4 >SAMBA Project Documentation</TITLE
7 CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
18 NAME="SAMBA-PROJECT-DOCUMENTATION"
25 NAME="SAMBA-PROJECT-DOCUMENTATION"
26 >SAMBA Project Documentation</A
41 >This book is a collection of HOWTOs added to Samba documentation over the years.
42 I try to ensure that all are current, but sometimes the is a larger job
43 than one person can maintain. The most recent version of this document
45 HREF="http://www.samba.org/"
47 >http://www.samba.org/</A
49 on the "Documentation" page. Please send updates to <A
50 HREF="mailto:jerry@samba.org"
66 >How to Install and Test SAMBA</A
73 >Step 0: Read the man pages</A
78 >Step 1: Building the Binaries</A
83 >Step 2: The all important step</A
88 >Step 3: Create the smb configuration file.</A
93 >Step 4: Test your config file with
102 >Step 5: Starting the smbd and nmbd</A
109 >Step 5a: Starting from inetd.conf</A
114 >Step 5b. Alternative: starting it as a daemon</A
121 >Step 6: Try listing the shares available on your
127 >Step 7: Try connecting with the unix client</A
132 >Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
133 Win2k, OS/2, etc... client</A
138 >What If Things Don't Work?</A
145 >Diagnosing Problems</A
155 >Choosing the Protocol Level</A
160 >Printing from UNIX to a Client PC</A
170 >Mapping Usernames</A
175 >Other Character Sets</A
184 >LanMan and NT Password Encryption in Samba 2.x</A
196 >How does it work?</A
201 >Important Notes About Security</A
208 >Advantages of SMB Encryption</A
213 >Advantages of non-encrypted passwords</A
221 NAME="SMBPASSWDFILEFORMAT"
223 >The smbpasswd file</A
228 >The smbpasswd Command</A
233 >Setting up Samba to support LanManager Encryption</A
240 >Hosting a Microsoft Distributed File System tree on Samba</A
263 >Printing Support in Samba 2.2.x</A
282 >Creating [print$]</A
287 >Setting Drivers for Existing Printers</A
292 >Support a large number of printers</A
297 >Adding New Printers via the Windows NT APW</A
302 >Samba and Printer Ports</A
309 >The Imprints Toolset</A
316 >What is Imprints?</A
321 >Creating Printer Driver Packages</A
326 >The Imprints server</A
331 >The Installation Client</A
341 >Migration to from Samba 2.0.x to 2.2.x</A
348 >security = domain in Samba 2.x</A
355 >Joining an NT Domain with Samba 2.2</A
360 >Samba and Windows 2000 Domains</A
365 >Why is this better than security = server?</A
372 >How to Configure Samba 2.2 as a Primary Domain Controller</A
379 >Prerequisite Reading</A
389 >Configuring the Samba Domain Controller</A
394 >Creating Machine Trust Accounts and Joining Clients
402 >Manually creating machine trust accounts</A
407 >Creating machine trust accounts "on the fly"</A
414 >Common Problems and Errors</A
419 >System Policies and Profiles</A
424 >What other help can I get ?</A
429 >Domain Control for Windows 9x/ME</A
436 >Configuration Instructions: Network Logons</A
441 >Configuration Instructions: Setting up Roaming User Profiles</A
448 >Windows NT Configuration</A
453 >Windows 9X Configuration</A
458 >Win9X and WinNT Configuration</A
463 >Windows 9X Profile Setup</A
468 >Windows NT Workstation 4.0</A
473 >Windows NT Server</A
478 >Sharing Profiles between W95 and NT Workstation 4.0</A
487 >DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
494 >Unifed Logons between Windows NT and UNIX using Winbind</A
511 >What Winbind Provides</A
525 >How Winbind Works</A
532 >Microsoft Remote Procedure Calls</A
537 >Name Service Switch</A
542 >Pluggable Authentication Modules</A
547 >User and Group ID Allocation</A
559 >Installation and Configuration</A
576 >UNIX Permission Bits and WIndows NT Access Control Lists</A
583 >Viewing and changing UNIX permissions using the NT
589 >How to view file security on a Samba share</A
594 >Viewing file ownership</A
599 >Viewing file or directory permissions</A
611 >Directory Permissions</A
618 >Modifying file or directory permissions</A
623 >Interaction with the standard Samba create mask
629 >Interaction with the standard Samba file attribute
651 >How can I configure OS/2 Warp Connect or
652 OS/2 Warp 4 as a client for Samba?</A
657 >How can I configure OS/2 Warp 3 (not Connect),
658 OS/2 1.2, 1.3 or 2.x for Samba?</A
663 >Are there any other issues when OS/2 (any version)
664 is used as a client?</A
669 >How do I get printer driver download working
679 >HOWTO Access Samba source code via CVS</A
691 >CVS Access to samba.org</A
698 >Access via CVSweb</A
716 >Chapter 1. How to Install and Test SAMBA</A
724 >1.1. Step 0: Read the man pages</A
727 >The man pages distributed with SAMBA contain
728 lots of useful info that will help to get you started.
729 If you don't know how to read man pages then try
738 >nroff -man smbd.8 | more
743 >Other sources of information are pointed to
744 by the Samba web site,<A
745 HREF="http://www.samba.org/"
747 > http://www.samba.org</A
756 >1.2. Step 1: Building the Binaries</A
759 >To do this, first run the program <B
763 > in the source directory. This should automatically
764 configure Samba for your operating system. If you have unusual
765 needs then you may wish to run</P
778 >first to see what special options you can enable.
791 >will create the binaries. Once it's successfully
792 compiled you can use </P
804 >to install the binaries and manual pages. You can
805 separately install the binaries and/or man pages using</P
831 >Note that if you are upgrading for a previous version
832 of Samba you might like to know that the old versions of
833 the binaries will be renamed with a ".old" extension. You
834 can go back to the previous version with</P
847 >if you find this version a disaster!</P
855 >1.3. Step 2: The all important step</A
858 >At this stage you must fetch yourself a
859 coffee or other drink you find stimulating. Getting the rest
860 of the install right can sometimes be tricky, so you will
863 >If you have installed samba before then you can skip
872 >1.4. Step 3: Create the smb configuration file.</A
875 >There are sample configuration files in the examples
876 subdirectory in the distribution. I suggest you read them
877 carefully so you can see how the options go together in
878 practice. See the man page for all the options.</P
880 >The simplest useful configuration file would be
881 something like this:</P
890 CLASS="PROGRAMLISTING"
903 >which would allow connections by anyone with an
904 account on the server, using either their login name or
905 "homes" as the service name. (Note that I also set the
906 workgroup that Samba is part of. See BROWSING.txt for defails)</P
915 > file. You need to create it
918 >Make sure you put the smb.conf file in the same place
919 you specified in the<TT
925 >/usr/local/samba/lib/</TT
928 >For more information about security settings for the
929 [homes] share please refer to the document UNIX_SECURITY.txt.</P
937 >1.5. Step 4: Test your config file with
944 >It's important that you test the validity of your
948 > file using the testparm program.
949 If testparm runs OK then it will list the loaded services. If
950 not it will give an error message.</P
952 >Make sure it runs OK and that the services look
953 resonable before proceeding. </P
961 >1.6. Step 5: Starting the smbd and nmbd</A
964 >You must choose to start smbd and nmbd either
965 as daemons or from <B
969 to do both! Either you can put them in <TT
972 > and have them started on demand
976 >, or you can start them as
977 daemons either from the command line or in <TT
980 >. See the man pages for details
981 on the command line options. Take particular care to read
982 the bit about what user you need to be in order to start
983 Samba. In many cases you must be root.</P
985 >The main advantage of starting <B
992 > as a daemon is that they will
993 respond slightly more quickly to an initial connection
994 request. This is, however, unlikely to be a problem.</P
1001 >1.6.1. Step 5a: Starting from inetd.conf</A
1004 >NOTE; The following will be different if
1005 you use NIS or NIS+ to distributed services maps.</P
1011 What is defined at port 139/tcp. If nothing is defined
1012 then add a line like this:</P
1017 >netbios-ssn 139/tcp</B
1021 >similarly for 137/udp you should have an entry like:</P
1026 >netbios-ns 137/udp</B
1032 >/etc/inetd.conf</TT
1034 and add two lines something like this:</P
1043 CLASS="PROGRAMLISTING"
1044 > netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
1045 netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
1052 >The exact syntax of <TT
1054 >/etc/inetd.conf</TT
1056 varies between unixes. Look at the other entries in inetd.conf
1059 >NOTE: Some unixes already have entries like netbios_ns
1060 (note the underscore) in <TT
1064 You must either edit <TT
1070 >/etc/inetd.conf</TT
1071 > to make them consistant.</P
1073 >NOTE: On many systems you may need to use the
1074 "interfaces" option in smb.conf to specify the IP address
1075 and netmask of your interfaces. Run <B
1079 as root if you don't know what the broadcast is for your
1083 > tries to determine it at run
1084 time, but fails on somunixes. See the section on "testing nmbd"
1085 for a method of finding if you need to do this.</P
1087 >!!!WARNING!!! Many unixes only accept around 5
1088 parameters on the command line in <TT
1092 This means you shouldn't use spaces between the options and
1093 arguments, or you should use a script, and start the script
1102 >, perhaps just send
1103 it a HUP. If you have installed an earlier version of <B
1106 > then you may need to kill nmbd as well.</P
1114 >1.6.2. Step 5b. Alternative: starting it as a daemon</A
1117 >To start the server as a daemon you should create
1118 a script something like this one, perhaps calling
1131 CLASS="PROGRAMLISTING"
1133 /usr/local/samba/bin/smbd -D
1134 /usr/local/samba/bin/nmbd -D
1141 >then make it executable with <B
1147 >You can then run <B
1151 hand or execute it from <TT
1157 >To kill it send a kill signal to the processes
1166 >NOTE: If you use the SVR4 style init system then
1167 you may like to look at the <TT
1169 >examples/svr4-startup</TT
1171 script to make Samba fit into that system.</P
1180 >1.7. Step 6: Try listing the shares available on your
1200 >Your should get back a list of shares available on
1201 your server. If you don't then something is incorrectly setup.
1202 Note that this method can also be used to see what shares
1203 are available on other LanManager clients (such as WfWg).</P
1205 >If you choose user level security then you may find
1206 that Samba requests a password before it will list the shares.
1210 > man page for details. (you
1211 can force it to list the shares without a password by
1212 adding the option -U% to the command line. This will not work
1213 with non-Samba servers)</P
1221 >1.8. Step 7: Try connecting with the unix client</A
1233 > //yourhostname/aservice</I
1245 would be the name of the host where you installed <B
1254 any service you have defined in the <TT
1258 file. Try your user name if you just have a [homes] section
1264 >For example if your unix host is bambi and your login
1265 name is fred you would type:</P
1273 >smbclient //bambi/fred
1284 >1.9. Step 8: Try connecting from a DOS, WfWg, Win9x, WinNT,
1285 Win2k, OS/2, etc... client</A
1288 >Try mounting disks. eg:</P
1292 >C:\WINDOWS\> </TT
1296 >net use d: \\servername\service
1301 >Try printing. eg:</P
1305 >C:\WINDOWS\> </TT
1310 \\servername\spoolservice</B
1316 >C:\WINDOWS\> </TT
1325 >Celebrate, or send me a bug report!</P
1333 >1.10. What If Things Don't Work?</A
1336 >If nothing works and you start to think "who wrote
1337 this pile of trash" then I suggest you do step 2 again (and
1338 again) till you calm down.</P
1340 >Then you might read the file DIAGNOSIS.txt and the
1341 FAQ. If you are still stuck then try the mailing list or
1342 newsgroup (look in the README for details). Samba has been
1343 successfully installed at thousands of sites worldwide, so maybe
1344 someone else has hit your problem and has overcome it. You could
1345 also use the WWW site to scan back issues of the samba-digest.</P
1347 >When you fix the problem PLEASE send me some updates to the
1348 documentation (or source code) so that the next person will find it
1356 >1.10.1. Diagnosing Problems</A
1359 >If you have instalation problems then go to
1363 > to try to find the
1372 >1.10.2. Scope IDs</A
1375 >By default Samba uses a blank scope ID. This means
1376 all your windows boxes must also have a blank scope ID.
1377 If you really want to use a non-blank scope ID then you will
1378 need to use the -i <scope> option to nmbd, smbd, and
1379 smbclient. All your PCs will need to have the same setting for
1380 this to work. I do not recommend scope IDs.</P
1388 >1.10.3. Choosing the Protocol Level</A
1391 >The SMB protocol has many dialects. Currently
1392 Samba supports 5, called CORE, COREPLUS, LANMAN1,
1395 >You can choose what maximum protocol to support
1399 > file. The default is
1400 NT1 and that is the best for the vast majority of sites.</P
1402 >In older versions of Samba you may have found it
1403 necessary to use COREPLUS. The limitations that led to
1404 this have mostly been fixed. It is now less likely that you
1405 will want to use less than LANMAN1. The only remaining advantage
1406 of COREPLUS is that for some obscure reason WfWg preserves
1407 the case of passwords in this protocol, whereas under LANMAN1,
1408 LANMAN2 or NT1 it uppercases all passwords before sending them,
1409 forcing you to use the "password level=" option in some cases.</P
1411 >The main advantage of LANMAN2 and NT1 is support for
1412 long filenames with some clients (eg: smbclient, Windows NT
1415 >See the smb.conf(5) manual page for more details.</P
1417 >Note: To support print queue reporting you may find
1418 that you have to use TCP/IP as the default protocol under
1419 WfWg. For some reason if you leave Netbeui as the default
1420 it may break the print queue reporting on some systems.
1421 It is presumably a WfWg bug.</P
1429 >1.10.4. Printing from UNIX to a Client PC</A
1432 >To use a printer that is available via a smb-based
1433 server from a unix host you will need to compile the
1434 smbclient program. You then need to install the script
1435 "smbprint". Read the instruction in smbprint for more details.
1438 >There is also a SYSV style script that does much
1439 the same thing called smbprint.sysv. It contains instructions.</P
1450 >One area which sometimes causes trouble is locking.</P
1452 >There are two types of locking which need to be
1453 performed by a SMB server. The first is "record locking"
1454 which allows a client to lock a range of bytes in a open file.
1455 The second is the "deny modes" that are specified when a file
1458 >Samba supports "record locking" using the fcntl() unix system
1459 call. This is often implemented using rpc calls to a rpc.lockd process
1460 running on the system that owns the filesystem. Unfortunately many
1461 rpc.lockd implementations are very buggy, particularly when made to
1462 talk to versions from other vendors. It is not uncommon for the
1463 rpc.lockd to crash.</P
1465 >There is also a problem translating the 32 bit lock
1466 requests generated by PC clients to 31 bit requests supported
1467 by most unixes. Unfortunately many PC applications (typically
1468 OLE2 applications) use byte ranges with the top bit set
1469 as semaphore sets. Samba attempts translation to support
1470 these types of applications, and the translation has proved
1471 to be quite successful.</P
1473 >Strictly a SMB server should check for locks before
1474 every read and write call on a file. Unfortunately with the
1475 way fcntl() works this can be slow and may overstress the
1476 rpc.lockd. It is also almost always unnecessary as clients
1477 are supposed to independently make locking calls before reads
1478 and writes anyway if locking is important to them. By default
1479 Samba only makes locking calls when explicitly asked
1480 to by a client, but if you set "strict locking = yes" then it will
1481 make lock checking calls on every read and write. </P
1483 >You can also disable by range locking completely
1484 using "locking = no". This is useful for those shares that
1485 don't support locking or don't need it (such as cdroms). In
1486 this case Samba fakes the return codes of locking calls to
1487 tell clients that everything is OK.</P
1489 >The second class of locking is the "deny modes". These
1490 are set by an application when it opens a file to determine
1491 what types of access should be allowed simultaneously with
1492 its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE
1493 or DENY_ALL. There are also special compatability modes called
1494 DENY_FCB and DENY_DOS.</P
1496 >You can disable share modes using "share modes = no".
1497 This may be useful on a heavily loaded server as the share
1498 modes code is very slow. See also the FAST_SHARE_MODES
1499 option in the Makefile for a way to do full share modes
1500 very fast using shared memory (if your OS supports it).</P
1508 >1.10.6. Mapping Usernames</A
1511 >If you have different usernames on the PCs and
1512 the unix server then take a look at the "username map" option.
1513 See the smb.conf man page for details.</P
1521 >1.10.7. Other Character Sets</A
1524 >If you have problems using filenames with accented
1525 characters in them (like the German, French or Scandinavian
1526 character sets) then I recommmend you look at the "valid chars"
1527 option in smb.conf and also take a look at the validchars
1528 package in the examples directory.</P
1537 >Chapter 2. LanMan and NT Password Encryption in Samba 2.x</A
1545 >2.1. Introduction</A
1548 >With the development of LanManager and Windows NT
1549 compatible password encryption for Samba, it is now able
1550 to validate user connections in exactly the same way as
1551 a LanManager or Windows NT server.</P
1553 >This document describes how the SMB password encryption
1554 algorithm works and what issues there are in choosing whether
1555 you want to use it. You should read it carefully, especially
1556 the part about security and the "PROS and CONS" section.</P
1564 >2.2. How does it work?</A
1567 >LanManager encryption is somewhat similar to UNIX
1568 password encryption. The server uses a file containing a
1569 hashed value of a user's password. This is created by taking
1570 the user's plaintext password, capitalising it, and either
1571 truncating to 14 bytes or padding to 14 bytes with null bytes.
1572 This 14 byte value is used as two 56 bit DES keys to encrypt
1573 a 'magic' eight byte value, forming a 16 byte value which is
1574 stored by the server and client. Let this value be known as
1575 the "hashed password".</P
1577 >Windows NT encryption is a higher quality mechanism,
1578 consisting of doing an MD4 hash on a Unicode version of the user's
1579 password. This also produces a 16 byte hash value that is
1582 >When a client (LanManager, Windows for WorkGroups, Windows
1583 95 or Windows NT) wishes to mount a Samba drive (or use a Samba
1584 resource), it first requests a connection and negotiates the
1585 protocol that the client and server will use. In the reply to this
1586 request the Samba server generates and appends an 8 byte, random
1587 value - this is stored in the Samba server after the reply is sent
1588 and is known as the "challenge". The challenge is different for
1589 every client connection.</P
1591 >The client then uses the hashed password (16 byte values
1592 described above), appended with 5 null bytes, as three 56 bit
1593 DES keys, each of which is used to encrypt the challenge 8 byte
1594 value, forming a 24 byte value known as the "response".</P
1596 >In the SMB call SMBsessionsetupX (when user level security
1597 is selected) or the call SMBtconX (when share level security is
1598 selected), the 24 byte response is returned by the client to the
1599 Samba server. For Windows NT protocol levels the above calculation
1600 is done on both hashes of the user's password and both responses are
1601 returned in the SMB call, giving two 24 byte values.</P
1603 >The Samba server then reproduces the above calculation, using
1604 its own stored value of the 16 byte hashed password (read from the
1608 > file - described later) and the challenge
1609 value that it kept from the negotiate protocol reply. It then checks
1610 to see if the 24 byte value it calculates matches the 24 byte value
1611 returned to it from the client.</P
1613 >If these values match exactly, then the client knew the
1614 correct password (or the 16 byte hashed value - see security note
1615 below) and is thus allowed access. If not, then the client did not
1616 know the correct password and is denied access.</P
1618 >Note that the Samba server never knows or stores the cleartext
1619 of the user's password - just the 16 byte hashed values derived from
1620 it. Also note that the cleartext password or 16 byte hashed values
1621 are never transmitted over the network - thus increasing security.</P
1629 >2.3. Important Notes About Security</A
1632 >The unix and SMB password encryption techniques seem similar
1633 on the surface. This similarity is, however, only skin deep. The unix
1634 scheme typically sends clear text passwords over the nextwork when
1635 logging in. This is bad. The SMB encryption scheme never sends the
1636 cleartext password over the network but it does store the 16 byte
1637 hashed values on disk. This is also bad. Why? Because the 16 byte hashed
1638 values are a "password equivalent". You cannot derive the user's
1639 password from them, but they could potentially be used in a modified
1640 client to gain access to a server. This would require considerable
1641 technical knowledge on behalf of the attacker but is perfectly possible.
1642 You should thus treat the smbpasswd file as though it contained the
1643 cleartext passwords of all your users. Its contents must be kept
1644 secret, and the file should be protected accordingly.</P
1646 >Ideally we would like a password scheme which neither requires
1647 plain text passwords on the net or on disk. Unfortunately this
1648 is not available as Samba is stuck with being compatible with
1649 other SMB systems (WinNT, WfWg, Win95 etc). </P
1669 >Note that Windows NT 4.0 Service pack 3 changed the
1670 default for permissible authentication so that plaintext
1673 > sent over the wire.
1674 The solution to this is either to switch to encrypted passwords
1675 with Samba or edit the Windows NT registry to re-enable plaintext
1676 passwords. See the document WinNT.txt for details on how to do
1679 >Other Microsoft operating systems which also exhibit
1680 this behavior includes</P
1686 >MS DOS Network client 3.0 with
1687 the basic network redirector installed</P
1691 >Windows 95 with the network redirector
1706 >All current release of
1707 Microsoft SMB/CIFS clients support authentication via the
1708 SMB Challenge/Response mechanism described here. Enabling
1709 clear text authentication does not disable the ability
1710 of the client to particpate in encrypted authentication.</P
1721 >2.3.1. Advantages of SMB Encryption</A
1728 >plain text passwords are not passed across
1729 the network. Someone using a network sniffer cannot just
1730 record passwords going to the SMB server.</P
1734 >WinNT doesn't like talking to a server
1735 that isn't using SMB encrypted passwords. It will refuse
1736 to browse the server if the server is also in user level
1737 security mode. It will insist on prompting the user for the
1738 password on each connection, which is very annoying. The
1739 only things you can do to stop this is to use SMB encryption.
1750 >2.3.2. Advantages of non-encrypted passwords</A
1757 >plain text passwords are not kept
1762 >uses same password file as other unix
1763 services such as login and ftp</P
1767 >you are probably already using other
1768 services (such as telnet and ftp) which send plain text
1769 passwords over the net, so sending them for SMB isn't
1782 NAME="SMBPASSWDFILEFORMAT"
1784 >The smbpasswd file</A
1787 >In order for Samba to participate in the above protocol
1788 it must be able to look up the 16 byte hashed values given a user name.
1789 Unfortunately, as the UNIX password value is also a one way hash
1790 function (ie. it is impossible to retrieve the cleartext of the user's
1791 password given the UNIX hash of it), a separate password file
1792 containing this 16 byte value must be kept. To minimise problems with
1793 these two password files, getting out of sync, the UNIX <TT
1803 >, is provided to generate
1804 a smbpasswd file from a UNIX <TT
1810 >To generate the smbpasswd file from your <TT
1814 > file use the following command :</P
1822 >cat /etc/passwd | mksmbpasswd.sh
1823 > /usr/local/samba/private/smbpasswd</B
1827 >If you are running on a system that uses NIS, use</P
1835 >ypcat passwd | mksmbpasswd.sh
1836 > /usr/local/samba/private/smbpasswd</B
1843 > program is found in
1844 the Samba source directory. By default, the smbpasswd file is
1849 >/usr/local/samba/private/smbpasswd</TT
1852 >The owner of the <TT
1854 >/usr/local/samba/private/</TT
1856 directory should be set to root, and the permissions on it should
1859 >chmod 500 /usr/local/samba/private</B
1863 >Likewise, the smbpasswd file inside the private directory should
1864 be owned by root and the permissions on is should be set to 0600
1867 >chmod 600 smbpasswd</B
1870 >The format of the smbpasswd file is (The line has been
1871 wrapped here. It should appear as one entry per line in
1872 your smbpasswd file.)</P
1881 CLASS="PROGRAMLISTING"
1882 >username:uid:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
1883 [Account type]:LCT-<last-change-time>:Long name
1890 >Although only the <TT
1904 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</I
1915 > last-change-time</I
1917 > sections are significant
1918 and are looked at in the Samba code.</P
1922 > important that there by 32
1923 'X' characters between the two ':' characters in the XXX sections -
1924 the smbpasswd and Samba code will fail to validate any entries that
1925 do not have 32 characters between ':' characters. The first XXX
1926 section is for the Lanman password hash, the second is for the
1927 Windows NT version.</P
1929 >When the password file is created all users have password entries
1930 consisting of 32 'X' characters. By default this disallows any access
1931 as this user. When a user has a password set, the 'X' characters change
1932 to 32 ascii hexadecimal digits (0-9, A-F). These are an ascii
1933 representation of the 16 byte hashed value of a user's password.</P
1935 >To set a user to have no password (not recommended), edit the file
1936 using vi, and replace the first 11 characters with the ascii text
1940 > (minus the quotes).</P
1942 >For example, to clear the password for user bob, his smbpasswd file
1943 entry would look like :</P
1952 CLASS="PROGRAMLISTING"
1953 > bob:100:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U ]:LCT-00000000:Bob's full name:/bobhome:/bobshell
1960 >If you are allowing users to use the smbpasswd command to set
1961 their own passwords, you may want to give users NO PASSWORD initially
1962 so they do not have to enter a previous password when changing to their
1963 new password (not recommended). In order for you to allow this the
1967 > program must be able to connect to the
1971 > daemon as that user with no password. Enable this
1972 by adding the line :</P
1976 >null passwords = yes</B
1979 >to the [global] section of the smb.conf file (this is why
1980 the above scenario is not recommended). Preferably, allocate your
1981 users a default password to begin with, so you do not have
1982 to enable this on your server.</P
1986 >This file should be protected very
1987 carefully. Anyone with access to this file can (with enough knowledge of
1988 the protocols) gain access to your SMB server. The file is thus more
1989 sensitive than a normal unix <TT
2000 >2.5. The smbpasswd Command</A
2003 >The smbpasswd command maintains the two 32 byte password fields
2004 in the smbpasswd file. If you wish to make it similar to the unix
2014 >/usr/local/samba/bin/</TT
2016 main Samba binary directory).</P
2018 >Note that as of Samba 1.9.18p4 this program <EM
2021 > setuid root (the new <B
2025 code enforces this restriction so it cannot be run this way by
2031 > now works in a client-server mode
2032 where it contacts the local smbd to change the user's password on its
2033 behalf. This has enormous benefits - as follows.</P
2039 >smbpasswd no longer has to be setuid root -
2040 an enormous range of potential security problems is
2048 > now has the capability
2049 to change passwords on Windows NT servers (this only works when
2050 the request is sent to the NT Primary Domain Controller if you
2051 are changing an NT Domain user's password).</P
2055 >To run smbpasswd as a normal user just type :</P
2069 >Old SMB password: </TT
2073 ><type old value here -
2074 or hit return if there was no old password></B
2080 >New SMB Password: </TT
2084 ><type new value>
2091 >Repeat New SMB Password: </TT
2095 ><re-type new value
2100 >If the old value does not match the current value stored for
2101 that user, or the two new values do not match each other, then the
2102 password will not be changed.</P
2104 >If invoked by an ordinary user it will only allow the user
2105 to change his or her own Samba password.</P
2107 >If run by the root user smbpasswd may take an optional
2108 argument, specifying the user name whose SMB password you wish to
2109 change. Note that when run as root smbpasswd does not prompt for
2110 or check the old password value, thus allowing root to set passwords
2111 for users who have forgotten their passwords.</P
2116 > is designed to work in the same way
2117 and be familiar to UNIX users who use the <B
2126 >For more details on using <B
2130 to the man page which will always be the definitive reference.</P
2138 >2.6. Setting up Samba to support LanManager Encryption</A
2141 >This is a very brief description on how to setup samba to
2142 support password encryption. </P
2149 >compile and install samba as usual</P
2153 >enable encrypted passwords in <TT
2156 > by adding the line <B
2160 > in the [global] section</P
2164 >create the initial <TT
2168 password file in the place you specified in the Makefile
2169 (--prefix=<dir>). See the notes under the <A
2170 HREF="#SMBPASSWDFILEFORMAT"
2171 >The smbpasswd File</A
2173 section earlier in the document for details.</P
2177 >Note that you can test things using smbclient.</P
2185 >Chapter 3. Hosting a Microsoft Distributed File System tree on Samba</A
2193 >3.1. Instructions</A
2196 >The Distributed File System (or Dfs) provides a means of
2197 separating the logical view of files and directories that users
2198 see from the actual physical locations of these resources on the
2199 network. It allows for higher availability, smoother storage expansion,
2200 load balancing etc. For more information about Dfs, refer to <A
2201 HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp"
2203 > Microsoft documentation</A
2206 >This document explains how to host a Dfs tree on a Unix
2207 machine (for Dfs-aware clients to browse) using Samba.</P
2209 >To enable SMB-based DFS for Samba, configure it with the
2215 > option. Once built, a
2216 Samba server can be made a Dfs server by setting the global
2218 HREF="smb.conf.5.html#HOSTMSDFS"
2226 > parameter in the <TT
2230 > file. You designate a share as a Dfs root using the share
2232 HREF="smb.conf.5.html#MSDFSROOT"
2240 > parameter. A Dfs root directory on
2241 Samba hosts Dfs links in the form of symbolic links that point
2242 to other servers. For example, a symbolic link
2245 >junction->msdfs:storage1\share1</TT
2247 the share directory acts as the Dfs junction. When Dfs-aware
2248 clients attempt to access the junction link, they are redirected
2249 to the storage location (in this case, \\storage1\share1).</P
2251 >Dfs trees on Samba work with all Dfs-aware clients ranging
2252 from Windows 95 to 2000.</P
2254 >Here's an example of setting up a Dfs tree on a Samba
2264 CLASS="PROGRAMLISTING"
2265 ># The smb.conf file:
2267 netbios name = SAMBA
2271 path = /export/dfsroot
2279 >In the /export/dfsroot directory we set up our dfs links to
2280 other servers on the network.</P
2288 >cd /export/dfsroot</B
2298 >chown root /export/dfsroot</B
2308 >chmod 755 /export/dfsroot</B
2318 >ln -s msdfs:storageA\\shareA linka</B
2328 >ln -s msdfs:serverB\\share,serverC\\share linkb</B
2332 >You should set up the permissions and ownership of
2333 the directory acting as the Dfs root such that only designated
2334 users can create, delete or modify the msdfs links. Also note
2335 that symlink names should be all lowercase. This limitation exists
2336 to have Samba avoid trying all the case combinations to get at
2337 the link name. Finally set up the symbolic links to point to the
2338 network shares you want, and start Samba.</P
2340 >Users on Dfs-aware clients can now browse the Dfs tree
2341 on the Samba server at \\samba\dfs. Accessing
2342 links linka or linkb (which appear as directories to the client)
2343 takes users directly to the appropriate shares on the network.</P
2357 >Windows clients need to be rebooted
2358 if a previously mounted non-dfs share is made a dfs
2359 root or vice versa. A better way is to introduce a
2360 new share and make it the dfs root.</P
2364 >Currently there's a restriction that msdfs
2365 symlink names should all be lowercase.</P
2369 >For security purposes, the directory
2370 acting as the root of the Dfs tree should have ownership
2371 and permissions set so that only designated users can
2372 modify the symbolic links in the directory.</P
2383 >Chapter 4. Printing Support in Samba 2.2.x</A
2391 >4.1. Introduction</A
2394 >Beginning with the 2.2.0 release, Samba supports
2395 the native Windows NT printing mechanisms implemented via
2396 MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of
2397 Samba only supported LanMan printing calls.</P
2399 >The additional functionality provided by the new
2400 SPOOLSS support includes:</P
2406 >Support for downloading printer driver
2407 files to Windows 95/98/NT/2000 clients upon demand.
2412 >Uploading of printer drivers via the
2413 Windows NT Add Printer Wizard (APW) or the
2414 Imprints tool set (refer to <A
2415 HREF="http://imprints.sourceforge.net"
2417 >http://imprints.sourceforge.net</A
2423 >Support for the native MS-RPC printing
2424 calls such as StartDocPrinter, EnumJobs(), etc... (See
2425 the MSDN documentation at <A
2426 HREF="http://msdn.microsoft.com/"
2428 >http://msdn.microsoft.com/</A
2430 for more information on the Win32 printing API)
2435 >Support for NT Access Control Lists (ACL)
2436 on printer objects</P
2440 >Improved support for printer queue manipulation
2441 through the use of an internal databases for spooled job
2446 >There has been some initial confusion about what all this means
2447 and whether or not it is a requirement for printer drivers to be
2448 installed on a Samba host in order to support printing from Windows
2449 clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients
2450 require that the Samba server possess a valid driver for the printer.
2451 This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients
2452 can use the local APW for installing drivers to be used with a Samba
2453 served printer. This is the same behavior exhibited by Windows 9x clients.
2454 As a side note, Samba does not use these drivers in any way to process
2455 spooled files. They are utilized entirely by the clients.</P
2457 >The following MS KB article, may be of some help if you are dealing with
2458 Windows 2000 clients: <EM
2459 >How to Add Printers with No User
2460 Interaction in Windows 2000</EM
2464 HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP"
2466 >http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A
2475 >4.2. Configuration</A
2489 >[print$] vs. [printer$]</B
2496 >Previous versions of Samba recommended using a share named [printer$].
2497 This name was taken from the printer$ service created by Windows 9x
2498 clients when a printer was shared. Windows 9x printer servers always have
2499 a printer$ service which provides read-only access via no
2500 password in order to support printer driver downloads.</P
2502 >However, the initial implementation allowed for a
2506 >printer driver location</I
2509 to be used on a per share basis to specify the location of
2510 the driver files associated with that printer. Another
2517 a means of defining the printer driver name to be sent to
2520 >These parameters, including <TT
2526 > parameter, are being depreciated and should not
2527 be used in new installations. For more information on this change,
2528 you should refer to the <A
2530 >Migration section</A
2532 of this document.</P
2543 >4.2.1. Creating [print$]</A
2546 >In order to support the uploading of printer driver
2547 files, you must first configure a file share named [print$].
2548 The name of this share is hard coded in Samba's internals so
2549 the name is very important (print$ is the service used by
2550 Windows NT print servers to provide support for printer driver
2553 >You should modify the server's smb.conf file to create the
2554 following file share (of course, some of the parameter values,
2555 such as 'path' are arbitrary and should be replaced with
2556 appropriate values for your site):</P
2565 CLASS="PROGRAMLISTING"
2567 path = /usr/local/samba/printers
2571 ; since this share is configured as read only, then we need
2572 ; a 'write list'. Check the file system permissions to make
2573 ; sure this account can copy files to the share. If this
2574 ; is setup to a non-root account, then it should also exist
2575 ; as a 'printer admin'
2576 write list = ntadmin</PRE
2583 HREF="smb.conf.5.html#WRITELIST"
2591 > is used to allow administrative
2592 level user accounts to have write access in order to update files
2593 on the share. See the <A
2594 HREF="smb./conf.5.html"
2598 > for more information on configuring file shares.</P
2600 >The requirement for <A
2601 HREF="smb.conf.5.html#GUESTOK"
2608 > depends upon how your
2609 site is configured. If users will be guaranteed to have
2610 an account on the Samba host, then this is a non-issue.</P
2618 >The non-issue is that if all your Windows NT users are guaranteed to be
2619 authenticated by the Samba server (such as a domain member server and the NT
2620 user has already been validated by the Domain Controller in
2621 order to logon to the Windows NT console), then guest access
2622 is not necessary. Of course, in a workgroup environment where
2623 you just want to be able to print without worrying about
2624 silly accounts and security, then configure the share for
2625 guest access. You'll probably want to add <A
2626 HREF="smb.conf.5.html#MAPTOGUEST"
2630 >map to guest = Bad User</B
2632 > in the [global] section as well. Make sure
2633 you understand what this parameter does before using it
2638 >In order for a Windows NT print server to support
2639 the downloading of driver files by multiple client architectures,
2640 it must create subdirectories within the [print$] service
2641 which correspond to each of the supported client architectures.
2642 Samba follows this model as well.</P
2644 >Next create the directory tree below the [print$] share
2645 for each architecture you wish to support.</P
2654 CLASS="PROGRAMLISTING"
2656 |-W32X86 ; "Windows NT x86"
2657 |-WIN40 ; "Windows 95/98"
2658 |-W32ALPHA ; "Windows NT Alpha_AXP"
2659 |-W32MIPS ; "Windows NT R4000"
2660 |-W32PPC ; "Windows NT PowerPC"</PRE
2677 >ATTENTION! REQUIRED PERMISSIONS</B
2684 >In order to currently add a new driver to you Samba host,
2685 one of two conditions must hold true:</P
2691 >The account used to connect to the Samba host
2692 must have a uid of 0 (i.e. a root account)</P
2696 >The account used to connect to the Samba host
2697 must be a member of the <A
2698 HREF="smb.conf.5.html#PRINTERADMIN"
2711 >Of course, the connected account must still possess access
2712 to add files to the subdirectories beneath [print$]. Remember
2713 that all file shares are set to 'read only' by default.</P
2719 >Once you have created the required [print$] service and
2720 associated subdirectories, simply log onto the Samba server using
2727 from a Windows NT 4.0 client. Navigate to the "Printers" folder
2728 on the Samba server. You should see an initial listing of printers
2729 that matches the printer shares defined on your Samba host.</P
2737 >4.2.2. Setting Drivers for Existing Printers</A
2740 >The initial listing of printers in the Samba host's
2741 Printers folder will have no real printer driver assigned
2742 to them. By default, in Samba 2.2.0 this driver name was set to
2744 >NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER</EM
2746 Later versions changed this to a NULL string to allow the use
2747 tof the local Add Printer Wizard on NT/2000 clients.
2748 Attempting to view the printer properties for a printer
2749 which has this default driver assigned will result in
2750 the error message:</P
2753 >Device settings cannot be displayed. The driver
2754 for the specified printer is not installed, only spooler
2755 properties will be displayed. Do you want to install the
2759 >Click "No" in the error dialog and you will be presented with
2760 the printer properties window. The way assign a driver to a
2761 printer is to either</P
2767 >Use the "New Driver..." button to install
2768 a new printer driver, or</P
2772 >Select a driver from the popup list of
2773 installed drivers. Initially this list will be empty.</P
2777 >If you wish to install printer drivers for client
2778 operating systems other than "Windows NT x86", you will need
2779 to use the "Sharing" tab of the printer properties dialog.</P
2781 >Assuming you have connected with a root account, you
2782 will also be able modify other printer properties such as
2783 ACLs and device settings using this dialog box.</P
2785 >A few closing comments for this section, it is possible
2786 on a Windows NT print server to have printers
2787 listed in the Printers folder which are not shared. Samba does
2788 not make this distinction. By definition, the only printers of
2789 which Samba is aware are those which are specified as shares in
2795 >Another interesting side note is that Windows NT clients do
2796 not use the SMB printer share, but rather can print directly
2797 to any printer on another Windows NT host using MS-RPC. This
2798 of course assumes that the printing client has the necessary
2799 privileges on the remote host serving the printer. The default
2800 permissions assigned by Windows NT to a printer gives the "Print"
2801 permissions to the "Everyone" well-known group.</P
2809 >4.2.3. Support a large number of printers</A
2812 >One issue that has arisen during the development
2813 phase of Samba 2.2 is the need to support driver downloads for
2814 100's of printers. Using the Windows NT APW is somewhat
2815 awkward to say the list. If more than one printer are using the
2817 HREF="rpcclient.1.html"
2822 setdriver command</B
2824 > can be used to set the driver
2825 associated with an installed driver. The following is example
2826 of how this could be accomplished:</P
2835 CLASS="PROGRAMLISTING"
2840 >rpcclient pogo -U root%secret -c "enumdrivers"
2841 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2844 Printer Driver Info 1:
2845 Driver Name: [HP LaserJet 4000 Series PS]
2847 Printer Driver Info 1:
2848 Driver Name: [HP LaserJet 2100 Series PS]
2850 Printer Driver Info 1:
2851 Driver Name: [HP LaserJet 4Si/4SiMX PS]
2856 >rpcclient pogo -U root%secret -c "enumprinters"
2857 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2859 name:[\\POGO\hp-print]
2860 description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,]
2866 >rpcclient pogo -U root%secret \
2870 > -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""
2871 Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3]
2872 Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE
2884 >4.2.4. Adding New Printers via the Windows NT APW</A
2887 >By default, Samba offers all printer shares defined in <TT
2891 in the "Printers..." folder. Also existing in this folder is the Windows NT
2892 Add Printer Wizard icon. The APW will be show only if</P
2898 >The connected user is able to successfully
2899 execute an OpenPrinterEx(\\server) with administrative
2900 priviledges (i.e. root or <TT
2911 HREF="smb.conf.5.html#SHOWADDPRINTERWIZARD"
2917 add printer wizard = yes</I
2925 >In order to be able to use the APW to successfully add a printer to a Samba
2927 HREF="smb.conf.5.html#ADDPRINTERCOMMAND"
2936 > must have a defined value. The program
2937 hook must successfully add the printer to the system (i.e.
2941 > or appropriate files) and
2947 >When using the APW from a client, if the named printer share does
2951 > will execute the <TT
2957 > and reparse to the <TT
2961 to attempt to locate the new printer share. If the share is still not defined,
2962 an error of "Access Denied" is returned to the client. Note that the
2966 >add printer program</I
2968 > is executed under the context
2969 of the connected user, not necessarily a root account.</P
2971 >There is a complementing <A
2972 HREF="smb.conf.5.html#DELETEPRINTERCOMMAND"
2981 > for removing entries from the "Printers..."
2990 >4.2.5. Samba and Printer Ports</A
2993 >Windows NT/2000 print servers associate a port with each printer. These normally
2994 take the form of LPT1:, COM1:, FILE:, etc... Samba must also support the
2995 concept of ports associated with a printer. By default, only one printer port,
2996 named "Samba Printer Port", exists on a system. Samba does not really a port in
2997 order to print, rather it is a requirement of Windows clients. </P
2999 >Note that Samba does not support the concept of "Printer Pooling" internally
3000 either. This is when a logical printer is assigned to multiple ports as
3001 a form of load balancing or fail over.</P
3003 >If you require that multiple ports be defined for some reason,
3008 HREF="smb.conf.5.html#ENUMPORTSCOMMAND"
3017 > which can be used to define an external program
3018 that generates a listing of ports on a system.</P
3027 >4.3. The Imprints Toolset</A
3030 >The Imprints tool set provides a UNIX equivalent of the
3031 Windows NT Add Printer Wizard. For complete information, please
3032 refer to the Imprints web site at <A
3033 HREF="http://imprints.sourceforge.net/"
3035 > http://imprints.sourceforge.net/</A
3036 > as well as the documentation
3037 included with the imprints source distribution. This section will
3038 only provide a brief introduction to the features of Imprints.</P
3045 >4.3.1. What is Imprints?</A
3048 >Imprints is a collection of tools for supporting the goals
3055 >Providing a central repository information
3056 regarding Windows NT and 95/98 printer driver packages</P
3060 >Providing the tools necessary for creating
3061 the Imprints printer driver packages.</P
3065 >Providing an installation client which
3066 will obtain and install printer drivers on remote Samba
3067 and Windows NT 4 print servers.</P
3077 >4.3.2. Creating Printer Driver Packages</A
3080 >The process of creating printer driver packages is beyond
3081 the scope of this document (refer to Imprints.txt also included
3082 with the Samba distribution for more information). In short,
3083 an Imprints driver package is a gzipped tarball containing the
3084 driver files, related INF files, and a control file needed by the
3085 installation client.</P
3093 >4.3.3. The Imprints server</A
3096 >The Imprints server is really a database server that
3097 may be queried via standard HTTP mechanisms. Each printer
3098 entry in the database has an associated URL for the actual
3099 downloading of the package. Each package is digitally signed
3100 via GnuPG which can be used to verify that package downloaded
3101 is actually the one referred in the Imprints database. It is
3104 > recommended that this security check
3113 >4.3.4. The Installation Client</A
3116 >More information regarding the Imprints installation client
3117 is available in the <TT
3119 >Imprints-Client-HOWTO.ps</TT
3121 file included with the imprints source package.</P
3123 >The Imprints installation client comes in two forms.</P
3129 >a set of command line Perl scripts</P
3133 >a GTK+ based graphical interface to
3134 the command line perl scripts</P
3138 >The installation client (in both forms) provides a means
3139 of querying the Imprints database server for a matching
3140 list of known printer model names as well as a means to
3141 download and install the drivers on remote Samba and Windows
3142 NT print servers.</P
3144 >The basic installation process is in four steps and
3145 perl code is wrapped around <B
3161 CLASS="PROGRAMLISTING"
3163 foreach (supported architecture for a given driver)
3165 1. rpcclient: Get the appropriate upload directory
3166 on the remote server
3167 2. smbclient: Upload the driver files
3168 3. rpcclient: Issues an AddPrinterDriver() MS-RPC
3171 4. rpcclient: Issue an AddPrinterEx() MS-RPC to actually
3172 create the printer</PRE
3178 >One of the problems encountered when implementing
3179 the Imprints tool set was the name space issues between
3180 various supported client architectures. For example, Windows
3181 NT includes a driver named "Apple LaserWriter II NTX v51.8"
3182 and Windows 95 callsits version of this driver "Apple
3183 LaserWriter II NTX"</P
3185 >The problem is how to know what client drivers have
3186 been uploaded for a printer. As astute reader will remember
3187 that the Windows NT Printer Properties dialog only includes
3188 space for one printer driver name. A quick look in the
3189 Windows NT 4.0 system registry at</P
3193 >HKLM\System\CurrentControlSet\Control\Print\Environment
3197 >will reveal that Windows NT always uses the NT driver
3198 name. This is ok as Windows NT always requires that at least
3199 the Windows NT version of the printer driver is present.
3200 However, Samba does not have the requirement internally.
3201 Therefore, how can you use the NT driver name if is has not
3202 already been installed?</P
3204 >The way of sidestepping this limitation is to require
3205 that all Imprints printer driver packages include both the Intel
3206 Windows NT and 95/98 printer drivers and that NT driver is
3219 >Migration to from Samba 2.0.x to 2.2.x</A
3222 >Given that printer driver management has changed (we hope improved) in
3223 2.2 over prior releases, migration from an existing setup to 2.2 can
3224 follow several paths.</P
3226 >Windows clients have a tendency to remember things for quite a while.
3227 For example, if a Windows NT client has attached to a Samba 2.0 server,
3228 it will remember the server as a LanMan printer server. Upgrading
3229 the Samba host to 2.2 makes support for MSRPC printing possible, but
3230 the NT client will still remember the previous setting.</P
3232 >In order to give an NT client printing "amesia" (only necessary if you
3233 want to use the newer MSRPC printing functionality in Samba), delete
3234 the registry keys associated with the print server contained in
3237 >[HKLM\SYSTEM\CurrentControlSet\Control\Print]</TT
3239 spooler service on the client should be stopped prior to doing this:</P
3243 >C:\WINNT\ ></TT
3247 >net stop spooler</B
3252 >All the normal disclaimers about editing the registry go
3254 > Be careful, and know what you are doing.</P
3256 >The spooler service should be restarted after you have finished
3257 removing the appropriate registry entries by replacing the
3261 > command above with <B
3266 >Windows 9x clients will continue to use LanMan printing calls
3267 with a 2.2 Samba server so there is no need to perform any of these
3268 modifications on non-NT clients.</P
3288 >The following smb.conf parameters are considered to be depreciated and will
3289 be removed soon. Do not use them in new installations</P
3298 >printer driver file (G)</I
3308 >printer driver (S)</I
3318 >printer driver location (S)</I
3329 >Here are the possible scenarios for supporting migration:</P
3335 >If you do not desire the new Windows NT
3336 print driver support, nothing needs to be done.
3337 All existing parameters work the same.</P
3341 >If you want to take advantage of NT printer
3342 driver support but do not want to migrate the
3343 9x drivers to the new setup, the leave the existing
3344 printers.def file. When smbd attempts to locate a
3345 9x driver for the printer in the TDB and fails it
3346 will drop down to using the printers.def (and all
3347 associated parameters). The <B
3351 tool will also remain for backwards compatibility but will
3352 be moved to the "this tool is the old way of doing it"
3357 >If you install a Windows 9x driver for a printer
3358 on your Samba host (in the printing TDB), this information will
3359 take precedence and the three old printing parameters
3360 will be ignored (including print driver location).</P
3364 >If you want to migrate an existing <TT
3368 file into the new setup, the current only solution is to use the Windows
3369 NT APW to install the NT drivers and the 9x drivers. This can be scripted
3377 Imprints installation client at <A
3378 HREF="http://imprints.sourceforge.net/"
3380 >http://imprints.sourceforge.net/</A
3393 >Chapter 5. security = domain in Samba 2.x</A
3401 >5.1. Joining an NT Domain with Samba 2.2</A
3404 >In order for a Samba-2 server to join an NT domain,
3405 you must first add the NetBIOS name of the Samba server to the
3406 NT domain on the PDC using Server Manager for Domains. This creates
3407 the machine account in the domain (PDC) SAM. Note that you should
3408 add the Samba server as a "Windows NT Workstation or Server",
3411 > as a Primary or backup domain controller.</P
3413 >Assume you have a Samba-2 server with a NetBIOS name of
3417 > and are joining an NT domain called
3421 >, which has a PDC with a NetBIOS name
3425 > and two backup domain controllers
3426 with NetBIOS names <TT
3435 >In order to join the domain, first stop all Samba daemons
3436 and run the command:</P
3444 >smbpasswd -j DOM -r DOMPDC
3449 >as we are joining the domain DOM and the PDC for that domain
3450 (the only machine that has write access to the domain SAM database)
3451 is DOMPDC. If this is successful you will see the message:</P
3454 CLASS="COMPUTEROUTPUT"
3455 >smbpasswd: Joined domain DOM.</TT
3459 >in your terminal window. See the <A
3460 HREF="smbpasswd.8.html"
3463 > man page for more details.</P
3465 >There is existing development code to join a domain
3466 without having to create the machine trust account on the PDC
3467 beforehand. This code will hopefully be available soon
3468 in release branches as well.</P
3470 >This command goes through the machine account password
3471 change protocol, then writes the new (random) machine account
3472 password for this Samba server into a file in the same directory
3473 in which an smbpasswd file would be stored - normally :</P
3477 >/usr/local/samba/private</TT
3480 >In Samba 2.0.x, the filename looks like this:</P
3487 ><NT DOMAIN NAME></I
3501 > suffix stands for machine account
3502 password file. So in our example above, the file would be called:</P
3509 >In Samba 2.2, this file has been replaced with a TDB
3510 (Trivial Database) file named <TT
3516 >This file is created and owned by root and is not
3517 readable by any other user. It is the key to the domain-level
3518 security for your system, and should be treated as carefully
3519 as a shadow password file.</P
3521 >Now, before restarting the Samba daemons you must
3523 HREF="smb.conf.5.html"
3530 > file to tell Samba it should now use domain security.</P
3532 >Change (or add) your <A
3533 HREF="smb.conf.5.html#SECURITY"
3541 > line in the [global] section
3542 of your smb.conf to read:</P
3546 >security = domain</B
3550 HREF="smb.conf.5.html#WORKGROUP"
3558 > line in the [global] section to read: </P
3565 >as this is the name of the domain we are joining. </P
3567 >You must also have the parameter <A
3568 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
3573 >encrypt passwords</I
3580 > in order for your users to authenticate to the NT PDC.</P
3582 >Finally, add (or modify) a <A
3583 HREF="smb.conf.5.html#PASSWORDSERVER"
3588 >password server =</I
3591 > line in the [global]
3592 section to read: </P
3596 >password server = DOMPDC DOMBDC1 DOMBDC2</B
3599 >These are the primary and backup domain controllers Samba
3600 will attempt to contact in order to authenticate users. Samba will
3601 try to contact each of these servers in order, so you may want to
3602 rearrange this list in order to spread out the authentication load
3603 among domain controllers.</P
3605 >Alternatively, if you want smbd to automatically determine
3606 the list of Domain controllers to use for authentication, you may
3607 set this line to be :</P
3611 >password server = *</B
3614 >This method, which was introduced in Samba 2.0.6,
3615 allows Samba to use exactly the same mechanism that NT does. This
3616 method either broadcasts or uses a WINS database in order to
3617 find domain controllers to authenticate against.</P
3619 >Finally, restart your Samba daemons and get ready for
3620 clients to begin using domain security!</P
3628 >5.2. Samba and Windows 2000 Domains</A
3631 >Many people have asked regarding the state of Samba's ability to participate in
3632 a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
3633 2000 domain operating in mixed or native mode.</P
3635 >There is much confusion between the circumstances that require a "mixed" mode
3636 Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
3637 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
3638 domain. By default, a Win2k DC in "native" mode will still support
3639 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
3640 NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
3642 >The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
3643 for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
3644 the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
3645 Computers" MMC (Microsoft Management Console) plugin.</P
3653 >5.3. Why is this better than security = server?</A
3656 >Currently, domain security in Samba doesn't free you from
3657 having to create local Unix users to represent the users attaching
3658 to your server. This means that if domain user <TT
3662 > attaches to your domain security Samba server, there needs
3663 to be a local Unix user fred to represent that user in the Unix
3664 filesystem. This is very similar to the older Samba security mode
3666 HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
3668 >security = server</A
3670 where Samba would pass through the authentication request to a Windows
3671 NT server in the same way as a Windows 95 or Windows 98 server would.
3674 >Please refer to the <A
3679 > for information on a system to automatically
3680 assign UNIX uids and gids to Windows NT Domain users and groups.
3681 This code is available in development branches only at the moment,
3682 but will be moved to release branches soon.</P
3684 >The advantage to domain-level security is that the
3685 authentication in domain-level security is passed down the authenticated
3686 RPC channel in exactly the same way that an NT server would do it. This
3687 means Samba servers now participate in domain trust relationships in
3688 exactly the same way NT servers do (i.e., you can add Samba servers into
3689 a resource domain and have the authentication passed on from a resource
3690 domain PDC to an account domain PDC.</P
3692 >In addition, with <B
3694 >security = server</B
3696 daemon on a server has to keep a connection open to the
3697 authenticating server for as long as that daemon lasts. This can drain
3698 the connection resources on a Microsoft NT server and cause it to run
3699 out of available connections. With <B
3701 >security = domain</B
3703 however, the Samba daemons connect to the PDC/BDC only for as long
3704 as is necessary to authenticate the user, and then drop the connection,
3705 thus conserving PDC connection resources.</P
3707 >And finally, acting in the same manner as an NT server
3708 authenticating to a PDC means that as part of the authentication
3709 reply, the Samba server gets the user identification information such
3710 as the user SID, the list of NT groups the user belongs to, etc. All
3711 this information will allow Samba to be extended in the future into
3712 a mode the developers currently call appliance mode. In this mode,
3713 no local Unix users will be necessary, and Samba will generate Unix
3714 uids and gids from the information passed back from the PDC when a
3715 user is authenticated, making a Samba server truly plug and play
3716 in an NT domain environment. Watch for this code soon.</P
3720 > Much of the text of this document
3721 was first published in the Web magazine <A
3722 HREF="http://www.linuxworld.com"
3727 HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
3739 >Chapter 6. How to Configure Samba 2.2 as a Primary Domain Controller</A
3747 >6.1. Prerequisite Reading</A
3750 >Before you continue readingin this chapter, please make sure
3751 that you are comfortable with configuring basic files services
3752 in smb.conf and how to enable and administrate password
3753 encryption in Samba. Theses two topics are covered in the
3755 HREF="smb.conf.5.html"
3763 HREF="EMCRYPTION.html"
3765 >Encryption chapter</A
3767 of this HOWTO Collection.</P
3785 >Author's Note :</EM
3786 > This document is a combination
3787 of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ.
3788 Both documents are superceeded by this one.</P
3792 >Version of Samba prior to release 2.2 had marginal capabilities to
3793 act as a Windows NT 4.0 Primary Domain Controller (PDC). Beginning with
3794 Samba 2.2.0, we are proud to announce official support for Windows NT 4.0
3795 style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through
3796 SP1) clients. This article outlines the steps necessary for configuring Samba
3797 as a PDC. It is necessary to have a working Samba server prior to implementing the
3798 PDC functionality. If you have not followed the steps outlined in
3800 HREF="UNIX_INSTALL.html"
3802 > UNIX_INSTALL.html</A
3804 that your server is configured correctly before proceeding. Another good
3806 HREF="smb.conf.5.html"
3810 >. The following functionality should work in 2.2:</P
3816 > domain logons for Windows NT 4.0/2000 clients.
3821 > placing a Windows 9x client in user level security
3826 > retrieving a list of users and groups from a Samba PDC to
3827 Windows 9x/NT/2000 clients
3832 > roving (roaming) user profiles
3837 > Windows NT 4.0 style system policies
3853 >Windows 2000 Service Pack 2 Clients</B
3860 > Samba 2.2.1 is required for PDC functionality when using Windows 2000
3868 >The following pieces of functionality are not included in the 2.2 release:</P
3874 > Windows NT 4 domain trusts
3879 > SAM replication with Windows NT 4.0 Domain Controllers
3880 (i.e. a Samba PDC and a Windows NT BDC or vice versa)
3885 > Adding users via the User Manager for Domains
3890 > Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
3896 >Please note that Windows 9x clients are not true members of a domain
3897 for reasons outlined in this article. Therefore the protocol for
3898 support Windows 9x style domain logons is completely different
3899 from NT4 domain logons and has been officially supported for some
3902 >Implementing a Samba PDC can basically be divided into 2 broad
3910 > Configuring the Samba PDC
3915 > Creating machine trust accounts and joining clients
3921 >There are other minor details such as user profiles, system
3922 policies, etc... However, these are not necessarily specific
3923 to a Samba PDC as much as they are related to Windows NT networking
3924 concepts. They will be mentioned only briefly here.</P
3932 >6.3. Configuring the Samba Domain Controller</A
3935 >The first step in creating a working Samba PDC is to
3936 understand the parameters necessary in smb.conf. I will not
3937 attempt to re-explain the parameters here as they are more that
3938 adequately covered in <A
3939 HREF="smb.conf.5.html"
3943 >. For convenience, the parameters have been
3944 linked with the actual smb.conf description.</P
3946 >Here is an example smb.conf for acting as a PDC:</P
3955 CLASS="PROGRAMLISTING"
3957 ; Basic server settings
3959 HREF="smb.conf.5.html#NETBIOSNAME"
3969 HREF="smb.conf.5.html#WORKGROUP"
3979 ; we should act as the domain and local master browser
3981 HREF="smb.conf.5.html#OSLEVEL"
3986 HREF="smb.conf.5.html#PERFERREDMASTER"
3988 >preferred master</A
3991 HREF="smb.conf.5.html#DOMAINMASTER"
3996 HREF="smb.conf.5.html#LOCALMASTER"
4001 ; security settings (must user security = user)
4003 HREF="smb.conf.5.html#SECURITYEQUALSUSER"
4008 ; encrypted passwords are a requirement for a PDC
4010 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
4012 >encrypt passwords</A
4015 ; support domain logons
4017 HREF="smb.conf.5.html#DOMAINLOGONS"
4022 ; where to store user profiles?
4024 HREF="smb.conf.5.html#LOGONPATH"
4027 > = \\%N\profiles\%u
4029 ; where is a user's home directory and where should it
4032 HREF="smb.conf.5.html#LOGONDRIVE"
4037 HREF="smb.conf.5.html#LOGONHOME"
4042 ; specify a generic logon script for all users
4043 ; this is a relative **DOS** path to the [netlogon] share
4045 HREF="smb.conf.5.html#LOGONSCRIPT"
4050 ; necessary share for domain controller
4053 HREF="smb.conf.5.html#PATH"
4056 > = /usr/local/samba/lib/netlogon
4058 HREF="smb.conf.5.html#WRITEABLE"
4063 HREF="smb.conf.5.html#WRITELIST"
4073 ; share for storing user profiles
4076 HREF="smb.conf.5.html#PATH"
4079 > = /export/smb/ntprofile
4081 HREF="smb.conf.5.html#WRITEABLE"
4086 HREF="smb.conf.5.html#CREATEMASK"
4091 HREF="smb.conf.5.html#DIRECTORYMASK"
4100 >There are a couple of points to emphasize in the above configuration.</P
4106 > Encrypted passwords must be enabled. For more details on how
4107 to do this, refer to <A
4108 HREF="ENCRYPTION.html"
4116 > The server must support domain logons and a
4125 > The server must be the domain master browser in order for Windows
4126 client to locate the server as a DC. Please refer to the various
4127 Network Browsing documentation included with this distribution for
4133 >As Samba 2.2 does not offer a complete implementation of group mapping between
4134 Windows NT groups and UNIX groups (this is really quite complicated to explain
4135 in a short space), you should refer to the <A
4136 HREF="smb.conf.5.html#DOMAINADMINUSERS"
4141 HREF="smb.conf.5.html#DOMAINADMINGROUP"
4145 > smb.conf parameters for information of creating a Domain Admins
4154 >6.4. Creating Machine Trust Accounts and Joining Clients
4158 >A machine trust account is a samba user account owned by a computer.
4159 The account password acts as the shared secret for secure
4160 communication with the Domain Controller. This is a security feature
4161 to prevent an unauthorized machine with the same netbios name from
4162 joining the domain and gaining access to domain user/group accounts.
4163 Hence a Windows 9x host is never a true member of a domain because it does
4164 not posses a machine trust account, and thus has no shared secret with the DC.</P
4166 >On a Windows NT PDC, these machine trust account passwords are stored
4167 in the registry. A Samba PDC stores these accounts in the same location
4168 as user LanMan and NT password hashes (currently <TT
4172 However, machine trust accounts only possess and use the NT password hash.</P
4174 >Because Samba requires machine accounts to possess a UNIX uid from
4175 which an Windows NT SID can be generated, all of these accounts
4176 must have an entry in <TT
4180 Future releases will alleviate the need to create
4186 >There are two means of creating machine trust accounts.</P
4192 > Manual creation before joining the client to the domain. In this case,
4193 the password is set to a known value -- the lower case of the
4194 machine's netbios name.
4199 > Creation of the account at the time of joining the domain. In
4200 this case, the session key of the administrative account used to join
4201 the client to the domain acts as an encryption key for setting the
4202 password to a random value (This is the recommended method).
4212 >6.4.1. Manually creating machine trust accounts</A
4215 >The first step in creating a machine trust account by hand is to
4216 create an entry for the machine in /etc/passwd. This can be done
4220 > or any 'add userr' command which is normally
4221 used to create new UNIX accounts. The following is an example for a Linux
4222 based Samba server:</P
4227 >/usr/sbin/useradd -g 100 -d /dev/null -c <TT
4230 >machine_nickname</I
4232 > -m -s /bin/false <TT
4242 > entry will list the machine name
4243 with a $ appended, won't have a passwd, will have a null shell and no
4244 home directory. For example a machine called 'doppy' would have an
4248 > entry like this :</P
4257 CLASS="PROGRAMLISTING"
4258 >doppy$:x:505:501:<TT
4261 >machine_nickname</I
4263 >:/dev/null:/bin/false</PRE
4272 >machine_nickname</I
4274 > can be any descriptive name for the
4275 pc i.e. BasementComputer. The <TT
4280 > absolutely must be
4281 the netbios name of the pc to be added to the domain. The "$" must append the netbios
4282 name of the pc or samba will not recognize this as a machine account</P
4284 >Now that the UNIX account has been created, the next step is to create
4285 the smbpasswd entry for the machine containing the well known initial
4286 trust account password. This can be done using the <A
4287 HREF="smbpasswd.6.html"
4299 > smbpasswd -a -m <TT
4311 > is the machine's netbios
4325 >Join the client to the domain immediately</B
4332 > Manually creating a machine trust account using this method is the
4333 equivalent of creating a machine account on a Windows NT PDC using
4334 the "Server Manager". From the time at which the account is created
4335 to the time which th client joins the domain and changes the password,
4336 your domain is vulnerable to an intruder joining your domain using a
4337 a machine with the same netbios name. A PDC inherently trusts
4338 members of the domain and will serve out a large degree of user
4339 information to such clients. You have been warned!
4352 >6.4.2. Creating machine trust accounts "on the fly"</A
4355 >The second, and most recommended way of creating machine trust accounts
4356 is to create them as needed at the time the client is joined to
4357 the domain. You will need to include a value for the <A
4358 HREF="smb.conf.5.html#ADDUSERSCRIPT"
4362 parameter. Below is an example from a RedHat 6.2 Linux system.</P
4371 CLASS="PROGRAMLISTING"
4372 >add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
4378 >In Samba 2.2.1, <EM
4379 >only the root account</EM
4380 > can be used to create
4381 machine accounts like this. Therefore, it is required to create
4382 an entry in smbpasswd for <EM
4387 > be set to s different password that the
4391 > entry for security reasons.</P
4400 >6.5. Common Problems and Errors</A
4410 >I cannot include a '$' in a machine name.</EM
4414 > A 'machine name' in (typically) <TT
4418 of the machine name with a '$' appended. FreeBSD (and other BSD
4419 systems ?) won't create a user with a '$' in their name.
4422 > The problem is only in the program used to make the entry, once
4423 made, it works perfectly. So create a user without the '$' and
4427 > to edit the entry, adding the '$'. Or create
4428 the whole entry with vipw if you like, make sure you use a
4435 >I get told "You already have a connection to the Domain...."
4436 or "Cannot join domain, the credentials supplied conflict with an
4437 existing set.." when creating a machine account.</EM
4441 > This happens if you try to create a machine account from the
4442 machine itself and already have a connection (e.g. mapped drive)
4443 to a share (or IPC$) on the Samba PDC. The following command
4444 will remove all network drive connections:
4456 > Further, if the machine is a already a 'member of a workgroup' that
4457 is the same name as the domain you are joining (bad idea) you will
4458 get this message. Change the workgroup name to something else, it
4459 does not matter what, reboot, and try again.
4465 >The system can not log you on (C000019B)....</EM
4469 >I joined the domain successfully but after upgrading
4470 to a newer version of the Samba code I get the message, "The system
4471 can not log you on (C000019B), Please try a gain or consult your
4472 system administrator" when attempting to logon.
4475 > This occurs when the domain SID stored in
4478 >private/WORKGROUP.SID</TT
4480 changed. For example, you remove the file and <B
4484 creates a new one. Or you are swapping back and forth between
4485 versions 2.0.7, TNG and the HEAD branch code (not recommended). The
4486 only way to correct the problem is to restore the original domain
4487 SID or remove the domain client from the domain and rejoin.
4493 >The machine account for this computer either does not
4494 exist or is not accessible.</EM
4498 > When I try to join the domain I get the message "The machine account
4499 for this computer either does not exist or is not accessible". Whats
4503 > This problem is caused by the PDC not having a suitable machine account.
4504 If you are using the <TT
4510 accounts then this would indicate that it has not worked. Ensure the domain
4511 admin user system is working.
4514 > Alternatively if you are creating account entries manually then they
4515 have not been created correctly. Make sure that you have the entry
4516 correct for the machine account in smbpasswd file on the Samba PDC.
4517 If you added the account using an editor rather than using the smbpasswd
4518 utility, make sure that the account name is the machine netbios name
4519 with a '$' appended to it ( ie. computer_name$ ). There must be an entry
4520 in both /etc/passwd and the smbpasswd file. Some people have reported
4521 that inconsistent subnet masks between the Samba server and the NT
4522 client have caused this problem. Make sure that these are consistent
4523 for both client and server.
4529 >When I attempt to login to a Samba Domain from a NT4/W2K workstation,
4530 I get a message about my account being disabled.</EM
4534 > This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
4535 fixed in 2.2.1. Other symptoms could be unaccessible shares on
4536 NT/W2K member servers in the domain or the following error in your smbd.log:
4537 passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
4540 > At first be ensure to enable the useraccounts with <B
4544 >, this is normaly done, when you create an account.
4547 > In order to work around this problem in 2.2.0, configure the
4556 >/etc/pam.d/samba</TT
4567 CLASS="PROGRAMLISTING"
4568 > account required pam_permit.so
4575 > If you want to remain backward compatibility to samba 2.0.x use
4579 >, it's also possible to use
4583 >. There are some bugs if you try to
4587 >, if you need this, be ensure to use
4588 the most recent version of this file.
4599 >6.6. System Policies and Profiles</A
4602 >Much of the information necessary to implement System Policies and
4603 Roving User Profiles in a Samba domain is the same as that for
4604 implementing these same items in a Windows NT 4.0 domain.
4605 You should read the white paper <A
4606 HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
4609 Profiles and Policies in Windows NT 4.0</A
4610 > available from Microsoft.</P
4612 >Here are some additional details:</P
4619 >What about Windows NT Policy Editor ?</EM
4623 > To create or edit <TT
4627 the NT Server Policy Editor, <B
4631 is included with NT Server but <EM
4632 >not NT Workstation</EM
4634 There is a Policy Editor on a NTws
4635 but it is not suitable for creating <EM
4636 >Domain Policies</EM
4638 Further, although the Windows 95
4639 Policy Editor can be installed on an NT Workstation/Server, it will not
4640 work with NT policies because the registry key that are set by the policy templates.
4641 However, the files from the NT Server will run happily enough on an NTws.
4644 >poledit.exe, common.adm</TT
4649 to put the two *.adm files in <TT
4653 the binary will look for them unless told otherwise. Note also that that
4654 directory is 'hidden'.
4657 > The Windows NT policy editor is also included with the Service Pack 3 (and
4658 later) for Windows NT 4.0. Extract the files using <B
4660 >servicepackname /x</B
4665 > for service pack 6a. The policy editor,
4669 > and the associated template files (*.adm) should
4670 be extracted as well. It is also possible to downloaded the policy template
4671 files for Office97 and get a copy of the policy editor. Another possible
4672 location is with the Zero Administration Kit available for download from Microsoft.
4678 >Can Win95 do Policies ?</EM
4682 > Install the group policy handler for Win9x to pick up group
4683 policies. Look on the Win98 CD in <TT
4685 >\tools\reskit\netadmin\poledit</TT
4687 Install group policies on a Win9x client by double-clicking
4691 >. Log off and on again a couple of
4692 times and see if Win98 picks up group policies. Unfortunately this needs
4693 to be done on every Win9x machine that uses group policies....
4696 > If group policies don't work one reports suggests getting the updated
4697 (read: working) grouppol.dll for Windows 9x. The group list is grabbed
4704 >How do I get 'User Manager' and 'Server Manager'</EM
4708 > Since I don't need to buy an NT Server CD now, how do I get
4709 the 'User Manager for Domains', the 'Server Manager' ?
4712 > Microsoft distributes a version of these tools called nexus for
4713 installation on Windows 95 systems. The tools set includes
4724 >User Manager for Domains</P
4732 > Click here to download the archived file <A
4733 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
4735 >ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
4739 > The Windows NT 4.0 version of the 'User Manager for
4740 Domains' and 'Server Manager' are available from Microsoft via ftp
4742 HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
4744 >ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
4756 >6.7. What other help can I get ?</A
4759 >There are many sources of information available in the form
4760 of mailing lists, RFC's and documentation. The docs that come
4761 with the samba distribution contain very good explanations of
4762 general SMB topics such as browsing.</P
4769 >What are some diagnostics tools I can use to debug the domain logon
4770 process and where can I find them?</EM
4774 > One of the best diagnostic tools for debugging problems is Samba itself.
4775 You can use the -d option for both smbd and nmbd to specifiy what
4776 'debug level' at which to run. See the man pages on smbd, nmbd and
4777 smb.conf for more information on debugging options. The debug
4778 level can range from 1 (the default) to 10 (100 for debugging passwords).
4781 > Another helpful method of debugging is to compile samba using the
4785 > flag. This will include debug
4786 information in the binaries and allow you to attach gdb to the
4787 running smbd / nmbd process. In order to attach gdb to an smbd
4788 process for an NT workstation, first get the workstation to make the
4789 connection. Pressing ctrl-alt-delete and going down to the domain box
4790 is sufficient (at least, on the first time you join the domain) to
4791 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
4792 maintains an open connection, and therefore there will be an smbd
4793 process running (assuming that you haven't set a really short smbd
4794 idle timeout) So, in between pressing ctrl alt delete, and actually
4795 typing in your password, you can gdb attach and continue.
4798 > Some useful samba commands worth investigating:
4805 >testparam | more</P
4809 >smbclient -L //{netbios name of server}</P
4813 > An SMB enabled version of tcpdump is available from
4815 HREF="http://www.tcpdump.org/"
4817 >http://www.tcpdup.org/</A
4819 Ethereal, another good packet sniffer for UNIX and Win32
4820 hosts, can be downloaded from <A
4821 HREF="http://www.ethereal.com/"
4823 >http://www.ethereal.com</A
4827 > For tracing things on the Microsoft Windows NT, Network Monitor
4828 (aka. netmon) is available on the Microsoft Developer Network CD's,
4829 the Windows NT Server install CD and the SMS CD's. The version of
4830 netmon that ships with SMS allows for dumping packets between any two
4831 computers (ie. placing the network interface in promiscuous mode).
4832 The version on the NT Server install CD will only allow monitoring
4833 of network traffic directed to the local NT box and broadcasts on the
4834 local subnet. Be aware that Ethereal can read and write netmon
4841 >How do I install 'Network Monitor' on an NT Workstation
4842 or a Windows 9x box?</EM
4846 > Installing netmon on an NT workstation requires a couple
4847 of steps. The following are for installing Netmon V4.00.349, which comes
4848 with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
4849 Workstation 4.0. The process should be similar for other version of
4850 Windows NT / Netmon. You will need both the Microsoft Windows
4851 NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
4854 > Initially you will need to install 'Network Monitor Tools and Agent'
4855 on the NT Server. To do this
4862 >Goto Start - Settings - Control Panel -
4863 Network - Services - Add </P
4867 >Select the 'Network Monitor Tools and Agent' and
4872 >Click 'OK' on the Network Control Panel.
4877 >Insert the Windows NT Server 4.0 install CD
4882 > At this point the Netmon files should exist in
4885 >%SYSTEMROOT%\System32\netmon\*.*</TT
4887 Two subdirectories exist as well, <TT
4891 which contains the necessary DLL's for parsing the netmon packet
4898 > In order to install the Netmon tools on an NT Workstation, you will
4899 first need to install the 'Network Monitor Agent' from the Workstation
4907 >Goto Start - Settings - Control Panel -
4908 Network - Services - Add</P
4912 >Select the 'Network Monitor Agent' and click
4917 >Click 'OK' on the Network Control Panel.
4922 >Insert the Windows NT Workstation 4.0 install
4923 CD when prompted.</P
4927 > Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
4928 to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
4929 permissions as you deem appropriate for your site. You will need
4930 administrative rights on the NT box to run netmon.
4933 > To install Netmon on a Windows 9x box install the network monitor agent
4934 from the Windows 9x CD (\admin\nettools\netmon). There is a readme
4935 file located with the netmon driver files on the CD if you need
4936 information on how to do this. Copy the files from a working
4937 Netmon installation.
4942 > The following is a list if helpful URLs and other links:
4949 >Home of Samba site <A
4950 HREF="http://samba.org"
4952 > http://samba.org</A
4953 >. We have a mirror near you !</P
4960 on the Samba mirrors might mention your problem. If so,
4961 it might mean that the developers are working on it.</P
4965 >See how Scott Merrill simulates a BDC behavior at
4967 HREF="http://www.skippy.net/linux/smb-howto.html"
4969 > http://www.skippy.net/linux/smb-howto.html</A
4974 >Although 2.0.7 has almost had its day as a PDC, David Bannon will
4975 keep the 2.0.7 PDC pages at <A
4976 HREF="http://bioserve.latrobe.edu.au/samba"
4978 > http://bioserve.latrobe.edu.au/samba</A
4979 > going for a while yet.</P
4983 >Misc links to CIFS information
4985 HREF="http://samba.org/cifs/"
4987 >http://samba.org/cifs/</A
4992 >NT Domains for Unix <A
4993 HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
4995 > http://mailhost.cb1.com/~lkcl/ntdom/</A
5000 >FTP site for older SMB specs:
5002 HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
5004 > ftp://ftp.microsoft.com/developr/drg/CIFS/</A
5016 >How do I get help from the mailing lists ?</EM
5020 > There are a number of Samba related mailing lists. Go to <A
5021 HREF="http://samba.org"
5023 >http://samba.org</A
5024 >, click on your nearest mirror
5025 and then click on <B
5028 > and then click on <B
5030 > Samba related mailing lists</B
5034 > For questions relating to Samba TNG go to
5036 HREF="http://www.samba-tng.org/"
5038 >http://www.samba-tng.org/</A
5040 It has been requested that you don't post questions about Samba-TNG to the
5041 main stream Samba lists.</P
5043 > If you post a message to one of the lists please observe the following guide lines :
5050 > Always remember that the developers are volunteers, they are
5051 not paid and they never guarantee to produce a particular feature at
5052 a particular time. Any time lines are 'best guess' and nothing more.
5057 > Always mention what version of samba you are using and what
5058 operating system its running under. You should probably list the
5059 relevant sections of your smb.conf file, at least the options
5060 in [global] that affect PDC support.</P
5064 >In addition to the version, if you obtained Samba via
5065 CVS mention the date when you last checked it out.</P
5069 > Try and make your question clear and brief, lots of long,
5070 convoluted questions get deleted before they are completely read !
5071 Don't post html encoded messages (if you can select colour or font
5076 > If you run one of those nifty 'I'm on holidays' things when
5077 you are away, make sure its configured to not answer mailing lists.
5082 > Don't cross post. Work out which is the best list to post to
5083 and see what happens, ie don't post to both samba-ntdom and samba-technical.
5084 Many people active on the lists subscribe to more
5085 than one list and get annoyed to see the same message two or more times.
5086 Often someone will see a message and thinking it would be better dealt
5087 with on another, will forward it on for you.</P
5091 >You might include <EM
5094 log files written at a debug level set to as much as 20.
5095 Please don't send the entire log but enough to give the context of the
5100 >(Possibly) If you have a complete netmon trace ( from the opening of
5101 the pipe to the error ) you can send the *.CAP file as well.</P
5105 >Please think carefully before attaching a document to an email.
5106 Consider pasting the relevant parts into the body of the message. The samba
5107 mailing lists go to a huge number of people, do they all need a copy of your
5108 smb.conf in their attach directory ?</P
5115 >How do I get off the mailing lists ?</EM
5119 >To have your name removed from a samba mailing list, go to the
5120 same place you went to to get on it. Go to <A
5121 HREF="http://lists.samba.org/"
5123 >http://lists.samba.org</A
5125 click on your nearest mirror and then click on <B
5131 > Samba related mailing lists</B
5134 HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
5140 > Please don't post messages to the list asking to be removed, you will just
5141 be referred to the above address (unless that process failed in some way...)
5152 >6.8. Domain Control for Windows 9x/ME</A
5161 >The following section contains much of the original
5162 DOMAIN.txt file previously included with Samba. Much of
5163 the material is based on what went into the book Special
5164 Edition, Using Samba. (Richard Sharpe)</P
5168 >A domain and a workgroup are exactly the same thing in terms of network
5169 browsing. The difference is that a distributable authentication
5170 database is associated with a domain, for secure login access to a
5171 network. Also, different access rights can be granted to users if they
5172 successfully authenticate against a domain logon server (NT server and
5173 other systems based on NT server support this, as does at least Samba TNG now).</P
5175 >The SMB client logging on to a domain has an expectation that every other
5176 server in the domain should accept the same authentication information.
5177 Network browsing functionality of domains and workgroups is
5178 identical and is explained in BROWSING.txt. It should be noted, that browsing
5179 is total orthogonal to logon support.</P
5181 >Issues related to the single-logon network model are discussed in this
5182 document. Samba supports domain logons, network logon scripts, and user
5183 profiles for MS Windows for workgroups and MS Windows 9X clients.</P
5185 >When an SMB client in a domain wishes to logon it broadcast requests for a
5186 logon server. The first one to reply gets the job, and validates its
5187 password using whatever mechanism the Samba administrator has installed.
5188 It is possible (but very stupid) to create a domain where the user
5189 database is not shared between servers, ie they are effectively workgroup
5190 servers advertising themselves as participating in a domain. This
5191 demonstrates how authentication is quite different from but closely
5192 involved with domains.</P
5194 >Another thing commonly associated with single-logon domains is remote
5195 administration over the SMB protocol. Again, there is no reason why this
5196 cannot be implemented with an underlying username database which is
5197 different from the Windows NT SAM. Support for the Remote Administration
5198 Protocol is planned for a future release of Samba.</P
5200 >Network logon support as discussed in this section is aimed at Window for
5201 Workgroups, and Windows 9X clients. </P
5203 >Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
5204 It is possible to specify: the profile location; script file to be loaded
5205 on login; the user's home directory; and for NT a kick-off time could also
5206 now easily be supported. However, there are some differences between Win9X
5207 profile support and WinNT profile support. These are discussed below.</P
5209 >With NT Workstations, all this does not require the use or intervention of
5210 an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
5211 provided by an NT server, to a limited and experimental degree (for example,
5212 running "User Manager for Domains" will not provide you with access to
5213 a domain created by a Samba Server).</P
5215 >With Win95, the help of an NT server can be enlisted, both for profile storage
5216 and for user authentication. For details on user authentication, see
5217 security_level.txt. For details on profile storage, see below.</P
5219 >Using these features you can make your clients verify their logon via
5220 the Samba server; make clients run a batch file when they logon to
5221 the network and download their preferences, desktop and start menu.</P
5223 >Before launching into the configuration instructions, it is worthwhile looking
5224 at how a Win9X client performs a logon:</P
5231 > The client broadcasts (to the IP broadcast address of the subnet it is in)
5232 a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the
5233 NetBIOS layer. The client chooses the first response it receives, which
5234 contains the NetBIOS name of the logon server to use in the format of
5240 > The client then connects to that server, logs on (does an SMBsessetupX) and
5241 then connects to the IPC$ share (using an SMBtconX).
5246 > The client then does a NetWkstaUserLogon request, which retrieves the name
5247 of the user's logon script.
5252 > The client then connects to the NetLogon share and searches for this
5253 and if it is found and can be read, is retrieved and executed by the client.
5254 After this, the client disconnects from the NetLogon share.
5259 > The client then sends a NetUserGetInfo request to the server, to retrieve
5260 the user's home share, which is used to search for profiles. Since the
5261 response to the NetUserGetInfo request does not contain much more
5262 the user's home share, profiles for Win9X clients MUST reside in the user
5268 > The client then connects to the user's home share and searches for the
5269 user's profile. As it turns out, you can specify the users home share as
5270 a sharename and path. For example, \\server\fred\.profile.
5271 If the profiles are found, they are implemented.
5276 > The client then disconnects from the user's home share, and reconnects to
5277 the NetLogon share and looks for CONFIG.POL, the policies file. If this is
5278 found, it is read and implemented.
5288 >6.8.1. Configuration Instructions: Network Logons</A
5291 >To use domain logons and profiles you need to do the following:</P
5298 > Create a share called [netlogon] in your smb.conf. This share should
5299 be readable by all users, and probably should not be writeable. This
5300 share will hold your network logon scripts, and the CONFIG.POL file
5301 (Note: for details on the CONFIG.POL file, how to use it, what it is,
5302 refer to the Microsoft Windows NT Administration documentation.
5303 The format of these files is not known, so you will need to use
5307 > For example I have used:
5317 CLASS="PROGRAMLISTING"
5319 path = /data/dos/netlogon
5327 > Note that it is important that this share is not writeable by ordinary
5328 users, in a secure environment: ordinary users should not be allowed
5329 to modify or add files that another user's computer would then download
5335 > in the [global] section of smb.conf set the following:
5345 CLASS="PROGRAMLISTING"
5346 >domain logons = yes
5347 logon script = %U.bat
5354 > The choice of batch file is, of course, up to you. The above would
5355 give each user a separate batch file as the %U will be changed to
5356 their username automatically. The other standard % macros may also be
5357 used. You can make the batch files come from a subdirectory by using
5368 CLASS="PROGRAMLISTING"
5369 >logon script = scripts\%U.bat
5378 > create the batch files to be run when the user logs in. If the batch
5379 file doesn't exist then no batch file will be run.
5382 > In the batch files you need to be careful to use DOS style cr/lf line
5383 endings. If you don't then DOS may get confused. I suggest you use a
5384 DOS editor to remotely edit the files if you don't know how to produce
5385 DOS style files under unix.
5390 > Use smbclient with the -U option for some users to make sure that
5391 the \\server\NETLOGON share is available, the batch files are
5392 visible and they are readable by the users.
5397 > you will probabaly find that your clients automatically mount the
5398 \\SERVER\NETLOGON share as drive z: while logging in. You can put
5399 some useful programs there to execute from the batch files.
5415 >security mode and master browsers</B
5422 >There are a few comments to make in order to tie up some
5423 loose ends. There has been much debate over the issue of whether
5424 or not it is ok to configure Samba as a Domain Controller in security
5425 modes other than <TT
5428 >. The only security mode
5429 which will not work due to technical reasons is <TT
5440 mode security is really just a variation on SMB user level security.</P
5442 >Actually, this issue is also closer tied to the debate on whether
5443 or not Samba must be the domain master browser for its workgroup
5444 when operating as a DC. While it may technically be possible
5445 to configure a server as such (after all, browsing and domain logons
5446 are two distinctly different functions), it is not a good idea to
5447 so. You should remember that the DC must register the DOMAIN#1b netbios
5448 name. This is the name used by Windows clients to locate the DC.
5449 Windows clients do not distinguish between the DC and the DMB.
5450 For this reason, it is very wise to configure the Samba DC as the DMB.</P
5452 >Now back to the issue of configuring a Samba DC to use a mode other
5453 than "security = user". If a Samba host is configured to use
5454 another SMB server or DC in order to validate user connection
5455 requests, then it is a fact that some other machine on the network
5456 (the "password server") knows more about user than the Samba host.
5457 99% of the time, this other host is a domain controller. Now
5458 in order to operate in domain mode security, the "workgroup" parameter
5459 must be set to the name of the Windows NT domain (which already
5460 has a domain controller, right?)</P
5462 >Therefore configuring a Samba box as a DC for a domain that
5463 already by definition has a PDC is asking for trouble.
5464 Therefore, you should always configure the Samba DC to be the DMB
5477 >6.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
5500 > Roaming profiles support is different
5501 for Win9X and WinNT.</P
5507 >Before discussing how to configure roaming profiles, it is useful to see how
5508 Win9X and WinNT clients implement these features.</P
5510 >Win9X clients send a NetUserGetInfo request to the server to get the user's
5511 profiles location. However, the response does not have room for a separate
5512 profiles location field, only the users home share. This means that Win9X
5513 profiles are restricted to being in the user's home directory.</P
5515 >WinNT clients send a NetSAMLogon RPC request, which contains many fields,
5516 including a separate field for the location of the user's profiles.
5517 This means that support for profiles is different for Win9X and WinNT.</P
5524 >6.8.2.1. Windows NT Configuration</A
5527 >To support WinNT clients, inn the [global] section of smb.conf set the
5528 following (for example):</P
5537 CLASS="PROGRAMLISTING"
5538 >logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
5544 >The default for this option is \\%N\%U\profile, namely
5545 \\sambaserver\username\profile. The \\N%\%U service is created
5546 automatically by the [homes] service.
5547 If you are using a samba server for the profiles, you _must_ make the
5548 share specified in the logon path browseable. </P
5556 >[lkcl 26aug96 - we have discovered a problem where Windows clients can
5557 maintain a connection to the [homes] share in between logins. The
5558 [homes] share must NOT therefore be used in a profile path.]</P
5568 >6.8.2.2. Windows 9X Configuration</A
5571 >To support Win9X clients, you must use the "logon home" parameter. Samba has
5572 now been fixed so that "net use/home" now works as well, and it, too, relies
5573 on the "logon home" parameter.</P
5575 >By using the logon home parameter, you are restricted to putting Win9X
5576 profiles in the user's home directory. But wait! There is a trick you
5577 can use. If you set the following in the [global] section of your
5587 CLASS="PROGRAMLISTING"
5588 >logon home = \\%L\%U\.profiles</PRE
5594 >then your Win9X clients will dutifully put their clients in a subdirectory
5595 of your home directory called .profiles (thus making them hidden).</P
5597 >Not only that, but 'net use/home' will also work, because of a feature in
5598 Win9X. It removes any directory stuff off the end of the home directory area
5599 and only uses the server and share portion. That is, it looks like you
5600 specified \\%L\%U for "logon home".</P
5608 >6.8.2.3. Win9X and WinNT Configuration</A
5611 >You can support profiles for both Win9X and WinNT clients by setting both the
5612 "logon home" and "logon path" parameters. For example:</P
5621 CLASS="PROGRAMLISTING"
5622 >logon home = \\%L\%U\.profiles
5623 logon path = \\%L\profiles\%U</PRE
5635 >I have not checked what 'net use /home' does on NT when "logon home" is
5646 >6.8.2.4. Windows 9X Profile Setup</A
5649 >When a user first logs in on Windows 9X, the file user.DAT is created,
5650 as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
5651 These directories and their contents will be merged with the local
5652 versions stored in c:\windows\profiles\username on subsequent logins,
5653 taking the most recent from each. You will need to use the [global]
5654 options "preserve case = yes", "short case preserve = yes" and
5655 "case sensitive = no" in order to maintain capital letters in shortcuts
5656 in any of the profile folders.</P
5658 >The user.DAT file contains all the user's preferences. If you wish to
5659 enforce a set of preferences, rename their user.DAT file to user.MAN,
5660 and deny them write access to this file.</P
5667 > On the Windows 95 machine, go to Control Panel | Passwords and
5668 select the User Profiles tab. Select the required level of
5669 roaming preferences. Press OK, but do _not_ allow the computer
5675 > On the Windows 95 machine, go to Control Panel | Network |
5676 Client for Microsoft Networks | Preferences. Select 'Log on to
5677 NT Domain'. Then, ensure that the Primary Logon is 'Client for
5678 Microsoft Networks'. Press OK, and this time allow the computer
5684 >Under Windows 95, Profiles are downloaded from the Primary Logon.
5685 If you have the Primary Logon as 'Client for Novell Networks', then
5686 the profiles and logon script will be downloaded from your Novell
5687 Server. If you have the Primary Logon as 'Windows Logon', then the
5688 profiles will be loaded from the local machine - a bit against the
5689 concept of roaming profiles, if you ask me.</P
5691 >You will now find that the Microsoft Networks Login box contains
5692 [user, password, domain] instead of just [user, password]. Type in
5693 the samba server's domain name (or any other domain known to exist,
5694 but bear in mind that the user will be authenticated against this
5695 domain and profiles downloaded from it, if that domain logon server
5696 supports it), user name and user's password.</P
5698 >Once the user has been successfully validated, the Windows 95 machine
5699 will inform you that 'The user has not logged on before' and asks you
5700 if you wish to save the user's preferences? Select 'yes'.</P
5702 >Once the Windows 95 client comes up with the desktop, you should be able
5703 to examine the contents of the directory specified in the "logon path"
5704 on the samba server and verify that the "Desktop", "Start Menu",
5705 "Programs" and "Nethood" folders have been created.</P
5707 >These folders will be cached locally on the client, and updated when
5708 the user logs off (if you haven't made them read-only by then :-).
5709 You will find that if the user creates further folders or short-cuts,
5710 that the client will merge the profile contents downloaded with the
5711 contents of the profile directory already on the local client, taking
5712 the newest folders and short-cuts from each set.</P
5714 >If you have made the folders / files read-only on the samba server,
5715 then you will get errors from the w95 machine on logon and logout, as
5716 it attempts to merge the local and the remote profile. Basically, if
5717 you have any errors reported by the w95 machine, check the unix file
5718 permissions and ownership rights on the profile directory contents,
5719 on the samba server.</P
5721 >If you have problems creating user profiles, you can reset the user's
5722 local desktop cache, as shown below. When this user then next logs in,
5723 they will be told that they are logging in "for the first time".</P
5730 > instead of logging in under the [user, password, domain] dialog,
5736 > run the regedit.exe program, and look in:
5739 > HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
5742 > you will find an entry, for each user, of ProfilePath. Note the
5743 contents of this key (likely to be c:\windows\profiles\username),
5744 then delete the key ProfilePath for the required user.
5747 > [Exit the registry editor].
5754 > - before deleting the contents of the
5756 the ProfilePath (this is likely to be c:\windows\profiles\username),
5757 ask them if they have any important files stored on their desktop
5758 or in their start menu. delete the contents of the directory
5759 ProfilePath (making a backup if any of the files are needed).
5762 > This will have the effect of removing the local (read-only hidden
5763 system file) user.DAT in their profile directory, as well as the
5764 local "desktop", "nethood", "start menu" and "programs" folders.
5769 > search for the user's .PWL password-cacheing file in the c:\windows
5770 directory, and delete it.
5775 > log off the windows 95 client.
5780 > check the contents of the profile path (see "logon path" described
5781 above), and delete the user.DAT or user.MAN file for the user,
5782 making a backup if required.
5787 >If all else fails, increase samba's debug log levels to between 3 and 10,
5788 and / or run a packet trace program such as tcpdump or netmon.exe, and
5789 look for any error reports.</P
5791 >If you have access to an NT server, then first set up roaming profiles
5792 and / or netlogons on the NT server. Make a packet trace, or examine
5793 the example packet traces provided with NT server, and see what the
5794 differences are with the equivalent samba trace.</P
5802 >6.8.2.5. Windows NT Workstation 4.0</A
5805 >When a user first logs in to a Windows NT Workstation, the profile
5806 NTuser.DAT is created. The profile location can be now specified
5807 through the "logon path" parameter. </P
5815 >[lkcl 10aug97 - i tried setting the path to
5816 \\samba-server\homes\profile, and discovered that this fails because
5817 a background process maintains the connection to the [homes] share
5818 which does _not_ close down in between user logins. you have to
5819 have \\samba-server\%L\profile, where user is the username created
5820 from the [homes] share].</P
5824 >There is a parameter that is now available for use with NT Profiles:
5825 "logon drive". This should be set to "h:" or any other drive, and
5826 should be used in conjunction with the new "logon home" parameter.</P
5828 >The entry for the NT 4.0 profile is a _directory_ not a file. The NT
5829 help on profiles mentions that a directory is also created with a .PDS
5830 extension. The user, while logging in, must have write permission to
5831 create the full profile path (and the folder with the .PDS extension)
5832 [lkcl 10aug97 - i found that the creation of the .PDS directory failed,
5833 and had to create these manually for each user, with a shell script.
5834 also, i presume, but have not tested, that the full profile path must
5835 be browseable just as it is for w95, due to the manner in which they
5836 attempt to create the full profile path: test existence of each path
5837 component; create path component].</P
5839 >In the profile directory, NT creates more folders than 95. It creates
5840 "Application Data" and others, as well as "Desktop", "Nethood",
5841 "Start Menu" and "Programs". The profile itself is stored in a file
5842 NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
5843 its purpose is currently unknown.</P
5845 >You can use the System Control Panel to copy a local profile onto
5846 a samba server (see NT Help on profiles: it is also capable of firing
5847 up the correct location in the System Control Panel for you). The
5848 NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
5849 turns a profile into a mandatory one.</P
5857 >[lkcl 10aug97 - i notice that NT Workstation tells me that it is
5858 downloading a profile from a slow link. whether this is actually the
5859 case, or whether there is some configuration issue, as yet unknown,
5860 that makes NT Workstation _think_ that the link is a slow one is a
5861 matter to be resolved].</P
5863 >[lkcl 20aug97 - after samba digest correspondance, one user found, and
5864 another confirmed, that profiles cannot be loaded from a samba server
5865 unless "security = user" and "encrypt passwords = yes" (see the file
5866 ENCRYPTION.txt) or "security = server" and "password server = ip.address.
5867 of.yourNTserver" are used. either of these options will allow the NT
5868 workstation to access the samba server using LAN manager encrypted
5869 passwords, without the user intervention normally required by NT
5870 workstation for clear-text passwords].</P
5872 >[lkcl 25aug97 - more comments received about NT profiles: the case of
5873 the profile _matters_. the file _must_ be called NTuser.DAT or, for
5874 a mandatory profile, NTuser.MAN].</P
5884 >6.8.2.6. Windows NT Server</A
5887 >There is nothing to stop you specifying any path that you like for the
5888 location of users' profiles. Therefore, you could specify that the
5889 profile be stored on a samba server, or any other SMB server, as long as
5890 that SMB server supports encrypted passwords.</P
5898 >6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
5912 >Potentially outdated or incorrect material follows</B
5919 >I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
5925 >The default logon path is \\%N\U%. NT Workstation will attempt to create
5926 a directory "\\samba-server\username.PDS" if you specify the logon path
5927 as "\\samba-server\username" with the NT User Manager. Therefore, you
5928 will need to specify (for example) "\\samba-server\username\profile".
5929 NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
5930 is more likely to succeed.</P
5932 >If you then want to share the same Start Menu / Desktop with W95, you will
5933 need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
5934 this has its drawbacks: i created a shortcut to telnet.exe, which attempts
5935 to run from the c:\winnt\system32 directory. this directory is obviously
5936 unlikely to exist on a Win95-only host].</P
5938 > If you have this set up correctly, you will find separate user.DAT and
5939 NTuser.DAT files in the same profile directory.</P
5947 >[lkcl 25aug97 - there are some issues to resolve with downloading of
5948 NT profiles, probably to do with time/date stamps. i have found that
5949 NTuser.DAT is never updated on the workstation after the first time that
5950 it is copied to the local workstation profile directory. this is in
5951 contrast to w95, where it _does_ transfer / update profiles correctly].</P
5963 >6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
5977 >Possibly Outdated Material</B
5984 > This appendix was originally authored by John H Terpstra of
5985 the Samba Team and is included here for posterity.
5995 The term "Domain Controller" and those related to it refer to one specific
5996 method of authentication that can underly an SMB domain. Domain Controllers
5997 prior to Windows NT Server 3.1 were sold by various companies and based on
5998 private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
5999 Microsoft-specific ways of distributing the user authentication database.
6000 See DOMAIN.txt for examples of how Samba can participate in or create
6001 SMB domains based on shared authentication database schemes other than the
6004 >Windows NT Server can be installed as either a plain file and print server
6005 (WORKGROUP workstation or server) or as a server that participates in Domain
6006 Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
6007 The same is true for OS/2 Warp Server, Digital Pathworks and other similar
6008 products, all of which can participate in Domain Control along with Windows NT.</P
6010 >To many people these terms can be confusing, so let's try to clear the air.</P
6012 >Every Windows NT system (workstation or server) has a registry database.
6013 The registry contains entries that describe the initialization information
6014 for all services (the equivalent of Unix Daemons) that run within the Windows
6015 NT environment. The registry also contains entries that tell application
6016 software where to find dynamically loadable libraries that they depend upon.
6017 In fact, the registry contains entries that describes everything that anything
6018 may need to know to interact with the rest of the system.</P
6020 >The registry files can be located on any Windows NT machine by opening a
6021 command prompt and typing:</P
6026 > dir %SystemRoot%\System32\config</P
6028 >The environment variable %SystemRoot% value can be obtained by typing:</P
6033 >echo %SystemRoot%</P
6035 >The active parts of the registry that you may want to be familiar with are
6036 the files called: default, system, software, sam and security.</P
6038 >In a domain environment, Microsoft Windows NT domain controllers participate
6039 in replication of the SAM and SECURITY files so that all controllers within
6040 the domain have an exactly identical copy of each.</P
6042 >The Microsoft Windows NT system is structured within a security model that
6043 says that all applications and services must authenticate themselves before
6044 they can obtain permission from the security manager to do what they set out
6047 >The Windows NT User database also resides within the registry. This part of
6048 the registry contains the user's security identifier, home directory, group
6049 memberships, desktop profile, and so on.</P
6051 >Every Windows NT system (workstation as well as server) will have its own
6052 registry. Windows NT Servers that participate in Domain Security control
6053 have a database that they share in common - thus they do NOT own an
6054 independent full registry database of their own, as do Workstations and
6057 >The User database is called the SAM (Security Access Manager) database and
6058 is used for all user authentication as well as for authentication of inter-
6059 process authentication (ie: to ensure that the service action a user has
6060 requested is permitted within the limits of that user's privileges).</P
6062 >The Samba team have produced a utility that can dump the Windows NT SAM into
6063 smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
6064 /pub/samba/pwdump on your nearest Samba mirror for the utility. This
6065 facility is useful but cannot be easily used to implement SAM replication
6066 to Samba systems.</P
6068 >Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
6069 can participate in a Domain security system that is controlled by Windows NT
6070 servers that have been correctly configured. At most every domain will have
6071 ONE Primary Domain Controller (PDC). It is desirable that each domain will
6072 have at least one Backup Domain Controller (BDC).</P
6074 >The PDC and BDCs then participate in replication of the SAM database so that
6075 each Domain Controlling participant will have an up to date SAM component
6076 within its registry.</P
6084 >Chapter 7. Unifed Logons between Windows NT and UNIX using Winbind</A
6095 >Integration of UNIX and Microsoft Windows NT through
6096 a unified logon has been considered a "holy grail" in heterogeneous
6097 computing environments for a long time. We present <EM
6100 >, a component of the Samba suite of programs as a
6101 solution to the unied logon problem. Winbind uses a UNIX implementation
6102 of Microsoft RPC calls, Pluggable Authentication Modules, and the Name
6103 Service Switch to allow Windows NT domain users to appear and operate
6104 as UNIX users on a UNIX machine. This paper describes the winbind
6105 system, explaining the functionality it provides, how it is configured,
6106 and how it works internally.</P
6114 >7.2. Introduction</A
6117 >It is well known that UNIX and Microsoft Windows NT have
6118 different models for representing user and group information and
6119 use different technologies for implementing them. This fact has
6120 made it difficult to integrate the two systems in a satisfactory
6123 >One common solution in use today has been to create
6124 identically named user accounts on both the UNIX and Windows systems
6125 and use the Samba suite of programs to provide file and print services
6126 between the two. This solution is far from perfect however, as
6127 adding and deleting users on both sets of machines becomes a chore
6128 and two sets of passwords are required both of which which
6129 can lead to synchronization problems between the UNIX and Windows
6130 systems and confusion for users.</P
6132 >We divide the unifed logon problem for UNIX machines into
6133 three smaller problems:</P
6139 >Obtaining Windows NT user and group information
6144 >Authenticating Windows NT users
6149 >Password changing for Windows NT users
6154 >Ideally, a prospective solution to the unified logon problem
6155 would satisfy all the above components without duplication of
6156 information on the UNIX machines and without creating additional
6157 tasks for the system administrator when maintaining users and
6158 groups on either system. The winbind system provides a simple
6159 and elegant solution to all three components of the unifed logon
6168 >7.3. What Winbind Provides</A
6171 >Winbind unifies UNIX and Windows NT account management by
6172 allowing a UNIX box to become a full member of a NT domain. Once
6173 this is done the UNIX box will see NT users and groups as if
6174 they were native UNIX users and groups, allowing the NT domain
6175 to be used in much the same manner that NIS+ is used within
6176 UNIX-only environments.</P
6178 >The end result is that whenever any
6179 program on the UNIX machine asks the operating system to lookup
6180 a user or group name, the query will be resolved by asking the
6181 NT domain controller for the specied domain to do the lookup.
6182 Because Winbind hooks into the operating system at a low level
6183 (via the NSS name resolution modules in the C library) this
6184 redirection to the NT domain controller is completely
6187 >Users on the UNIX machine can then use NT user and group
6188 names as they would use "native" UNIX names. They can chown files
6189 so that they are owned by NT domain users or even login to the
6190 UNIX machine and run a UNIX X-Window session as a domain user.</P
6192 >The only obvious indication that Winbind is being used is
6193 that user and group names take the form DOMAIN\user and
6194 DOMAIN\group. This is necessary as it allows Winbind to determine
6195 that redirection to a domain controller is wanted for a particular
6196 lookup and which trusted domain is being referenced.</P
6198 >Additionally, Winbind provides a authentication service
6199 that hooks into the Pluggable Authentication Modules (PAM) system
6200 to provide authentication via a NT domain to any PAM enabled
6201 applications. This capability solves the problem of synchronizing
6202 passwords between systems as all passwords are stored in a single
6203 location (on the domain controller).</P
6210 >7.3.1. Target Uses</A
6213 >Winbind is targeted at organizations that have an
6214 existing NT based domain infrastructure into which they wish
6215 to put UNIX workstations or servers. Winbind will allow these
6216 organizations to deploy UNIX workstations without having to
6217 maintain a separate account infrastructure. This greatly simplies
6218 the administrative overhead of deploying UNIX workstations into
6219 a NT based organization.</P
6221 >Another interesting way in which we expect Winbind to
6222 be used is as a central part of UNIX based appliances. Appliances
6223 that provide file and print services to Microsoft based networks
6224 will be able to use Winbind to provide seamless integration of
6225 the appliance into the domain.</P
6234 >7.4. How Winbind Works</A
6237 >The winbind system is designed around a client/server
6238 architecture. A long running <B
6242 listens on a UNIX domain socket waiting for requests
6243 to arrive. These requests are generated by the NSS and PAM
6244 clients and processed sequentially.</P
6246 >The technologies used to implement winbind are described
6254 >7.4.1. Microsoft Remote Procedure Calls</A
6257 >Over the last two years, efforts have been underway
6258 by various Samba Team members to decode various aspects of
6259 the Microsoft Remote Procedure Call (MSRPC) system. This
6260 system is used for most network related operations between
6261 Windows NT machines including remote management, user authentication
6262 and print spooling. Although initially this work was done
6263 to aid the implementation of Primary Domain Controller (PDC)
6264 functionality in Samba, it has also yielded a body of code which
6265 can be used for other purposes.</P
6267 >Winbind uses various MSRPC calls to enumerate domain users
6268 and groups and to obtain detailed information about individual
6269 users or groups. Other MSRPC calls can be used to authenticate
6270 NT domain users and to change user passwords. By directly querying
6271 a Windows PDC for user and group information, winbind maps the
6272 NT account information onto UNIX user and group names.</P
6280 >7.4.2. Name Service Switch</A
6283 >The Name Service Switch, or NSS, is a feature that is
6284 present in many UNIX operating systems. It allows system
6285 information such as hostnames, mail aliases and user information
6286 to be resolved from dierent sources. For example, a standalone
6287 UNIX workstation may resolve system information from a series of
6288 flat files stored on the local lesystem. A networked workstation
6289 may first attempt to resolve system information from local files,
6290 then consult a NIS database for user information or a DNS server
6291 for hostname information.</P
6293 >The NSS application programming interface allows winbind
6294 to present itself as a source of system information when
6295 resolving UNIX usernames and groups. Winbind uses this interface,
6296 and information obtained from a Windows NT server using MSRPC
6297 calls to provide a new source of account enumeration. Using standard
6298 UNIX library calls, one can enumerate the users and groups on
6299 a UNIX machine running winbind and see all users and groups in
6300 a NT domain plus any trusted domain as though they were local
6301 users and groups.</P
6303 >The primary control le for NSS is <TT
6307 >. When a UNIX application makes a request to do a lookup
6308 the C library looks in <TT
6310 >/etc/nsswitch.conf</TT
6312 for a line which matches the service type being requested, for
6313 example the "passwd" service type is used when user or group names
6314 are looked up. This config line species which implementations
6315 of that service should be tried andin what order. If the passwd
6320 >passwd: files example</B
6323 >then the C library will first load a module called
6326 >/lib/libnss_files.so</TT
6330 >/lib/libnss_example.so</TT
6332 C library will dynamically load each of these modules in turn
6333 and call resolver functions within the modules to try to resolve
6334 the request. Once the request is resolved the C library returns the
6335 result to the application.</P
6337 >This NSS interface provides a very easy way for Winbind
6338 to hook into the operating system. All that needs to be done
6341 >libnss_winbind.so</TT
6346 then add "winbind" into <TT
6348 >/etc/nsswitch.conf</TT
6350 the appropriate place. The C library will then call Winbind to
6351 resolve user and group names.</P
6359 >7.4.3. Pluggable Authentication Modules</A
6362 >Pluggable Authentication Modules, also known as PAM,
6363 is a system for abstracting authentication and authorization
6364 technologies. With a PAM module it is possible to specify different
6365 authentication methods for dierent system applications without
6366 having to recompile these applications. PAM is also useful
6367 for implementing a particular policy for authorization. For example,
6368 a system administrator may only allow console logins from users
6369 stored in the local password file but only allow users resolved from
6370 a NIS database to log in over the network.</P
6372 >Winbind uses the authentication management and password
6373 management PAM interface to integrate Windows NT users into a
6374 UNIX system. This allows Windows NT users to log in to a UNIX
6375 machine and be authenticated against a suitable Primary Domain
6376 Controller. These users can also change their passwords and have
6377 this change take eect directly on the Primary Domain Controller.
6380 >PAM is congured by providing control files in the directory
6384 > for each of the services that
6385 require authentication. When an authentication request is made
6386 by an application the PAM code in the C library looks up this
6387 control file to determine what modules to load to do the
6388 authentication check and in what order. This interface makes adding
6389 a new authentication service for Winbind very easy, all that needs
6390 to be done is that the <TT
6398 control files for relevant services are updated to allow
6399 authentication via winbind. See the PAM documentation
6400 for more details.</P
6408 >7.4.4. User and Group ID Allocation</A
6411 >When a user or group is created under Windows NT
6412 is it allocated a numerical relative identier (RID). This is
6413 slightly dierent to UNIX which has a range of numbers which are
6414 used to identify users, and the same range in which to identify
6415 groups. It is winbind's job to convert RIDs to UNIX id numbers and
6416 vice versa. When winbind is congured it is given part of the UNIX
6417 user id space and a part of the UNIX group id space in which to
6418 store Windows NT users and groups. If a Windows NT user is
6419 resolved for the first time, it is allocated the next UNIX id from
6420 the range. The same process applies for Windows NT groups. Over
6421 time, winbind will have mapped all Windows NT users and groups
6422 to UNIX user ids and group ids.</P
6424 >The results of this mapping are stored persistently in
6425 a ID mapping database held in a tdb database). This ensures that
6426 RIDs are mapped to UNIX IDs in a consistent way.</P
6434 >7.4.5. Result Caching</A
6437 >An active system can generate a lot of user and group
6438 name lookups. To reduce the network cost of these lookups winbind
6439 uses a caching scheme based on the SAM sequence number supplied
6440 by NT domain controllers. User or group information returned
6441 by a PDC is cached by winbind along with a sequence number also
6442 returned by the PDC. This sequence number is incremented by
6443 Windows NT whenever any user or group information is modied. If
6444 a cached entry has expired, the sequence number is requested from
6445 the PDC and compared against the sequence number of the cached entry.
6446 If the sequence numbers do not match, then the cached information
6447 is discarded and up to date information is requested directly
6457 >7.5. Installation and Configuration</A
6460 >The easiest way to install winbind is by using the packages
6463 >pub/samba/appliance/</TT
6465 directory on your nearest
6466 Samba mirror. These packages provide snapshots of the Samba source
6467 code and binaries already setup to provide the full functionality
6468 of winbind. This setup is a little more complex than a normal Samba
6469 build as winbind needs a small amount of functionality from a
6470 development code branch called SAMBA_TNG.</P
6472 >Once you have installed the packages you should read
6476 > man page which will provide you
6477 with conguration information and give you sample conguration files.
6478 You may also wish to update the main Samba daemons smbd and nmbd)
6479 with a more recent development release, such as the recently
6480 announced Samba 2.2 alpha release.</P
6488 >7.6. Limitations</A
6491 >Winbind has a number of limitations in its current
6492 released version which we hope to overcome in future
6499 >Winbind is currently only available for
6500 the Linux operating system, although ports to other operating
6501 systems are certainly possible. For such ports to be feasible,
6502 we require the C library of the target operating system to
6503 support the Name Service Switch and Pluggable Authentication
6504 Modules systems. This is becoming more common as NSS and
6505 PAM gain support among UNIX vendors.</P
6509 >The mappings of Windows NT RIDs to UNIX ids
6510 is not made algorithmically and depends on the order in which
6511 unmapped users or groups are seen by winbind. It may be difficult
6512 to recover the mappings of rid to UNIX id mapping if the file
6513 containing this information is corrupted or destroyed.</P
6517 >Currently the winbind PAM module does not take
6518 into account possible workstation and logon time restrictions
6519 that may be been set for Windows NT users.</P
6523 >Building winbind from source is currently
6524 quite tedious as it requires combining source code from two Samba
6525 branches. Work is underway to solve this by providing all
6526 the necessary functionality in the main Samba code branch.</P
6539 >The winbind system, through the use of the Name Service
6540 Switch, Pluggable Authentication Modules, and appropriate
6541 Microsoft RPC calls have allowed us to provide seamless
6542 integration of Microsoft Windows NT domain users on a
6543 UNIX system. The result is a great reduction in the administrative
6544 cost of running a mixed UNIX and NT network.</P
6552 >Chapter 8. UNIX Permission Bits and WIndows NT Access Control Lists</A
6560 >8.1. Viewing and changing UNIX permissions using the NT
6564 >New in the Samba 2.0.4 release is the ability for Windows
6565 NT clients to use their native security settings dialog box to
6566 view and modify the underlying UNIX permissions.</P
6568 >Note that this ability is careful not to compromise
6569 the security of the UNIX host Samba is running on, and
6570 still obeys all the file permission rules that a Samba
6571 administrator can set.</P
6573 >In Samba 2.0.4 and above the default value of the
6575 HREF="smb.conf.5.html#NTACLSUPPORT"
6583 > has been changed from
6591 manipulation of permissions is turned on by default.</P
6599 >8.2. How to view file security on a Samba share</A
6602 >From an NT 4.0 client, single-click with the right
6603 mouse button on any file or directory in a Samba mounted
6604 drive letter or UNC path. When the menu pops-up, click
6607 > entry at the bottom of
6608 the menu. This brings up the normal file properties dialog
6609 box, but with Samba 2.0.4 this will have a new tab along the top
6612 >. Click on this tab and you
6613 will see three buttons, <EM
6623 > button will cause either
6624 an error message <SPAN
6626 >A requested privilege is not held
6628 > to appear if the user is not the
6629 NT Administrator, or a dialog which is intended to allow an
6630 Administrator to add auditing requirements to a file if the
6631 user is logged on as the NT Administrator. This dialog is
6632 non-functional with a Samba share at this time, as the only
6633 useful button, the <B
6636 > button will not currently
6637 allow a list of users to be seen.</P
6645 >8.3. Viewing file ownership</A
6652 brings up a dialog box telling you who owns the given file. The
6653 owner name will be of the form :</P
6657 >"SERVER\user (Long name)"</B
6665 > is the NetBIOS name of
6666 the Samba server, <TT
6671 > is the user name of
6672 the UNIX user who owns the file, and <TT
6678 is the discriptive string identifying the user (normally found in the
6679 GECOS field of the UNIX password database). Click on the <B
6683 > button to remove this dialog.</P
6685 >If the parameter <TT
6694 > then the file owner will
6695 be shown as the NT user <B
6703 > button will not allow
6704 you to change the ownership of this file to yourself (clicking on
6705 it will display a dialog box complaining that the user you are
6706 currently logged onto the NT client cannot be found). The reason
6707 for this is that changing the ownership of a file is a privilaged
6708 operation in UNIX, available only to the <EM
6711 user. As clicking on this button causes NT to attempt to change
6712 the ownership of a file to the current user logged into the NT
6713 client this will not work with Samba at this time.</P
6715 >There is an NT chown command that will work with Samba
6716 and allow a user with Administrator privillage connected
6717 to a Samba 2.0.4 server as root to change the ownership of
6718 files on both a local NTFS filesystem or remote mounted NTFS
6719 or Samba drive. This is available as part of the <EM
6722 > NT security library written by Jeremy Allison of
6723 the Samba Team, available from the main Samba ftp site.</P
6731 >8.4. Viewing file or directory permissions</A
6734 >The third button is the <B
6738 button. Clicking on this brings up a dialog box that shows both
6739 the permissions and the UNIX owner of the file or directory.
6740 The owner is displayed in the form :</P
6744 >"SERVER\user (Long name)"</B
6752 > is the NetBIOS name of
6753 the Samba server, <TT
6758 > is the user name of
6759 the UNIX user who owns the file, and <TT
6765 is the discriptive string identifying the user (normally found in the
6766 GECOS field of the UNIX password database).</P
6768 >If the parameter <TT
6777 > then the file owner will
6778 be shown as the NT user <B
6782 permissions will be shown as NT "Full Control".</P
6784 >The permissions field is displayed differently for files
6785 and directories, so I'll describe the way file permissions
6786 are displayed first.</P
6793 >8.4.1. File Permissions</A
6796 >The standard UNIX user/group/world triple and
6797 the correspinding "read", "write", "execute" permissions
6798 triples are mapped by Samba into a three element NT ACL
6799 with the 'r', 'w', and 'x' bits mapped into the corresponding
6800 NT permissions. The UNIX world permissions are mapped into
6801 the global NT group <B
6805 by the list of permissions allowed for UNIX world. The UNIX
6806 owner and group permissions are displayed as an NT
6814 > icon respectively followed by the list
6815 of permissions allowed for the UNIX user and group.</P
6817 >As many UNIX permission sets don't map into common
6828 usually the permissions will be prefixed by the words <B
6830 > "Special Access"</B
6831 > in the NT display list.</P
6833 >But what happens if the file has no permissions allowed
6834 for a particular UNIX user group or world component ? In order
6835 to allow "no permissions" to be seen and modified then Samba
6838 >"Take Ownership"</B
6840 (which has no meaning in UNIX) and reports a component with
6841 no permissions as having the NT <B
6845 This was chosen of course to make it look like a zero, meaning
6846 zero permissions. More details on the decision behind this will
6855 >8.4.2. Directory Permissions</A
6858 >Directories on an NT NTFS file system have two
6859 different sets of permissions. The first set of permissions
6860 is the ACL set on the directory itself, this is usually displayed
6861 in the first set of parentheses in the normal <B
6865 NT style. This first set of permissions is created by Samba in
6866 exactly the same way as normal file permissions are, described
6867 above, and is displayed in the same way.</P
6869 >The second set of directory permissions has no real meaning
6870 in the UNIX permissions world and represents the <B
6873 > permissions that any file created within
6874 this directory would inherit.</P
6876 >Samba synthesises these inherited permissions for NT by
6877 returning as an NT ACL the UNIX permission mode that a new file
6878 created by Samba on this share would receive.</P
6887 >8.5. Modifying file or directory permissions</A
6890 >Modifying file and directory permissions is as simple
6891 as changing the displayed permissions in the dialog box, and
6895 > button. However, there are
6896 limitations that a user needs to be aware of, and also interactions
6897 with the standard Samba permission masks and mapping of DOS
6898 attributes that need to also be taken into account.</P
6900 >If the parameter <TT
6909 > then any attempt to set
6910 security permissions will fail with an <B
6916 >The first thing to note is that the <B
6920 button will not return a list of users in Samba 2.0.4 (it will give
6921 an error message of <B
6923 >"The remote proceedure call failed
6924 and did not execute"</B
6925 >). This means that you can only
6926 manipulate the current user/group/world permissions listed in
6927 the dialog box. This actually works quite well as these are the
6928 only permissions that UNIX actually has.</P
6930 >If a permission triple (either user, group, or world)
6931 is removed from the list of permissions in the NT dialog box,
6935 > button is pressed it will
6936 be applied as "no permissions" on the UNIX side. If you then
6937 view the permissions again the "no permissions" entry will appear
6941 > flag, as described above. This
6942 allows you to add permissions back to a file or directory once
6943 you have removed them from a triple component.</P
6945 >As UNIX supports only the "r", "w" and "x" bits of
6946 an NT ACL then if other NT security attributes such as "Delete
6947 access" are selected then they will be ignored when applied on
6948 the Samba server.</P
6950 >When setting permissions on a directory the second
6951 set of permissions (in the second set of parentheses) is
6952 by default applied to all files within that directory. If this
6953 is not what you want you must uncheck the <B
6956 permissions on existing files"</B
6957 > checkbox in the NT
6958 dialog before clicking <B
6963 >If you wish to remove all permissions from a
6964 user/group/world component then you may either highlight the
6965 component and click the <B
6969 or set the component to only have the special <B
6973 > permission (dsplayed as <B
6985 >8.6. Interaction with the standard Samba create mask
6989 >Note that with Samba 2.0.5 there are four new parameters
6990 to control this interaction. These are :</P
7002 >force security mode</I
7009 >directory security mask</I
7016 >force directory security mode</I
7020 >Once a user clicks <B
7024 permissions Samba maps the given permissions into a user/group/world
7025 r/w/x triple set, and then will check the changed permissions for a
7026 file against the bits set in the <A
7027 HREF="smb.conf.5.html#SECURITYMASK"
7036 > parameter. Any bits that
7037 were changed that are not set to '1' in this parameter are left alone
7038 in the file permissions.</P
7040 >Essentially, zero bits in the <TT
7046 mask may be treated as a set of bits the user is <EM
7049 allowed to change, and one bits are those the user is allowed to change.
7052 >If not set explicitly this parameter is set to the same value as
7054 HREF="smb.conf.5.html#CREATEMASK"
7063 > parameter to provide compatibility with Samba 2.0.4
7064 where this permission change facility was introduced. To allow a user to
7065 modify all the user/group/world permissions on a file, set this parameter
7068 >Next Samba checks the changed permissions for a file against
7069 the bits set in the <A
7070 HREF="smb.conf.5.html#FORCESECURITYMODE"
7075 >force security mode</I
7078 > parameter. Any bits
7079 that were changed that correspond to bits set to '1' in this parameter
7080 are forced to be set.</P
7082 >Essentially, bits set in the <TT
7085 >force security mode
7088 > parameter may be treated as a set of bits that, when
7089 modifying security on a file, the user has always set to be 'on'.</P
7091 >If not set explicitly this parameter is set to the same value
7093 HREF="smb.conf.5.html#FORCECREATEMODE"
7102 > parameter to provide compatibility
7103 with Samba 2.0.4 where the permission change facility was introduced.
7104 To allow a user to modify all the user/group/world permissions on a file,
7105 with no restrictions set this parameter to 000.</P
7118 > parameters are applied to the change
7119 request in that order.</P
7121 >For a directory Samba will perform the same operations as
7122 described above for a file except using the parameter <TT
7125 > directory security mask</I
7136 >force directory security mode
7139 > parameter instead of <TT
7142 >force security mode
7150 >directory security mask</I
7153 by default is set to the same value as the <TT
7159 > parameter and the <TT
7162 >force directory security
7165 > parameter by default is set to the same value as
7169 >force directory mode</I
7171 > parameter to provide
7172 compatibility with Samba 2.0.4 where the permission change facility
7175 >In this way Samba enforces the permission restrictions that
7176 an administrator can set on a Samba share, whilst still allowing users
7177 to modify the permission bits within that restriction.</P
7179 >If you want to set up a share that allows users full control
7180 in modifying the permission bits on their files and directories and
7181 doesn't force any particular bits to be set 'on', then set the following
7182 parameters in the <A
7183 HREF="smb.conf.5.html"
7190 > file in that share specific section :</P
7195 >security mask = 0777</I
7202 >force security mode = 0</I
7209 >directory security mask = 0777</I
7216 >force directory security mode = 0</I
7220 >As described, in Samba 2.0.4 the parameters :</P
7232 >force create mode</I
7246 >force directory mode</I
7250 >were used instead of the parameters discussed here.</P
7258 >8.7. Interaction with the standard Samba file attribute
7262 >Samba maps some of the DOS attribute bits (such as "read
7263 only") into the UNIX permissions of a file. This means there can
7264 be a conflict between the permission bits set via the security
7265 dialog and the permission bits set by the file attribute mapping.
7268 >One way this can show up is if a file has no UNIX read access
7269 for the owner it will show up as "read only" in the standard
7270 file attributes tabbed dialog. Unfortunately this dialog is
7271 the same one that contains the security info in another tab.</P
7273 >What this can mean is that if the owner changes the permissions
7274 to allow themselves read access using the security dialog, clicks
7278 > to get back to the standard attributes tab
7279 dialog, and then clicks <B
7282 > on that dialog, then
7283 NT will set the file permissions back to read-only (as that is what
7284 the attributes still say in the dialog). This means that after setting
7285 permissions and clicking <B
7288 > to get back to the
7289 attributes dialog you should always hit <B
7296 > to ensure that your changes
7297 are not overridden.</P
7305 >Chapter 9. OS2 Client HOWTO</A
7321 >9.1.1. How can I configure OS/2 Warp Connect or
7322 OS/2 Warp 4 as a client for Samba?</A
7325 >A more complete answer to this question can be
7327 HREF="http://carol.wins.uva.nl/~leeuw/samba/warp.html"
7329 > http://carol.wins.uva.nl/~leeuw/samba/warp.html</A
7332 >Basically, you need three components:</P
7338 >The File and Print Client ('IBM Peer')
7343 >TCP/IP ('Internet support')
7348 >The "NetBIOS over TCP/IP" driver ('TCPBEUI')
7353 >Installing the first two together with the base operating
7354 system on a blank system is explained in the Warp manual. If Warp
7355 has already been installed, but you now want to install the
7356 networking support, use the "Selective Install for Networking"
7357 object in the "System Setup" folder.</P
7359 >Adding the "NetBIOS over TCP/IP" driver is not described
7360 in the manual and just barely in the online documentation. Start
7361 MPTS.EXE, click on OK, click on "Configure LAPS" and click
7362 on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
7363 is then moved to 'Current Configuration'. Select that line,
7364 click on "Change number" and increase it from 0 to 1. Save this
7367 >If the Samba server(s) is not on your local subnet, you
7368 can optionally add IP names and addresses of these servers
7369 to the "Names List", or specify a WINS server ('NetBIOS
7370 Nameserver' in IBM and RFC terminology). For Warp Connect you
7371 may need to download an update for 'IBM Peer' to bring it on
7372 the same level as Warp 4. See the webpage mentioned above.</P
7380 >9.1.2. How can I configure OS/2 Warp 3 (not Connect),
7381 OS/2 1.2, 1.3 or 2.x for Samba?</A
7384 >You can use the free Microsoft LAN Manager 2.2c Client
7387 HREF="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/"
7389 > ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</A
7392 HREF="http://carol.wins.uva.nl/~leeuw/lanman.html"
7394 > http://carol.wins.uva.nl/~leeuw/lanman.html</A
7396 more information on how to install and use this client. In
7397 a nutshell, edit the file \OS2VER in the root directory of
7398 the OS/2 boot partition and add the lines:</P
7407 CLASS="PROGRAMLISTING"
7417 >before you install the client. Also, don't use the
7418 included NE2000 driver because it is buggy. Try the NE2000
7419 or NS2000 driver from
7421 HREF="ftp://ftp.cdrom.com/pub/os2/network/ndis/"
7423 > ftp://ftp.cdrom.com/pub/os2/network/ndis/</A
7433 >9.1.3. Are there any other issues when OS/2 (any version)
7434 is used as a client?</A
7437 >When you do a NET VIEW or use the "File and Print
7438 Client Resource Browser", no Samba servers show up. This can
7439 be fixed by a patch from <A
7440 HREF="http://carol.wins.uva.nl/~leeuw/samba/fix.html"
7442 > http://carol.wins.uva.nl/~leeuw/samba/fix.html</A
7444 The patch will be included in a later version of Samba. It also
7445 fixes a couple of other problems, such as preserving long
7446 filenames when objects are dragged from the Workplace Shell
7447 to the Samba server. </P
7455 >9.1.4. How do I get printer driver download working
7456 for OS/2 clients?</A
7459 >First, create a share called [PRINTDRV] that is
7460 world-readable. Copy your OS/2 driver files there. Note
7461 that the .EA_ files must still be separate, so you will need
7462 to use the original install files, and not copy an installed
7463 driver from an OS/2 system.</P
7465 >Install the NT driver first for that printer. Then,
7466 add to your smb.conf a paramater, "os2 driver map =
7472 >". Then, in the file
7479 name of the NT driver name to the OS/2 driver name as
7482 ><nt driver name> = <os2 driver
7483 name>.<device name>, e.g.:
7484 HP LaserJet 5L = LASERJET.HP LaserJet 5L</P
7486 >You can have multiple drivers mapped in this file.</P
7488 >If you only specify the OS/2 driver name, and not the
7489 device name, the first attempt to download the driver will
7490 actually download the files, but the OS/2 client will tell
7491 you the driver is not available. On the second attempt, it
7492 will work. This is fixed simply by adding the device name
7493 to the mapping, after which it will work on the first attempt.
7503 >Chapter 10. HOWTO Access Samba source code via CVS</A
7511 >10.1. Introduction</A
7514 >Samba is developed in an open environnment. Developers use CVS
7515 (Concurrent Versioning System) to "checkin" (also known as
7516 "commit") new source code. Samba's various CVS branches can
7517 be accessed via anonymouns CVS using the instructions
7518 detailed in this chapter.</P
7520 >This document is a modified version of the instructions found at
7522 HREF="http://samba.org/samba/cvs.html"
7524 >http://samba.org/samba/cvs.html</A
7533 >10.2. CVS Access to samba.org</A
7536 >The machine samba.org runs a publicly accessible CVS
7537 repository for access to the source code of several packages,
7538 including samba, rsync and jitterbug. There are two main ways of
7539 accessing the CVS server on this host.</P
7546 >10.2.1. Access via CVSweb</A
7549 >You can access the source code via your
7550 favourite WWW browser. This allows you to access the contents of
7551 individual files in the repository and also to look at the revision
7552 history and commit logs of individual files. You can also ask for a diff
7553 listing between any two versions on the repository.</P
7556 HREF="http://samba.org/cgi-bin/cvsweb"
7558 >http://samba.org/cgi-bin/cvsweb</A
7567 >10.2.2. Access via cvs</A
7570 >You can also access the source code via a
7571 normal cvs client. This gives you much more control over you can
7572 do with the repository and allows you to checkout whole source trees
7573 and keep them uptodate via normal cvs commands. This is the
7574 preferred method of access if you are a developer and not
7575 just a casual browser.</P
7577 >To download the latest cvs source code, point your
7578 browser at the URL : <A
7579 HREF="http://www.cyclic.com/"
7581 >http://www.cyclic.com/</A
7583 and click on the 'How to get cvs' link. CVS is free software under
7584 the GNU GPL (as is Samba). Note that there are several graphical CVS clients
7585 which provide a graphical interface to the sometimes mundane CVS commands.
7586 Links to theses clients are also available from http://www.cyclic.com.</P
7588 >To gain access via anonymous cvs use the following steps.
7589 For this example it is assumed that you want a copy of the
7590 samba source code. For the other source code repositories
7591 on this system just substitute the correct package name</P
7598 > Install a recent copy of cvs. All you really need is a
7599 copy of the cvs client binary.
7609 >cvs -d :pserver:cvs@samba.org:/cvsroot login</B
7613 > When it asks you for a password type <TT
7628 >cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B
7632 > This will create a directory called samba containing the
7633 latest samba source code (i.e. the HEAD tagged cvs branch). This
7634 currently corresponds to the 3.0 development tree.
7637 > CVS branches other HEAD can be obtained by using the <TT
7643 and defining a tag name. A list of branch tag names can be found on the
7644 "Development" page of the samba web site. A common request is to obtain the
7645 latest 2.2 release code. This could be done by using the following command.
7650 >cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B
7656 > Whenever you want to merge in the latest code changes use
7657 the following command from within the samba directory:
7662 >cvs update -d -P</B
git.samba.org / sfrench / samba-autobuild / .git / blob