1 <!doctype linuxdoc system> <!-- -*- SGML -*- -->
3 v 0.1 23 Aug 1997 Dan Shearer
4 Original Samba-meta-FAQ.sgml from Paul's sambafaq.sgml
7 Changed samba.canberra refs to samba.anu.../samba/
12 <title> Samba meta FAQ
14 <author>Dan Shearer & Paul Blackman, <tt>ictinus@samba.org</tt>
16 <date>v 0.3, 7 Oct '97
18 <abstract> This is the meta-Frequently Asked Questions (FAQ) document
19 for Samba, the free and very popular SMB and CIFS server product. It
20 contains overview information for the Samba suite of programs, a
21 quick-start guide, and pointers to all other Samba documentation. Other
22 FAQs exist for specific client and server issues, and HOWTO documents
23 for more extended topics to do with Samba software. Current to version
24 Samba 1.9.17. Please send any corrections to the author.
29 <sect> Quick Reference Guides to Samba Documentation<p><label id=quickref>
31 We are endeavouring to provide links here to every major class of
32 information about Samba or things related to Samba. We cannot list every
33 document, but we are aiming for all documents to be at most two
34 referrals from those listed here. This needs constant maintaining, so
35 please send the author your feedback.
37 <sect1> Samba for the Impatient<p><label id="impatient">
39 You know you should read the documentation but can't wait to start? What
40 you need to do then is follow the instructions in the following
41 documents in the order given. This should be enough to get a fairly
42 simple site going quickly. If you have any problems, refer back to this
43 meta-FAQ and follow the links to find more reading material.
47 <label id="ImpGet"><tag/Getting Samba:/ The fastest way to get Samba
48 going is and install it is to have an operating system for which the
49 Samba team has put together an installation package. To see if your OS
50 is included have a look at the directory
51 /pub/samba/Binary_Packages/"OS_Vendor" on your nearest <url
52 url="../MIRRORS" name="mirror site">. If it is included follow the
53 installation instructions in the README file there and then do some <ref id="ImpTest"
54 name="basic testing">. If you are not so fortunate, follow the normal <ref
55 id="WhereFrom" name="download instructions"> and then continue with <ref
56 id="ImpInst" name="building and installing Samba">.
58 <label id="ImpInst"><tag/Building and Installing Samba:/ At the moment
59 there are two kinds of Samba server installs besides the prepackaged
60 binaries mentioned in the previous step. You need to decide if you have a <url url="../UNIX_INSTALL.txt"
61 name="Unix or close relative"> or <url
62 url="Samba-Server-FAQ.html#PortInfo" name="other supported operating system">.
64 <label id="ImpTest"><tag/Basic Testing:/ Try to connect using the
65 supplied smbclient command-line program. You need to know the IP
66 hostname of your server. A service name must be defined in smb.conf, as
67 given in the examples (under many operating systems if there is a
68 [homes] service you can just use a valid username.) Then type
70 smbclient \\hostname\servicename
72 Under most Unixes you will need to put the parameters within quotation
73 marks. If this works, try connecting from one of the SMB clients you
74 were planning to use with Samba.
76 <label id="ImpDebug"><tag/Debug sequence:/ If you think you have completed the
77 previous step and things aren't working properly work through
78 <url url="../DIAGNOSIS.txt" name="the diagnosis recipe.">
80 <label id="ImpExp"><tag/Exporting files to SMB clients:/ You should read the manual pages
81 for smb.conf, but here is a <url url="Samba-Server-FAQ.html#Exporting"
82 name="quick answer guide.">
84 <label id="ImpControl"><tag/Controlling user access:/ the quickest and dirtiest way of sharing
85 resources is to use <ref id="ShareModeSecurity" name="share level
86 security."> If you want to spend more time and have a proper username
87 and password database you must read the paragraph on <ref
88 id="DomainModeSecurity" name="domain mode security."> If you want
89 encryption (eg you are using Windows NT clients) follow the <url
90 url="Samba-Server-FAQ.html#SMBEncryptionSteps" name="SMB encryption
93 <label id="ImpBrowse"><tag/Browsing:/ if you are happy to type in "\\samba-server\sharename"
94 at the client end then do not read any further. Otherwise you need to
95 understand the <ref id="BrowsingDefinitions" name="browsing terminology">
96 and read <url url="Samba-Server-FAQ.html#NameBrowsing">.
98 <label id="ImpPrint"><tag/Printing:/ See the <url url="Samba-Server-FAQ.html#Printing"
99 name="printing quick answer guide.">
103 If you have got everything working to this point, you can expect Samba
104 to be stable and secure: these are its greatest strengths. However Samba
105 has a great deal to offer and to go further you must do some more
106 reading. Speed and security optimisations, printer accounting, network
107 logons, roving profiles, browsing across multiple subnets and so on are
108 all covered either in this document or in those it refers to.
110 <sect1> All Samba Documentation<p><label id=AllDocs>
114 <item> Meta-FAQ. This is the mother of all documents, and is the one you
115 are reading now. The latest version is always at <url
116 url="http://samba.org/[.....]"> but there is probably a much
117 nearer <url url="../MIRRORS" name="mirror site"> which you should use
120 <item> <url url="Samba-Server-FAQ.html"> is the best starting point for
121 information about server-side issues. Includes configuration tips and
122 pointers for Samba on particular operating systems (with 40 to choose
125 <item> <url url="Samba-Client-FAQ.html"> is the best starting point for
126 information about client-side issues, includes a list of all clients
127 that are known to work with Samba.
131 <sect> General Information<p><label id="general_info">
133 All about Samba - what it is, how to get it, related sources of
134 information, how to understand the numbering scheme, pizza
137 <sect1> What is Samba?<p><label id="introduction">
139 Samba is a suite of programs which work together to allow clients to
140 access to a server's filespace and printers via the SMB (Server Message
141 Block) and CIFS (Common Internet Filesystem) protocols. Initially
142 written for Unix, Samba now also runs on Netware, OS/2, VMS, StratOS and
143 Amigas. Ports to BeOS and other operating systems are underway. Samba
144 gives the capability for these operating systems to behave much like a
145 LAN Server, Windows NT Server or Pathworks machine, only with added
146 functionality and flexibility designed to make life easier for
149 This means that using Samba you can share a server's disks and printers
150 to many sorts of network clients, including Lan Manager, Windows for
151 Workgroups, Windows NT, Linux, OS/2, and AIX. There is also a generic
152 client program supplied as part of the Samba suite which gives a user on
153 the server an ftp-like interface to access filespace and printers on any
154 other SMB/CIFS servers.
156 SMB has been implemented over many protocols, including XNS, NBT, IPX,
157 NetBEUI and TCP/IP. Samba only uses TCP/IP. This is not likely to change
158 although there have been some requests for NetBEUI support.
160 Many users report that compared to other SMB implementations Samba is
161 more stable, faster, and compatible with more clients. Administrators of
162 some large installations say that Samba is the only SMB server available
163 which will scale to many tens of thousands of users without crashing.
164 The easy way to test these claims is to download it and try it for
167 The suite is supplied with full source code under the <url
168 url="../COPYING" name="GNU Public License">. The GPL means that you can
169 use Samba for whatever purpose you wish (including changing the source
170 or selling it for money) but under all circumstances the source code
171 must be made freely available. A copy of the GPL must always be included
172 in any copy of the package.
174 The primary creator of the Samba suite is Andrew Tridgell. Later
175 versions incorporate much effort by many helpers. The man pages
176 and this FAQ were originally written by Karl Auer.
178 <sect1> Where can I go for further information?<p><label id="more">
180 There are a number of places to look for more information on Samba,
185 <item>The mailing lists devoted to discussion of Samba-related matters.
186 See below for subscription information.
188 <item>The newsgroup comp.protocols.smb, which has a great deal of
189 discussion about Samba.
191 <item>The WWW site 'SAMBA Web Pages' at <url
192 url="http://samba.org/samba/"> includes:
195 <item>Links to man pages and documentation, including this FAQ
196 <item>A comprehensive survey of Samba users
197 <item>A searchable hypertext archive of the Samba mailing list
198 <item>Links to Samba source code, binaries, and mirrors of both
199 <item>This FAQ and the rest in its family
204 <sect1>How do I subscribe to the Samba Mailing Lists?<p><label id="mailinglist">
206 Surf to <url url="http://lists.samba.org/"> for an overview of all the mailing lists.
208 <sect1> Something's gone wrong - what should I do?<p><label id="wrong">
210 <bf>[#] *** IMPORTANT! *** [#]</bf>
213 DO NOT post messages on mailing lists or in newsgroups until you have
214 carried out the first three steps given here!
216 <enum> <item> See if there are any likely looking entries in this FAQ!
217 If you have just installed Samba, have you run through the checklist in
218 <url url="ftp://samba.org/pub/samba/DIAGNOSIS.txt"
219 name="DIAGNOSIS.txt">? It can save you a lot of time and effort.
220 DIAGNOSIS.txt can also be found in the docs directory of the Samba
223 <item> Read the man pages for smbd, nmbd and smb.conf, looking for
224 topics that relate to what you are trying to do.
226 <item> If there is no obvious solution to hand, try to get a look at
227 the log files for smbd and/or nmbd for the period during which you
228 were having problems. You may need to reconfigure the servers to
229 provide more extensive debugging information - usually level 2 or
230 level 3 provide ample debugging info. Inspect these logs closely,
231 looking particularly for the string "Error:".
233 <item> If you need urgent help and are willing to pay for it see
234 <ref id="PaidSupport" name="Paid Support">.
238 If you still haven't got anywhere, ask the mailing list or newsgroup. In
239 general nobody minds answering questions provided you have followed the
240 preceding steps. It might be a good idea to scan the archives of the
241 mailing list, which are available through the Samba web site described
242 in the previous section. When you post be sure to include a good
243 description of your environment and your problem.
245 If you successfully solve a problem, please mail the FAQ maintainer a
246 succinct description of the symptom, the problem and the solution, so
247 that an explanation can be incorporated into the next version.
249 <sect1> How do I submit patches or bug reports?<p>
251 If you make changes to the source code, <em>please</em> submit these patches
252 so that everyone else gets the benefit of your work. This is one of
253 the most important aspects to the maintainence of Samba. Send all
254 patches to <htmlurl url="mailto:samba@samba.org" name="samba@samba.org">. Do not send patches to Andrew Tridgell or any
255 other individual, they may be lost if you do.
260 If you are sending a patch to fix a problem then please don't just use
261 standard diff format. As an example, samba@samba.org received this patch from
270 How are we supposed to work out what this does and where it goes? These
271 sort of patches only work if we both have identical files in the first
272 place. The Samba sources are constantly changing at the hands of multiple
273 developers, so it doesn't work.
275 Please use either context diffs or (even better) unified diffs. You
276 get these using "diff -c4" or "diff -u". If you don't have a diff that
277 can generate these then please send manualy commented patches to I
278 know what is being changed and where. Most patches are applied by hand so
279 the info must be clear.
281 This is a basic guideline that will assist us with assessing your problem
294 Network Layout (description):
296 What else is on machine (services, etc):
302 <item> what you did and what happened
304 <item> relevant parts of a debugging output file with debuglevel higher.
305 If you can't find the relevant parts, please ask before mailing
308 <item> anything else you think is useful to trace down the bug
312 <sect1> What if I have an URGENT message for the developers?<p>
314 If you have spotted something very serious and believe that it is
315 important to contact the developers quickly send a message to
316 samba-urgent@samba.org. This will be processed more quickly than
317 mail to samba@samba.org. Please think carefully before using this address. An
318 example of its use might be to report a security hole.
320 Examples of things <em>not</em> to send to samba-urgent include problems
321 getting Samba to work at all and bugs that cannot potentially cause damage.
323 <sect1> What if I need paid-for support?<p><label id=PaidSupport>
325 Samba has a large network of consultants who provide Samba support on a
326 commercial basis. The list is included in the package in <url
327 url="../Support.txt">, and the latest version will always be on the main
328 samba ftp site. Any company in the world can request that the samba team
329 include their details in Support.txt so we can give no guarantee of
332 <sect1> Pizza supply details<p><label id="pizza">
333 Those who have registered in the Samba survey as "Pizza Factory" will
334 already know this, but the rest may need some help. Andrew doesn't ask
335 for payment, but he does appreciate it when people give him
336 pizza. This calls for a little organisation when the pizza donor is
337 twenty thousand kilometres away, but it has been done.
340 <item> Ring up your local branch of an international pizza chain
341 and see if they honour their vouchers internationally. Pizza Hut do,
342 which is how the entire Canberra Linux Users Group got to eat pizza
343 one night, courtesy of someone in the US.
345 <item>Ring up a local pizza shop in Canberra and quote a credit
346 card number for a certain amount, and tell them that Andrew will be
347 collecting it (don't forget to tell him.) One kind soul from Germany
350 <item>Purchase a pizza voucher from your local pizza shop that has
351 no international affiliations and send it to Andrew. It is completely
352 useless but he can hang it on the wall next to the one he already has
355 <item>Air freight him a pizza with your favourite regional
356 flavours. It will probably get stuck in customs or torn apart by
357 hungry sniffer dogs but it will have been a noble gesture.
361 <sect>About the CIFS and SMB Protocols<p><label id="CifsSmb">
363 <sect1> What is the Server Message Block (SMB) Protocol?<p>
364 SMB is a filesharing protocol that has had several maintainers and
365 contributors over the years including Xerox, 3Com and most recently
366 Microsoft. Names for this protocol include LAN Manager and Microsoft
367 Networking. Parts of the specification has been made public at several
368 versions including in an X/Open document, as listed at
369 <url url="ftp://ftp.microsoft.com/developr/drg/CIFS/">. No specification
370 releases were made between 1992 and 1996, and during that period
371 Microsoft became the SMB implementor with the largest market share.
372 Microsoft developed the specification further for its products but for
373 various reasons connected with developer's workload rather than market
374 strategy did not make the changes public. This culminated with the
375 "Windows NT 0.12" version released with NT 3.5 in 1995 which had significant
376 improvements and bugs. Because Microsoft client systems are so popular,
377 it is fair to say that what Microsoft with Windows affects all suppliers
378 of SMB server products.
380 From 1994 Andrew Tridgell began doing some serious work on his
381 Smbserver (now Samba) product and with some helpers started to
382 implement more and more of these protocols. Samba began to take
383 a significant share of the SMB server market.
385 <sect1> What is the Common Internet Filesystem (CIFS)?<p>
386 The initial pressure for Microsoft to document their current SMB
387 implementation came from the Samba team, who kept coming across things
388 on the wire that Microsoft either didn't know about or hadn't documented
389 anywhere (even in the sourcecode to Windows NT.) Then Sun Microsystems
390 came out with their WebNFS initiative, designed to replace FTP for file
391 transfers on the Internet. There are many drawbacks to WebNFS (including
392 its scope - it aims to replace HTTP as well!) but the concept was
393 attractive. FTP is not very clever, and why should it be harder to get
394 files from across the world than across the room?
396 Some hasty revisions were made and an Internet Draft for the Common
397 Internet Filesystem (CIFS) was released. Note that CIFS is not an
398 Internet standard and is a very long way from becoming one, BUT the
399 protocol specification is in the public domain and ongoing discussions
400 concerning the spec take place on a public mailing list according to the
401 rules of the Internet Engineering Task Force. For more information and
402 pointers see <url url="http://samba.org/cifs/">
404 The following is taken from <url url="http://www.microsoft.com/intdev/cifs/">
407 CIFS defines a standard remote file system access protocol for use
408 over the Internet, enabling groups of users to work together and
409 share documents across the Internet or within their corporate
410 intranets. CIFS is an open, cross-platform technology based on the
411 native file-sharing protocols built into Microsoft® Windows® and
412 other popular PC operating systems, and supported on dozens of
413 other platforms, including UNIX®. With CIFS, millions of computer
414 users can open and share remote files on the Internet without having
415 to install new software or change the way they work."
418 If you consider CIFS as a backwardsly-compatible refinement of SMB that
419 will work reasonably efficiently over the Internet you won't be too far
422 The net effect is that Microsoft is now documenting large parts of their
423 Windows NT fileserver protocols. The security concepts embodied in
424 Windows NT are part of the specification, which is why Samba
425 documentation often talks in terms of Windows NT. However there is no
426 reason why a site shouldn't conduct all its file and printer sharing
427 with CIFS and yet have no Microsoft products at all.
429 <sect1> What is Browsing? <p>
430 The term "Browsing" causes a lot of confusion. It is the part of the
431 SMB/CIFS protocol which allows for resource discovery. For example, in
432 the Windows NT Explorer it is possible to see a "Network Neighbourhood"
433 of computers in the same SMB workgroup. Clicking on the name of one of
434 these machines brings up a list of file and printer resources for
435 connecting to. In this way you can cruise the network, seeing what
436 things are available. How this scales to the Internet is a subject for
437 debate. Look at the CIFS list archives to see what the experts think.
439 <sect>Designing A SMB and CIFS Network<p>
441 The big issues for installing any network of LAN or WAN file and print
446 <item>How and where usernames, passwords and other security information
449 <item>What method can be used for locating the resources that users have
452 <item>What protocols the clients can converse with
456 If you buy Netware, Windows NT or just about any other LAN fileserver
457 product you are expected to lock yourself into the product's preferred
458 answers to these questions. This tendancy is restrictive and often very
459 expensive for a site where there is only one kind of client or server,
460 and for sites with a mixture of operating systems it often makes it
461 impossible to share resources between some sets of users.
463 The Samba philosophy is to make things as easy as possible for
464 administators, which means allowing as many combinations of clients,
465 servers, operating systems and protocols as possible.
467 <sect1>Workgroups, Domains, Authentication and Browsing<p>
469 From the point of view of networking implementation, Domains and
470 Workgroups are <em>exactly</em> the same, except for the client logon
471 sequence. Some kind of distributed authentication database is associated
472 with a domain (there are quite a few choices) and this adds so much
473 flexibility that many people think of a domain as a completely different
474 entity to a workgroup. From Samba's point of view a client connecting to
475 a service presents an authentication token, and it if it is valid they
476 have access. Samba does not care what mechanism was used to generate
477 that token in the first place.
479 The SMB client logging on to a domain has an expectation that every other
480 server in the domain should accept the same authentication information.
481 However the network browsing functionality of domains and workgroups is
482 identical and is explained in <url url="../BROWSING.txt">.
484 There are some implementation differences: Windows 95 can be a member of
485 both a workgroup and a domain, but Windows NT cannot. Windows 95 also
486 has the concept of an "alternative workgroup". Samba can only be a
487 member of a single workgroup or domain, although this is due to change
488 with a future version when nmbd will be split into two daemons, one for
489 WINS and the other for browsing (<url url="../NetBIOS.txt"> explains
492 <sect2> Defining the Terms<p><label id="BrowseAndDomainDefs">
496 <tag/Workgroup/ means a collection of machines that maintain a common
497 browsing database containing information about their shared resources.
498 They do not necessarily have any security information in common (if they
499 do, it gets called a Domain.) The browsing database is dynamic, modified
500 as servers come and go on the network and as resources are added or
501 deleted. The term "browsing" refers to a user accessing the database via
502 whatever interface the client provides, eg the OS/2 Workplace Shell or
503 Windows 95 Explorer. SMB servers agree between themselves as to which
504 ones will maintain the browsing database. Workgroups can be anywhere on
505 a connected TCP/IP network, including on different subnets or even on
506 the Interet. This is a very tricky part of SMB to implement.
508 <tag/Master Browsers/ are machines which holds the master browsing
509 database for a workgroup or domain. There are two kinds of Master Browser:
513 <item> Domain Master Browser, which holds the master browsing
514 information for an entire domain, which may well cross multiple TCP/IP
517 <item> Local Master Browser, which holds the master browsing database
518 for a particular subnet and communicates with the Domain Master Browser
519 to get information on other subnets.
523 Subnets are differentiated because browsing is based on broadcasts, and
524 broadcasts do not pass through routers. Subnets are not routed: while it
525 is possible to have more than one subnet on a single network segment
526 this is regarded as very bad practice.
528 Master Browsers (both Domain and Local) are elected dynamically
529 according to an algorithm which is supposed to take into account the
530 machine's ability to sustain the browsing load. Samba can be configured
531 to always act as a master browser, ie it always wins elections under all
532 circumstances, even against systems such as a Windows NT Primary Domain
533 Controller which themselves expect to win.
535 There are also Backup Browsers which are promoted to Master Browsers in
536 the event of a Master Browser disappearing from the network.
538 Alternative terms include confusing variations such as "Browse Master",
539 and "Master Browser" which we are trying to eliminate from the Samba
542 <tag/Domain Controller/ is a term which comes from the Microsoft and IBM
543 etc implementation of the LAN Manager protocols. It is tied to
544 authentication. There are other ways of doing domain authentication, but
545 the Windows NT method has a large market share. The general issues are
546 discussed in <url url="../DOMAIN.txt"> and a Windows NT-specific
547 discussion is in <url url="../DOMAIN_CONTROL.txt">.
551 <sect2>Sharelevel (Workgroup) Security Services<p><label id="ShareModeSecurity">
553 With the Samba setting "security = SHARE", all shared resources
554 information about what password is associated with them but only hints
555 as to what usernames might be valid (the hint can be 'all users', in
556 which case any username will work. This is usually a bad idea, but
557 reflects both the initial implementations of SMB in the mid-80s and
558 its reincarnation with Windows for Workgroups in 1992. The idea behind
559 workgroup security was that small independant groups of people could
560 share information on an ad-hoc basis without there being an
561 authentication infrastructure present or requiring them to do more than
562 fill in a dialogue box.
564 <sect2>Authentication Domain Mode Services<p><label id="DomainModeSecurity">
566 With the Samba settings "security = USER" or "security = SERVER"
567 accesses to all resources are checked for username/password pair matches
568 in a more rigorous manner. To the client, this has the effect of
569 emulating a Microsoft Domain. The client is not concerned whether or not
570 Samba looks up a Windows NT SAM or does it in some other way.
572 <sect1>Authentication Schemes<p>
574 In the simple case authentication information is stored on a single
575 server and the user types a password on connecting for the first time.
576 However client operating systems often require a password before they
577 can be used at all, and in addition users usually want access to more
578 than one server. Asking users to remember many different passwords in
579 different contexts just does not work. Some kind of distributed
580 authentication database is needed. It must cope with password changes
581 and provide for assigning groups of users the same level of access
582 permissions. This is why Samba installations often choose to implement a
583 Domain model straight away.
585 Authentication decisions are some of the biggest in designing a network.
586 Are you going to use a scheme native to the client operating system,
587 native to the server operating system, or newly installed on both? A
588 list of options relevant to Samba (ie that make sense in the context of
589 the SMB protocol) follows. Any experiences with other setups would be
590 appreciated. [refer to server FAQ for "passwd chat" passwd program
591 password server etc etc...]
595 For Windows 95, Windows for Workgroups and most other clients Samba can
596 be a domain controller and share the password database via NIS
597 transparently. Windows NT is different.
598 <url url="http://www.dcs.qmw.ac.uk/~williams" name="Free NIS NT client">
602 Kerberos for US users only:
603 <url url="http://www.cygnus.com/product/unifying-security.html"
604 name="Kerberos overview">
605 <url url="http://www.cygnus.com/product/kerbnet-download.html"
606 name="Download Kerberos">
610 Other NT w/s logon hack via NT
612 <sect2>Default Server Method<p>
614 <sect2>Client-side Database Only<p>
616 <sect1>Post-Authentication: Netlogon, Logon Scripts, Profiles<p>
618 See <url url="../DOMAIN.txt">
620 <sect>Cross-Protocol File Sharing<p>
622 Samba is an important tool for...
626 File protocol gateways...
628 "Setting up a Linux File Server" http://vetrec.mit.edu/people/narf/linux.html
630 Two free implementations of Appletalk for Unix are Netatalk, <url
631 url="http://www.umich.edu/~rsug/netatalk/">, and CAP, <url
632 url="http://www.cs.mu.oz.au/appletalk/atalk.html">. What Samba offers MS
633 Windows users, these packages offer to Macs. For more info on these
634 packages, Samba, and Linux (and other UNIX-based systems) see <url
635 url="http://www.eats.com/linux_mac_win.html"> 3.5) Sniffing your nework
638 <sect>Miscellaneous<p><label id="miscellaneous">
639 <sect1>Is Samba Year 2000 compliant?<p><label id="Year2000Compliant">
640 The CIFS protocol that Samba implements
641 negotiates times in various formats, all of which
642 are able to cope with dates beyond 2000.