2889409"></a><i class="parameter"><tt>domain logons</tt></i> functionality
+(after the name of the parameter in the <tt class="filename">smb.conf</tt> file). Additionally, one server in a Samba-3
+Domain must advertise itself as the Domain Master Browser<sup>[<a name="id2889433" href="#ftn.id2889433">3</a>]</sup>.
+This causes the Primary Domain Controller to claim a domain-specific NetBIOS name that identifies it as a
+Domain Master Browser for its given domain or workgroup. Local master browsers in the same domain or workgroup on
+broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide area network.
+Browser clients will then contact their Local Master Browser, and will receive the domain-wide browse list,
+instead of just the list for their broadcast-isolated subnet.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889458"></a>Domain Control Example Configuration</h2></div></div><div></div></div><p>
+The first step in creating a working Samba PDC is to understand the parameters necessary
+in <tt class="filename">smb.conf</tt>. An example <tt class="filename">smb.conf</tt> for acting as a PDC can be found in <link linkend="pdc-example">.
+</p><p>
+</p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 5.1. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = tdbsam</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 33</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%u</tt></i></td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td><i class="parameter"><tt>logon home = \\homeserver\%u\winprofile</tt></i></td></tr><tr><td><i class="parameter"><tt>logon script = logon.cmd</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = ntadmin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr></table></div><p>
+</p><p>
+The basic options shown in <link linkend="pdc-example"> are explained as follows:
+</p><div class="variablelist"><dl><dt><span class="term">passdb backend </span></dt><dd><p>
+ This contains all the user and group account information. Acceptable values for a PDC
+ are: <span class="emphasis"><em>smbpasswd, tdbsam, and ldapsam</em></span>. The “<span class="quote">guest</span>” entry provides
+ default accounts and is included by default, there is no need to add it explicitly.</p><p>
+ Where use of backup Domain Controllers (BDCs) is intended, the only logical choice is
+ to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files
+ cannot effectively be distributed and therefore should not be used.
+ </p></dd><dt><span class="term">Domain Control Parameters </span></dt><dd><p>
+ The parameters <span class="emphasis"><em>os level, preferred master, domain master, security,
+ encrypt passwords, and domain logons</em></span> play a central role in assuring domain
+ control and network logon support.</p><p>
+ The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A Domain Controller
+ must be the Domain Master Browser, must be set in <span class="emphasis"><em>user</em></span> mode security,
+ must support Microsoft-compatible encrypted passwords, and must provide the network logon
+ service (domain logons). Encrypted passwords must be enabled. For more details on how
+ to do this, refer to <link linkend="passdb">.
+ </p></dd><dt><span class="term">Environment Parameters </span></dt><dd><p>
+ The parameters <span class="emphasis"><em>logon path, logon home, logon drive, and logon script</em></span> are
+ environment support settings that help to facilitate client logon operations and that help
+ to provide automated control facilities to ease network management overheads. Please refer
+ to the man page information for these parameters.
+ </p></dd><dt><span class="term">NETLOGON Share </span></dt><dd><p>
+ The NETLOGON share plays a central role in domain logon and Domain Membership support.
+ This share is provided on all Microsoft Domain Controllers. It is used to provide logon
+ scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
+ tools that may be needed for logon processing. This is an essential share on a Domain Controller.
+ </p></dd><dt><span class="term">PROFILE Share </span></dt><dd><p>
+ This share is used to store user desktop profiles. Each user must have a directory at the root
+ of this share. This directory must be write-enabled for the user and must be globally read-enabled.
+ Samba-3 has a VFS module called “<span class="quote">fake_permissions</span>” that may be installed on this share. This will
+ allow a Samba administrator to make the directory read-only to everyone. Of course this is useful
+ only after the profile has been properly created.
+ </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The above parameters make for a full set of parameters that may define the server's mode
+of operation. The following <tt class="filename">smb.conf</tt> parameters are the essentials alone:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = User</tt></i></td></tr></table><p>
+</p><p>
+The additional parameters shown in the longer listing above just makes for
+a more complete explanation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889951"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
+Samba-3 is not, and cannot act as, an Active Directory Server. It cannot truly function as
+an Active Directory Primary Domain Controller. The protocols for some of the functionality
+of Active Directory Domain Controllers has been partially implemented on an experimental
+only basis. Please do not expect Samba-3 to support these protocols. Do not depend
+on any such functionality either now or in the future. The Samba Team may remove these
+experimental features or may change their behavior. This is mentioned for the benefit of those
+who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be
+completed. The answer is maybe or maybe never!
+</p><p>
+To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style
+Domain Controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have
+a number of features that Windows NT4 domain contollers do not have. In short, Samba-3 is not NT4 and it
+is not Windows Server 200x, it is not an Active Directory server. We hope this is plain and simple
+enough for all to understand.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889989"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
+The subject of Network or Domain Logons is discussed here because it forms
+an integral part of the essential functionality that is provided by a Domain Controller.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890004"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
+All Domain Controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
+in Samba). One Domain Controller must be configured with <a class="indexterm" name="id2890021"></a><i class="parameter"><tt>domain master</tt></i> = Yes
+(the Primary Domain Controller); on all Backup Domain Controllers <a class="indexterm" name="id2890038"></a><i class="parameter"><tt>domain master</tt></i> = No
+must be set.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890053"></a>Example Configuration</h4></div></div><div></div></div><div class="example"><a name="PDC-config"></a><p class="title"><b>Example 5.2. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = (Yes on PDC, No on BDCs)</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Network Logon Service</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890149"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><p>
+To be completely clear: If you want MS Windows XP Home Edition to integrate with your
+MS Windows NT4 or Active Directory Domain Security, understand it cannot be done.
+The only option is to purchase the upgrade from MS Windows XP Home Edition to
+MS Windows XP Professional.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows XP Home Edition does not have the ability to join any type of Domain
+Security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely
+lacks the ability to log onto a network.
+</p></div><p>
+Now that this has been said, please do not ask the mailing list or email any of the
+Samba Team members with your questions asking how to make this work. It can't be done.
+If it can be done, then to do so would violate your software license agreement with
+Microsoft, and we recommend that you do not do that.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2890186"></a>The Special Case of Windows 9x/Me</h4></div></div><div></div></div><p>
+A domain and a workgroup are exactly the same in terms of network
+browsing. The difference is that a distributable authentication
+database is associated with a domain, for secure login access to a
+network. Also, different access rights can be granted to users if they
+successfully authenticate against a domain logon server. Samba-3 does this
+now in the same way as MS Windows NT/200x.
+</p><p>
+The SMB client logging on to a domain has an expectation that every other
+server in the domain should accept the same authentication information.
+Network browsing functionality of domains and workgroups is identical and
+is explained in this documentation under the browsing discussions.
+It should be noted that browsing is totally orthogonal to logon support.
+</p><p>
+Issues related to the single-logon network model are discussed in this
+section. Samba supports domain logons, network logon scripts and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients,
+which are the focus of this section.
+</p><p>
+When an SMB client in a domain wishes to logon, it broadcasts requests for a
+logon server. The first one to reply gets the job, and validates its
+password using whatever mechanism the Samba administrator has installed.
+It is possible (but ill advised ) to create a domain where the user
+database is not shared between servers, i.e., they are effectively workgroup
+servers advertising themselves as participating in a domain. This
+demonstrates how authentication is quite different from but closely
+involved with domains.
+</p><p>
+Using these features you can make your clients verify their logon via
+the Samba server; make clients run a batch file when they logon to
+the network and download their preferences, desktop and start menu.
+</p><p><span class="emphasis"><em>
+MS Windows XP Home edition is not able to join a domain and does not permit
+the use of domain logons.
+</em></span></p><p>
+Before launching into the configuration instructions, it is
+worthwhile to look at how a Windows 9x/Me client performs a logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ The client broadcasts (to the IP broadcast address of the subnet it is in)
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN<#1c> at the
+ NetBIOS layer. The client chooses the first response it receives, which
+ contains the NetBIOS name of the logon server to use in the format of
+ <tt class="filename">\\SERVER</tt>.
+ </p></li><li><p>
+ The client connects to that server, logs on (does an SMBsessetupX) and
+ then connects to the IPC$ share (using an SMBtconX).
+ </p></li><li><p>
+ The client does a NetWkstaUserLogon request, which retrieves the name
+ of the user's logon script.
+ </p></li><li><p>
+ The client then connects to the NetLogon share and searches for said script.
+ If it is found and can be read, it is retrieved and executed by the client.
+ After this, the client disconnects from the NetLogon share.
+ </p></li><li><p>
+ The client sends a NetUserGetInfo request to the server to retrieve
+ the user's home share, which is used to search for profiles. Since the
+ response to the NetUserGetInfo request does not contain much more than
+ the user's home share, profiles for Windows 9x clients must reside in the user
+ home directory.
+ </p></li><li><p>
+ The client connects to the user's home share and searches for the
+ user's profile. As it turns out, you can specify the user's home share as
+ a sharename and path. For example, <tt class="filename">\\server\fred\.winprofile</tt>.
+ If the profiles are found, they are implemented.
+ </p></li><li><p>
+ The client then disconnects from the user's home share and reconnects to
+ the NetLogon share and looks for <tt class="filename">CONFIG.POL</tt>, the policies file. If this is
+ found, it is read and implemented.
+ </p></li></ol></div><p>
+The main difference between a PDC and a Windows 9x/Me logon server configuration is:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Password encryption is not required for a Windows 9x/Me logon server. But note
+ that beginning with MS Windows 98 the default setting is that plain-text
+ password support is disabled. It can be re-enabled with the registry
+ changes that are documented in <link linkend="PolicyMgmt">.
+ </p></li><li><p>
+ Windows 9x/Me clients do not require and do not use Machine Trust Accounts.
+ </p></li></ul></div><p>
+A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the
+network logon services that MS Windows 9x/Me expect to find.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Use of plain-text passwords is strongly discouraged. Where used they are easily detected
+using a sniffer tool to examine network traffic.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890439"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
+There are a few comments to make in order to tie up some loose ends. There has been
+much debate over the issue of whether it is okay to configure Samba as a Domain
+Controller in security modes other than user. The only security mode that will
+not work due to technical reasons is share-mode security. Domain and server mode
+security are really just a variation on SMB User Level Security.
+</p><p>
+Actually, this issue is also closely tied to the debate on whether
+Samba must be the Domain Master Browser for its workgroup
+when operating as a DC. While it may technically be possible
+to configure a server as such (after all, browsing and domain logons
+are two distinctly different functions), it is not a good idea to do
+so. You should remember that the DC must register the DOMAIN<#1b> NetBIOS
+name. This is the name used by Windows clients to locate the DC.
+Windows clients do not distinguish between the DC and the DMB.
+A DMB is a Domain Master Browser see <link linkend="DMB">.
+For this reason, it is wise to configure the Samba DC as the DMB.
+</p><p>
+Now back to the issue of configuring a Samba DC to use a mode other than
+<a class="indexterm" name="id2890493"></a><i class="parameter"><tt>security</tt></i> = user. If a Samba host is
+configured to use another SMB server or DC in order to validate user connection requests,
+it is a fact that some other machine on the network (the <a class="indexterm" name="id2890510"></a><i class="parameter"><tt>password server</tt></i>)
+knows more about the user than the Samba host. About 99% of the time, this other host is
+a Domain Controller. Now to operate in domain mode security, the <a class="indexterm" name="id2890527"></a><i class="parameter"><tt>workgroup</tt></i>
+parameter must be set to the name of the Windows NT domain (which already has a Domain Controller).
+If the domain does not already have a Domain Controller, you do not yet have a Domain.
+</p><p>
+Configuring a Samba box as a DC for a domain that already by definition has a
+PDC is asking for trouble. Therefore, you should always configure the Samba DC
+to be the DMB for its domain and set <a class="indexterm" name="id2890552"></a><i class="parameter"><tt>security</tt></i> = user.
+This is the only officially supported mode of operation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890570"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890577"></a>“<span class="quote">$</span>” Cannot Be Included in Machine Name</h3></div></div><div></div></div><p>
+A machine account, typically stored in <tt class="filename">/etc/passwd</tt>, takes the form of the machine
+name with a “<span class="quote">$</span>” appended. FreeBSD (and other BSD systems) will not create a user with a
+“<span class="quote">$</span>” in the name.
+</p><p>
+The problem is only in the program used to make the entry. Once made, it works perfectly.
+Create a user without the “<span class="quote">$</span>”. Then use <b class="command">vipw</b> to edit the entry, adding
+the “<span class="quote">$</span>”. Or create the whole entry with vipw if you like; make sure you use a unique user login ID.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>The machine account must have the exact name that the workstation has.</div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The UNIX tool <b class="command">vipw</b> is a common tool for directly editing the <tt class="filename">/etc/passwd</tt> file.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890661"></a>Joining Domain Fails Because of Existing Machine Account</h3></div></div><div></div></div><p>
+“<span class="quote">I get told, `You already have a connection to the Domain....' or `Cannot join domain, the
+credentials supplied conflict with an existing set...' when creating a Machine Trust Account.</span>”
+</p><p>
+This happens if you try to create a Machine Trust Account from the machine itself and already have a
+connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command
+will remove all network drive connections:
+</p><pre class="screen">
+<tt class="prompt">C:\> </tt><b class="userinput"><tt>net use * /d</tt></b>
+</pre><p>
+</p><p>
+Further, if the machine is already a “<span class="quote">member of a workgroup</span>” that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890722"></a>The System Cannot Log You On (C000019B)</h3></div></div><div></div></div><p>“<span class="quote">I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, <span class="errorname">`The system
+cannot log you on (C000019B), Please try again or consult your
+system administrator</span> when attempting to logon.'</span>”
+</p><p>
+<a class="indexterm" name="id2890749"></a>
+This occurs when the domain SID stored in the secrets.tdb database
+is changed. The most common cause of a change in domain SID is when
+the domain name and/or the server name (NetBIOS name) is changed.
+The only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin. The domain
+SID may be reset using either the net or rpcclient utilities.
+</p><p>
+To reset or change the domain SID you can use the net command as follows:
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net getlocalsid 'OLDNAME'</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net setlocalsid 'SID'</tt></b>
+</pre><p>
+</p><p>
+Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes
+Domain Members (workstations) will not be able to log onto the domain. The original Domain SID
+can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
+it to the domain.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890822"></a>The Machine Trust Account Is Not Accessible</h3></div></div><div></div></div><p>
+“<span class="quote">When I try to join the domain I get the message, <span class="errorname">`The machine account
+for this computer either does not exist or is not accessible'</span>. What's
+wrong?</span>”
+</p><p>
+This problem is caused by the PDC not having a suitable Machine Trust Account.
+If you are using the <a class="indexterm" name="id2890849"></a><i class="parameter"><tt>add machine script</tt></i> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.
+</p><p>
+Alternately, if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the Machine Trust Account in <tt class="filename">smbpasswd</tt> file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine NetBIOS name
+with a “<span class="quote">$</span>” appended to it (i.e., computer_name$). There must be an entry
+in both /etc/passwd and the smbpasswd file.
+</p><p>
+Some people have also reported that inconsistent subnet masks between the Samba server and the NT
+client can cause this problem. Make sure that these are consistent for both client and server.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890899"></a>Account Disabled</h3></div></div><div></div></div><p>“<span class="quote">When I attempt to login to a Samba Domain from a NT4/W200x workstation,
+I get a message about my account being disabled.</span>”</p><p>
+Enable the user accounts with <b class="userinput"><tt>smbpasswd -e <i class="replaceable"><tt>username</tt></i>
+</tt></b>. This is normally done as an account is created.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890932"></a>Domain Controller Unavailable</h3></div></div><div></div></div><p>“<span class="quote">Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable'</span>”</p><p>
+A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes,
+then try again.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890954"></a>Cannot Log onto Domain Member Workstation After Joining Domain</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2890966"></a>
+<a class="indexterm" name="id2890975"></a>
+After successfully joining the domain, user logons fail with one of two messages: one to the
+effect that the Domain Controller cannot be found; the other claims that the account does not
+exist in the domain or that the password is incorrect. This may be due to incompatible
+settings between the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span>
+(secure channel) settings or <span class="emphasis"><em>smb signing</em></span> settings. Check your Samba
+settings for <span class="emphasis"><em> client schannel, server schannel, client signing, server signing</em></span>
+by executing:
+</p><pre class="screen">
+<b class="command">testparm -v | more</b> and looking for the value of these parameters.
+</pre><p>
+</p><p>
+Also use the Microsoft Management Console Local Security Settings. This tool is available from the
+Control Panel. The Policy settings are found in the Local Policies/Securty Options area and are prefixed by
+<span class="emphasis"><em>Secure Channel: ..., and Digitally sign ....</em></span>.
+</p><p>
+It is important that these be set consistently with the Samba-3 server settings.
+</p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><link linkend="passdb"></div><div class="footnote"><p><sup>[<a name="ftn.id2889204" href="#id2889204">2</a>] </sup>See <link linkend="NetworkBrowsing">, and
+ <link linkend="integrate-ms-networks">.</p></div><div class="footnote"><link linkend="NetworkBrowsing"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Backup Domain Control</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. Securing Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="locking.html" title="Chapter 14. File and Record Locking"><link rel="next" href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. Securing Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="securing-samba"></a>Chapter 15. Securing Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 26, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="securing-samba.html#id2918114">Introduction</a></dt><dt><a href="securing-samba.html#id2918159">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2918244">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2918263">Using Host-Based Protection</a></dt><dt><a href="securing-samba.html#id2918364">User-Based Protection</a></dt><dt><a href="securing-samba.html#id2918424">Using Interface Protection</a></dt><dt><a href="securing-samba.html#id2918507">Using a Firewall</a></dt><dt><a href="securing-samba.html#id2918564">Using IPC$ Share-Based Denials </a></dt><dt><a href="securing-samba.html#id2918648">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2918707">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2918731">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2918750">Smbclient Works on Localhost, but the Network Is Dead</a></dt><dt><a href="securing-samba.html#id2918774">Why Can Users Access Home Directories of Other Users?</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918114"></a>Introduction</h2></div></div><div></div></div><p>
+This note was attached to the Samba 2.2.8 release notes as it contained an
+important security fix. The information contained here applies to Samba
+installations in general.
+</p><div class="blockquote"><blockquote class="blockquote"><p>
+A new apprentice reported for duty to the chief engineer of a boiler house. He said, “<span class="quote">Here I am,
+if you will show me the boiler I'll start working on it.</span>” Then engineer replied, “<span class="quote">You're leaning
+on it!</span>”
+</p></blockquote></div><p>
+Security concerns are just like that. You need to know a little about the subject to appreciate
+how obvious most of it really is. The challenge for most of us is to discover that first morsel
+of knowledge with which we may unlock the secrets of the masters.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918159"></a>Features and Benefits</h2></div></div><div></div></div><p>
+There are three levels at which security principals must be observed in order to render a site
+at least moderately secure. They are the perimeter firewall, the configuration of the host
+server that is running Samba and Samba itself.
+</p><p>
+Samba permits a most flexible approach to network security. As far as possible Samba implements
+the latest protocols to permit more secure MS Windows file and print operations.
+</p><p>
+Samba may be secured from connections that originate from outside the local network. This may be
+done using <span class="emphasis"><em>host-based protection</em></span> (using samba's implementation of a technology
+known as “<span class="quote">tcpwrappers,</span>” or it may be done be using <span class="emphasis"><em>interface-based exclusion</em></span>
+so <span class="application">smbd</span> will bind only to specifically permitted interfaces. It is also
+possible to set specific share or resource-based exclusions, for example on the <i class="parameter"><tt>[IPC$]</tt></i>
+auto-share. The <i class="parameter"><tt>[IPC$]</tt></i> share is used for browsing purposes as well as to establish
+TCP/IP connections.
+</p><p>
+Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access
+Control List (ACL) on the shares themselves. This is discussed in <link linkend="AccessControls">.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918244"></a>Technical Discussion of Protective Measures and Issues</h2></div></div><div></div></div><p>
+The key challenge of security is the fact that protective measures suffice at best
+only to close the door on known exploits and breach techniques. Never assume that
+because you have followed these few measures that the Samba server is now an impenetrable
+fortress! Given the history of information systems so far, it is only a matter of time
+before someone will find yet another vulnerability.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918263"></a>Using Host-Based Protection</h3></div></div><div></div></div><p>
+ In many installations of Samba, the greatest threat comes from outside
+ your immediate network. By default, Samba will accept connections from
+ any host, which means that if you run an insecure version of Samba on
+ a host that is directly connected to the Internet you can be
+ especially vulnerable.
+ </p><p>
+ One of the simplest fixes in this case is to use the <a class="indexterm" name="id2918285"></a><i class="parameter"><tt>hosts allow</tt></i> and
+ <a class="indexterm" name="id2918298"></a><i class="parameter"><tt>hosts deny</tt></i> options in the Samba <tt class="filename">smb.conf</tt> configuration file to only
+ allow access to your server from a specific range of hosts. An example might be:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>
+ The above will only allow SMB connections from <tt class="constant">localhost</tt> (your own
+ computer) and from the two private networks 192.168.2 and 192.168.3. All other
+ connections will be refused as soon as the client sends its first packet. The refusal
+ will be marked as <span class="errorname">not listening on called name</span> error.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918364"></a>User-Based Protection</h3></div></div><div></div></div><p>
+ If you want to restrict access to your server to valid users only, then the following
+ method may be of use. In the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[global]</tt></i> section put:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>valid users = @smbusers, jacko</tt></i></td></tr></table><p>
+ This restricts all server access to either the user <span class="emphasis"><em>jacko</em></span>
+ or to members of the system group <span class="emphasis"><em>smbusers</em></span>.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918424"></a>Using Interface Protection</h3></div></div><div></div></div><p>
+ By default, Samba will accept connections on any network interface that
+ it finds on your system. That means if you have a ISDN line or a PPP
+ connection to the Internet then Samba will accept connections on those
+ links. This may not be what you want.
+ </p><p>
+ You can change this behavior using options like this:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>interfaces = eth* lo</tt></i></td></tr><tr><td><i class="parameter"><tt>bind interfaces only = yes</tt></i></td></tr></table><p>
+ This tells Samba to only listen for connections on interfaces with a
+ name starting with <tt class="constant">eth</tt> such as <tt class="constant">eth0, eth1</tt> plus on the loopback
+ interface called <tt class="constant">lo</tt>. The name you will need to use depends on what
+ OS you are using. In the above, I used the common name for Ethernet
+ adapters on Linux.
+ </p><p>
+ If you use the above and someone tries to make an SMB connection to
+ your host over a PPP interface called <tt class="constant">ppp0,</tt> then they will get a TCP
+ connection refused reply. In that case, no Samba code is run at all as
+ the operating system has been told not to pass connections from that
+ interface to any Samba process.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918507"></a>Using a Firewall</h3></div></div><div></div></div><p>
+ Many people use a firewall to deny access to services they do not
+ want exposed outside their network. This can be a good idea,
+ although I recommend using it in conjunction with the above
+ methods so you are protected even if your firewall is not active
+ for some reason.
+ </p><p>
+ If you are setting up a firewall, you need to know what TCP and
+ UDP ports to allow and block. Samba uses the following:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>UDP/137 - used by nmbd</td></tr><tr><td>UDP/138 - used by nmbd</td></tr><tr><td>TCP/139 - used by smbd</td></tr><tr><td>TCP/445 - used by smbd</td></tr></table><p>
+ The last one is important as many older firewall setups may not be
+ aware of it, given that this port was only added to the protocol in
+ recent years.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918564"></a>Using IPC$ Share-Based Denials </h3></div></div><div></div></div><p>
+ If the above methods are not suitable, then you could also place a
+ more specific deny on the IPC$ share that is used in the recently
+ discovered security hole. This allows you to offer access to other
+ shares while denying access to IPC$ from potentially untrustworthy
+ hosts.
+ </p><p>
+ To do this you could use:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[IPC$]</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts allow = 192.168.115.0/24 127.0.0.1</tt></i></td></tr><tr><td><i class="parameter"><tt>hosts deny = 0.0.0.0/0</tt></i></td></tr></table><p>
+ This instructs Samba that IPC$ connections are not allowed from
+ anywhere except from the two listed network addresses (localhost and the 192.168.115
+ subnet). Connections to other shares are still allowed. As the
+ IPC$ share is the only share that is always accessible anonymously,
+ this provides some level of protection against attackers that do not
+ know a valid username/password for your host.
+ </p><p>
+ If you use this method, then clients will be given an <span class="errorname">`access denied'</span>
+ reply when they try to access the IPC$ share. Those clients will not be able to
+ browse shares, and may also be unable to access some other resources. This is not
+ recommended unless you cannot use one of the other methods listed above for some reason.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918648"></a>NTLMv2 Security</h3></div></div><div></div></div><p>
+ To configure NTLMv2 authentication, the following registry keys are worth knowing about:
+ </p><p>
+ </p><pre class="screen">
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "lmcompatibilitylevel"=dword:00000003
+ </pre><p>
+ </p><p>
+ The value 0x00000003 means send NTLMv2 response only. Clients will use NTLMv2 authentication,
+ use NTLMv2 session security if the server supports it. Domain Controllers accept LM,
+ NTLM and NTLMv2 authentication.
+ </p><p>
+ </p><pre class="screen">
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "NtlmMinClientSec"=dword:00080000
+ </pre><p>
+ </p><p>
+ The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
+ NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2
+ session security is not negotiated.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918707"></a>Upgrading Samba</h2></div></div><div></div></div><p>
+Please check regularly on <ulink url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
+important announcements. Occasionally security releases are made and
+it is highly recommended to upgrade Samba when a security vulnerability
+is discovered. Check with your OS vendor for OS specific upgrades.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2918731"></a>Common Errors</h2></div></div><div></div></div><p>
+If all of Samba and host platform configuration were really as intuitive as one might like them to be, this
+section would not be necessary. Security issues are often vexing for a support person to resolve, not
+because of the complexity of the problem, but for the reason that most administrators who post what turns
+out to be a security problem request are totally convinced that the problem is with Samba.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918750"></a>Smbclient Works on Localhost, but the Network Is Dead</h3></div></div><div></div></div><p>
+ This is a common problem. Red Hat Linux (and others) installs a default firewall.
+ With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1)
+ is allowed through the firewall.
+ </p><p>
+ The solution is either to remove the firewall (stop it) or modify the firewall script to
+ allow SMB networking traffic through. See section above in this chapter.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2918774"></a>Why Can Users Access Home Directories of Other Users?</h3></div></div><div></div></div><p>
+ “<span class="quote">
+ We are unable to keep individual users from mapping to any other user's
+ home directory once they have supplied a valid password! They only need
+ to enter their own password. I have not found any method to configure
+ Samba so that users may map only their own home directory.
+ </span>”
+ </p><p>“<span class="quote">
+ User xyzzy can map his home directory. Once mapped user xyzzy can also map
+ anyone else's home directory.
+ </span>”</p><p>
+ This is not a security flaw, it is by design. Samba allows users to have
+ exactly the same access to the UNIX file system as when they were logged
+ onto the UNIX box, except that it only allows such views onto the file
+ system as are allowed by the defined shares.
+ </p><p>
+ If your UNIX home directories are set up so that one user can happily <b class="command">cd</b>
+ into another users directory and execute <b class="command">ls</b>, the UNIX security solution is to change file
+ permissions on the user's home directories such that the <b class="command">cd</b> and <b class="command">ls</b> are denied.
+ </p><p>
+ Samba tries very hard not to second guess the UNIX administrators security policies, and
+ trusts the UNIX admin to set the policies and permissions he or she desires.
+ </p><p>
+ Samba allows the behavior you require. Simply put the <a class="indexterm" name="id2918859"></a><i class="parameter"><tt>only user</tt></i> = %S
+ option in the <i class="parameter"><tt>[homes]</tt></i> share definition.
+ </p><p>
+ The <a class="indexterm" name="id2918883"></a><i class="parameter"><tt>only user</tt></i> works in conjunction with the <a class="indexterm" name="id2918899"></a><i class="parameter"><tt>users</tt></i> = list,
+ so to get the behavior you require, add the line :
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>users = %S</tt></i></td></tr></table><p>
+ this is equivalent to adding
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>valid users = %S</tt></i></td></tr></table><p>
+ to the definition of the <i class="parameter"><tt>[homes]</tt></i> share, as recommended in
+ the <tt class="filename">smb.conf</tt> man page.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="locking.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="InterdomainTrusts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. File and Record Locking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Interdomain Trust Relationships</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 39. Samba Performance Tuning</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Other-Clients.html" title="Chapter 38. Samba and Other CIFS Clients"><link rel="next" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 39. Samba Performance Tuning</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="speed"></a>Chapter 39. Samba Performance Tuning</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Paul</span> <span class="surname">Cochrane</span></h3><div class="affiliation"><span class="orgname">Dundee Limb Fitting Centre<br></span><div class="address"><p><tt class="email"><<a href="mailto:paulc@dth.scot.nhs.uk">paulc@dth.scot.nhs.uk</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="speed.html#id2976235">Comparisons</a></dt><dt><a href="speed.html#id2976281">Socket Options</a></dt><dt><a href="speed.html#id2976372">Read Size</a></dt><dt><a href="speed.html#id2976422">Max Xmit</a></dt><dt><a href="speed.html#id2976477">Log Level</a></dt><dt><a href="speed.html#id2976507">Read Raw</a></dt><dt><a href="speed.html#id2976592">Write Raw</a></dt><dt><a href="speed.html#id2976655">Slow Logins</a></dt><dt><a href="speed.html#id2976683">Client Tuning</a></dt><dt><a href="speed.html#id2976707">Samba Performance Problem Due to Changing Linux Kernel</a></dt><dt><a href="speed.html#id2976766">Corrupt tdb Files</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976235"></a>Comparisons</h2></div></div><div></div></div><p>
+The Samba server uses TCP to talk to the client. Thus if you are
+trying to see if it performs well, you should really compare it to
+programs that use the same protocol. The most readily available
+programs for file transfer that use TCP are ftp or another TCP-based
+SMB server.
+</p><p>
+If you want to test against something like an NT or Windows for Workgroups server, then
+you will have to disable all but TCP on either the client or
+server. Otherwise, you may well be using a totally different protocol
+(such as NetBEUI) and comparisons may not be valid.
+</p><p>
+Generally, you should find that Samba performs similarly to ftp at raw
+transfer speed. It should perform quite a bit faster than NFS,
+although this depends on your system.
+</p><p>
+Several people have done comparisons between Samba and Novell, NFS or
+Windows NT. In some cases Samba performed the best, in others the worst. I
+suspect the biggest factor is not Samba versus some other system, but the
+hardware and drivers used on the various systems. Given similar
+hardware, Samba should certainly be competitive in speed with other
+systems.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976281"></a>Socket Options</h2></div></div><div></div></div><p>
+There are a number of socket options that can greatly affect the
+performance of a TCP-based server like Samba.
+</p><p>
+The socket options that Samba uses are settable both on the command
+line with the <tt class="option">-O</tt> option, or in the <tt class="filename">smb.conf</tt> file.
+</p><p>
+The <a class="indexterm" name="id2976313"></a><i class="parameter"><tt>socket options</tt></i> section of the <tt class="filename">smb.conf</tt> manual page describes how
+to set these and gives recommendations.
+</p><p>
+Getting the socket options correct can make a big difference to your
+performance, but getting them wrong can degrade it by just as
+much. The correct settings are very dependent on your local network.
+</p><p>
+The socket option TCP_NODELAY is the one that seems to make the biggest single difference
+for most networks. Many people report that adding
+<a class="indexterm" name="id2976350"></a><i class="parameter"><tt>socket options</tt></i> = TCP_NODELAY
+doubles the read performance of a Samba drive. The best explanation I have seen for
+this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976372"></a>Read Size</h2></div></div><div></div></div><p>
+The option <a class="indexterm" name="id2976382"></a><i class="parameter"><tt>read size</tt></i> affects the overlap of disk
+reads/writes with network reads/writes. If the amount of data being
+transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and
+SMBreadbraw) is larger than this value, then the server begins writing
+the data before it has received the whole packet from the network, or
+in the case of SMBreadbraw, it begins writing to the network before
+all the data has been read from disk.
+</p><p>
+This overlapping works best when the speeds of disk and network access
+are similar, having little effect when the speed of one is much
+greater than the other.
+</p><p>
+The default value is 16384, but little experimentation has been
+done as yet to determine the optimal value, and it is likely that the best
+value will vary greatly between systems anyway. A value over 65536 is
+pointless and will cause you to allocate memory unnecessarily.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976422"></a>Max Xmit</h2></div></div><div></div></div><p>
+ At startup the client and server negotiate a <i class="parameter"><tt>maximum transmit</tt></i> size,
+which limits the size of nearly all SMB commands. You can set the
+maximum size that Samba will negotiate using the <a class="indexterm" name="id2976442"></a><i class="parameter"><tt>max xmit</tt></i> option
+in <tt class="filename">smb.conf</tt>. Note that this is the maximum size of SMB requests that
+Samba will accept, but not the maximum size that the client will accept.
+The client maximum receive size is sent to Samba by the client and Samba
+honors this limit.
+</p><p>
+It defaults to 65536 bytes (the maximum), but it is possible that some
+clients may perform better with a smaller transmit unit. Trying values
+of less than 2048 is likely to cause severe problems.
+In most cases the default is the best option.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976477"></a>Log Level</h2></div></div><div></div></div><p>
+If you set the log level (also known as <a class="indexterm" name="id2976487"></a><i class="parameter"><tt>debug level</tt></i>) higher than 2
+then you may suffer a large drop in performance. This is because the
+server flushes the log file after each operation, which can be quite
+expensive.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976507"></a>Read Raw</h2></div></div><div></div></div><p>
+The <a class="indexterm" name="id2976517"></a><i class="parameter"><tt>read raw</tt></i> operation is designed to be an optimized, low-latency
+file read operation. A server may choose to not support it,
+however, and Samba makes support for <a class="indexterm" name="id2976534"></a><i class="parameter"><tt>read raw</tt></i> optional, with it
+being enabled by default.
+</p><p>
+In some cases clients do not handle <a class="indexterm" name="id2976552"></a><i class="parameter"><tt>read raw</tt></i> very well and actually
+get lower performance using it than they get using the conventional
+read operations.
+</p><p>
+So you might like to try <a class="indexterm" name="id2976573"></a><i class="parameter"><tt>read raw</tt></i> = no and see what happens on your
+network. It might lower, raise or not effect your performance. Only
+testing can really tell.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976592"></a>Write Raw</h2></div></div><div></div></div><p>
+The <a class="indexterm" name="id2976602"></a><i class="parameter"><tt>write raw</tt></i> operation is designed to be an optimized, low-latency
+file write operation. A server may choose to not support it, however, and Samba makes support for
+<a class="indexterm" name="id2976618"></a><i class="parameter"><tt>write raw</tt></i> optional, with it being enabled by default.
+</p><p>
+Some machines may find <a class="indexterm" name="id2976637"></a><i class="parameter"><tt>write raw</tt></i> slower than normal write, in which
+case you may wish to change this option.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976655"></a>Slow Logins</h2></div></div><div></div></div><p>
+Slow logins are almost always due to the password checking time. Using
+the lowest practical <a class="indexterm" name="id2976666"></a><i class="parameter"><tt>password level</tt></i> will improve things.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976683"></a>Client Tuning</h2></div></div><div></div></div><p>
+Often a speed problem can be traced to the client. The client (for
+example Windows for Workgroups) can often be tuned for better TCP
+performance. Check the sections on the various clients in
+<link linkend="Other-Clients">.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976707"></a>Samba Performance Problem Due to Changing Linux Kernel</h2></div></div><div></div></div><p>
+A user wrote the following to the mailing list:
+</p><p>
+I am running Gentoo on my server and Samba 2.2.8a. Recently
+I changed kernel version from <tt class="filename">linux-2.4.19-gentoo-r10</tt> to
+<tt class="filename">linux-2.4.20-wolk4.0s</tt>. And now I have a performance issue with Samba.
+Many of you will probably say, “<span class="quote">Move to vanilla sources!</span>”
+Well, I tried that and it didn't work. I have a 100mb LAN and two computers (Linux and
+Windows 2000). The Linux server shares directories with DivX files, the client
+(Windows 2000) plays them via LAN. Before when I was running the 2.4.19 kernel
+everything was fine, but now movies freeze and stop. I tried moving
+files between the server and Windows and it is terribly slow.
+</p><p>
+The answer he was given is:
+</p><p>
+Grab the mii-tool and check the duplex settings on the NIC.
+My guess is that it is a link layer issue, not an application
+layer problem. Also run ifconfig and verify that the framing
+error, collisions, and so on, look normal for ethernet.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2976766"></a>Corrupt tdb Files</h2></div></div><div></div></div><p>
+Our Samba PDC server has been hosting three TB of data to our 500+ users
+[Windows NT/XP] for the last three years using Samba without a problem.
+Today all shares went very slow. Also the main smbd kept
+spawning new processes so we had 1600+ running smbd's (normally we avg. 250).
+It crashed the SUN E3500 cluster twice. After a lot of searching, I
+decided to <b class="command">rm /var/locks/*.tdb</b>. Happy again.
+</p><p>
+<span class="emphasis"><em>Question:</em></span> Is there any method of keeping the *.tdb files in top condition or
+how can I detect early corruption?
+</p><p>
+<span class="emphasis"><em>Answer:</em></span> Yes, run <b class="command">tdbbackup</b> each time after stopping nmbd and before starting nmbd.
+</p><p>
+<span class="emphasis"><em>Question:</em></span> What I also would like to mention is that the service latency seems
+a lot lower than before the locks cleanup. Any ideas on keeping it top notch?
+</p><p>
+<span class="emphasis"><em>Answer:</em></span> Yes. Same answer as for previous question!
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Other-Clients.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DNSDHCP.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 38. Samba and Other CIFS Clients </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 40. DNS and DHCP Configuration Guide</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The Samba Checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The Samba Checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id2969273">Introduction</a></dt><dt><a href="diagnosis.html#id2969311">Assumptions</a></dt><dt><a href="diagnosis.html#id2969546">The Tests</a></dt></dl></dd><dt>34. <a href="problems.html">Analyzing and Solving Samba Problems</a></dt><dd><dl><dt><a href="problems.html#id2971255">Diagnostics Tools</a></dt><dd><dl><dt><a href="problems.html#id2971276">Debugging with Samba Itself</a></dt><dt><a href="problems.html#id2971441">Tcpdump</a></dt><dt><a href="problems.html#id2971477">Ethereal</a></dt><dt><a href="problems.html#id2971621">The Windows Network Monitor</a></dt></dl></dd><dt><a href="problems.html#id2971938">Useful URLs</a></dt><dt><a href="problems.html#id2971978">Getting Mailing List Help</a></dt><dt><a href="problems.html#id2972155">How to Get Off the Mailing Lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id2972309">Introduction</a></dt><dt><a href="bugreport.html#id2972372">General Information</a></dt><dt><a href="bugreport.html#id2972408">Debug Levels</a></dt><dt><a href="bugreport.html#id2972617">Internal Errors</a></dt><dt><a href="bugreport.html#id2972752">Attaching to a Running Process</a></dt><dt><a href="bugreport.html#id2972799">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The Samba Checklist</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part II. Server Configuration Basics</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="FastStart.html" title="Chapter 3. Fast Start for the Impatient"><link rel="next" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part II. Server Configuration Basics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="type"></a>Server Configuration Basics</h1></div></div><div></div></div><div class="partintro" lang="en"><div><div><div><h1 class="title"><a name="id2885842"></a>First Steps in Server Configuration</h1></div></div><div></div></div><p>
+Samba can operate in various modes within SMB networks. This HOWTO section contains information on
+configuring samba to function as the type of server your network requires. Please read this
+section carefully.
+</p><div class="toc"><p><b>Table of Contents</b></p><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2885999">Features and Benefits</a></dt><dt><a href="ServerType.html#id2886097">Server Types</a></dt><dt><a href="ServerType.html#id2886186">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2886291">User Level Security</a></dt><dt><a href="ServerType.html#id2886413">Share Level Security</a></dt><dt><a href="ServerType.html#id2886525">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886821">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2886928">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2887204">Password Checking</a></dt><dt><a href="ServerType.html#id2887400">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2887429">What Makes Samba a Server?</a></dt><dt><a href="ServerType.html#id2887468">What Makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2887504">What Makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2887542">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. <a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2870050">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2870321">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2870336">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2889080">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2889458">Domain Control Example Configuration</a></dt><dt><a href="samba-pdc.html#id2889951">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2889989">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890004">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2890439">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2890570">Common Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2890577">$ Cannot Be Included in Machine Name</a></dt><dt><a href="samba-pdc.html#id2890661">Joining Domain Fails Because of Existing Machine Account</a></dt><dt><a href="samba-pdc.html#id2890722">The System Cannot Log You On (C000019B)</a></dt><dt><a href="samba-pdc.html#id2890822">The Machine Trust Account Is Not Accessible</a></dt><dt><a href="samba-pdc.html#id2890899">Account Disabled</a></dt><dt><a href="samba-pdc.html#id2890932">Domain Controller Unavailable</a></dt><dt><a href="samba-pdc.html#id2890954">Cannot Log onto Domain Member Workstation After Joining Domain</a></dt></dl></dd></dl></dd><dt>6. <a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2891162">Features and Benefits</a></dt><dt><a href="samba-bdc.html#id2891552">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2891580">MS Windows NT4-style Domain Control</a></dt><dt><a href="samba-bdc.html#id2891874">LDAP Configuration Notes</a></dt><dt><a href="samba-bdc.html#id2892094">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2892115">What Qualifies a Domain Controller on the Network?</a></dt><dt><a href="samba-bdc.html#id2892157">How does a Workstation find its Domain Controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892268">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892538">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2892768">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2892791">Machine Accounts Keep Expiring</a></dt><dt><a href="samba-bdc.html#id2892845">Can Samba Be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2892880">How Do I Replicate the smbpasswd File?</a></dt><dt><a href="samba-bdc.html#id2892948">Can I Do This All with LDAP?</a></dt></dl></dd></dl></dd><dt>7. <a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2893185">Features and Benefits</a></dt><dt><a href="domain-member.html#machine-trust-accounts">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2893524">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2893846">Managing Domain Machine Accounts using NT4 Server Manager</a></dt><dt><a href="domain-member.html#id2894113">On-the-Fly Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2894194">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2894418">Joining an NT4-type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2894926">Why Is This Better Than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2895131">Configure smb.conf</a></dt><dt><a href="domain-member.html#id2895267">Configure /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the Computer Account</a></dt><dt><a href="domain-member.html#ads-test-server">Testing Server Setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2895840">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2895877">Sharing User ID Mappings between Samba Domain Members</a></dt><dt><a href="domain-member.html#id2896009">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2896038">Cannot Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2896072">Adding Machine to Domain Fails</a></dt><dt><a href="domain-member.html#id2896237">I Can't Join a Windows 2003 PDC</a></dt></dl></dd></dl></dd><dt>8. <a href="StandAloneServer.html">Stand-alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2896324">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2896363">Background</a></dt><dt><a href="StandAloneServer.html#id2896435">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#RefDocServer">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#SimplePrintServer">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2897068">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2897131">Note</a></dt></dl></dd></dl></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="FastStart.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ServerType.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Fast Start for the Impatient </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. Server Types and Security Modes</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Unicode/Charsets</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows Networks with Samba"><link rel="next" href="Backup.html" title="Chapter 28. Samba Backup Techniques"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 27. Unicode/Charsets</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="unicode"></a>Chapter 27. Unicode/Charsets</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">TAKAHASHI</span> <span class="surname">Motonobu</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:monyo@home.monyo.com">monyo@home.monyo.com</a>></tt></p></div></div></div></div><div><p class="pubdate">25 March 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="unicode.html#id2963374">Features and Benefits</a></dt><dt><a href="unicode.html#id2963419">What Are Charsets and Unicode?</a></dt><dt><a href="unicode.html#id2963499">Samba and Charsets</a></dt><dt><a href="unicode.html#id2963627">Conversion from Old Names</a></dt><dt><a href="unicode.html#id2963643">Japanese Charsets</a></dt><dt><a href="unicode.html#id2963781">Common Errors</a></dt><dd><dl><dt><a href="unicode.html#id2963788">CP850.so Can't Be Found</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963374"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Every industry eventually matures. One of the great areas of maturation is in
+the focus that has been given over the past decade to make it possible for anyone
+anywhere to use a computer. It has not always been that way, in fact, not so long
+ago it was common for software to be written for exclusive use in the country of
+origin.
+</p><p>
+Of all the effort that has been brought to bear on providing native language support
+for all computer users, the efforts of the <ulink url="http://www.openi18n.org/">Openi18n organization</ulink> is deserving of
+special mention.
+</p><p>
+Samba-2.x supported a single locale through a mechanism called
+<span class="emphasis"><em>codepages</em></span>. Samba-3 is destined to become a truly trans-global
+file and printer-sharing platform.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963419"></a>What Are Charsets and Unicode?</h2></div></div><div></div></div><p>
+Computers communicate in numbers. In texts, each number will be
+translated to a corresponding letter. The meaning that will be assigned
+to a certain number depends on the <span class="emphasis"><em>character set (charset)
+</em></span> that is used.
+</p><p>
+A charset can be seen as a table that is used to translate numbers to
+letters. Not all computers use the same charset (there are charsets
+with German umlauts, Japanese characters, and so on). Usually a charset contains
+256 characters, which means that storing a character with it takes
+exactly one byte. </p><p>
+There are also charsets that support even more characters,
+but those need twice as much storage space (or more). These
+charsets can contain <b class="command">256 * 256 = 65536</b> characters, which
+is more than all possible characters one could think of. They are called
+multibyte charsets because they use more then one byte to
+store one character.
+</p><p>
+A standardized multibyte charset is <ulink url="http://www.unicode.org/">unicode</ulink>.
+A big advantage of using a multibyte charset is that you only need one; there
+is no need to make sure two computers use the same charset when they are
+communicating.
+</p><p>Old Windows clients use single-byte charsets, named
+<i class="parameter"><tt>codepages</tt></i>, by Microsoft. However, there is no support for
+negotiating the charset to be used in the SMB/CIFS protocol. Thus, you
+have to make sure you are using the same charset when talking to an older client.
+Newer clients (Windows NT, 200x, XP) talk unicode over the wire.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963499"></a>Samba and Charsets</h2></div></div><div></div></div><p>
+As of Samba-3.0, Samba can (and will) talk unicode over the wire. Internally,
+Samba knows of three kinds of character sets:
+</p><div class="variablelist"><dl><dt><span class="term"><a class="indexterm" name="id2963521"></a><i class="parameter"><tt>unix charset</tt></i></span></dt><dd><p>
+ This is the charset used internally by your operating system.
+ The default is <tt class="constant">UTF-8</tt>, which is fine for most
+ systems, which covers all characters in all languages. The default in previous Samba releases was <tt class="constant">ASCII</tt>.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2963558"></a><i class="parameter"><tt>display charset</tt></i></span></dt><dd><p>This is the charset Samba will use to print messages
+ on your screen. It should generally be the same as the <i class="parameter"><tt>unix charset</tt></i>.
+ </p></dd><dt><span class="term"><a class="indexterm" name="id2963592"></a><i class="parameter"><tt>dos charset</tt></i></span></dt><dd><p>This is the charset Samba uses when communicating with
+ DOS and Windows 9x/Me clients. It will talk unicode to all newer clients.
+ The default depends on the charsets you have installed on your system.
+ Run <b class="command">testparm -v | grep "dos charset"</b> to see
+ what the default is on your system.
+ </p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963627"></a>Conversion from Old Names</h2></div></div><div></div></div><p>Because previous Samba versions did not do any charset conversion,
+characters in filenames are usually not correct in the UNIX charset but only
+for the local charset used by the DOS/Windows clients.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963643"></a>Japanese Charsets</h2></div></div><div></div></div><p>Samba does not work correctly with Japanese charsets yet. Here are
+points of attention when setting it up:</p><div class="itemizedlist"><ul type="disc"><li><p>You should set <a class="indexterm" name="id2963664"></a><i class="parameter"><tt>mangling method</tt></i> = hash</p></li><li><p>There are various iconv() implementations around and not
+ all of them work equally well. glibc2's iconv() has a critical problem
+ in CP932. libiconv-1.8 works with CP932 but still has some problems and
+ does not work with EUC-JP.</p></li><li><p>You should set <a class="indexterm" name="id2963693"></a><i class="parameter"><tt>dos charset</tt></i> = CP932, not
+ Shift_JIS, SJIS.</p></li><li><p>Currently only <a class="indexterm" name="id2963713"></a><i class="parameter"><tt>UNIX charset</tt></i> = CP932
+ will work (but still has some problems...) because of iconv() issues.
+ <a class="indexterm" name="id2963729"></a><i class="parameter"><tt>UNIX charset</tt></i> = EUC-JP does not work well because of
+ iconv() issues.</p></li><li><p>Currently Samba-3.0 does not support <a class="indexterm" name="id2963749"></a><i class="parameter"><tt>UNIX charset</tt></i> = UTF8-MAC/CAP/HEX/JIS*.</p></li></ul></div><p>More information (in Japanese) is available at: <ulink url="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html">http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html</ulink>.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963781"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963788"></a>CP850.so Can't Be Found</h3></div></div><div></div></div><p>“<span class="quote">Samba is complaining about a missing <tt class="filename">CP850.so</tt> file.</span>”</p><p><span class="emphasis"><em>Answer:</em></span> CP850 is the default <a class="indexterm" name="id2963814"></a><i class="parameter"><tt>dos charset</tt></i>.
+ The <a class="indexterm" name="id2963828"></a><i class="parameter"><tt>dos charset</tt></i> is used to convert data to the codepage used by your dos clients.
+ If you do not have any dos clients, you can safely ignore this message. </p><p>CP850 should be supported by your local iconv implementation. Make sure you have all the required packages installed.
+ If you compiled Samba from source, make sure to configure found iconv.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="integrate-ms-networks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Backup.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 26. Integrating MS Windows Networks with Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 28. Samba Backup Techniques</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">June 30, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id2964134">Quick Migration Guide</a></dt><dt><a href="upgrading-to-3.0.html#id2964257">New Features in Samba-3</a></dt><dt><a href="upgrading-to-3.0.html#id2964410">Configuration Parameter Changes</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2964433">Removed Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964564">New Parameters</a></dt><dt><a href="upgrading-to-3.0.html#id2964983">Modified Parameters (Changes in Behavior):</a></dt></dl></dd><dt><a href="upgrading-to-3.0.html#id2965064">New Functionality</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id2965071">Databases</a></dt><dt><a href="upgrading-to-3.0.html#id2965324">Changes in Behavior</a></dt><dt><a href="upgrading-to-3.0.html#id2965395">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id2965417">Passdb Backends and Authentication</a></dt><dt><a href="upgrading-to-3.0.html#id2965577">LDAP</a></dt></dl></dd></dl></div><p>
+This chapter deals exclusively with the differences between Samba-3.0.0 and Samba-2.2.8a.
+It points out where configuration parameters have changed, and provides a simple guide for
+the move from 2.2.x to 3.0.0.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964134"></a>Quick Migration Guide</h2></div></div><div></div></div><p>
+Samba-3.0.0 default behavior should be approximately the same as Samba-2.2.x.
+The default behavior when the new parameter <a class="indexterm" name="id2964147"></a><i class="parameter"><tt>passdb backend</tt></i>
+is not defined in the <tt class="filename">smb.conf</tt> file provides the same default behviour as Samba-2.2.x
+with <a class="indexterm" name="id2964171"></a><i class="parameter"><tt>encrypt passwords</tt></i> = Yes, and
+will use the <tt class="filename">smbpasswd</tt> database.
+</p><p>
+So why say that <span class="emphasis"><em>behavior should be approximately the same as Samba-2.2.x?</em></span> Because
+Samba-3.0.0 can negotiate new protocols, such as support for native Unicode, that may result in
+differing protocol code paths being taken. The new behavior under such circumstances is not
+exactly the same as the old one. The good news is that the domain and machine SIDs will be
+preserved across the upgrade.
+</p><p>
+If the Samba-2.2.x system was using an LDAP backend, and there is no time to update the LDAP
+database, then make sure that <a class="indexterm" name="id2964213"></a><i class="parameter"><tt>passdb backend</tt></i> = ldapsam_compat
+is specified in the <tt class="filename">smb.conf</tt> file. For the rest, behavior should remain more or less the same.
+At a later date, when there is time to implement a new Samba-3 compatible LDAP backend, it is possible
+to migrate the old LDAP database to the new one through use of the <b class="command">pdbedit</b>.
+See <link linkend="pdbeditthing">.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964257"></a>New Features in Samba-3</h2></div></div><div></div></div><p>
+The major new features are:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Active Directory support. This release is able to join an ADS realm
+ as a member server and authenticate users using LDAP/kerberos.
+ </p></li><li><p>
+ Unicode support. Samba will now negotiate unicode on the wire and
+ internally there is a much better infrastructure for multi-byte
+ and unicode character sets.
+ </p></li><li><p>
+ New authentication system. The internal authentication system has
+ been almost completely rewritten. Most of the changes are internal,
+ but the new authoring system is also very configurable.
+ </p></li><li><p>
+ New filename mangling system. The filename mangling system has been
+ completely rewritten. An internal database now stores mangling maps
+ persistently.
+ </p></li><li><p>
+ New “<span class="quote">net</span>” command. A new “<span class="quote">net</span>” command has been added. It is
+ somewhat similar to the “<span class="quote">net</span>” command in Windows. Eventually, we
+ plan to replace a bunch of other utilities (such as smbpasswd)
+ with subcommands in “<span class="quote">net</span>”.
+ </p></li><li><p>
+ Samba now negotiates NT-style status32 codes on the wire. This
+ considerably improves error handling.
+ </p></li><li><p>
+ Better Windows 200x/XP printing support including publishing
+ printer attributes in Active Directory.
+ </p></li><li><p>
+ New loadable RPC modules for passdb backends and character sets.
+ </p></li><li><p>
+ New default dual-daemon winbindd support for better performance.
+ </p></li><li><p>
+ Support for migrating from a Windows NT 4.0 domain to a Samba
+ domain and maintaining user, group and domain SIDs.
+ </p></li><li><p>
+ Support for establishing trust relationships with Windows NT 4.0
+ Domain Controllers.
+ </p></li><li><p>
+ Initial support for a distributed Winbind architecture using
+ an LDAP directory for storing SID to UID/GID mappings.
+ </p></li><li><p>
+ Major updates to the Samba documentation tree.
+ </p></li><li><p>
+ Full support for client and server SMB signing to ensure
+ compatibility with default Windows 2003 security settings.
+ </p></li></ol></div><p>
+Plus lots of other improvements!
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964410"></a>Configuration Parameter Changes</h2></div></div><div></div></div><p>
+This section contains a brief listing of changes to <tt class="filename">smb.conf</tt> options
+in the 3.0.0 release. Please refer to the smb.conf(5) man page for
+complete descriptions of new or modified parameters.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964433"></a>Removed Parameters</h3></div></div><div></div></div><p>(Ordered Alphabetically):</p><div class="itemizedlist"><ul type="disc"><li><p>admin log </p></li><li><p>alternate permissions </p></li><li><p>character set </p></li><li><p>client codepage </p></li><li><p>code page directory </p></li><li><p>coding system </p></li><li><p>domain admin group </p></li><li><p>domain guest group </p></li><li><p>force unknown acl user </p></li><li><p>nt smb support </p></li><li><p>post script </p></li><li><p>printer driver </p></li><li><p>printer driver file </p></li><li><p>printer driver location </p></li><li><p>status </p></li><li><p>stip dot </p></li><li><p>total print jobs </p></li><li><p>use rhosts </p></li><li><p>valid chars </p></li><li><p>vfs options </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964564"></a>New Parameters</h3></div></div><div></div></div><p>(New parameters have been grouped by function):</p><p>Remote Management</p><div class="itemizedlist"><ul type="disc"><li><p>abort shutdown script </p></li><li><p>shutdown script </p></li></ul></div><p>User and Group Account Management:</p><div class="itemizedlist"><ul type="disc"><li><p>add group script </p></li><li><p>add machine script </p></li><li><p>add user to group script </p></li><li><p>algorithmic rid base </p></li><li><p>delete group script </p></li><li><p>delete user from group script </p></li><li><p>passdb backend </p></li><li><p>set primary group script </p></li></ul></div><p>Authentication:</p><div class="itemizedlist"><ul type="disc"><li><p>auth methods </p></li><li><p>realm </p></li></ul></div><p>Protocol Options:</p><div class="itemizedlist"><ul type="disc"><li><p>client lanman auth </p></li><li><p>client NTLMv2 auth </p></li><li><p>client schannel </p></li><li><p>client signing </p></li><li><p>client use spnego </p></li><li><p>disable netbios </p></li><li><p>ntlm auth </p></li><li><p>paranoid server security </p></li><li><p>server schannel </p></li><li><p>server signing </p></li><li><p>smb ports </p></li><li><p>use spnego </p></li></ul></div><p>File Service:</p><div class="itemizedlist"><ul type="disc"><li><p>get quota command </p></li><li><p>hide special files </p></li><li><p>hide unwriteable files </p></li><li><p>hostname lookups </p></li><li><p>kernel change notify </p></li><li><p>mangle prefix </p></li><li><p>map acl inherit </p></li><li><p>msdfs proxy </p></li><li><p>set quota command </p></li><li><p>use sendfile </p></li><li><p>vfs objects </p></li></ul></div><p>Printing:</p><div class="itemizedlist"><ul type="disc"><li><p>max reported print jobs </p></li></ul></div><p>Unicode and Character Sets:</p><div class="itemizedlist"><ul type="disc"><li><p>display charset </p></li><li><p>dos charset </p></li><li><p>unicode </p></li><li><p>UNIX charset </p></li></ul></div><p>SID to UID/GID Mappings:</p><div class="itemizedlist"><ul type="disc"><li><p>idmap backend </p></li><li><p>idmap gid </p></li><li><p>idmap uid </p></li><li><p>winbind enable local accounts </p></li><li><p>winbind trusted domains only </p></li><li><p>template primary group </p></li><li><p>enable rid algorithm </p></li></ul></div><p>LDAP:</p><div class="itemizedlist"><ul type="disc"><li><p>ldap delete dn </p></li><li><p>ldap group suffix </p></li><li><p>ldap idmap suffix </p></li><li><p>ldap machine suffix </p></li><li><p>ldap passwd sync </p></li><li><p>ldap trust ids </p></li><li><p>ldap user suffix </p></li></ul></div><p>General Configuration:</p><div class="itemizedlist"><ul type="disc"><li><p>preload modules </p></li><li><p>privatedir </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964983"></a>Modified Parameters (Changes in Behavior):</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>encrypt passwords (enabled by default) </p></li><li><p>mangling method (set to hash2 by default) </p></li><li><p>passwd chat </p></li><li><p>passwd program </p></li><li><p>password server </p></li><li><p>restrict anonymous (integer value) </p></li><li><p>security (new ads value) </p></li><li><p>strict locking (enabled by default) </p></li><li><p>winbind cache time (increased to 5 minutes) </p></li><li><p>winbind uid (deprecated in favor of idmap uid) </p></li><li><p>winbind gid (deprecated in favor of idmap gid) </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2965064"></a>New Functionality</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2965071"></a>Databases</h3></div></div><div></div></div><p>
+ This section contains brief descriptions of any new databases
+ introduced in Samba-3. Please remember to backup your existing
+ ${lock directory}/*tdb before upgrading to Samba-3. Samba will
+ upgrade databases as they are opened (if necessary), but downgrading
+ from 3.0 to 2.2 is an unsupported path.
+ </p><p>
+ The new tdb files are described in <link linkend="tdbfiledesc">.
+ </p><div class="table"><a name="tdbfiledesc"></a><p class="title"><b>Table 30.1. TDB File Descriptions</b></p><table summary="TDB File Descriptions" border="1"><colgroup><col align="left"><col align="justify"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="justify">Description</th><th align="center">Backup?</th></tr></thead><tbody><tr><td align="left">account_policy</td><td align="justify">User policy settings</td><td align="left">yes</td></tr><tr><td align="left">gencache</td><td align="justify">Generic caching db</td><td align="left">no</td></tr><tr><td align="left">group_mapping</td><td align="justify"><p>Mapping table from Windows groups/SID to UNIX groups</p></td><td align="left">yes</td></tr><tr><td align="left">idmap</td><td align="justify"><p>new ID map table from SIDS to UNIX UIDs/GIDs</p></td><td align="left">yes</td></tr><tr><td align="left">namecache</td><td align="justify">Name resolution cache entries</td><td align="left">no</td></tr><tr><td align="left">netlogon_unigrp</td><td align="justify"><p>Cache of universal group membership obtained when operating
+ as a member of a Windows domain</p></td><td align="left">no</td></tr><tr><td align="left">printing/*.tdb</td><td align="justify"><p>Cached output from `lpq command' created on a per print
+ service basis</p></td><td align="left">no</td></tr><tr><td align="left">registry</td><td align="justify"><p>Read-only Samba registry skeleton that provides support for
+ exporting various db tables via the winreg RPCs</p></td><td align="left">no</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2965324"></a>Changes in Behavior</h3></div></div><div></div></div><p>
+ The following issues are known changes in behavior between Samba-2.2 and
+ Samba-3 that may affect certain installations of Samba.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ When operating as a member of a Windows domain, Samba-2.2 would
+ map any users authenticated by the remote DC to the “<span class="quote">guest account</span>”
+ if a uid could not be obtained via the getpwnam() call. Samba-3
+ rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
+ current work around to re-establish the Samba-2.2 behavior.
+ </p></li><li><p>
+ When adding machines to a Samba-2.2 controlled domain, the
+ “<span class="quote">add user script</span>” was used to create the UNIX identity of the
+ Machine Trust Account. Samba-3 introduces a new “<span class="quote">add machine
+ script</span>” that must be specified for this purpose. Samba-3 will
+ not fall back to using the “<span class="quote">add user script</span>” in the absence of
+ an “<span class="quote">add machine script</span>”.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2965395"></a>Charsets</h3></div></div><div></div></div><p>
+ You might experience problems with special characters when communicating with old DOS
+ clients. Codepage support has changed in Samba-3. Read <link linkend="unicode">, for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2965417"></a>Passdb Backends and Authentication</h3></div></div><div></div></div><p>
+ There have been a few new changes that Samba administrators should be
+ aware of when moving to Samba-3.
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Encrypted passwords have been enabled by default in order to
+ interoperate better with out-of-the-box Windows client
+ installations. This does mean that either (a) a Samba account
+ must be created for each user, or (b) “<span class="quote">encrypt passwords = no</span>”
+ must be explicitly defined in <tt class="filename">smb.conf</tt>.
+ </p></li><li><p>
+ Inclusion of new <a class="indexterm" name="id2965466"></a><i class="parameter"><tt>security</tt></i> = ads option for integration
+ with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
+ </p></li></ol></div><p>
+ Samba-3 also includes the possibility of setting up chains
+ of authentication methods
+ (<a class="indexterm" name="id2965488"></a><i class="parameter"><tt>auth methods</tt></i>) and account
+ storage backends
+ (<a class="indexterm" name="id2965503"></a><i class="parameter"><tt>passdb backend</tt></i>).
+ Please refer to the <tt class="filename">smb.conf</tt>
+ man page and <link linkend="passdb">, for details. While both parameters assume sane default
+ values, it is likely that you will need to understand what the
+ values actually mean in order to ensure Samba operates correctly.
+ </p><p>
+<a class="indexterm" name="id2965538"></a>
+ Certain functions of the <b class="command">smbpasswd</b> tool have been split between the
+ new <b class="command">smbpasswd</b> utility, the <b class="command">net</b> tool and the new <b class="command">pdbedit</b>
+ utility. See the respective man pages for details.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2965577"></a>LDAP</h3></div></div><div></div></div><p>
+ This section outlines the new features effecting Samba/LDAP integration.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2965590"></a>New Schema</h4></div></div><div></div></div><p>
+ A new object class (sambaSamAccount) has been introduced to replace
+ the old sambaAccount. This change aids us in the renaming of attributes
+ to prevent clashes with attributes from other vendors. There is a
+ conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
+ file to the new schema.
+ </p><p>
+ Example:
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt>ldapsearch .... -b "ou=people,dc=..." > old.ldif
+ <tt class="prompt">$ </tt>convertSambaAccount <DOM SID> old.ldif new.ldif
+ </pre><p>
+ The <DOM SID> can be obtained by running
+</p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>net getlocalsid <DOMAINNAME></tt></b>
+</pre><p>
+ on the Samba PDC as root.
+ </p><p>
+ The old sambaAccount schema may still be used by specifying the
+ <i class="parameter"><tt>ldapsam_compat</tt></i> passdb backend. However, the sambaAccount and
+ associated attributes have been moved to the historical section of
+ the schema file and must be uncommented before use if needed.
+ The Samba-2.2 object class declaration for a sambaAccount has not changed
+ in the Samba-3 samba.schema file.
+ </p><p>
+ Other new object classes and their uses include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ sambaDomain domain information used to allocate RIDs
+ for users and groups as necessary. The attributes are added
+ in “<span class="quote">ldap suffix</span>” directory entry automatically if
+ an idmap UID/GID range has been set and the “<span class="quote">ldapsam</span>”
+ passdb backend has been selected.
+ </p></li><li><p>
+ sambaGroupMapping an object representing the
+ relationship between a posixGroup and a Windows
+ group/SID. These entries are stored in the “<span class="quote">ldap
+ group suffix</span>” and managed by the “<span class="quote">net groupmap</span>” command.
+ </p></li><li><p>
+ sambaUNIXIdPool created in the “<span class="quote">ldap idmap suffix</span>” entry
+ automatically and contains the next available “<span class="quote">idmap UID</span>” and
+ “<span class="quote">idmap GID</span>”.
+ </p></li><li><p>
+ sambaIdmapEntry object storing a mapping between a
+ SID and a UNIX UID/GID. These objects are created by the
+ idmap_ldap module as needed.
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2965767"></a>New Suffix for Searching</h4></div></div><div></div></div><p>
+ The following new smb.conf parameters have been added to aid in directing
+ certain LDAP queries when <i class="parameter"><tt>passdb backend = ldapsam://...</tt></i> has been
+ specified.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>ldap suffix used to search for user and computer accounts.</p></li><li><p>ldap user suffix used to store user accounts.</p></li><li><p>ldap machine suffix used to store Machine Trust Accounts.</p></li><li><p>ldap group suffix location of posixGroup/sambaGroupMapping entries.</p></li><li><p>ldap idmap suffix location of sambaIdmapEntry objects.</p></li></ul></div><p>
+ If an <i class="parameter"><tt>ldap suffix</tt></i> is defined, it will be appended to all of the
+ remaining sub-suffix parameters. In this case, the order of the suffix
+ listings in smb.conf is important. Always place the <i class="parameter"><tt>ldap suffix</tt></i> first
+ in the list.
+ </p><p>
+ Due to a limitation in Samba's <tt class="filename">smb.conf</tt> parsing, you should not surround
+ the DNs with quotation marks.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2965876"></a>IdMap LDAP Support</h4></div></div><div></div></div><p>
+ Samba-3 supports an ldap backend for the idmap subsystem. The
+ following options inform Samba that the idmap table should be
+ stored on the directory server onterose in the "ou=idmap,dc=quenya,dc=org" partition.
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>idmap backend = ldap:ldap://onterose/</tt></i></td></tr><tr><td><i class="parameter"><tt>ldap idmap suffix = ou=idmap,dc=quenya,dc=org</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap uid = 40000-50000</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap gid = 40000-50000</tt></i></td></tr></table><p>
+ This configuration allows Winbind installations on multiple servers to
+ share a UID/GID number space, thus avoiding the interoperability problems
+ with NFS that were present in Samba-2.2.
+ </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 21. Winbind: Use of Domain Accounts</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="VFS.html" title="Chapter 20. Stackable VFS modules"><link rel="next" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 21. Winbind: Use of Domain Accounts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="winbind"></a>Chapter 21. Winbind: Use of Domain Accounts</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tpot@linuxcare.com.au">tpot@linuxcare.com.au</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Naag</span> <span class="surname">Mummaneni</span></h3><span class="contrib">Notes for Solaris</span><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:getnag@rediffmail.com">getnag@rediffmail.com</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="surname">Trostel</span></h3><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:jtrostel@snapserver.com">jtrostel@snapserver.com</a>></tt></p></div><span class="orgname">SNAP<br></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">27 June 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="winbind.html#id2949352">Features and Benefits</a></dt><dt><a href="winbind.html#id2949476">Introduction</a></dt><dt><a href="winbind.html#id2949558">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2949633">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2949664">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2949693">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2949726">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2949752">Name Service Switch</a></dt><dt><a href="winbind.html#id2949887">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2949965">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2949998">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2950035">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2950042">Introduction</a></dt><dt><a href="winbind.html#id2950108">Requirements</a></dt><dt><a href="winbind.html#id2950191">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2951948">Conclusion</a></dt><dt><a href="winbind.html#id2951967">Common Errors</a></dt><dd><dl><dt><a href="winbind.html#id2952021">NSCD Problem Warning</a></dt><dt><a href="winbind.html#id2952067">Winbind Is Not Resolving Users and Groups</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949352"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Integration of UNIX and Microsoft Windows NT through a unified logon has
+ been considered a “<span class="quote">holy grail</span>” in heterogeneous computing environments for
+ a long time.
+ </p><p>
+ There is one other facility without which UNIX and Microsoft Windows network
+ interoperability would suffer greatly. It is imperative that there be a
+ mechanism for sharing files across UNIX systems and to be able to assign
+ domain user and group ownerships with integrity.
+ </p><p>
+ <span class="emphasis"><em>winbind</em></span> is a component of the Samba suite of programs that
+ solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft
+ RPC calls, Pluggable Authentication Modules, and the Name Service Switch to
+ allow Windows NT domain users to appear and operate as UNIX users on a UNIX
+ machine. This chapter describes the Winbind system, explaining the functionality
+ it provides, how it is configured, and how it works internally.
+ </p><p>
+ Winbind provides three separate functions:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Authentication of user credentials (via PAM).
+ </p></li><li><p>
+ Identity resolution (via NSS).
+ </p></li><li><p>
+ Winbind maintains a database called winbind_idmap.tdb in which it stores
+ mappings between UNIX UIDs / GIDs and NT SIDs. This mapping is used only
+ for users and groups that do not have a local UID/GID. It stored the UID/GID
+ allocated from the idmap uid/gid range that it has mapped to the NT SID.
+ If <i class="parameter"><tt>idmap backend</tt></i> has been specified as ldapsam:url
+ then instead of using a local mapping Winbind will obtain this information
+ from the LDAP database.
+ </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ If <b class="command">winbindd</b> is not running, smbd (which calls <b class="command">winbindd</b>) will fall back to
+ using purely local information from <tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/group</tt> and no dynamic
+ mapping will be used.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949476"></a>Introduction</h2></div></div><div></div></div><p>It is well known that UNIX and Microsoft Windows NT have
+ different models for representing user and group information and
+ use different technologies for implementing them. This fact has
+ made it difficult to integrate the two systems in a satisfactory
+ manner.</p><p>One common solution in use today has been to create
+ identically named user accounts on both the UNIX and Windows systems
+ and use the Samba suite of programs to provide file and print services
+ between the two. This solution is far from perfect, however, as
+ adding and deleting users on both sets of machines becomes a chore
+ and two sets of passwords are required both of which
+ can lead to synchronization problems between the UNIX and Windows
+ systems and confusion for users.</p><p>We divide the unified logon problem for UNIX machines into
+ three smaller problems:</p><div class="itemizedlist"><ul type="disc"><li><p>Obtaining Windows NT user and group information.
+ </p></li><li><p>Authenticating Windows NT users.
+ </p></li><li><p>Password changing for Windows NT users.
+ </p></li></ul></div><p>Ideally, a prospective solution to the unified logon problem
+ would satisfy all the above components without duplication of
+ information on the UNIX machines and without creating additional
+ tasks for the system administrator when maintaining users and
+ groups on either system. The Winbind system provides a simple
+ and elegant solution to all three components of the unified logon
+ problem.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949558"></a>What Winbind Provides</h2></div></div><div></div></div><p>Winbind unifies UNIX and Windows NT account management by
+ allowing a UNIX box to become a full member of an NT domain. Once
+ this is done the UNIX box will see NT users and groups as if
+ they were “<span class="quote">native</span>” UNIX users and groups, allowing the NT domain
+ to be used in much the same manner that NIS+ is used within
+ UNIX-only environments.</p><p>The end result is that whenever any
+ program on the UNIX machine asks the operating system to lookup
+ a user or group name, the query will be resolved by asking the
+ NT Domain Controller for the specified domain to do the lookup.
+ Because Winbind hooks into the operating system at a low level
+ (via the NSS name resolution modules in the C library), this
+ redirection to the NT Domain Controller is completely
+ transparent.</p><p>Users on the UNIX machine can then use NT user and group
+ names as they would “<span class="quote">native</span>” UNIX names. They can chown files
+ so they are owned by NT domain users or even login to the
+ UNIX machine and run a UNIX X-Window session as a domain user.</p><p>The only obvious indication that Winbind is being used is
+ that user and group names take the form <tt class="constant">DOMAIN\user</tt> and
+ <tt class="constant">DOMAIN\group</tt>. This is necessary as it allows Winbind to determine
+ that redirection to a Domain Controller is wanted for a particular
+ lookup and which trusted domain is being referenced.</p><p>Additionally, Winbind provides an authentication service
+ that hooks into the Pluggable Authentication Modules (PAM) system
+ to provide authentication via an NT domain to any PAM-enabled
+ applications. This capability solves the problem of synchronizing
+ passwords between systems since all passwords are stored in a single
+ location (on the Domain Controller).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949633"></a>Target Uses</h3></div></div><div></div></div><p>Winbind is targeted at organizations that have an
+ existing NT-based domain infrastructure into which they wish
+ to put UNIX workstations or servers. Winbind will allow these
+ organizations to deploy UNIX workstations without having to
+ maintain a separate account infrastructure. This greatly
+ simplifies the administrative overhead of deploying UNIX
+ workstations into an NT-based organization.</p><p>Another interesting way in which we expect Winbind to
+ be used is as a central part of UNIX-based appliances. Appliances
+ that provide file and print services to Microsoft-based networks
+ will be able to use Winbind to provide seamless integration of
+ the appliance into the domain.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949664"></a>How Winbind Works</h2></div></div><div></div></div><p>The Winbind system is designed around a client/server
+ architecture. A long running <b class="command">winbindd</b> daemon
+ listens on a UNIX domain socket waiting for requests
+ to arrive. These requests are generated by the NSS and PAM
+ clients and is processed sequentially.</p><p>The technologies used to implement Winbind are described
+ in detail below.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949693"></a>Microsoft Remote Procedure Calls</h3></div></div><div></div></div><p>Over the last few years, efforts have been underway
+ by various Samba Team members to decode various aspects of
+ the Microsoft Remote Procedure Call (MSRPC) system. This
+ system is used for most network-related operations between
+ Windows NT machines including remote management, user authentication
+ and print spooling. Although initially this work was done
+ to aid the implementation of Primary Domain Controller (PDC)
+ functionality in Samba, it has also yielded a body of code that
+ can be used for other purposes.</p><p>Winbind uses various MSRPC calls to enumerate domain users
+ and groups and to obtain detailed information about individual
+ users or groups. Other MSRPC calls can be used to authenticate
+ NT domain users and to change user passwords. By directly querying
+ a Windows PDC for user and group information, Winbind maps the
+ NT account information onto UNIX user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949726"></a>Microsoft Active Directory Services</h3></div></div><div></div></div><p>
+ Since late 2001, Samba has gained the ability to
+ interact with Microsoft Windows 2000 using its “<span class="quote">Native
+ Mode</span>” protocols, rather than the NT4 RPC services.
+ Using LDAP and Kerberos, a Domain Member running
+ Winbind can enumerate users and groups in exactly the
+ same way as a Windows 200x client would, and in so doing
+ provide a much more efficient and effective Winbind implementation.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949752"></a>Name Service Switch</h3></div></div><div></div></div><p>The Name Service Switch, or NSS, is a feature that is
+ present in many UNIX operating systems. It allows system
+ information such as hostnames, mail aliases and user information
+ to be resolved from different sources. For example, a standalone
+ UNIX workstation may resolve system information from a series of
+ flat files stored on the local filesystem. A networked workstation
+ may first attempt to resolve system information from local files,
+ and then consult an NIS database for user information or a DNS server
+ for hostname information.</p><p>The NSS application programming interface allows Winbind
+ to present itself as a source of system information when
+ resolving UNIX usernames and groups. Winbind uses this interface,
+ and information obtained from a Windows NT server using MSRPC
+ calls to provide a new source of account enumeration. Using standard
+ UNIX library calls, one can enumerate the users and groups on
+ a UNIX machine running Winbind and see all users and groups in
+ a NT domain plus any trusted domain as though they were local
+ users and groups.</p><p>The primary control file for NSS is
+ <tt class="filename">/etc/nsswitch.conf</tt>.
+ When a UNIX application makes a request to do a lookup,
+ the C library looks in <tt class="filename">/etc/nsswitch.conf</tt>
+ for a line that matches the service type being requested, for
+ example the “<span class="quote">passwd</span>” service type is used when user or group names
+ are looked up. This config line specifies which implementations
+ of that service should be tried and in what order. If the passwd
+ config line is:</p><pre class="screen">
+ passwd: files example
+ </pre><p>then the C library will first load a module called
+ <tt class="filename">/lib/libnss_files.so</tt> followed by
+ the module <tt class="filename">/lib/libnss_example.so</tt>. The
+ C library will dynamically load each of these modules in turn
+ and call resolver functions within the modules to try to resolve
+ the request. Once the request is resolved, the C library returns the
+ result to the application.</p><p>This NSS interface provides an easy way for Winbind
+ to hook into the operating system. All that needs to be done
+ is to put <tt class="filename">libnss_winbind.so</tt> in <tt class="filename">/lib/</tt>
+ then add “<span class="quote">winbind</span>” into <tt class="filename">/etc/nsswitch.conf</tt> at
+ the appropriate place. The C library will then call Winbind to
+ resolve user and group names.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949887"></a>Pluggable Authentication Modules</h3></div></div><div></div></div><p>Pluggable Authentication Modules, also known as PAM,
+ is a system for abstracting authentication and authorization
+ technologies. With a PAM module it is possible to specify different
+ authentication methods for different system applications without
+ having to recompile these applications. PAM is also useful
+ for implementing a particular policy for authorization. For example,
+ a system administrator may only allow console logins from users
+ stored in the local password file but only allow users resolved from
+ a NIS database to log in over the network.</p><p>Winbind uses the authentication management and password
+ management PAM interface to integrate Windows NT users into a
+ UNIX system. This allows Windows NT users to log in to a UNIX
+ machine and be authenticated against a suitable Primary Domain
+ Controller. These users can also change their passwords and have
+ this change take effect directly on the Primary Domain Controller.
+ </p><p>PAM is configured by providing control files in the directory
+ <tt class="filename">/etc/pam.d/</tt> for each of the services that
+ require authentication. When an authentication request is made
+ by an application, the PAM code in the C library looks up this
+ control file to determine what modules to load to do the
+ authentication check and in what order. This interface makes adding
+ a new authentication service for Winbind very easy. All that needs
+ to be done is that the <tt class="filename">pam_winbind.so</tt> module
+ is copied to <tt class="filename">/lib/security/</tt> and the PAM
+ control files for relevant services are updated to allow
+ authentication via Winbind. See the PAM documentation
+ in <link linkend="pam"> for more information.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949965"></a>User and Group ID Allocation</h3></div></div><div></div></div><p>When a user or group is created under Windows NT/200x
+ it is allocated a numerical relative identifier (RID). This is
+ slightly different from UNIX which has a range of numbers that are
+ used to identify users, and the same range in which to identify
+ groups. It is Winbind's job to convert RIDs to UNIX ID numbers and
+ vice versa. When Winbind is configured, it is given part of the UNIX
+ user ID space and a part of the UNIX group ID space in which to
+ store Windows NT users and groups. If a Windows NT user is
+ resolved for the first time, it is allocated the next UNIX ID from
+ the range. The same process applies for Windows NT groups. Over
+ time, Winbind will have mapped all Windows NT users and groups
+ to UNIX user IDs and group IDs.</p><p>The results of this mapping are stored persistently in
+ an ID mapping database held in a tdb database). This ensures that
+ RIDs are mapped to UNIX IDs in a consistent way.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949998"></a>Result Caching</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2950010"></a>
+ An active system can generate a lot of user and group
+ name lookups. To reduce the network cost of these lookups, Winbind
+ uses a caching scheme based on the SAM sequence number supplied
+ by NT Domain Controllers. User or group information returned
+ by a PDC is cached by Winbind along with a sequence number also
+ returned by the PDC. This sequence number is incremented by
+ Windows NT whenever any user or group information is modified. If
+ a cached entry has expired, the sequence number is requested from
+ the PDC and compared against the sequence number of the cached entry.
+ If the sequence numbers do not match, then the cached information
+ is discarded and up-to-date information is requested directly
+ from the PDC.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2950035"></a>Installation and Configuration</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2950042"></a>Introduction</h3></div></div><div></div></div><p>
+This section describes the procedures used to get Winbind up and
+running. Winbind is capable of providing access
+and authentication control for Windows Domain users through an NT
+or Windows 200x PDC for regular services, such as telnet and ftp, as
+well for Samba services.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ <span class="emphasis"><em>Why should I do this?</em></span>
+ </p><p>This allows the Samba administrator to rely on the
+ authentication mechanisms on the Windows NT/200x PDC for the authentication
+ of Domain Members. Windows NT/200x users no longer need to have separate
+ accounts on the Samba server.
+ </p></li><li><p>
+ <span class="emphasis"><em>Who should be reading this document?</em></span>
+ </p><p>
+ This document is designed for system administrators. If you are
+ implementing Samba on a file server and wish to (fairly easily)
+ integrate existing Windows NT/200x users from your PDC onto the
+ Samba server, this document is for you.
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2950108"></a>Requirements</h3></div></div><div></div></div><p>
+If you have a Samba configuration file that you are currently using, <span class="emphasis"><em>BACK IT UP!</em></span>
+If your system already uses PAM, <span class="emphasis"><em>back up the <tt class="filename">/etc/pam.d</tt> directory
+contents!</em></span> If you haven't already made a boot disk, <span class="emphasis"><em>MAKE ONE NOW!</em></span>
+</p><p>
+Messing with the PAM configuration files can make it nearly impossible to log in to your machine. That's
+why you want to be able to boot back into your machine in single user mode and restore your
+<tt class="filename">/etc/pam.d</tt> back to the original state they were in if you get frustrated with the
+way things are going.
+</p><p>
+The latest version of Samba-3 includes a functioning winbindd daemon. Please refer to the <ulink url="http://samba.org/">main Samba Web page</ulink> or, better yet, your closest Samba mirror site for
+instructions on downloading the source code.
+</p><p>
+To allow domain users the ability to access Samba shares and files, as well as potentially other services
+provided by your Samba machine, PAM must be set up properly on your
+machine. In order to compile the Winbind modules, you should have at least the PAM development libraries installed
+on your system. Please refer the PAM web site <ulink url="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</ulink>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2950191"></a>Testing Things Out</h3></div></div><div></div></div><p>
+Before starting, it is probably best to kill off all the Samba-related daemons running on your server.
+Kill off all <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> processes that may be running. To use PAM,
+make sure that you have the standard PAM package that supplies the <tt class="filename">/etc/pam.d</tt>
+directory structure, including the PAM modules that are used by PAM-aware services, several pam libraries,
+and the <tt class="filename">/usr/doc</tt> and <tt class="filename">/usr/man</tt> entries for pam. Winbind built
+better in Samba if the pam-devel package is also installed. This package includes the header files
+needed to compile PAM-aware applications.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2950252"></a>Configure <tt class="filename">nsswitch.conf</tt> and the Winbind Libraries on Linux and Solaris</h4></div></div><div></div></div><p>
+PAM is a standard component of most current generation UNIX/Linux systems. Unfortunately, few systems install
+the <tt class="filename">pam-devel</tt> libraries that are needed to build PAM-enabled Samba. Additionally, Samba-3
+may auto-install the Winbind files into their correct locations on your system, so before you get too far down
+the track be sure to check if the following configuration is really
+necessary. You may only need to configure
+<tt class="filename">/etc/nsswitch.conf</tt>.
+</p><p>
+The libraries needed to run the <span class="application">winbindd</span> daemon through nsswitch need to be copied to their proper locations:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/libnss_winbind.so /lib</tt></b>
+</pre><p>
+</p><p>
+I also found it necessary to make the following symbolic link:
+</p><p>
+<tt class="prompt">root# </tt> <b class="userinput"><tt>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</tt></b>
+</p><p>And, in the case of Sun Solaris:</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2</tt></b>
+</pre><p>
+Now, as root you need to edit <tt class="filename">/etc/nsswitch.conf</tt> to
+allow user and group entries to be visible from the <span class="application">winbindd</span>
+daemon. My <tt class="filename">/etc/nsswitch.conf</tt> file look like
+this after editing:
+</p><pre class="programlisting">
+ passwd: files winbind
+ shadow: files
+ group: files winbind
+</pre><p>
+The libraries needed by the <b class="command">winbindd</b> daemon will be automatically
+entered into the <b class="command">ldconfig</b> cache the next time
+your system reboots, but it is faster (and you do not need to reboot) if you do it manually:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>/sbin/ldconfig -v | grep winbind</tt></b>
+</p><p>
+This makes <tt class="filename">libnss_winbind</tt> available to winbindd
+and echos back a check to you.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2950492"></a>NSS Winbind on AIX</h4></div></div><div></div></div><p>(This section is only for those running AIX.)</p><p>
+The Winbind AIX identification module gets built as <tt class="filename">libnss_winbind.so</tt> in the
+nsswitch directory of the Samba source. This file can be copied to <tt class="filename">/usr/lib/security</tt>,
+and the AIX naming convention would indicate that it should be named WINBIND. A stanza like the following:
+</p><pre class="programlisting">
+WINBIND:
+ program = /usr/lib/security/WINBIND
+ options = authonly
+</pre><p>
+can then be added to <tt class="filename">/usr/lib/security/methods.cfg</tt>. This module only supports
+identification, but there have been success reports using the standard Winbind PAM module for
+authentication. Use caution configuring loadable authentication
+modules since you can make
+it impossible to logon to the system. More information about the AIX authentication module API can
+be found at “<span class="quote">Kernel Extensions and Device Support Programming Concepts for AIX</span>”<ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm">
+in Chapter 18(John, there is no section like this in 18). Loadable Authentication Module Programming
+Interface</ulink> and more information on administering the modules
+can be found at <ulink url="http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/iandaadmin.htm"> System
+Management Guide: Operating System and Devices.</ulink>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2950584"></a>Configure smb.conf</h4></div></div><div></div></div><p>
+Several parameters are needed in the <tt class="filename">smb.conf</tt> file to control the behavior of <span class="application">winbindd</span>. These
+are described in more detail in the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> man page. My <tt class="filename">smb.conf</tt> file, as shown in <link linkend="winbindcfg">, was modified to include the necessary entries in the [global] section.
+</p><div class="example"><a name="winbindcfg"></a><p class="title"><b>Example 21.1. smb.conf for Winbind set-up</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td># separate domain and username with '+', like DOMAIN+username</td></tr><tr><td><i class="parameter"><tt>winbind separator = +</tt></i></td></tr><tr><td># use uids from 10000 to 20000 for domain users</td></tr><tr><td><i class="parameter"><tt>idmap uid = 10000-20000</tt></i></td></tr><tr><td># use gids from 10000 to 20000 for domain groups</td></tr><tr><td><i class="parameter"><tt>winbind gid = 10000-20000</tt></i></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><i class="parameter"><tt>winbind enum users = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>winbind enum groups = yes</tt></i></td></tr><tr><td># give winbind users a real shell (only needed if they have telnet access)</td></tr><tr><td><i class="parameter"><tt>template homedir = /home/winnt/%D/%U</tt></i></td></tr><tr><td><i class="parameter"><tt>template shell = /bin/bash</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2950748"></a>Join the Samba Server to the PDC Domain</h4></div></div><div></div></div><p>
+Enter the following command to make the Samba server join the
+PDC domain, where <i class="replaceable"><tt>DOMAIN</tt></i> is the name of
+your Windows domain and <i class="replaceable"><tt>Administrator</tt></i> is
+a domain user who has administrative privileges in the domain.
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/net rpc join -S PDC -U Administrator</tt></b>
+</p><p>
+The proper response to the command should be: “<span class="quote">Joined the domain
+<i class="replaceable"><tt>DOMAIN</tt></i></span>” where <i class="replaceable"><tt>DOMAIN</tt></i>
+is your DOMAIN name.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2950807"></a>Starting and Testing the <b class="command">winbindd</b> Daemon</h4></div></div><div></div></div><p>
+Eventually, you will want to modify your Samba startup script to
+automatically invoke the winbindd daemon when the other parts of
+Samba start, but it is possible to test out just the Winbind
+portion first. To start up Winbind services, enter the following
+command as root:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/winbindd</tt></b>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The above assumes that Samba has been installed in the <tt class="filename">/usr/local/samba</tt>
+directory tree. You may need to search for the location of Samba files if this is not the
+location of <b class="command">winbindd</b> on your system.
+</p></div><p>
+Winbindd can now also run in “<span class="quote">dual daemon modei</span>”. This will make it
+run as two processes. The first will answer all requests from the cache,
+thus making responses to clients faster. The other will
+update the cache for the query that the first has just responded.
+The advantage of this is that responses stay accurate and are faster.
+You can enable dual daemon mode by adding <tt class="option">-B</tt> to the commandline:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/winbindd -B</tt></b>
+</p><p>
+I'm always paranoid and like to make sure the daemon is really running.
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>ps -ae | grep winbindd</tt></b>
+</p><p>
+This command should produce output like this, if the daemon is running you would expect
+to see a report something like this:
+</p><pre class="screen">
+3025 ? 00:00:00 winbindd
+</pre><p>
+Now, for the real test, try to get some information about the users on your PDC:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -u</tt></b>
+</p><p>
+This should echo back a list of users on your Windows users on
+your PDC. For example, I get the following response:
+</p><pre class="screen">
+ CEO+Administrator
+ CEO+burdell
+ CEO+Guest
+ CEO+jt-ad
+ CEO+krbtgt
+ CEO+TsInternetUser
+</pre><p>
+Obviously, I have named my domain “<span class="quote">CEO</span>” and my <a class="indexterm" name="id2950988"></a><i class="parameter"><tt>winbind separator</tt></i> is “<span class="quote">+</span>”.
+</p><p>
+You can do the same sort of thing to get group information from the PDC:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/local/samba/bin/wbinfo -g</tt></b>
+ CEO+Domain Admins
+ CEO+Domain Users
+ CEO+Domain Guests
+ CEO+Domain Computers
+ CEO+Domain Controllers
+ CEO+Cert Publishers
+ CEO+Schema Admins
+ CEO+Enterprise Admins
+ CEO+Group Policy Creator Owners
+</pre><p>
+The function <b class="command">getent</b> can now be used to get unified
+lists of both local and PDC users and groups. Try the following command:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
+</p><p>
+You should get a list that looks like your <tt class="filename">/etc/passwd</tt>
+list followed by the domain users with their new UIDs, GIDs, home
+directories and default shells.
+</p><p>
+The same thing can be done for groups with the command:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>getent group</tt></b>
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2951103"></a>Fix the init.d Startup Scripts</h4></div></div><div></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2951110"></a>Linux</h5></div></div><div></div></div><p>
+The <span class="application">winbindd</span> daemon needs to start up after the <span class="application">smbd</span> and <span class="application">nmbd</span> daemons are running.
+To accomplish this task, you need to modify the startup scripts of your system.
+They are located at <tt class="filename">/etc/init.d/smb</tt> in Red Hat Linux and they are located in
+<tt class="filename">/etc/init.d/samba</tt> in Debian Linux. Edit your
+script to add commands to invoke this daemon in the proper sequence. My
+startup script starts up <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> from the
+<tt class="filename">/usr/local/samba/bin</tt> directory directly. The <b class="command">start</b>
+function in the script looks like this:
+</p><pre class="programlisting">
+start() {
+ KIND="SMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/smbd $SMBDOPTIONS
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/nmbd $NMBDOPTIONS
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Starting $KIND services: "
+ daemon /usr/local/samba/bin/winbindd
+ RETVAL3=$?
+ echo
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
+ touch /var/lock/subsys/smb || RETVAL=1
+ return $RETVAL
+}
+</pre><p>If you would like to run winbindd in dual daemon mode, replace
+the line :
+</p><pre class="programlisting">
+ daemon /usr/local/samba/bin/winbindd
+</pre><p>
+
+in the example above with:
+
+</p><pre class="programlisting">
+ daemon /usr/local/samba/bin/winbindd -B
+</pre><p>.
+</p><p>
+The <b class="command">stop</b> function has a corresponding entry to shut down the
+services and looks like this:
+</p><pre class="programlisting">
+stop() {
+ KIND="SMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc smbd
+ RETVAL=$?
+ echo
+ KIND="NMB"
+ echo -n $"Shutting down $KIND services: "
+ killproc nmbd
+ RETVAL2=$?
+ echo
+ KIND="Winbind"
+ echo -n $"Shutting down $KIND services: "
+ killproc winbindd
+ RETVAL3=$?
+ [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \
+ rm -f /var/lock/subsys/smb
+ echo ""
+ return $RETVAL
+}
+</pre></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2951286"></a>Solaris</h5></div></div><div></div></div><p>
+Winbind does not work on Solaris 9, see <link linkend="winbind-solaris9"> for details.
+</p><p>
+On Solaris, you need to modify the <tt class="filename">/etc/init.d/samba.server</tt> startup script. It
+usually only starts smbd and nmbd but should now start winbindd, too. If you have Samba installed in
+<tt class="filename">/usr/local/samba/bin</tt>, the file could contains something like this:
+</p><pre class="programlisting">
+ ##
+ ## samba.server
+ ##
+
+ if [ ! -d /usr/bin ]
+ then # /usr not mounted
+ exit
+ fi
+
+ killproc() { # kill the named process(es)
+ pid=`/usr/bin/ps -e |
+ /usr/bin/grep -w $1 |
+ /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
+ [ "$pid" != "" ] && kill $pid
+ }
+
+ # Start/stop processes required for Samba server
+
+ case "$1" in
+
+ 'start')
+ #
+ # Edit these lines to suit your installation (paths, workgroup, host)
+ #
+ echo Starting SMBD
+ /usr/local/samba/bin/smbd -D -s \
+ /usr/local/samba/smb.conf
+
+ echo Starting NMBD
+ /usr/local/samba/bin/nmbd -D -l \
+ /usr/local/samba/var/log -s /usr/local/samba/smb.conf
+
+ echo Starting Winbind Daemon
+ /usr/local/samba/bin/winbindd
+ ;;
+
+ 'stop')
+ killproc nmbd
+ killproc smbd
+ killproc winbindd
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/samba.server { start | stop }"
+ ;;
+ esac
+</pre><p>
+Again, if you would like to run Samba in dual daemon mode, replace:
+</p><pre class="programlisting">
+ /usr/local/samba/bin/winbindd
+</pre><p>
+in the script above with:
+</p><pre class="programlisting">
+ /usr/local/samba/bin/winbindd -B
+</pre><p>
+</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2951403"></a>Restarting</h5></div></div><div></div></div><p>
+If you restart the <span class="application">smbd</span>, <span class="application">nmbd</span>, and <span class="application">winbindd</span> daemons at this point, you
+should be able to connect to the Samba server as a Domain Member just as
+if you were a local user.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2951439"></a>Configure Winbind and PAM</h4></div></div><div></div></div><p>
+If you have made it this far, you know that <b class="command">winbindd</b> and Samba are working
+together. If you want to use Winbind to provide authentication for other
+services, keep reading. The PAM configuration files need to be altered in
+this step. (Did you remember to make backups of your original
+<tt class="filename">/etc/pam.d</tt> files? If not, do it now.)
+</p><p>
+You will need a PAM module to use winbindd with these other services. This
+module will be compiled in the <tt class="filename">../source/nsswitch</tt> directory
+by invoking the command:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>make nsswitch/pam_winbind.so</tt></b>
+</p><p>
+from the <tt class="filename">../source</tt> directory. The
+<tt class="filename">pam_winbind.so</tt> file should be copied to the location of
+your other PAM security modules. On my RedHat system, this was the
+<tt class="filename">/lib/security</tt> directory. On Solaris, the PAM security
+modules reside in <tt class="filename">/usr/lib/security</tt>.
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>cp ../samba/source/nsswitch/pam_winbind.so /lib/security</tt></b>
+</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2951551"></a>Linux/FreeBSD-specific PAM configuration</h5></div></div><div></div></div><p>
+The <tt class="filename">/etc/pam.d/samba</tt> file does not need to be changed. I
+just left this file as it was:
+</p><pre class="programlisting">
+ auth required /lib/security/pam_stack.so service=system-auth
+ account required /lib/security/pam_stack.so service=system-auth
+</pre><p>
+The other services that I modified to allow the use of Winbind
+as an authentication service were the normal login on the console (or a terminal
+session), telnet logins, and ftp service. In order to enable these
+services, you may first need to change the entries in
+<tt class="filename">/etc/xinetd.d</tt> (or <tt class="filename">/etc/inetd.conf</tt>).
+Red Hat Linux 7.1 and later uses the new xinetd.d structure, in this case you need
+to change the lines in <tt class="filename">/etc/xinetd.d/telnet</tt>
+and <tt class="filename">/etc/xinetd.d/wu-ftp</tt> from
+</p><pre class="programlisting">
+ enable = no
+</pre><p>
+to:
+</p><pre class="programlisting">
+ enable = yes
+</pre><p>
+For ftp services to work properly, you will also need to either
+have individual directories for the domain users already present on
+the server, or change the home directory template to a general
+directory for all domain users. These can be easily set using
+the <tt class="filename">smb.conf</tt> global entry
+<a class="indexterm" name="id2951653"></a><i class="parameter"><tt>template homedir</tt></i>.
+</p><p>
+The <tt class="filename">/etc/pam.d/ftp</tt> file can be changed
+to allow Winbind ftp access in a manner similar to the
+samba file. My <tt class="filename">/etc/pam.d/ftp</tt> file was
+changed to look like this:
+</p><pre class="programlisting">
+auth required /lib/security/pam_listfile.so item=user sense=deny \
+ file=/etc/ftpusers onerr=succeed
+auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_shells.so
+account sufficient /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+</pre><p>
+The <tt class="filename">/etc/pam.d/login</tt> file can be changed nearly the
+same way. It now looks like this:
+</p><pre class="programlisting">
+auth required /lib/security/pam_securetty.so
+auth sufficient /lib/security/pam_winbind.so
+auth sufficient /lib/security/pam_UNIX.so use_first_pass
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account sufficient /lib/security/pam_winbind.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so
+</pre><p>
+In this case, I added the </p><pre class="programlisting">auth sufficient /lib/security/pam_winbind.so</pre><p>
+lines as before, but also added the </p><pre class="programlisting">required pam_securetty.so</pre><p>
+above it, to disallow root logins over the network. I also added a
+</p><pre class="programlisting">sufficient /lib/security/pam_unix.so use_first_pass</pre><p>
+line after the <b class="command">winbind.so</b> line to get rid of annoying
+double prompts for passwords.
+</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2951787"></a>Solaris-specific configuration</h5></div></div><div></div></div><p>
+The <tt class="filename">/etc/pam.conf</tt> needs to be changed. I changed this file so my Domain
+users can logon both locally as well as telnet. The following are the changes
+that I made. You can customize the <tt class="filename">pam.conf</tt> file as per your requirements, but
+be sure of those changes because in the worst case it will leave your system
+nearly impossible to boot.
+</p><pre class="programlisting">
+#
+#ident "@(#)pam.conf 1.14 99/09/16 SMI"
+#
+# Copyright (c) 1996-1999, Sun Microsystems, Inc.
+# All Rights Reserved.
+#
+# PAM configuration
+#
+# Authentication management
+#
+login auth required /usr/lib/security/pam_winbind.so
+login auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass
+login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
+#
+rlogin auth sufficient /usr/lib/security/pam_winbind.so
+rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
+rlogin auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass
+#
+dtlogin auth sufficient /usr/lib/security/pam_winbind.so
+dtlogin auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass
+#
+rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
+other auth sufficient /usr/lib/security/pam_winbind.so
+other auth required /usr/lib/security/$ISA/pam_UNIX.so.1 try_first_pass
+#
+# Account management
+#
+login account sufficient /usr/lib/security/pam_winbind.so
+login account requisite /usr/lib/security/$ISA/pam_roles.so.1
+login account required /usr/lib/security/$ISA/pam_UNIX.so.1
+#
+dtlogin account sufficient /usr/lib/security/pam_winbind.so
+dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
+dtlogin account required /usr/lib/security/$ISA/pam_UNIX.so.1
+#
+other account sufficient /usr/lib/security/pam_winbind.so
+other account requisite /usr/lib/security/$ISA/pam_roles.so.1
+other account required /usr/lib/security/$ISA/pam_UNIX.so.1
+#
+# Session management
+#
+other session required /usr/lib/security/$ISA/pam_UNIX.so.1
+#
+# Password management
+#
+#other password sufficient /usr/lib/security/pam_winbind.so
+other password required /usr/lib/security/$ISA/pam_UNIX.so.1
+dtsession auth required /usr/lib/security/$ISA/pam_UNIX.so.1
+#
+# Support for Kerberos V5 authentication (uncomment to use Kerberos)
+#
+#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
+#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
+</pre><p>
+I also added a <i class="parameter"><tt>try_first_pass</tt></i> line after the <tt class="filename">winbind.so</tt>
+line to get rid of annoying double prompts for passwords.
+</p><p>
+Now restart your Samba and try connecting through your application that you
+configured in the pam.conf.
+</p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2951948"></a>Conclusion</h2></div></div><div></div></div><p>The Winbind system, through the use of the Name Service
+Switch, Pluggable Authentication Modules, and appropriate
+Microsoft RPC calls have allowed us to provide seamless
+integration of Microsoft Windows NT domain users on a
+UNIX system. The result is a great reduction in the administrative
+cost of running a mixed UNIX and NT network.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2951967"></a>Common Errors</h2></div></div><div></div></div><p>Winbind has a number of limitations in its current
+ released version that we hope to overcome in future
+ releases:</p><div class="itemizedlist"><ul type="disc"><li><p>Winbind is currently only available for
+ the Linux, Solaris, AIX, and IRIX operating systems, although ports to other operating
+ systems are certainly possible. For such ports to be feasible,
+ we require the C library of the target operating system to
+ support the Name Service Switch and Pluggable Authentication
+ Modules systems. This is becoming more common as NSS and
+ PAM gain support among UNIX vendors.</p></li><li><p>The mappings of Windows NT RIDs to UNIX IDs
+ is not made algorithmically and depends on the order in which
+ unmapped users or groups are seen by Winbind. It may be difficult
+ to recover the mappings of RID to UNIX ID mapping if the file
+ containing this information is corrupted or destroyed.</p></li><li><p>Currently the Winbind PAM module does not take
+ into account possible workstation and logon time restrictions
+ that may be set for Windows NT users, this is
+ instead up to the PDC to enforce.</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2952021"></a>NSCD Problem Warning</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Do not under any circumstances run <b class="command">nscd</b> on any system
+ on which <b class="command">winbindd</b> is running.
+ </p></div><p>
+ If <b class="command">nscd</b> is running on the UNIX/Linux system, then
+ even though NSSWITCH is correctly configured it will not be possible to resolve
+ domain users and groups for file and directory controls.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2952067"></a>Winbind Is Not Resolving Users and Groups</h3></div></div><div></div></div><p>“<span class="quote">
+ My <tt class="filename">smb.conf</tt> file is correctly configured. I have specified
+ <a class="indexterm" name="id2952087"></a><i class="parameter"><tt>idmap uid</tt></i> = 12000,
+ and <a class="indexterm" name="id2952101"></a><i class="parameter"><tt>idmap gid</tt></i> = 3000-3500
+ and <b class="command">winbind</b> is running. When I do the following it all works fine.
+ </span>”</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -u</tt></b>
+MIDEARTH+maryo
+MIDEARTH+jackb
+MIDEARTH+ameds
+...
+MIDEARTH+root
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>wbinfo -g</tt></b>
+MIDEARTH+Domain Users
+MIDEARTH+Domain Admins
+MIDEARTH+Domain Guests
+...
+MIDEARTH+Accounts
+
+<tt class="prompt">root# </tt><b class="userinput"><tt>getent passwd</tt></b>
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+...
+maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
+</pre><p>“<span class="quote">
+But the following command just fails:
+<pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>chown maryo a_file</tt></b>
+chown: `maryo': invalid user
+</pre>
+This is driving me nuts! What can be wrong?
+</span>”</p><p>
+Same problem as the one above.
+Your system is likely running <b class="command">nscd</b>, the name service
+caching daemon. Shut it down, do not restart it! You will find your problem resolved.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="VFS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AdvancedNetworkManagement.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 20. Stackable VFS modules </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 22. Advanced Network Management</td></tr></table></div></body></html>
git.samba.org / samba.git / commitdiff