4 >Integrating MS Windows networks with Samba</TITLE
7 CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
22 NAME="INTEGRATE-MS-NETWORKS"
23 >Integrating MS Windows networks with Samba</A
35 >To identify the key functional mechanisms of MS Windows networking
36 to enable the deployment of Samba as a means of extending and/or
37 replacing MS Windows NT/2000 technology.</P
46 >Name resolution in a pure Unix/Linux TCP/IP
52 >Name resolution as used within MS Windows
58 >How browsing functions and how to deploy stable
59 and dependable browsing using Samba
64 >MS Windows security options and how to
65 configure Samba for seemless integration
70 >Configuration of Samba as:</P
77 >A stand-alone server</P
81 >An MS Windows NT 3.x/4.0 security domain member
86 >An alternative to an MS Windows NT 3.x/4.0 Domain Controller
99 >Name Resolution in a pure Unix/Linux world</A
102 >The key configuration files covered in this section are:</P
117 >/etc/resolv.conf</TT
131 >/etc/nsswitch.conf</TT
147 >Contains a static list of IP Addresses and names.
151 CLASS="PROGRAMLISTING"
152 > 127.0.0.1 localhost localhost.localdomain
153 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE
160 name resolution mechanism so that uses do not need to remember
163 >Network packets that are sent over the physical network transport
164 layer communicate not via IP addresses but rather using the Media
165 Access Control address, or MAC address. IP Addresses are currently
166 32 bits in length and are typically presented as four (4) decimal
167 numbers that are separated by a dot (or period). eg: 168.192.1.1</P
169 >MAC Addresses use 48 bits (or 6 bytes) and are typically represented
170 as two digit hexadecimal numbers separated by colons. eg:
173 >Every network interfrace must have an MAC address. Associated with
174 a MAC address there may be one or more IP addresses. There is NO
175 relationship between an IP address and a MAC address, all such assignments
176 are arbitary or discretionary in nature. At the most basic level all
177 network communications takes place using MAC addressing. Since MAC
178 addresses must be globally unique, and generally remains fixed for
179 any particular interface, the assignment of an IP address makes sense
180 from a network management perspective. More than one IP address can
181 be assigned per MAC address. One address must be the primary IP address,
182 this is the address that will be returned in the ARP reply.</P
184 >When a user or a process wants to communicate with another machine
185 the protocol implementation ensures that the "machine name" or "host
186 name" is resolved to an IP address in a manner that is controlled
187 by the TCP/IP configuration control files. The file
191 > is one such file.</P
193 >When the IP address of the destination interface has been
194 determined a protocol called ARP/RARP is used to identify
195 the MAC address of the target interface. ARP stands for Address
196 Resolution Protocol, and is a broadcast oriented method that
197 uses UDP (User Datagram Protocol) to send a request to all
198 interfaces on the local network segment using the all 1's MAC
199 address. Network interfaces are programmed to respond to two
200 MAC addresses only; their own unique address and the address
201 ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will
202 contain the MAC address and the primary IP address for each
208 > file is foundational to all
209 Unix/Linux TCP/IP installations and as a minumum will contain
210 the localhost and local network interface IP addresses and the
211 primary names by which they are known within the local machine.
212 This file helps to prime the pump so that a basic level of name
213 resolution can exist before any other method of name resolution
214 becomes available.</P
224 >/etc/resolv.conf</TT
228 >This file tells the name resolution libraries:</P
234 >The name of the domain to which the machine
240 >The name(s) of any domains that should be
241 automatically searched when trying to resolve unqualified
242 host names to their IP address
247 >The name or IP address of available Domain
248 Name Servers that may be asked to perform name to address
269 > is the primary means by
270 which the setting in /etc/resolv.conf may be affected. It is a
271 critical configuration file. This file controls the order by
272 which name resolution may procede. The typical structure is:</P
275 CLASS="PROGRAMLISTING"
280 >then both addresses should be returned. Please refer to the
281 man page for host.conf for further details.</P
291 >/etc/nsswitch.conf</TT
295 >This file controls the actual name resolution targets. The
296 file typically has resolver object specifications as follows:</P
299 CLASS="PROGRAMLISTING"
300 > # /etc/nsswitch.conf
302 # Name Service Switch configuration file.
306 # Alternative entries for password authentication are:
307 # passwd: compat files nis ldap winbind
312 # Alternative entries for host name resolution are:
313 # hosts: files dns nis nis+ hesoid db compat ldap wins
314 networks: nis files dns
319 services: nis files</PRE
322 >Of course, each of these mechanisms requires that the appropriate
323 facilities and/or services are correctly configured.</P
325 >It should be noted that unless a network request/message must be
326 sent, TCP/IP networks are silent. All TCP/IP communications assumes a
327 principal of speaking only when necessary.</P
329 >Samba version 2.2.0 will add Linux support for extensions to
330 the name service switch infrastructure so that linux clients will
331 be able to obtain resolution of MS Windows NetBIOS names to IP
332 Addresses. To gain this functionality Samba needs to be compiled
333 with appropriate arguments to the make command (ie: <B
336 nsswitch/libnss_wins.so</B
337 >). The resulting library should
338 then be installed in the <TT
342 the "wins" parameter needs to be added to the "hosts:" line in
345 >/etc/nsswitch.conf</TT
346 > file. At this point it
347 will be possible to ping any MS Windows machine by it's NetBIOS
348 machine name, so long as that machine is within the workgroup to
349 which both the samba machine and the MS Windows machine belong.</P
358 >Name resolution as used within MS Windows networking</A
361 >MS Windows networking is predicated about the name each machine
362 is given. This name is known variously (and inconsistently) as
363 the "computer name", "machine name", "networking name", "netbios name",
364 "SMB name". All terms mean the same thing with the exception of
365 "netbios name" which can apply also to the name of the workgroup or the
366 domain name. The terms "workgroup" and "domain" are really just a
367 simply name with which the machine is associated. All NetBIOS names
368 are exactly 16 characters in length. The 16th character is reserved.
369 It is used to store a one byte value that indicates service level
370 information for the NetBIOS name that is registered. A NetBIOS machine
371 name is therefore registered for each service type that is provided by
372 the client/server.</P
374 >The following are typical NetBIOS name/service type registrations:</P
377 CLASS="PROGRAMLISTING"
378 > Unique NetBIOS Names:
379 MACHINENAME<00> = Server Service is running on MACHINENAME
380 MACHINENAME<03> = Generic Machine Name (NetBIOS name)
381 MACHINENAME<20> = LanMan Server service is running on MACHINENAME
382 WORKGROUP<1b> = Domain Master Browser
385 WORKGROUP<03> = Generic Name registered by all members of WORKGROUP
386 WORKGROUP<1c> = Domain Controllers / Netlogon Servers
387 WORKGROUP<1d> = Local Master Browsers
388 WORKGROUP<1e> = Internet Name Resolvers</PRE
391 >It should be noted that all NetBIOS machines register their own
392 names as per the above. This is in vast contrast to TCP/IP
393 installations where traditionally the system administrator will
394 determine in the /etc/hosts or in the DNS database what names
395 are associated with each IP address.</P
397 >One further point of clarification should be noted, the <TT
401 file and the DNS records do not provide the NetBIOS name type information
402 that MS Windows clients depend on to locate the type of service that may
403 be needed. An example of this is what happens when an MS Windows client
404 wants to locate a domain logon server. It find this service and the IP
405 address of a server that provides it by performing a lookup (via a
406 NetBIOS broadcast) for enumeration of all machines that have
407 registered the name type *<1c>. A logon request is then sent to each
408 IP address that is returned in the enumerated list of IP addresses. Which
409 ever machine first replies then ends up providing the logon services.</P
411 >The name "workgroup" or "domain" really can be confusing since these
412 have the added significance of indicating what is the security
413 architecture of the MS Windows network. The term "workgroup" indicates
414 that the primary nature of the network environment is that of a
415 peer-to-peer design. In a WORKGROUP all machines are responsible for
416 their own security, and generally such security is limited to use of
417 just a password (known as SHARE MODE security). In most situations
418 with peer-to-peer networking the users who control their own machines
419 will simply opt to have no security at all. It is possible to have
420 USER MODE security in a WORKGROUP environment, thus requiring use
421 of a user name and a matching password.</P
423 >MS Windows networking is thus predetermined to use machine names
424 for all local and remote machine message passing. The protocol used is
425 called Server Message Block (SMB) and this is implemented using
426 the NetBIOS protocol (Network Basic Input Output System). NetBIOS can
427 be encapsulated using LLC (Logical Link Control) protocol - in which case
428 the resulting protocol is called NetBEUI (Network Basic Extended User
429 Interface). NetBIOS can also be run over IPX (Internetworking Packet
430 Exchange) protocol as used by Novell NetWare, and it can be run
431 over TCP/IP protocols - in which case the resulting protocol is called
432 NBT or NetBT, the NetBIOS over TCP/IP.</P
434 >MS Windows machines use a complex array of name resolution mechanisms.
435 Since we are primarily concerned with TCP/IP this demonstration is
436 limited to this area.</P
443 >The NetBIOS Name Cache</A
446 >All MS Windows machines employ an in memory buffer in which is
447 stored the NetBIOS names and IP addresses for all external
448 machines that that machine has communicated with over the
449 past 10-15 minutes. It is more efficient to obtain an IP address
450 for a machine from the local cache than it is to go through all the
451 configured name resolution mechanisms.</P
453 >If a machine whose name is in the local name cache has been shut
454 down before the name had been expired and flushed from the cache, then
455 an attempt to exchange a message with that machine will be subject
456 to time-out delays. i.e.: Its name is in the cache, so a name resolution
457 lookup will succeed, but the machine can not respond. This can be
458 frustrating for users - but it is a characteristic of the protocol.</P
460 >The MS Windows utility that allows examination of the NetBIOS
461 name cache is called "nbtstat". The Samba equivalent of this
462 is called "nmblookup".</P
473 >This file is usually located in MS Windows NT 4.0 or
476 >C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
478 the IP Address and the machine name in matched pairs. The
482 > file performs NetBIOS name
483 to IP address mapping oriented.</P
485 >It typically looks like:</P
488 CLASS="PROGRAMLISTING"
489 > # Copyright (c) 1998 Microsoft Corp.
491 # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS
492 # over TCP/IP) stack for Windows98
494 # This file contains the mappings of IP addresses to NT computernames
495 # (NetBIOS) names. Each entry should be kept on an individual line.
496 # The IP address should be placed in the first column followed by the
497 # corresponding computername. The address and the comptername
498 # should be separated by at least one space or tab. The "#" character
499 # is generally used to denote the start of a comment (see the exceptions
502 # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
503 # files and offers the following extensions:
506 # #DOM:<domain>
507 # #INCLUDE <filename>
510 # \0xnn (non-printing character support)
512 # Following any entry in the file with the characters "#PRE" will cause
513 # the entry to be preloaded into the name cache. By default, entries are
514 # not preloaded, but are parsed only after dynamic name resolution fails.
516 # Following an entry with the "#DOM:<domain>" tag will associate the
517 # entry with the domain specified by <domain>. This affects how the
518 # browser and logon services behave in TCP/IP environments. To preload
519 # the host name associated with #DOM entry, it is necessary to also add a
520 # #PRE to the line. The <domain> is always preloaded although it will not
521 # be shown when the name cache is viewed.
523 # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
524 # software to seek the specified <filename> and parse it as if it were
525 # local. <filename> is generally a UNC-based name, allowing a
526 # centralized lmhosts file to be maintained on a server.
527 # It is ALWAYS necessary to provide a mapping for the IP address of the
528 # server prior to the #INCLUDE. This mapping must use the #PRE directive.
529 # In addtion the share "public" in the example below must be in the
530 # LanManServer list of "NullSessionShares" in order for client machines to
531 # be able to read the lmhosts file successfully. This key is under
532 # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
533 # in the registry. Simply add "public" to the list found there.
535 # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
536 # statements to be grouped together. Any single successful include
537 # will cause the group to succeed.
539 # Finally, non-printing characters can be embedded in mappings by
540 # first surrounding the NetBIOS name in quotations, then using the
541 # \0xnn notation to specify a hex value for a non-printing character.
543 # The following example illustrates all of these extensions:
545 # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
546 # 102.54.94.102 "appname \0x14" #special app server
547 # 102.54.94.123 popular #PRE #source server
548 # 102.54.94.117 localsrv #PRE #needed for the include
551 # #INCLUDE \\localsrv\public\lmhosts
552 # #INCLUDE \\rhino\public\lmhosts
555 # In the above example, the "appname" server contains a special
556 # character in its name, the "popular" and "localsrv" server names are
557 # preloaded, and the "rhino" server name is specified so it can be used
558 # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
559 # system is unavailable.
561 # Note that the whole file is parsed including comments on each lookup,
562 # so keeping the number of comments to a minimum will improve performance.
563 # Therefore it is not advisable to simply add lmhosts file entries onto the
564 # end of this file.</PRE
576 >This file is usually located in MS Windows NT 4.0 or 2000 in
579 >C:\WINNT\SYSTEM32\DRIVERS\ETC</TT
581 the IP Address and the IP hostname in matched pairs. It can be
582 used by the name resolution infrastructure in MS Windows, depending
583 on how the TCP/IP environment is configured. This file is in
584 every way the equivalent of the Unix/Linux <TT
598 >This capability is configured in the TCP/IP setup area in the network
599 configuration facility. If enabled an elaborate name resolution sequence
600 is followed the precise nature of which isdependant on what the NetBIOS
601 Node Type parameter is configured to. A Node Type of 0 means use
602 NetBIOS broadcast (over UDP broadcast) is first used if the name
603 that is the subject of a name lookup is not found in the NetBIOS name
604 cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to
605 Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the
606 WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast
618 >A WINS (Windows Internet Name Server) service is the equivaent of the
619 rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
620 the names and IP addresses that are registered by a Windows client
621 if the TCP/IP setup has been given at least one WINS Server IP Address.</P
623 >To configure Samba to be a WINS server the following parameter needs
624 to be added to the <TT
630 CLASS="PROGRAMLISTING"
631 > wins support = Yes</PRE
634 >To configure Samba to use a WINS server the following parameters are
635 needed in the smb.conf file:</P
638 CLASS="PROGRAMLISTING"
640 wins server = xxx.xxx.xxx.xxx</PRE
649 of the WINS server.</P
658 >How browsing functions and how to deploy stable and
659 dependable browsing using Samba</A
662 >As stated above, MS Windows machines register their NetBIOS names
663 (i.e.: the machine name for each service type in operation) on start
664 up. Also, as stated above, the exact method by which this name registration
665 takes place is determined by whether or not the MS Windows client/server
666 has been given a WINS server address, whether or not LMHOSTS lookup
667 is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P
669 >In the case where there is no WINS server all name registrations as
670 well as name lookups are done by UDP broadcast. This isolates name
671 resolution to the local subnet, unless LMHOSTS is used to list all
672 names and IP addresses. In such situations Samba provides a means by
673 which the samba server name may be forcibly injected into the browse
674 list of a remote MS Windows network (using the "remote announce" parameter).</P
676 >Where a WINS server is used, the MS Windows client will use UDP
677 unicast to register with the WINS server. Such packets can be routed
678 and thus WINS allows name resolution to function across routed networks.</P
680 >During the startup process an election will take place to create a
681 local master browser if one does not already exist. On each NetBIOS network
682 one machine will be elected to function as the domain master browser. This
683 domain browsing has nothing to do with MS security domain control.
684 Instead, the domain master browser serves the role of contacting each local
685 master browser (found by asking WINS or from LMHOSTS) and exchanging browse
686 list contents. This way every master browser will eventually obtain a complete
687 list of all machines that are on the network. Every 11-15 minutes an election
688 is held to determine which machine will be the master browser. By the nature of
689 the election criteria used, the machine with the highest uptime, or the
690 most senior protocol version, or other criteria, will win the election
691 as domain master browser.</P
693 >Clients wishing to browse the network make use of this list, but also depend
694 on the availability of correct name resolution to the respective IP
695 address/addresses. </P
697 >Any configuration that breaks name resolution and/or browsing intrinsics
698 will annoy users because they will have to put up with protracted
699 inability to use the network services.</P
701 >Samba supports a feature that allows forced synchonisation
702 of browse lists across routed networks using the "remote
703 browse sync" parameter in the smb.conf file. This causes Samba
704 to contact the local master browser on a remote network and
705 to request browse list synchronisation. This effectively bridges
706 two networks that are separated by routers. The two remote
707 networks may use either broadcast based name resolution or WINS
708 based name resolution, but it should be noted that the "remote
709 browse sync" parameter provides browse list synchronisation - and
710 that is distinct from name to address resolution, in other
711 words, for cross subnet browsing to function correctly it is
712 essential that a name to address resolution mechanism be provided.
713 This mechanism could be via DNS, <TT
725 >MS Windows security options and how to configure
726 Samba for seemless integration</A
729 >MS Windows clients may use encrypted passwords as part of a
730 challenege/response authentication model (a.k.a. NTLMv1) or
731 alone, or clear text strings for simple password based
732 authentication. It should be realized that with the SMB
733 protocol the password is passed over the network either
734 in plain text or encrypted, but not both in the same
735 authentication requets.</P
737 >When encrypted passwords are used a password that has been
738 entered by the user is encrypted in two ways:</P
744 >An MD4 hash of the UNICODE of the password
745 string. This is known as the NT hash.
750 >The password is converted to upper case,
751 and then padded or trucated to 14 bytes. This string is
752 then appended with 5 bytes of NULL characters and split to
753 form two 56 bit DES keys to encrypt a "magic" 8 byte value.
754 The resulting 16 bytes for the LanMan hash.
759 >You should refer to the <A
760 HREF="ENCRYPTION.html"
762 >Password Encryption</A
763 > chapter in this HOWTO collection
764 for more details on the inner workings</P
766 >MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x
767 and version 4.0 pre-service pack 3 will use either mode of
768 password authentication. All versions of MS Windows that follow
769 these versions no longer support plain text passwords by default.</P
771 >MS Windows clients have a habit of dropping network mappings that
772 have been idle for 10 minutes or longer. When the user attempts to
773 use the mapped drive connection that has been dropped, the client
774 re-establishes the connection using
775 a cached copy of the password.</P
777 >When Microsoft changed the default password mode, they dropped support for
778 caching of the plain text password. This means that when the registry
779 parameter is changed to re-enable use of plain text passwords it appears to
780 work, but when a dropped mapping attempts to revalidate it will fail if
781 the remote authentication server does not support encrypted passwords.
782 This means that it is definitely not a good idea to re-enable plain text
783 password support in such clients.</P
785 >The following parameters can be used to work around the
786 issue of Windows 9x client upper casing usernames and
787 password before transmitting them to the SMB server
788 when using clear text authentication.</P
791 CLASS="PROGRAMLISTING"
793 HREF="smb.conf.5.html#PASSWORDLEVEL"
803 HREF="smb.conf.5.html#USERNAMELEVEL"
814 >By default Samba will lower case the username before attempting
815 to lookup the user in the database of local system accounts.
816 Because UNIX usernames conventionally only contain lower case
823 is rarely even needed.</P
825 >However, password on UNIX systems often make use of mixed case
826 characters. This means that in order for a user on a Windows 9x
827 client to connect to a Samba server using clear text authentication,
833 > must be set to the maximum
834 number of upper case letter which <I
838 is a password. Note that is the server OS uses the traditional
839 DES version of crypt(), then a <TT
845 of 8 will result in case insensitive passwords as seen from Windows
846 users. This will also result in longer login times as Samba
847 hash to compute the permutations of the password string and
848 try them one by one until a match is located (or all combinations fail).</P
850 >The best option to adopt is to enable support for encrypted passwords
851 where ever Samba is used. There are three configuration possibilities
852 for support of encrypted passwords:</P
859 >Use MS Windows NT as an authentication server</A
862 >This method involves the additions of the following parameters
863 in the smb.conf file:</P
866 CLASS="PROGRAMLISTING"
867 > encrypt passwords = Yes
869 password server = "NetBIOS_name_of_PDC"</PRE
872 >There are two ways of identifying whether or not a username and
873 password pair was valid or not. One uses the reply information provided
874 as part of the authentication messaging process, the other uses
875 just and error code.</P
877 >The down-side of this mode of configuration is the fact that
878 for security reasons Samba will send the password server a bogus
879 username and a bogus password and if the remote server fails to
880 reject the username and password pair then an alternative mode
881 of identification of validation is used. Where a site uses password
882 lock out after a certain number of failed authentication attempts
883 this will result in user lockouts.</P
885 >Use of this mode of authentication does require there to be
886 a standard Unix account for the user, this account can be blocked
887 to prevent logons by other than MS Windows clients.</P
895 >Make Samba a member of an MS Windows NT security domain</A
898 >This method involves additon of the following paramters in the smb.conf file:</P
901 CLASS="PROGRAMLISTING"
902 > encrypt passwords = Yes
904 workgroup = "name of NT domain"
905 password server = *</PRE
908 >The use of the "*" argument to "password server" will cause samba
909 to locate the domain controller in a way analogous to the way
910 this is done within MS Windows NT.</P
912 >In order for this method to work the Samba server needs to join the
913 MS Windows NT security domain. This is done as follows:</P
919 >On the MS Windows NT domain controller using
920 the Server Manager add a machine account for the Samba server.
925 >Next, on the Linux system execute:
928 >smbpasswd -r PDC_NAME -j DOMAIN_NAME</B
934 >Use of this mode of authentication does require there to be
935 a standard Unix account for the user in order to assign
936 a uid once the account has been authenticated by the remote
937 Windows DC. This account can be blocked to prevent logons by
938 other than MS Windows clients by things such as setting an invalid
944 >An alternative to assigning UIDs to Windows users on a
945 Samba member server is presented in the <A
950 this HOWTO collection.</P
958 >Configure Samba as an authentication server</A
961 >This mode of authentication demands that there be on the
962 Unix/Linux system both a Unix style account as well as an
963 smbpasswd entry for the user. The Unix system account can be
964 locked if required as only the encrypted password will be
965 used for SMB client authentication.</P
967 >This method involves addition of the following parameters to
968 the smb.conf file:</P
971 CLASS="PROGRAMLISTING"
972 >## please refer to the Samba PDC HOWTO chapter later in
973 ## this collection for more details
975 encrypt passwords = Yes
978 ; an OS level of 33 or more is recommended
982 path = /somewhare/in/file/system
986 >in order for this method to work a Unix system account needs
987 to be created for each user, as well as for each MS Windows NT/2000
988 machine. The following structure is required.</P
998 >A user account that may provide a home directory should be
999 created. The following Linux system commands are typical of
1000 the procedure for creating an account.</P
1003 CLASS="PROGRAMLISTING"
1004 > # useradd -s /bin/bash -d /home/"userid" -m "userid"
1006 Enter Password: <pw>
1008 # smbpasswd -a "userid"
1009 Enter Password: <pw></PRE
1018 >MS Windows NT Machine Accounts</A
1021 >These are required only when Samba is used as a domain
1022 controller. Refer to the Samba-PDC-HOWTO for more details.</P
1025 CLASS="PROGRAMLISTING"
1026 > # useradd -s /bin/false -d /dev/null "machine_name"\$
1027 # passwd -l "machine_name"\$
1028 # smbpasswd -a -m "machine_name"</PRE
1042 >Samba provides a flexible means to operate as...</P
1048 >A Stand-alone server - No special action is needed
1049 other than to create user accounts. Stand-alone servers do NOT
1050 provide network logon services, meaning that machines that use this
1051 server do NOT perform a domain logon but instead make use only of
1052 the MS Windows logon which is local to the MS Windows
1058 >An MS Windows NT 3.x/4.0 security domain member.
1063 >An alternative to an MS Windows NT 3.x/4.0
git.samba.org / samba.git / blob