></TABLE
><P
></P
-> </P
+></P
></DIV
><DIV
CLASS="SECT1"
the program always prompts for the password if the server is a Samba server.
It also ignores the "-N" argument when querying some (but not all) of our
NT servers."</SPAN
-> </P
+></P
><P
>No, it does not ignore -N, it is just that your server rejected the
null password in the connection, so smbclient prompts for a password
></TABLE
><P
></P
-> </P
+></P
><P
>The setdriver call will fail if the printer doesn't already exist in
samba's view of the world. Either create the printer in cups and
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
-TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
+TITLE="Samba Backup Domain Controller to Samba Domain Control"
HREF="samba-bdc.html"><LINK
REL="NEXT"
TITLE="Samba as a NT4 or Win2k domain member"
><P
>This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
Windows2000 KDC. </P
-><P
->Pieces you need before you begin:</P
-><P
-><P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->a Windows 2000 server.</TD
-></TR
-><TR
-><TD
->samba 3.0 or higher.</TD
-></TR
-><TR
-><TD
->the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
-></TR
-><TR
-><TD
->the OpenLDAP development libraries.</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1343"
->8.1. Installing the required packages for Debian</A
-></H1
-><P
->On Debian you need to install the following packages:</P
-><P
-><P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->libkrb5-dev</TD
-></TR
-><TR
-><TD
->krb5-user</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1350"
->8.2. Installing the required packages for RedHat</A
-></H1
-><P
->On RedHat this means you should have at least: </P
-><P
-><P
-></P
-><TABLE
-BORDER="0"
-><TBODY
-><TR
-><TD
->krb5-workstation (for kinit)</TD
-></TR
-><TR
-><TD
->krb5-libs (for linking with)</TD
-></TR
-><TR
-><TD
->krb5-devel (because you are compiling from source)</TD
-></TR
-></TBODY
-></TABLE
-><P
-></P
-></P
-><P
->in addition to the standard development environment.</P
-><P
->Note that these are not standard on a RedHat install, and you may need
-to get them off CD2.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1360"
->8.3. Compile Samba</A
+NAME="AEN1251"
+>8.1. Setup your <TT
+CLASS="FILENAME"
+>smb.conf</TT
+></A
></H1
><P
->If your kerberos libraries are in a non-standard location then
- remember to add the configure option --with-krb5=DIR.</P
-><P
->After you run configure make sure that include/config.h it
- generates contains
- lines like this:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->#define HAVE_KRB5 1
-#define HAVE_LDAP 1</PRE
-></P
-><P
->If it doesn't then configure did not find your krb5 libraries or
- your ldap libraries. Look in config.log to figure out why and fix
- it.</P
-><P
->Then compile and install Samba as usual. You must use at least the
- following 3 options in smb.conf:</P
+>You must use at least the following 3 options in smb.conf:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>You do *not* need a smbpasswd file, and older clients will
be authenticated as if "security = domain", although it won't do any harm
and allows you to have local users not in the domain.
- I expect that the above
- required options will change soon when we get better active
- directory integration.</P
+ I expect that the above required options will change soon when we get better
+ active directory integration.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1375"
->8.4. Setup your /etc/krb5.conf</A
+NAME="AEN1262"
+>8.2. Setup your <TT
+CLASS="FILENAME"
+>/etc/krb5.conf</TT
+></A
></H1
><P
>The minimal configuration for krb5.conf is:</P
><H1
CLASS="SECT1"
><A
-NAME="AEN1385"
->8.5. Create the computer account</A
+NAME="AEN1273"
+>8.3. Create the computer account</A
></H1
><P
>As a user that has write permission on the Samba private directory
><H2
CLASS="SECT2"
><A
-NAME="AEN1389"
->8.5.1. Possible errors</A
+NAME="AEN1277"
+>8.3.1. Possible errors</A
></H2
><P
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1397"
->8.6. Test your server setup</A
+NAME="AEN1285"
+>8.4. Test your server setup</A
></H1
><P
>On a Windows 2000 client try <B
><H1
CLASS="SECT1"
><A
-NAME="AEN1402"
->8.7. Testing with smbclient</A
+NAME="AEN1290"
+>8.5. Testing with smbclient</A
></H1
><P
>On your Samba server try to login to a Win2000 server or your Samba
><H1
CLASS="SECT1"
><A
-NAME="AEN1405"
->8.8. Notes</A
+NAME="AEN1293"
+>8.6. Notes</A
></H1
><P
->You must change administrator password at least once after DC install,
- to create the right encoding types</P
+>You must change administrator password at least once after DC
+install, to create the right encoding types</P
><P
>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
their defaults DNS setup. Maybe fixed in service packs?</P
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
+>Samba Backup Domain Controller to Samba Domain Control</TD
><TD
WIDTH="34%"
ALIGN="center"
TITLE="Unicode/Charsets"
HREF="unicode.html"><LINK
REL="NEXT"
-TITLE="Portability"
-HREF="portability.html"></HEAD
+TITLE="Samba performance issues"
+HREF="speed.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
ALIGN="right"
VALIGN="bottom"
><A
-HREF="portability.html"
+HREF="speed.html"
ACCESSKEY="N"
>Next</A
></TD
>Table of Contents</B
></DT
><DT
+>23. <A
+HREF="speed.html"
+>Samba performance issues</A
+></DT
+><DD
+><DL
+><DT
+>23.1. <A
+HREF="speed.html#AEN3443"
+>Comparisons</A
+></DT
+><DT
+>23.2. <A
+HREF="speed.html#AEN3449"
+>Socket options</A
+></DT
+><DT
+>23.3. <A
+HREF="speed.html#AEN3456"
+>Read size</A
+></DT
+><DT
+>23.4. <A
+HREF="speed.html#AEN3461"
+>Max xmit</A
+></DT
+><DT
+>23.5. <A
+HREF="speed.html#AEN3466"
+>Log level</A
+></DT
+><DT
+>23.6. <A
+HREF="speed.html#AEN3469"
+>Read raw</A
+></DT
+><DT
+>23.7. <A
+HREF="speed.html#AEN3474"
+>Write raw</A
+></DT
+><DT
+>23.8. <A
+HREF="speed.html#AEN3478"
+>Slow Clients</A
+></DT
+><DT
+>23.9. <A
+HREF="speed.html#AEN3482"
+>Slow Logins</A
+></DT
+><DT
+>23.10. <A
+HREF="speed.html#AEN3485"
+>Client tuning</A
+></DT
+></DL
+></DD
+><DT
>24. <A
HREF="portability.html"
>Portability</A
><DL
><DT
>24.1. <A
-HREF="portability.html#AEN3626"
+HREF="portability.html#AEN3525"
>HPUX</A
></DT
><DT
>24.2. <A
-HREF="portability.html#AEN3632"
+HREF="portability.html#AEN3531"
>SCO Unix</A
></DT
><DT
>24.3. <A
-HREF="portability.html#AEN3636"
+HREF="portability.html#AEN3535"
>DNIX</A
></DT
><DT
>24.4. <A
-HREF="portability.html#AEN3665"
+HREF="portability.html#AEN3564"
>RedHat Linux Rembrandt-II</A
></DT
><DT
>24.5. <A
-HREF="portability.html#AEN3671"
+HREF="portability.html#AEN3570"
>AIX</A
></DT
><DD
><DL
><DT
>24.5.1. <A
-HREF="portability.html#AEN3673"
+HREF="portability.html#AEN3572"
>Sequential Read Ahead</A
></DT
></DL
><DL
><DT
>25.1. <A
-HREF="other-clients.html#AEN3691"
+HREF="other-clients.html#AEN3590"
>Macintosh clients?</A
></DT
><DT
>25.2. <A
-HREF="other-clients.html#AEN3700"
+HREF="other-clients.html#AEN3599"
>OS2 Client</A
></DT
><DD
><DL
><DT
>25.2.1. <A
-HREF="other-clients.html#AEN3702"
+HREF="other-clients.html#AEN3601"
>How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></DT
><DT
>25.2.2. <A
-HREF="other-clients.html#AEN3717"
+HREF="other-clients.html#AEN3616"
>How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></DT
><DT
>25.2.3. <A
-HREF="other-clients.html#AEN3726"
+HREF="other-clients.html#AEN3625"
>Are there any other issues when OS/2 (any version)
is used as a client?</A
></DT
><DT
>25.2.4. <A
-HREF="other-clients.html#AEN3730"
+HREF="other-clients.html#AEN3629"
>How do I get printer driver download working
for OS/2 clients?</A
></DT
></DD
><DT
>25.3. <A
-HREF="other-clients.html#AEN3740"
+HREF="other-clients.html#AEN3639"
>Windows for Workgroups</A
></DT
><DD
><DL
><DT
>25.3.1. <A
-HREF="other-clients.html#AEN3742"
+HREF="other-clients.html#AEN3641"
>Use latest TCP/IP stack from Microsoft</A
></DT
><DT
>25.3.2. <A
-HREF="other-clients.html#AEN3747"
+HREF="other-clients.html#AEN3646"
>Delete .pwl files after password change</A
></DT
><DT
>25.3.3. <A
-HREF="other-clients.html#AEN3752"
+HREF="other-clients.html#AEN3651"
>Configure WfW password handling</A
></DT
><DT
>25.3.4. <A
-HREF="other-clients.html#AEN3756"
+HREF="other-clients.html#AEN3655"
>Case handling of passwords</A
></DT
><DT
>25.3.5. <A
-HREF="other-clients.html#AEN3761"
+HREF="other-clients.html#AEN3660"
>Use TCP/IP as default protocol</A
></DT
></DL
></DD
><DT
>25.4. <A
-HREF="other-clients.html#AEN3764"
+HREF="other-clients.html#AEN3663"
>Windows '95/'98</A
></DT
><DT
>25.5. <A
-HREF="other-clients.html#AEN3780"
+HREF="other-clients.html#AEN3679"
>Windows 2000 Service Pack 2</A
></DT
></DL
><DL
><DT
>26.1. <A
-HREF="compiling.html#AEN3807"
+HREF="compiling.html#AEN3706"
>Access Samba source code via CVS</A
></DT
><DD
><DL
><DT
>26.1.1. <A
-HREF="compiling.html#AEN3809"
+HREF="compiling.html#AEN3708"
>Introduction</A
></DT
><DT
>26.1.2. <A
-HREF="compiling.html#AEN3814"
+HREF="compiling.html#AEN3713"
>CVS Access to samba.org</A
></DT
></DL
></DD
><DT
>26.2. <A
-HREF="compiling.html#AEN3850"
+HREF="compiling.html#AEN3749"
>Accessing the samba sources via rsync and ftp</A
></DT
><DT
>26.3. <A
-HREF="compiling.html#AEN3856"
+HREF="compiling.html#AEN3755"
>Building the Binaries</A
></DT
+><DD
+><DL
+><DT
+>26.3.1. <A
+HREF="compiling.html#AEN3783"
+>Compiling samba with Active Directory support</A
+></DT
+></DL
+></DD
><DT
>26.4. <A
-HREF="compiling.html#AEN3884"
+HREF="compiling.html#AEN3812"
>Starting the smbd and nmbd</A
></DT
><DD
><DL
><DT
>26.4.1. <A
-HREF="compiling.html#AEN3894"
+HREF="compiling.html#AEN3822"
>Starting from inetd.conf</A
></DT
><DT
>26.4.2. <A
-HREF="compiling.html#AEN3923"
+HREF="compiling.html#AEN3851"
>Alternative: starting it as a daemon</A
></DT
></DL
><DL
><DT
>27.1. <A
-HREF="bugreport.html#AEN3946"
+HREF="bugreport.html#AEN3874"
>Introduction</A
></DT
><DT
>27.2. <A
-HREF="bugreport.html#AEN3956"
+HREF="bugreport.html#AEN3884"
>General info</A
></DT
><DT
>27.3. <A
-HREF="bugreport.html#AEN3962"
+HREF="bugreport.html#AEN3890"
>Debug levels</A
></DT
><DT
>27.4. <A
-HREF="bugreport.html#AEN3979"
+HREF="bugreport.html#AEN3907"
>Internal errors</A
></DT
><DT
>27.5. <A
-HREF="bugreport.html#AEN3989"
+HREF="bugreport.html#AEN3917"
>Attaching to a running process</A
></DT
><DT
>27.6. <A
-HREF="bugreport.html#AEN3992"
+HREF="bugreport.html#AEN3920"
>Patches</A
></DT
></DL
><DL
><DT
>28.1. <A
-HREF="diagnosis.html#AEN4015"
+HREF="diagnosis.html#AEN3943"
>Introduction</A
></DT
><DT
>28.2. <A
-HREF="diagnosis.html#AEN4020"
+HREF="diagnosis.html#AEN3948"
>Assumptions</A
></DT
><DT
>28.3. <A
-HREF="diagnosis.html#AEN4030"
+HREF="diagnosis.html#AEN3958"
>Tests</A
></DT
><DD
><DL
><DT
>28.3.1. <A
-HREF="diagnosis.html#AEN4032"
+HREF="diagnosis.html#AEN3960"
>Test 1</A
></DT
><DT
>28.3.2. <A
-HREF="diagnosis.html#AEN4038"
+HREF="diagnosis.html#AEN3966"
>Test 2</A
></DT
><DT
>28.3.3. <A
-HREF="diagnosis.html#AEN4044"
+HREF="diagnosis.html#AEN3972"
>Test 3</A
></DT
><DT
>28.3.4. <A
-HREF="diagnosis.html#AEN4059"
+HREF="diagnosis.html#AEN3987"
>Test 4</A
></DT
><DT
>28.3.5. <A
-HREF="diagnosis.html#AEN4064"
+HREF="diagnosis.html#AEN3992"
>Test 5</A
></DT
><DT
>28.3.6. <A
-HREF="diagnosis.html#AEN4070"
+HREF="diagnosis.html#AEN3998"
>Test 6</A
></DT
><DT
>28.3.7. <A
-HREF="diagnosis.html#AEN4078"
+HREF="diagnosis.html#AEN4006"
>Test 7</A
></DT
><DT
>28.3.8. <A
-HREF="diagnosis.html#AEN4104"
+HREF="diagnosis.html#AEN4032"
>Test 8</A
></DT
><DT
>28.3.9. <A
-HREF="diagnosis.html#AEN4121"
+HREF="diagnosis.html#AEN4049"
>Test 9</A
></DT
><DT
>28.3.10. <A
-HREF="diagnosis.html#AEN4129"
+HREF="diagnosis.html#AEN4057"
>Test 10</A
></DT
><DT
>28.3.11. <A
-HREF="diagnosis.html#AEN4135"
+HREF="diagnosis.html#AEN4063"
>Test 11</A
></DT
></DL
></DD
><DT
>28.4. <A
-HREF="diagnosis.html#AEN4140"
+HREF="diagnosis.html#AEN4068"
>Still having troubles?</A
></DT
></DL
ALIGN="right"
VALIGN="top"
><A
-HREF="portability.html"
+HREF="speed.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Portability</TD
+>Samba performance issues</TD
></TR
></TABLE
></DIV
CLASS="SECT1"
><A
NAME="AEN139"
->2.2. Use of the "Remote Announce" parameter</A
+>2.2. How browsing functions and how to deploy stable and
+dependable browsing using Samba</A
+></H1
+><P
+>As stated above, MS Windows machines register their NetBIOS names
+(i.e.: the machine name for each service type in operation) on start
+up. Also, as stated above, the exact method by which this name registration
+takes place is determined by whether or not the MS Windows client/server
+has been given a WINS server address, whether or not LMHOSTS lookup
+is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P
+><P
+>In the case where there is no WINS server all name registrations as
+well as name lookups are done by UDP broadcast. This isolates name
+resolution to the local subnet, unless LMHOSTS is used to list all
+names and IP addresses. In such situations Samba provides a means by
+which the samba server name may be forcibly injected into the browse
+list of a remote MS Windows network (using the "remote announce" parameter).</P
+><P
+>Where a WINS server is used, the MS Windows client will use UDP
+unicast to register with the WINS server. Such packets can be routed
+and thus WINS allows name resolution to function across routed networks.</P
+><P
+>During the startup process an election will take place to create a
+local master browser if one does not already exist. On each NetBIOS network
+one machine will be elected to function as the domain master browser. This
+domain browsing has nothing to do with MS security domain control.
+Instead, the domain master browser serves the role of contacting each local
+master browser (found by asking WINS or from LMHOSTS) and exchanging browse
+list contents. This way every master browser will eventually obtain a complete
+list of all machines that are on the network. Every 11-15 minutes an election
+is held to determine which machine will be the master browser. By the nature of
+the election criteria used, the machine with the highest uptime, or the
+most senior protocol version, or other criteria, will win the election
+as domain master browser.</P
+><P
+>Clients wishing to browse the network make use of this list, but also depend
+on the availability of correct name resolution to the respective IP
+address/addresses. </P
+><P
+>Any configuration that breaks name resolution and/or browsing intrinsics
+will annoy users because they will have to put up with protracted
+inability to use the network services.</P
+><P
+>Samba supports a feature that allows forced synchonisation
+of browse lists across routed networks using the "remote
+browse sync" parameter in the smb.conf file. This causes Samba
+to contact the local master browser on a remote network and
+to request browse list synchronisation. This effectively bridges
+two networks that are separated by routers. The two remote
+networks may use either broadcast based name resolution or WINS
+based name resolution, but it should be noted that the "remote
+browse sync" parameter provides browse list synchronisation - and
+that is distinct from name to address resolution, in other
+words, for cross subnet browsing to function correctly it is
+essential that a name to address resolution mechanism be provided.
+This mechanism could be via DNS, <TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>,
+and so on.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN149"
+>2.3. Use of the "Remote Announce" parameter</A
></H1
><P
>The "remote announce" parameter of smb.conf can be used to forcibly ensure
><H1
CLASS="SECT1"
><A
-NAME="AEN153"
->2.3. Use of the "Remote Browse Sync" parameter</A
+NAME="AEN163"
+>2.4. Use of the "Remote Browse Sync" parameter</A
></H1
><P
>The "remote browse sync" parameter of smb.conf is used to announce to
><H1
CLASS="SECT1"
><A
-NAME="AEN158"
->2.4. Use of WINS</A
+NAME="AEN168"
+>2.5. Use of WINS</A
></H1
><P
>Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
><H1
CLASS="SECT1"
><A
-NAME="AEN169"
->2.5. Do NOT use more than one (1) protocol on MS Windows machines</A
+NAME="AEN179"
+>2.6. Do NOT use more than one (1) protocol on MS Windows machines</A
></H1
><P
>A very common cause of browsing problems results from installing more than
><H1
CLASS="SECT1"
><A
-NAME="AEN177"
->2.6. Name Resolution Order</A
+NAME="AEN187"
+>2.7. Name Resolution Order</A
></H1
><P
>Resolution of NetBIOS names to IP addresses can take place using a number
><H1
CLASS="SECT1"
><A
-NAME="AEN3946"
+NAME="AEN3874"
>27.1. Introduction</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3956"
+NAME="AEN3884"
>27.2. General info</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3962"
+NAME="AEN3890"
>27.3. Debug levels</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3979"
+NAME="AEN3907"
>27.4. Internal errors</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3989"
+NAME="AEN3917"
>27.5. Attaching to a running process</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3992"
+NAME="AEN3920"
>27.6. Patches</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3807"
+NAME="AEN3706"
>26.1. Access Samba source code via CVS</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN3809"
+NAME="AEN3708"
>26.1.1. Introduction</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3814"
+NAME="AEN3713"
>26.1.2. CVS Access to samba.org</A
></H2
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN3817"
+NAME="AEN3716"
>26.1.2.1. Access via CVSweb</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN3822"
+NAME="AEN3721"
>26.1.2.2. Access via cvs</A
></H3
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3850"
+NAME="AEN3749"
>26.2. Accessing the samba sources via rsync and ftp</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3856"
+NAME="AEN3755"
>26.3. Building the Binaries</A
></H1
><P
></P
><P
>if you find this version a disaster!</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN3783"
+>26.3.1. Compiling samba with Active Directory support</A
+></H2
+><P
+>In order to compile samba with ADS support, you need to have installed
+ on your system:
+ <P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>the MIT kerberos development libraries (either install from the sources or use a package). The heimdal libraries will not work.</TD
+></TR
+><TR
+><TD
+>the OpenLDAP development libraries.</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+>
+
+ </P
+><P
+>If your kerberos libraries are in a non-standard location then
+ remember to add the configure option --with-krb5=DIR.</P
+><P
+>After you run configure make sure that <TT
+CLASS="FILENAME"
+>include/config.h</TT
+> it generates contains lines like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>#define HAVE_KRB5 1
+#define HAVE_LDAP 1
+ </PRE
+></P
+><P
+>If it doesn't then configure did not find your krb5 libraries or
+ your ldap libraries. Look in config.log to figure out why and fix
+ it.</P
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN3795"
+>26.3.1.1. Installing the required packages for Debian</A
+></H3
+><P
+>On Debian you need to install the following packages:</P
+><P
+> <P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>libkrb5-dev</TD
+></TR
+><TR
+><TD
+>krb5-user</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+>
+ </P
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN3802"
+>26.3.1.2. Installing the required packages for RedHat</A
+></H3
+><P
+>On RedHat this means you should have at least: </P
+><P
+> <P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>krb5-workstation (for kinit)</TD
+></TR
+><TR
+><TD
+>krb5-libs (for linking with)</TD
+></TR
+><TR
+><TD
+>krb5-devel (because you are compiling from source)</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+>
+ </P
+><P
+>in addition to the standard development environment.</P
+><P
+>Note that these are not standard on a RedHat install, and you may need
+ to get them off CD2.</P
+></DIV
+></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN3884"
+NAME="AEN3812"
>26.4. Starting the smbd and nmbd</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3894"
+NAME="AEN3822"
>26.4.1. Starting from inetd.conf</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3923"
+NAME="AEN3851"
>26.4.2. Alternative: starting it as a daemon</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN4015"
+NAME="AEN3943"
>28.1. Introduction</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN4020"
+NAME="AEN3948"
>28.2. Assumptions</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN4030"
+NAME="AEN3958"
>28.3. Tests</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN4032"
+NAME="AEN3960"
>28.3.1. Test 1</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4038"
+NAME="AEN3966"
>28.3.2. Test 2</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4044"
+NAME="AEN3972"
>28.3.3. Test 3</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4059"
+NAME="AEN3987"
>28.3.4. Test 4</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4064"
+NAME="AEN3992"
>28.3.5. Test 5</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4070"
+NAME="AEN3998"
>28.3.6. Test 6</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4078"
+NAME="AEN4006"
>28.3.7. Test 7</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4104"
+NAME="AEN4032"
>28.3.8. Test 8</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4121"
+NAME="AEN4049"
>28.3.9. Test 9</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4129"
+NAME="AEN4057"
>28.3.10. Test 10</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN4135"
+NAME="AEN4063"
>28.3.11. Test 11</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN4140"
+NAME="AEN4068"
>28.4. Still having troubles?</A
></H1
><P
TITLE="Samba as a ADS domain member"
HREF="ads.html"><LINK
REL="NEXT"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"></HEAD
><BODY
CLASS="CHAPTER"
><H1
CLASS="SECT1"
><A
-NAME="AEN1427"
+NAME="AEN1315"
>9.1. Joining an NT Domain with Samba 3.0</A
></H1
><P
><B
CLASS="COMMAND"
>security = domain</B
-> or
- <B
-CLASS="COMMAND"
->security = ads</B
-> depending on if the PDC is
- NT4 or running Active Directory respectivly.</P
+></P
><P
>Next change the <A
HREF="smb.conf.5.html#WORKGROUP"
>root# </SAMP
><KBD
CLASS="USERINPUT"
->net join -S DOMPDC
+>net rpc join -S DOMPDC
-U<VAR
CLASS="REPLACEABLE"
>Administrator%password</VAR
><H1
CLASS="SECT1"
><A
-NAME="AEN1482"
->9.2. Samba and Windows 2000 Domains</A
-></H1
-><P
->Many people have asked regarding the state of Samba's ability to participate in
-a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode. The steps above apply
-to both NT4 and Windows 2000.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1485"
->9.3. Why is this better than security = server?</A
+NAME="AEN1369"
+>9.2. Why is this better than security = server?</A
></H1
><P
>Currently, domain security in Samba doesn't free you from
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
as the user SID, the list of NT groups the user belongs to, etc. </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE:</I
-></SPAN
> Much of the text of this document
was first published in the Web magazine <A
HREF="http://www.linuxworld.com"
>Doing
the NIS/NT Samba</A
>.</P
+></TD
+></TR
+></TABLE
+></DIV
></DIV
></DIV
><DIV
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Optional configuration</TD
+>Advanced Configuration</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Stackable VFS modules"
-HREF="vfs.html"><LINK
+TITLE="UNIX Permission Bits and Windows NT Access Control Lists"
+HREF="unix-permissions.html"><LINK
REL="NEXT"
-TITLE="Samba performance issues"
-HREF="speed.html"></HEAD
+TITLE="Configuring PAM for distributed but centrally
+managed authentication"
+HREF="pam.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="vfs.html"
+HREF="unix-permissions.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="speed.html"
+HREF="pam.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="GROUPMAPPING"
></A
->Chapter 19. Group mapping HOWTO</H1
+>Chapter 12. Group mapping HOWTO</H1
><P
>
Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
ALIGN="left"
VALIGN="top"
><A
-HREF="vfs.html"
+HREF="unix-permissions.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="speed.html"
+HREF="pam.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Stackable VFS modules</TD
+>UNIX Permission Bits and Windows NT Access Control Lists</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Samba performance issues</TD
+>Configuring PAM for distributed but centrally
+managed authentication</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Unified Logons between Windows NT and UNIX using Winbind"
-HREF="winbind.html"><LINK
+TITLE="Integrating MS Windows networks with Samba"
+HREF="integrate-ms-networks.html"><LINK
REL="NEXT"
-TITLE="Stackable VFS modules"
-HREF="vfs.html"></HEAD
+TITLE="Hosting a Microsoft Distributed File System tree on Samba"
+HREF="msdfs.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="winbind.html"
+HREF="integrate-ms-networks.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="vfs.html"
+HREF="msdfs.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="IMPROVED-BROWSING"
></A
->Chapter 17. Improved browsing in samba</H1
+>Chapter 18. Improved browsing in samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN3033"
->17.1. Overview of browsing</A
+NAME="AEN3047"
+>18.1. Overview of browsing</A
></H1
><P
>SMB networking provides a mechanism by which clients can access a list
><H1
CLASS="SECT1"
><A
-NAME="AEN3038"
->17.2. Browsing support in samba</A
+NAME="AEN3052"
+>18.2. Browsing support in samba</A
></H1
><P
>Samba facilitates browsing. The browsing is supported by nmbd
><H1
CLASS="SECT1"
><A
-NAME="AEN3046"
->17.3. Problem resolution</A
+NAME="AEN3060"
+>18.3. Problem resolution</A
></H1
><P
>If something doesn't work then hopefully the log.nmb file will help
><H1
CLASS="SECT1"
><A
-NAME="AEN3055"
->17.4. Browsing across subnets</A
+NAME="AEN3069"
+>18.4. Browsing across subnets</A
></H1
><P
>Since the release of Samba 1.9.17(alpha1) Samba has been
><H2
CLASS="SECT2"
><A
-NAME="AEN3060"
->17.4.1. How does cross subnet browsing work ?</A
+NAME="AEN3074"
+>18.4.1. How does cross subnet browsing work ?</A
></H2
><P
>Cross subnet browsing is a complicated dance, containing multiple
><H1
CLASS="SECT1"
><A
-NAME="AEN3095"
->17.5. Setting up a WINS server</A
+NAME="AEN3109"
+>18.5. Setting up a WINS server</A
></H1
><P
>Either a Samba machine or a Windows NT Server machine may be set up
><H1
CLASS="SECT1"
><A
-NAME="AEN3114"
->17.6. Setting up Browsing in a WORKGROUP</A
+NAME="AEN3128"
+>18.6. Setting up Browsing in a WORKGROUP</A
></H1
><P
>To set up cross subnet browsing on a network containing machines
><P
><PRE
CLASS="PROGRAMLISTING"
-> domain master = yes
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = yes
+local master = yes
+preferred master = yes
+os level = 65</PRE
></P
><P
>The domain master browser may be the same machine as the WINS
><P
><PRE
CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = no
+local master = yes
+preferred master = yes
+os level = 65</PRE
></P
><P
>Do not do this for more than one Samba server on each subnet,
><P
><PRE
CLASS="PROGRAMLISTING"
-> domain master = no
- local master = no
- preferred master = no
- os level = 0</PRE
+>domain master = no
+local master = no
+preferred master = no
+os level = 0</PRE
></P
></DIV
><DIV
><H1
CLASS="SECT1"
><A
-NAME="AEN3132"
->17.7. Setting up Browsing in a DOMAIN</A
+NAME="AEN3146"
+>18.7. Setting up Browsing in a DOMAIN</A
></H1
><P
>If you are adding Samba servers to a Windows NT Domain then
><P
><PRE
CLASS="PROGRAMLISTING"
-> domain master = no
- local master = yes
- preferred master = yes
- os level = 65</PRE
+>domain master = no
+local master = yes
+preferred master = yes
+os level = 65</PRE
></P
><P
>If you wish to have a Samba server fight the election with machines
><H1
CLASS="SECT1"
><A
-NAME="AEN3142"
->17.8. Forcing samba to be the master</A
+NAME="AEN3156"
+>18.8. Forcing samba to be the master</A
></H1
><P
>Who becomes the "master browser" is determined by an election process
><H1
CLASS="SECT1"
><A
-NAME="AEN3151"
->17.9. Making samba the domain master</A
+NAME="AEN3165"
+>18.9. Making samba the domain master</A
></H1
><P
>The domain master is responsible for collating the browse lists of
><H1
CLASS="SECT1"
><A
-NAME="AEN3169"
->17.10. Note about broadcast addresses</A
+NAME="AEN3183"
+>18.10. Note about broadcast addresses</A
></H1
><P
>If your network uses a "0" based broadcast address (for example if it
><H1
CLASS="SECT1"
><A
-NAME="AEN3172"
->17.11. Multiple interfaces</A
+NAME="AEN3186"
+>18.11. Multiple interfaces</A
></H1
><P
>Samba now supports machines with multiple network interfaces. If you
ALIGN="left"
VALIGN="top"
><A
-HREF="winbind.html"
+HREF="integrate-ms-networks.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="vfs.html"
+HREF="msdfs.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Unified Logons between Windows NT and UNIX using Winbind</TD
+>Integrating MS Windows networks with Samba</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Stackable VFS modules</TD
+>Hosting a Microsoft Distributed File System tree on Samba</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Optional configuration"
-HREF="optional.html"><LINK
+TITLE="Unified Logons between Windows NT and UNIX using Winbind"
+HREF="winbind.html"><LINK
REL="NEXT"
-TITLE="UNIX Permission Bits and Windows NT Access Control Lists"
-HREF="unix-permissions.html"></HEAD
+TITLE="Improved browsing in samba"
+HREF="improved-browsing.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="optional.html"
+HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="unix-permissions.html"
+HREF="improved-browsing.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="INTEGRATE-MS-NETWORKS"
></A
->Chapter 10. Integrating MS Windows networks with Samba</H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1517"
->10.1. Agenda</A
-></H1
+>Chapter 17. Integrating MS Windows networks with Samba</H1
><P
->To identify the key functional mechanisms of MS Windows networking
-to enable the deployment of Samba as a means of extending and/or
-replacing MS Windows NT/2000 technology.</P
-><P
->We will examine:</P
+>This section deals with NetBIOS over TCP/IP name to IP address resolution. If you
+your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this
+section does not apply to your installation. If your installation involves use of
+NetBIOS over TCP/IP then this section may help you to resolve networking problems.</P
+><DIV
+CLASS="NOTE"
><P
></P
-><OL
-TYPE="1"
-><LI
-><P
->Name resolution in a pure Unix/Linux TCP/IP
- environment
- </P
-></LI
-><LI
-><P
->Name resolution as used within MS Windows
- networking
- </P
-></LI
-><LI
-><P
->How browsing functions and how to deploy stable
- and dependable browsing using Samba
- </P
-></LI
-><LI
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
><P
->MS Windows security options and how to
- configure Samba for seemless integration
- </P
-></LI
-><LI
+> NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS
+ over Logical Link Control (LLC). On modern networks it is highly advised
+ to NOT run NetBEUI at all. Note also that there is NO such thing as
+ NetBEUI over TCP/IP - the existence of such a protocol is a complete
+ and utter mis-apprehension.</P
+></TD
+></TR
+></TABLE
+></DIV
><P
->Configuration of Samba as:</P
+>Since the introduction of MS Windows 2000 it is possible to run MS Windows networking
+without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS
+name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over
+TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be
+used and UDP port 137 and TCP port 139 will not.</P
+><DIV
+CLASS="NOTE"
><P
></P
-><OL
-TYPE="a"
-><LI
-><P
->A stand-alone server</P
-></LI
-><LI
-><P
->An MS Windows NT 3.x/4.0 security domain member
- </P
-></LI
-><LI
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
><P
->An alternative to an MS Windows NT 3.x/4.0 Domain Controller
- </P
-></LI
-></OL
-></LI
-></OL
+>When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then
+the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet
+Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).</P
+></TD
+></TR
+></TABLE
></DIV
+><P
+>When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that
+disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires
+Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR).
+Use of DHCP with ADS is recommended as a further means of maintaining central control
+over client workstation network configuration.</P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1539"
->10.2. Name Resolution in a pure Unix/Linux world</A
+NAME="AEN2932"
+>17.1. Name Resolution in a pure Unix/Linux world</A
></H1
><P
>The key configuration files covered in this section are:</P
><H2
CLASS="SECT2"
><A
-NAME="AEN1555"
->10.2.1. <TT
+NAME="AEN2948"
+>17.1.1. <TT
CLASS="FILENAME"
>/etc/hosts</TT
></A
><H2
CLASS="SECT2"
><A
-NAME="AEN1571"
->10.2.2. <TT
+NAME="AEN2964"
+>17.1.2. <TT
CLASS="FILENAME"
>/etc/resolv.conf</TT
></A
><H2
CLASS="SECT2"
><A
-NAME="AEN1582"
->10.2.3. <TT
+NAME="AEN2975"
+>17.1.3. <TT
CLASS="FILENAME"
>/etc/host.conf</TT
></A
><H2
CLASS="SECT2"
><A
-NAME="AEN1590"
->10.2.4. <TT
+NAME="AEN2983"
+>17.1.4. <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
></A
><H1
CLASS="SECT1"
><A
-NAME="AEN1602"
->10.3. Name resolution as used within MS Windows networking</A
+NAME="AEN2995"
+>17.2. Name resolution as used within MS Windows networking</A
></H1
><P
>MS Windows networking is predicated about the name each machine
><H2
CLASS="SECT2"
><A
-NAME="AEN1614"
->10.3.1. The NetBIOS Name Cache</A
+NAME="AEN3007"
+>17.2.1. The NetBIOS Name Cache</A
></H2
><P
>All MS Windows machines employ an in memory buffer in which is
><H2
CLASS="SECT2"
><A
-NAME="AEN1619"
->10.3.2. The LMHOSTS file</A
+NAME="AEN3012"
+>17.2.2. The LMHOSTS file</A
></H2
><P
>This file is usually located in MS Windows NT 4.0 or
><H2
CLASS="SECT2"
><A
-NAME="AEN1627"
->10.3.3. HOSTS file</A
+NAME="AEN3020"
+>17.2.3. HOSTS file</A
></H2
><P
>This file is usually located in MS Windows NT 4.0 or 2000 in
><H2
CLASS="SECT2"
><A
-NAME="AEN1632"
->10.3.4. DNS Lookup</A
+NAME="AEN3025"
+>17.2.4. DNS Lookup</A
></H2
><P
>This capability is configured in the TCP/IP setup area in the network
><H2
CLASS="SECT2"
><A
-NAME="AEN1635"
->10.3.5. WINS Lookup</A
+NAME="AEN3028"
+>17.2.5. WINS Lookup</A
></H2
><P
>A WINS (Windows Internet Name Server) service is the equivaent of the
of the WINS server.</P
></DIV
></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1647"
->10.4. How browsing functions and how to deploy stable and
-dependable browsing using Samba</A
-></H1
-><P
->As stated above, MS Windows machines register their NetBIOS names
-(i.e.: the machine name for each service type in operation) on start
-up. Also, as stated above, the exact method by which this name registration
-takes place is determined by whether or not the MS Windows client/server
-has been given a WINS server address, whether or not LMHOSTS lookup
-is enabled, or if DNS for NetBIOS name resolution is enabled, etc.</P
-><P
->In the case where there is no WINS server all name registrations as
-well as name lookups are done by UDP broadcast. This isolates name
-resolution to the local subnet, unless LMHOSTS is used to list all
-names and IP addresses. In such situations Samba provides a means by
-which the samba server name may be forcibly injected into the browse
-list of a remote MS Windows network (using the "remote announce" parameter).</P
-><P
->Where a WINS server is used, the MS Windows client will use UDP
-unicast to register with the WINS server. Such packets can be routed
-and thus WINS allows name resolution to function across routed networks.</P
-><P
->During the startup process an election will take place to create a
-local master browser if one does not already exist. On each NetBIOS network
-one machine will be elected to function as the domain master browser. This
-domain browsing has nothing to do with MS security domain control.
-Instead, the domain master browser serves the role of contacting each local
-master browser (found by asking WINS or from LMHOSTS) and exchanging browse
-list contents. This way every master browser will eventually obtain a complete
-list of all machines that are on the network. Every 11-15 minutes an election
-is held to determine which machine will be the master browser. By the nature of
-the election criteria used, the machine with the highest uptime, or the
-most senior protocol version, or other criteria, will win the election
-as domain master browser.</P
-><P
->Clients wishing to browse the network make use of this list, but also depend
-on the availability of correct name resolution to the respective IP
-address/addresses. </P
-><P
->Any configuration that breaks name resolution and/or browsing intrinsics
-will annoy users because they will have to put up with protracted
-inability to use the network services.</P
-><P
->Samba supports a feature that allows forced synchonisation
-of browse lists across routed networks using the "remote
-browse sync" parameter in the smb.conf file. This causes Samba
-to contact the local master browser on a remote network and
-to request browse list synchronisation. This effectively bridges
-two networks that are separated by routers. The two remote
-networks may use either broadcast based name resolution or WINS
-based name resolution, but it should be noted that the "remote
-browse sync" parameter provides browse list synchronisation - and
-that is distinct from name to address resolution, in other
-words, for cross subnet browsing to function correctly it is
-essential that a name to address resolution mechanism be provided.
-This mechanism could be via DNS, <TT
-CLASS="FILENAME"
->/etc/hosts</TT
->,
-and so on.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1657"
->10.5. MS Windows security options and how to configure
-Samba for seemless integration</A
-></H1
-><P
->MS Windows clients may use encrypted passwords as part of a
-challenege/response authentication model (a.k.a. NTLMv1) or
-alone, or clear text strings for simple password based
-authentication. It should be realized that with the SMB
-protocol the password is passed over the network either
-in plain text or encrypted, but not both in the same
-authentication requets.</P
-><P
->When encrypted passwords are used a password that has been
-entered by the user is encrypted in two ways:</P
-><P
-></P
-><UL
-><LI
-><P
->An MD4 hash of the UNICODE of the password
- string. This is known as the NT hash.
- </P
-></LI
-><LI
-><P
->The password is converted to upper case,
- and then padded or trucated to 14 bytes. This string is
- then appended with 5 bytes of NULL characters and split to
- form two 56 bit DES keys to encrypt a "magic" 8 byte value.
- The resulting 16 bytes for the LanMan hash.
- </P
-></LI
-></UL
-><P
->You should refer to the <A
-HREF="ENCRYPTION.html"
-TARGET="_top"
->Password Encryption</A
-> chapter in this HOWTO collection
-for more details on the inner workings</P
-><P
->MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x
-and version 4.0 pre-service pack 3 will use either mode of
-password authentication. All versions of MS Windows that follow
-these versions no longer support plain text passwords by default.</P
-><P
->MS Windows clients have a habit of dropping network mappings that
-have been idle for 10 minutes or longer. When the user attempts to
-use the mapped drive connection that has been dropped, the client
-re-establishes the connection using
-a cached copy of the password.</P
-><P
->When Microsoft changed the default password mode, they dropped support for
-caching of the plain text password. This means that when the registry
-parameter is changed to re-enable use of plain text passwords it appears to
-work, but when a dropped mapping attempts to revalidate it will fail if
-the remote authentication server does not support encrypted passwords.
-This means that it is definitely not a good idea to re-enable plain text
-password support in such clients.</P
-><P
->The following parameters can be used to work around the
-issue of Windows 9x client upper casing usernames and
-password before transmitting them to the SMB server
-when using clear text authentication.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> <A
-HREF="smb.conf.5.html#PASSWORDLEVEL"
-TARGET="_top"
->passsword level</A
-> = <VAR
-CLASS="REPLACEABLE"
->integer</VAR
->
- <A
-HREF="smb.conf.5.html#USERNAMELEVEL"
-TARGET="_top"
->username level</A
-> = <VAR
-CLASS="REPLACEABLE"
->integer</VAR
-></PRE
-></P
-><P
->By default Samba will lower case the username before attempting
-to lookup the user in the database of local system accounts.
-Because UNIX usernames conventionally only contain lower case
-character, the <VAR
-CLASS="PARAMETER"
->username level</VAR
-> parameter
-is rarely even needed.</P
-><P
->However, password on UNIX systems often make use of mixed case
-characters. This means that in order for a user on a Windows 9x
-client to connect to a Samba server using clear text authentication,
-the <VAR
-CLASS="PARAMETER"
->password level</VAR
-> must be set to the maximum
-number of upper case letter which <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->could</I
-></SPAN
-> appear
-is a password. Note that is the server OS uses the traditional
-DES version of crypt(), then a <VAR
-CLASS="PARAMETER"
->password level</VAR
->
-of 8 will result in case insensitive passwords as seen from Windows
-users. This will also result in longer login times as Samba
-hash to compute the permutations of the password string and
-try them one by one until a match is located (or all combinations fail).</P
-><P
->The best option to adopt is to enable support for encrypted passwords
-where ever Samba is used. There are three configuration possibilities
-for support of encrypted passwords:</P
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1685"
->10.5.1. Use MS Windows NT as an authentication server</A
-></H2
-><P
->This method involves the additions of the following parameters
-in the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> encrypt passwords = Yes
- security = server
- password server = "NetBIOS_name_of_PDC"</PRE
-></P
-><P
->There are two ways of identifying whether or not a username and
-password pair was valid or not. One uses the reply information provided
-as part of the authentication messaging process, the other uses
-just and error code.</P
-><P
->The down-side of this mode of configuration is the fact that
-for security reasons Samba will send the password server a bogus
-username and a bogus password and if the remote server fails to
-reject the username and password pair then an alternative mode
-of identification of validation is used. Where a site uses password
-lock out after a certain number of failed authentication attempts
-this will result in user lockouts.</P
-><P
->Use of this mode of authentication does require there to be
-a standard Unix account for the user, this account can be blocked
-to prevent logons by other than MS Windows clients.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1693"
->10.5.2. Make Samba a member of an MS Windows NT security domain</A
-></H2
-><P
->This method involves additon of the following paramters in the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> encrypt passwords = Yes
- security = domain
- workgroup = "name of NT domain"
- password server = *</PRE
-></P
-><P
->The use of the "*" argument to "password server" will cause samba
-to locate the domain controller in a way analogous to the way
-this is done within MS Windows NT.</P
-><P
->In order for this method to work the Samba server needs to join the
-MS Windows NT security domain. This is done as follows:</P
-><P
-></P
-><UL
-><LI
-><P
->On the MS Windows NT domain controller using
- the Server Manager add a machine account for the Samba server.
- </P
-></LI
-><LI
-><P
->Next, on the Linux system execute:
- <B
-CLASS="COMMAND"
->smbpasswd -r PDC_NAME -j DOMAIN_NAME</B
->
- </P
-></LI
-></UL
-><P
->Use of this mode of authentication does require there to be
-a standard Unix account for the user in order to assign
-a uid once the account has been authenticated by the remote
-Windows DC. This account can be blocked to prevent logons by
-other than MS Windows clients by things such as setting an invalid
-shell in the <TT
-CLASS="FILENAME"
->/etc/passwd</TT
-> entry.</P
-><P
->An alternative to assigning UIDs to Windows users on a
-Samba member server is presented in the <A
-HREF="winbind.html"
-TARGET="_top"
->Winbind Overview</A
-> chapter in
-this HOWTO collection.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1710"
->10.5.3. Configure Samba as an authentication server</A
-></H2
-><P
->This mode of authentication demands that there be on the
-Unix/Linux system both a Unix style account as well as an
-smbpasswd entry for the user. The Unix system account can be
-locked if required as only the encrypted password will be
-used for SMB client authentication.</P
-><P
->This method involves addition of the following parameters to
-the smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->## please refer to the Samba PDC HOWTO chapter later in
-## this collection for more details
-[global]
- encrypt passwords = Yes
- security = user
- domain logons = Yes
- ; an OS level of 33 or more is recommended
- os level = 33
-
-[NETLOGON]
- path = /somewhare/in/file/system
- read only = yes</PRE
-></P
-><P
->in order for this method to work a Unix system account needs
-to be created for each user, as well as for each MS Windows NT/2000
-machine. The following structure is required.</P
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1717"
->10.5.3.1. Users</A
-></H3
-><P
->A user account that may provide a home directory should be
-created. The following Linux system commands are typical of
-the procedure for creating an account.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # useradd -s /bin/bash -d /home/"userid" -m "userid"
- # passwd "userid"
- Enter Password: <pw>
-
- # smbpasswd -a "userid"
- Enter Password: <pw></PRE
-></P
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1722"
->10.5.3.2. MS Windows NT Machine Accounts</A
-></H3
-><P
->These are required only when Samba is used as a domain
-controller. Refer to the Samba-PDC-HOWTO for more details.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
-> # useradd -s /bin/false -d /dev/null "machine_name"\$
- # passwd -l "machine_name"\$
- # smbpasswd -a -m "machine_name"</PRE
-></P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1727"
->10.6. Conclusions</A
-></H1
-><P
->Samba provides a flexible means to operate as...</P
-><P
-></P
-><UL
-><LI
-><P
->A Stand-alone server - No special action is needed
- other than to create user accounts. Stand-alone servers do NOT
- provide network logon services, meaning that machines that use this
- server do NOT perform a domain logon but instead make use only of
- the MS Windows logon which is local to the MS Windows
- workstation/server.
- </P
-></LI
-><LI
-><P
->An MS Windows NT 3.x/4.0 security domain member.
- </P
-></LI
-><LI
-><P
->An alternative to an MS Windows NT 3.x/4.0
- Domain Controller.
- </P
-></LI
-></UL
-></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
ALIGN="left"
VALIGN="top"
><A
-HREF="optional.html"
+HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="unix-permissions.html"
+HREF="improved-browsing.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Optional configuration</TD
+>Unified Logons between Windows NT and UNIX using Winbind</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->UNIX Permission Bits and Windows NT Access Control Lists</TD
+>Improved browsing in samba</TD
></TR
></TABLE
></DIV
><DT
>2.2. <A
HREF="browsing-quick.html#AEN139"
->Use of the "Remote Announce" parameter</A
+>How browsing functions and how to deploy stable and
+dependable browsing using Samba</A
></DT
><DT
>2.3. <A
-HREF="browsing-quick.html#AEN153"
->Use of the "Remote Browse Sync" parameter</A
+HREF="browsing-quick.html#AEN149"
+>Use of the "Remote Announce" parameter</A
></DT
><DT
>2.4. <A
-HREF="browsing-quick.html#AEN158"
->Use of WINS</A
+HREF="browsing-quick.html#AEN163"
+>Use of the "Remote Browse Sync" parameter</A
></DT
><DT
>2.5. <A
-HREF="browsing-quick.html#AEN169"
->Do NOT use more than one (1) protocol on MS Windows machines</A
+HREF="browsing-quick.html#AEN168"
+>Use of WINS</A
></DT
><DT
>2.6. <A
-HREF="browsing-quick.html#AEN177"
+HREF="browsing-quick.html#AEN179"
+>Do NOT use more than one (1) protocol on MS Windows machines</A
+></DT
+><DT
+>2.7. <A
+HREF="browsing-quick.html#AEN187"
>Name Resolution Order</A
></DT
></DL
><DL
><DT
>3.1. <A
-HREF="passdb.html#AEN234"
+HREF="passdb.html#AEN244"
>Introduction</A
></DT
><DT
>3.2. <A
-HREF="passdb.html#AEN241"
+HREF="passdb.html#AEN251"
>Important Notes About Security</A
></DT
><DD
><DL
><DT
>3.2.1. <A
-HREF="passdb.html#AEN267"
+HREF="passdb.html#AEN277"
>Advantages of SMB Encryption</A
></DT
><DT
>3.2.2. <A
-HREF="passdb.html#AEN273"
+HREF="passdb.html#AEN283"
>Advantages of non-encrypted passwords</A
></DT
></DL
></DD
><DT
>3.3. <A
-HREF="passdb.html#AEN279"
+HREF="passdb.html#AEN289"
>The smbpasswd Command</A
></DT
><DT
>3.4. <A
-HREF="passdb.html#AEN310"
+HREF="passdb.html#AEN320"
>Plain text</A
></DT
><DT
>3.5. <A
-HREF="passdb.html#AEN315"
+HREF="passdb.html#AEN325"
>TDB</A
></DT
><DT
>3.6. <A
-HREF="passdb.html#AEN318"
+HREF="passdb.html#AEN328"
>LDAP</A
></DT
><DD
><DL
><DT
>3.6.1. <A
-HREF="passdb.html#AEN320"
+HREF="passdb.html#AEN330"
>Introduction</A
></DT
><DT
>3.6.2. <A
-HREF="passdb.html#AEN340"
+HREF="passdb.html#AEN350"
>Introduction</A
></DT
><DT
>3.6.3. <A
-HREF="passdb.html#AEN369"
+HREF="passdb.html#AEN379"
>Supported LDAP Servers</A
></DT
><DT
>3.6.4. <A
-HREF="passdb.html#AEN374"
+HREF="passdb.html#AEN384"
>Schema and Relationship to the RFC 2307 posixAccount</A
></DT
><DT
>3.6.5. <A
-HREF="passdb.html#AEN386"
+HREF="passdb.html#AEN396"
>Configuring Samba with LDAP</A
></DT
><DT
>3.6.6. <A
-HREF="passdb.html#AEN433"
+HREF="passdb.html#AEN443"
>Accounts and Groups management</A
></DT
><DT
>3.6.7. <A
-HREF="passdb.html#AEN438"
+HREF="passdb.html#AEN448"
>Security and sambaAccount</A
></DT
><DT
>3.6.8. <A
-HREF="passdb.html#AEN458"
+HREF="passdb.html#AEN468"
>LDAP specials attributes for sambaAccounts</A
></DT
><DT
>3.6.9. <A
-HREF="passdb.html#AEN528"
+HREF="passdb.html#AEN538"
>Example LDIF Entries for a sambaAccount</A
></DT
></DL
></DD
><DT
>3.7. <A
-HREF="passdb.html#AEN536"
+HREF="passdb.html#AEN546"
>MySQL</A
></DT
><DD
><DL
><DT
>3.7.1. <A
-HREF="passdb.html#AEN538"
+HREF="passdb.html#AEN548"
>Building</A
></DT
><DT
>3.7.2. <A
-HREF="passdb.html#AEN544"
+HREF="passdb.html#AEN554"
>Creating the database</A
></DT
><DT
>3.7.3. <A
-HREF="passdb.html#AEN554"
+HREF="passdb.html#AEN564"
>Configuring</A
></DT
><DT
>3.7.4. <A
-HREF="passdb.html#AEN571"
+HREF="passdb.html#AEN581"
>Using plaintext passwords or encrypted password</A
></DT
><DT
>3.7.5. <A
-HREF="passdb.html#AEN576"
+HREF="passdb.html#AEN586"
>Getting non-column data from the table</A
></DT
></DL
></DD
><DT
>3.8. <A
-HREF="passdb.html#AEN584"
+HREF="passdb.html#AEN594"
>Passdb XML plugin</A
></DT
><DD
><DL
><DT
>3.8.1. <A
-HREF="passdb.html#AEN586"
+HREF="passdb.html#AEN596"
>Building</A
></DT
><DT
>3.8.2. <A
-HREF="passdb.html#AEN592"
+HREF="passdb.html#AEN602"
>Usage</A
></DT
></DL
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Configuring PAM for distributed but centrally
-managed authentication"
-HREF="pam.html"><LINK
+TITLE="Improved browsing in samba"
+HREF="improved-browsing.html"><LINK
REL="NEXT"
-TITLE="Printing Support"
-HREF="printing.html"></HEAD
+TITLE="Stackable VFS modules"
+HREF="vfs.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="pam.html"
+HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="printing.html"
+HREF="vfs.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="MSDFS"
></A
->Chapter 13. Hosting a Microsoft Distributed File System tree on Samba</H1
+>Chapter 19. Hosting a Microsoft Distributed File System tree on Samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1997"
->13.1. Instructions</A
+NAME="AEN3200"
+>19.1. Instructions</A
></H1
><P
>The Distributed File System (or Dfs) provides a means of
><H2
CLASS="SECT2"
><A
-NAME="AEN2032"
->13.1.1. Notes</A
+NAME="AEN3235"
+>19.1.1. Notes</A
></H2
><P
></P
ALIGN="left"
VALIGN="top"
><A
-HREF="pam.html"
+HREF="improved-browsing.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="printing.html"
+HREF="vfs.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Configuring PAM for distributed but centrally
-managed authentication</TD
+>Improved browsing in samba</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Printing Support</TD
+>Stackable VFS modules</TD
></TR
></TABLE
></DIV
<HTML
><HEAD
><TITLE
->Optional configuration</TITLE
+>Advanced Configuration</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
TITLE="Samba as a NT4 or Win2k domain member"
HREF="domain-security.html"><LINK
REL="NEXT"
-TITLE="Integrating MS Windows networks with Samba"
-HREF="integrate-ms-networks.html"></HEAD
+TITLE="System Policies"
+HREF="advancednetworkmanagement.html"></HEAD
><BODY
CLASS="PART"
BGCOLOR="#FFFFFF"
ALIGN="right"
VALIGN="bottom"
><A
-HREF="integrate-ms-networks.html"
+HREF="advancednetworkmanagement.html"
ACCESSKEY="N"
>Next</A
></TD
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
->III. Optional configuration</H1
+>III. Advanced Configuration</H1
><DIV
CLASS="PARTINTRO"
><A
-NAME="AEN1503"
+NAME="AEN1387"
></A
><H1
>Introduction</H1
></DT
><DT
>10. <A
-HREF="integrate-ms-networks.html"
->Integrating MS Windows networks with Samba</A
+HREF="advancednetworkmanagement.html"
+>System Policies</A
></DT
><DD
><DL
><DT
>10.1. <A
-HREF="integrate-ms-networks.html#AEN1517"
->Agenda</A
-></DT
-><DT
->10.2. <A
-HREF="integrate-ms-networks.html#AEN1539"
->Name Resolution in a pure Unix/Linux world</A
+HREF="advancednetworkmanagement.html#AEN1401"
+>Basic System Policy Info</A
></DT
><DD
><DL
><DT
->10.2.1. <A
-HREF="integrate-ms-networks.html#AEN1555"
-><TT
-CLASS="FILENAME"
->/etc/hosts</TT
-></A
-></DT
-><DT
->10.2.2. <A
-HREF="integrate-ms-networks.html#AEN1571"
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></A
-></DT
-><DT
->10.2.3. <A
-HREF="integrate-ms-networks.html#AEN1582"
-><TT
-CLASS="FILENAME"
->/etc/host.conf</TT
-></A
-></DT
-><DT
->10.2.4. <A
-HREF="integrate-ms-networks.html#AEN1590"
-><TT
-CLASS="FILENAME"
->/etc/nsswitch.conf</TT
-></A
+>10.1.1. <A
+HREF="advancednetworkmanagement.html#AEN1445"
+>Creating Group Prolicy Files</A
></DT
></DL
></DD
><DT
-HREF="integrate-ms-networks.html#AEN1602"
->Name resolution as used within MS Windows networking</A
+HREF="advancednetworkmanagement.html#AEN1456"
+>Roaming Profiles</A
></DT
><DD
><DL
><DT
->10.3.1. <A
-HREF="integrate-ms-networks.html#AEN1614"
->The NetBIOS Name Cache</A
-></DT
-><DT
->10.3.2. <A
-HREF="integrate-ms-networks.html#AEN1619"
->The LMHOSTS file</A
+>10.2.1. <A
+HREF="advancednetworkmanagement.html#AEN1464"
+>Windows NT Configuration</A
></DT
><DT
-HREF="integrate-ms-networks.html#AEN1627"
->HOSTS file</A
+HREF="advancednetworkmanagement.html#AEN1473"
+>Windows 9X Configuration</A
></DT
><DT
-HREF="integrate-ms-networks.html#AEN1632"
->DNS Lookup</A
+HREF="advancednetworkmanagement.html#AEN1481"
+>Win9X and WinNT Configuration</A
></DT
><DT
-HREF="integrate-ms-networks.html#AEN1635"
->WINS Lookup</A
+HREF="advancednetworkmanagement.html#AEN1488"
+>Windows 9X Profile Setup</A
></DT
-></DL
-></DD
><DT
->10.4. <A
-HREF="integrate-ms-networks.html#AEN1647"
->How browsing functions and how to deploy stable and
-dependable browsing using Samba</A
+>10.2.5. <A
+HREF="advancednetworkmanagement.html#AEN1524"
+>Windows NT Workstation 4.0</A
></DT
><DT
->10.5. <A
-HREF="integrate-ms-networks.html#AEN1657"
->MS Windows security options and how to configure
-Samba for seemless integration</A
+>10.2.6. <A
+HREF="advancednetworkmanagement.html#AEN1532"
+>Windows NT/200x Server</A
></DT
-><DD
-><DL
><DT
-HREF="integrate-ms-networks.html#AEN1685"
->Use MS Windows NT as an authentication server</A
+HREF="advancednetworkmanagement.html#AEN1535"
+>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A
></DT
><DT
-HREF="integrate-ms-networks.html#AEN1693"
->Make Samba a member of an MS Windows NT security domain</A
+HREF="advancednetworkmanagement.html#AEN1542"
+>Windows NT 4</A
></DT
><DT
-HREF="integrate-ms-networks.html#AEN1710"
->Configure Samba as an authentication server</A
+HREF="advancednetworkmanagement.html#AEN1580"
+>Windows 2000/XP</A
></DT
></DL
></DD
-><DT
->10.6. <A
-HREF="integrate-ms-networks.html#AEN1727"
->Conclusions</A
-></DT
></DL
></DD
><DT
><DL
><DT
>11.1. <A
-HREF="unix-permissions.html#AEN1748"
+HREF="unix-permissions.html#AEN1663"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>11.2. <A
-HREF="unix-permissions.html#AEN1752"
+HREF="unix-permissions.html#AEN1667"
>How to view file security on a Samba share</A
></DT
><DT
>11.3. <A
-HREF="unix-permissions.html#AEN1763"
+HREF="unix-permissions.html#AEN1678"
>Viewing file ownership</A
></DT
><DT
>11.4. <A
-HREF="unix-permissions.html#AEN1783"
+HREF="unix-permissions.html#AEN1698"
>Viewing file or directory permissions</A
></DT
><DD
><DL
><DT
>11.4.1. <A
-HREF="unix-permissions.html#AEN1798"
+HREF="unix-permissions.html#AEN1713"
>File Permissions</A
></DT
><DT
>11.4.2. <A
-HREF="unix-permissions.html#AEN1812"
+HREF="unix-permissions.html#AEN1727"
>Directory Permissions</A
></DT
></DL
></DD
><DT
>11.5. <A
-HREF="unix-permissions.html#AEN1819"
+HREF="unix-permissions.html#AEN1734"
>Modifying file or directory permissions</A
></DT
><DT
>11.6. <A
-HREF="unix-permissions.html#AEN1841"
+HREF="unix-permissions.html#AEN1756"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>11.7. <A
-HREF="unix-permissions.html#AEN1905"
+HREF="unix-permissions.html#AEN1810"
>Interaction with the standard Samba file attribute
mapping</A
></DT
></DD
><DT
>12. <A
+HREF="groupmapping.html"
+>Group mapping HOWTO</A
+></DT
+><DT
+>13. <A
HREF="pam.html"
>Configuring PAM for distributed but centrally
managed authentication</A
><DD
><DL
><DT
-HREF="pam.html#AEN1926"
+HREF="pam.html#AEN1866"
>Samba and PAM</A
></DT
><DT
-HREF="pam.html#AEN1970"
+HREF="pam.html#AEN1915"
>Distributed Authentication</A
></DT
><DT
-HREF="pam.html#AEN1977"
+HREF="pam.html#AEN1920"
>PAM Configuration in smb.conf</A
></DT
></DL
></DD
><DT
->13. <A
-HREF="msdfs.html"
->Hosting a Microsoft Distributed File System tree on Samba</A
-></DT
-><DD
-><DL
-><DT
->13.1. <A
-HREF="msdfs.html#AEN1997"
->Instructions</A
-></DT
-><DD
-><DL
-><DT
->13.1.1. <A
-HREF="msdfs.html#AEN2032"
->Notes</A
-></DT
-></DL
-></DD
-></DL
-></DD
-><DT
>14. <A
HREF="printing.html"
>Printing Support</A
><DL
><DT
>14.1. <A
-HREF="printing.html#AEN2058"
+HREF="printing.html#AEN1946"
>Introduction</A
></DT
><DT
>14.2. <A
-HREF="printing.html#AEN2080"
+HREF="printing.html#AEN1968"
>Configuration</A
></DT
><DD
><DL
><DT
>14.2.1. <A
-HREF="printing.html#AEN2088"
+HREF="printing.html#AEN1976"
>Creating [print$]</A
></DT
><DT
>14.2.2. <A
-HREF="printing.html#AEN2123"
+HREF="printing.html#AEN2011"
>Setting Drivers for Existing Printers</A
></DT
><DT
>14.2.3. <A
-HREF="printing.html#AEN2139"
+HREF="printing.html#AEN2027"
>Support a large number of printers</A
></DT
><DT
>14.2.4. <A
-HREF="printing.html#AEN2150"
+HREF="printing.html#AEN2038"
>Adding New Printers via the Windows NT APW</A
></DT
><DT
>14.2.5. <A
-HREF="printing.html#AEN2180"
+HREF="printing.html#AEN2068"
>Samba and Printer Ports</A
></DT
></DL
></DD
><DT
>14.3. <A
-HREF="printing.html#AEN2188"
+HREF="printing.html#AEN2076"
>The Imprints Toolset</A
></DT
><DD
><DL
><DT
>14.3.1. <A
-HREF="printing.html#AEN2192"
+HREF="printing.html#AEN2080"
>What is Imprints?</A
></DT
><DT
>14.3.2. <A
-HREF="printing.html#AEN2202"
+HREF="printing.html#AEN2090"
>Creating Printer Driver Packages</A
></DT
><DT
>14.3.3. <A
-HREF="printing.html#AEN2205"
+HREF="printing.html#AEN2093"
>The Imprints server</A
></DT
><DT
>14.3.4. <A
-HREF="printing.html#AEN2209"
+HREF="printing.html#AEN2097"
>The Installation Client</A
></DT
></DL
></DD
><DT
>14.4. <A
-HREF="printing.html#AEN2231"
+HREF="printing.html#AEN2119"
>Diagnosis</A
></DT
><DD
><DL
><DT
>14.4.1. <A
-HREF="printing.html#AEN2233"
+HREF="printing.html#AEN2121"
>Introduction</A
></DT
><DT
>14.4.2. <A
-HREF="printing.html#AEN2249"
+HREF="printing.html#AEN2137"
>Debugging printer problems</A
></DT
><DT
>14.4.3. <A
-HREF="printing.html#AEN2258"
+HREF="printing.html#AEN2146"
>What printers do I have?</A
></DT
><DT
>14.4.4. <A
-HREF="printing.html#AEN2266"
+HREF="printing.html#AEN2154"
>Setting up printcap and print servers</A
></DT
><DT
>14.4.5. <A
-HREF="printing.html#AEN2294"
+HREF="printing.html#AEN2182"
>Job sent, no output</A
></DT
><DT
>14.4.6. <A
-HREF="printing.html#AEN2305"
+HREF="printing.html#AEN2193"
>Job sent, strange output</A
></DT
><DT
>14.4.7. <A
-HREF="printing.html#AEN2317"
+HREF="printing.html#AEN2205"
>Raw PostScript printed</A
></DT
><DT
>14.4.8. <A
-HREF="printing.html#AEN2320"
+HREF="printing.html#AEN2208"
>Advanced Printing</A
></DT
><DT
>14.4.9. <A
-HREF="printing.html#AEN2323"
+HREF="printing.html#AEN2211"
>Real debugging</A
></DT
></DL
><DL
><DT
>15.1. <A
-HREF="cups-printing.html#AEN2343"
+HREF="cups-printing.html#AEN2231"
>Introduction</A
></DT
><DT
>15.2. <A
-HREF="cups-printing.html#AEN2348"
+HREF="cups-printing.html#AEN2236"
>CUPS - RAW Print Through Mode</A
></DT
><DT
>15.3. <A
-HREF="cups-printing.html#AEN2403"
+HREF="cups-printing.html#AEN2291"
>The CUPS Filter Chains</A
></DT
><DT
>15.4. <A
-HREF="cups-printing.html#AEN2442"
+HREF="cups-printing.html#AEN2330"
>CUPS Print Drivers and Devices</A
></DT
><DD
><DL
><DT
>15.4.1. <A
-HREF="cups-printing.html#AEN2449"
+HREF="cups-printing.html#AEN2337"
>Further printing steps</A
></DT
></DL
></DD
><DT
>15.5. <A
-HREF="cups-printing.html#AEN2519"
+HREF="cups-printing.html#AEN2407"
>Limiting the number of pages users can print</A
></DT
><DT
>15.6. <A
-HREF="cups-printing.html#AEN2608"
+HREF="cups-printing.html#AEN2496"
>Advanced Postscript Printing from MS Windows</A
></DT
><DT
>15.7. <A
-HREF="cups-printing.html#AEN2623"
+HREF="cups-printing.html#AEN2511"
>Auto-Deletion of CUPS spool files</A
></DT
></DL
><DL
><DT
>16.1. <A
-HREF="winbind.html#AEN2685"
+HREF="winbind.html#AEN2573"
>Abstract</A
></DT
><DT
>16.2. <A
-HREF="winbind.html#AEN2689"
+HREF="winbind.html#AEN2577"
>Introduction</A
></DT
><DT
>16.3. <A
-HREF="winbind.html#AEN2702"
+HREF="winbind.html#AEN2590"
>What Winbind Provides</A
></DT
><DD
><DL
><DT
>16.3.1. <A
-HREF="winbind.html#AEN2709"
+HREF="winbind.html#AEN2597"
>Target Uses</A
></DT
></DL
></DD
><DT
>16.4. <A
-HREF="winbind.html#AEN2713"
+HREF="winbind.html#AEN2601"
>How Winbind Works</A
></DT
><DD
><DL
><DT
>16.4.1. <A
-HREF="winbind.html#AEN2718"
+HREF="winbind.html#AEN2606"
>Microsoft Remote Procedure Calls</A
></DT
><DT
>16.4.2. <A
-HREF="winbind.html#AEN2722"
+HREF="winbind.html#AEN2610"
>Microsoft Active Directory Services</A
></DT
><DT
>16.4.3. <A
-HREF="winbind.html#AEN2725"
+HREF="winbind.html#AEN2613"
>Name Service Switch</A
></DT
><DT
>16.4.4. <A
-HREF="winbind.html#AEN2741"
+HREF="winbind.html#AEN2629"
>Pluggable Authentication Modules</A
></DT
><DT
>16.4.5. <A
-HREF="winbind.html#AEN2749"
+HREF="winbind.html#AEN2637"
>User and Group ID Allocation</A
></DT
><DT
>16.4.6. <A
-HREF="winbind.html#AEN2753"
+HREF="winbind.html#AEN2641"
>Result Caching</A
></DT
></DL
></DD
><DT
>16.5. <A
-HREF="winbind.html#AEN2756"
+HREF="winbind.html#AEN2644"
>Installation and Configuration</A
></DT
><DD
><DL
><DT
>16.5.1. <A
-HREF="winbind.html#AEN2761"
+HREF="winbind.html#AEN2649"
>Introduction</A
></DT
><DT
>16.5.2. <A
-HREF="winbind.html#AEN2774"
+HREF="winbind.html#AEN2662"
>Requirements</A
></DT
><DT
>16.5.3. <A
-HREF="winbind.html#AEN2788"
+HREF="winbind.html#AEN2676"
>Testing Things Out</A
></DT
></DL
></DD
><DT
>16.6. <A
-HREF="winbind.html#AEN3013"
+HREF="winbind.html#AEN2901"
>Limitations</A
></DT
><DT
>16.7. <A
-HREF="winbind.html#AEN3023"
+HREF="winbind.html#AEN2911"
>Conclusion</A
></DT
></DL
></DD
><DT
>17. <A
-HREF="improved-browsing.html"
->Improved browsing in samba</A
+HREF="integrate-ms-networks.html"
+>Integrating MS Windows networks with Samba</A
></DT
><DD
><DL
><DT
>17.1. <A
-HREF="improved-browsing.html#AEN3033"
->Overview of browsing</A
+HREF="integrate-ms-networks.html#AEN2932"
+>Name Resolution in a pure Unix/Linux world</A
></DT
+><DD
+><DL
><DT
->17.2. <A
-HREF="improved-browsing.html#AEN3038"
->Browsing support in samba</A
+>17.1.1. <A
+HREF="integrate-ms-networks.html#AEN2948"
+><TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+></A
></DT
><DT
->17.3. <A
-HREF="improved-browsing.html#AEN3046"
->Problem resolution</A
+>17.1.2. <A
+HREF="integrate-ms-networks.html#AEN2964"
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></A
></DT
><DT
->17.4. <A
-HREF="improved-browsing.html#AEN3055"
->Browsing across subnets</A
+>17.1.3. <A
+HREF="integrate-ms-networks.html#AEN2975"
+><TT
+CLASS="FILENAME"
+>/etc/host.conf</TT
+></A
></DT
-><DD
-><DL
><DT
->17.4.1. <A
-HREF="improved-browsing.html#AEN3060"
->How does cross subnet browsing work ?</A
+>17.1.4. <A
+HREF="integrate-ms-networks.html#AEN2983"
+><TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+></A
></DT
></DL
></DD
><DT
->17.5. <A
-HREF="improved-browsing.html#AEN3095"
->Setting up a WINS server</A
-></DT
-><DT
->17.6. <A
-HREF="improved-browsing.html#AEN3114"
->Setting up Browsing in a WORKGROUP</A
+>17.2. <A
+HREF="integrate-ms-networks.html#AEN2995"
+>Name resolution as used within MS Windows networking</A
></DT
+><DD
+><DL
><DT
-HREF="improved-browsing.html#AEN3132"
->Setting up Browsing in a DOMAIN</A
+HREF="integrate-ms-networks.html#AEN3007"
+>The NetBIOS Name Cache</A
></DT
><DT
-HREF="improved-browsing.html#AEN3142"
->Forcing samba to be the master</A
+HREF="integrate-ms-networks.html#AEN3012"
+>The LMHOSTS file</A
></DT
><DT
-HREF="improved-browsing.html#AEN3151"
->Making samba the domain master</A
+HREF="integrate-ms-networks.html#AEN3020"
+>HOSTS file</A
></DT
><DT
-HREF="improved-browsing.html#AEN3169"
->Note about broadcast addresses</A
+HREF="integrate-ms-networks.html#AEN3025"
+>DNS Lookup</A
></DT
><DT
-HREF="improved-browsing.html#AEN3172"
->Multiple interfaces</A
+HREF="integrate-ms-networks.html#AEN3028"
+>WINS Lookup</A
></DT
></DL
></DD
+></DL
+></DD
><DT
>18. <A
-HREF="vfs.html"
->Stackable VFS modules</A
+HREF="improved-browsing.html"
+>Improved browsing in samba</A
></DT
><DD
><DL
><DT
>18.1. <A
-HREF="vfs.html#AEN3190"
->Introduction and configuration</A
+HREF="improved-browsing.html#AEN3047"
+>Overview of browsing</A
></DT
><DT
>18.2. <A
-HREF="vfs.html#AEN3199"
->Included modules</A
-></DT
-><DD
-><DL
-><DT
->18.2.1. <A
-HREF="vfs.html#AEN3201"
->audit</A
-></DT
-><DT
->18.2.2. <A
-HREF="vfs.html#AEN3209"
->recycle</A
+HREF="improved-browsing.html#AEN3052"
+>Browsing support in samba</A
></DT
><DT
-HREF="vfs.html#AEN3246"
->netatalk</A
+>18.3. <A
+HREF="improved-browsing.html#AEN3060"
+>Problem resolution</A
></DT
-></DL
-></DD
><DT
-HREF="vfs.html#AEN3253"
->VFS modules available elsewhere</A
+HREF="improved-browsing.html#AEN3069"
+>Browsing across subnets</A
></DT
><DD
><DL
><DT
->18.3.1. <A
-HREF="vfs.html#AEN3257"
->DatabaseFS</A
-></DT
-><DT
->18.3.2. <A
-HREF="vfs.html#AEN3265"
->vscan</A
+>18.4.1. <A
+HREF="improved-browsing.html#AEN3074"
+>How does cross subnet browsing work ?</A
></DT
></DL
></DD
-></DL
-></DD
-><DT
->19. <A
-HREF="groupmapping.html"
->Group mapping HOWTO</A
-></DT
><DT
->20. <A
-HREF="speed.html"
->Samba performance issues</A
-></DT
-><DD
-><DL
-><DT
->20.1. <A
-HREF="speed.html#AEN3320"
->Comparisons</A
+>18.5. <A
+HREF="improved-browsing.html#AEN3109"
+>Setting up a WINS server</A
></DT
><DT
-HREF="speed.html#AEN3326"
->Socket options</A
+HREF="improved-browsing.html#AEN3128"
+>Setting up Browsing in a WORKGROUP</A
></DT
><DT
-HREF="speed.html#AEN3333"
->Read size</A
+HREF="improved-browsing.html#AEN3146"
+>Setting up Browsing in a DOMAIN</A
></DT
><DT
-HREF="speed.html#AEN3338"
->Max xmit</A
+HREF="improved-browsing.html#AEN3156"
+>Forcing samba to be the master</A
></DT
><DT
-HREF="speed.html#AEN3343"
->Log level</A
+HREF="improved-browsing.html#AEN3165"
+>Making samba the domain master</A
></DT
><DT
-HREF="speed.html#AEN3346"
->Read raw</A
+HREF="improved-browsing.html#AEN3183"
+>Note about broadcast addresses</A
></DT
><DT
-HREF="speed.html#AEN3351"
->Write raw</A
+HREF="improved-browsing.html#AEN3186"
+>Multiple interfaces</A
></DT
+></DL
+></DD
><DT
-HREF="speed.html#AEN3355"
->Slow Clients</A
+HREF="msdfs.html"
+>Hosting a Microsoft Distributed File System tree on Samba</A
></DT
+><DD
+><DL
><DT
-HREF="speed.html#AEN3359"
->Slow Logins</A
+HREF="msdfs.html#AEN3200"
+>Instructions</A
></DT
+><DD
+><DL
><DT
-HREF="speed.html#AEN3362"
->Client tuning</A
+HREF="msdfs.html#AEN3235"
+>Notes</A
></DT
></DL
></DD
+></DL
+></DD
><DT
-HREF="groupprofiles.html"
->Creating Group Prolicy Files</A
+HREF="vfs.html"
+>Stackable VFS modules</A
></DT
><DD
><DL
><DT
-HREF="groupprofiles.html#AEN3410"
->Windows '9x</A
+HREF="vfs.html#AEN3259"
+>Introduction and configuration</A
></DT
><DT
-HREF="groupprofiles.html#AEN3420"
->Windows NT 4</A
+HREF="vfs.html#AEN3268"
+>Included modules</A
></DT
><DD
><DL
><DT
->21.2.1. <A
-HREF="groupprofiles.html#AEN3443"
->Side bar Notes</A
-></DT
-><DT
->21.2.2. <A
-HREF="groupprofiles.html#AEN3447"
->Mandatory profiles</A
+>20.2.1. <A
+HREF="vfs.html#AEN3270"
+>audit</A
></DT
><DT
-HREF="groupprofiles.html#AEN3450"
->moveuser.exe</A
+HREF="vfs.html#AEN3278"
+>recycle</A
></DT
><DT
-HREF="groupprofiles.html#AEN3453"
->Get SID</A
+HREF="vfs.html#AEN3315"
+>netatalk</A
></DT
></DL
></DD
><DT
->21.3. <A
-HREF="groupprofiles.html#AEN3458"
->Windows 2000/XP</A
+>20.3. <A
+HREF="vfs.html#AEN3322"
+>VFS modules available elsewhere</A
+></DT
+><DD
+><DL
+><DT
+>20.3.1. <A
+HREF="vfs.html#AEN3326"
+>DatabaseFS</A
+></DT
+><DT
+>20.3.2. <A
+HREF="vfs.html#AEN3334"
+>vscan</A
></DT
></DL
></DD
+></DL
+></DD
><DT
HREF="securing-samba.html"
>Securing Samba</A
></DT
><DD
><DL
><DT
-HREF="securing-samba.html#AEN3539"
+HREF="securing-samba.html#AEN3348"
>Introduction</A
></DT
><DT
-HREF="securing-samba.html#AEN3542"
+HREF="securing-samba.html#AEN3351"
>Using host based protection</A
></DT
><DT
-HREF="securing-samba.html#AEN3549"
+HREF="securing-samba.html#AEN3358"
>Using interface protection</A
></DT
><DT
-HREF="securing-samba.html#AEN3558"
+HREF="securing-samba.html#AEN3367"
>Using a firewall</A
></DT
><DT
-HREF="securing-samba.html#AEN3565"
+HREF="securing-samba.html#AEN3374"
>Using a IPC$ share deny</A
></DT
><DT
-HREF="securing-samba.html#AEN3574"
+HREF="securing-samba.html#AEN3383"
>Upgrading Samba</A
></DT
></DL
></DD
><DT
HREF="unicode.html"
>Unicode/Charsets</A
></DT
><DD
><DL
><DT
-HREF="unicode.html#AEN3588"
+HREF="unicode.html#AEN3397"
>What are charsets and unicode?</A
></DT
><DT
-HREF="unicode.html#AEN3597"
+HREF="unicode.html#AEN3406"
>Samba and charsets</A
></DT
></DL
ALIGN="right"
VALIGN="top"
><A
-HREF="integrate-ms-networks.html"
+HREF="advancednetworkmanagement.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Integrating MS Windows networks with Samba</TD
+>System Policies</TD
></TR
></TABLE
></DIV
><H1
CLASS="SECT1"
><A
-NAME="AEN3691"
+NAME="AEN3590"
>25.1. Macintosh clients?</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3700"
+NAME="AEN3599"
>25.2. OS2 Client</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN3702"
+NAME="AEN3601"
>25.2.1. How can I configure OS/2 Warp Connect or
OS/2 Warp 4 as a client for Samba?</A
></H2
><H2
CLASS="SECT2"
><A
-NAME="AEN3717"
+NAME="AEN3616"
>25.2.2. How can I configure OS/2 Warp 3 (not Connect),
OS/2 1.2, 1.3 or 2.x for Samba?</A
></H2
><H2
CLASS="SECT2"
><A
-NAME="AEN3726"
+NAME="AEN3625"
>25.2.3. Are there any other issues when OS/2 (any version)
is used as a client?</A
></H2
><H2
CLASS="SECT2"
><A
-NAME="AEN3730"
+NAME="AEN3629"
>25.2.4. How do I get printer driver download working
for OS/2 clients?</A
></H2
><H1
CLASS="SECT1"
><A
-NAME="AEN3740"
+NAME="AEN3639"
>25.3. Windows for Workgroups</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN3742"
+NAME="AEN3641"
>25.3.1. Use latest TCP/IP stack from Microsoft</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3747"
+NAME="AEN3646"
>25.3.2. Delete .pwl files after password change</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3752"
+NAME="AEN3651"
>25.3.3. Configure WfW password handling</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3756"
+NAME="AEN3655"
>25.3.4. Case handling of passwords</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN3761"
+NAME="AEN3660"
>25.3.5. Use TCP/IP as default protocol</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3764"
+NAME="AEN3663"
>25.4. Windows '95/'98</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3780"
+NAME="AEN3679"
>25.5. Windows 2000 Service Pack 2</A
></H1
><P
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="UNIX Permission Bits and Windows NT Access Control Lists"
-HREF="unix-permissions.html"><LINK
+TITLE="Group mapping HOWTO"
+HREF="groupmapping.html"><LINK
REL="NEXT"
-TITLE="Hosting a Microsoft Distributed File System tree on Samba"
-HREF="msdfs.html"></HEAD
+TITLE="Printing Support"
+HREF="printing.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="unix-permissions.html"
+HREF="groupmapping.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="msdfs.html"
+HREF="printing.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="PAM"
></A
->Chapter 12. Configuring PAM for distributed but centrally
+>Chapter 13. Configuring PAM for distributed but centrally
managed authentication</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1926"
->12.1. Samba and PAM</A
+NAME="AEN1866"
+>13.1. Samba and PAM</A
></H1
><P
>A number of Unix systems (eg: Sun Solaris), as well as the
CLASS="FILENAME"
>/etc/pam.d</TT
>.</P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+> If the PAM authentication module (loadable link library file) is located in the
+ default location then it is not necessary to specify the path. In the case of
+ Linux, the default location is <TT
+CLASS="FILENAME"
+>/lib/security</TT
+>. If the module
+ is located other than default then the path may be specified as:
+
+ <PRE
+CLASS="PROGRAMLISTING"
+> eg: "auth required /other_path/pam_strange_module.so"
+ </PRE
+>
+ </P
+></TD
+></TR
+></TABLE
+></DIV
><P
>The following is an example <TT
CLASS="FILENAME"
><P
><PRE
CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_securetty.so
-auth required pam_nologin.so
-# auth required pam_dialup.so
-# auth optional pam_mail.so
-auth required pam_pwdb.so shadow md5
-# account requisite pam_time.so
-account required pam_pwdb.so
-session required pam_pwdb.so
-# session optional pam_lastlog.so
-# password required pam_cracklib.so retry=3
-password required pam_pwdb.so shadow md5</PRE
+> #%PAM-1.0
+ # The PAM configuration file for the `login' service
+ #
+ auth required pam_securetty.so
+ auth required pam_nologin.so
+ # auth required pam_dialup.so
+ # auth optional pam_mail.so
+ auth required pam_pwdb.so shadow md5
+ # account requisite pam_time.so
+ account required pam_pwdb.so
+ session required pam_pwdb.so
+ # session optional pam_lastlog.so
+ # password required pam_cracklib.so retry=3
+ password required pam_pwdb.so shadow md5</PRE
></P
><P
>PAM allows use of replacable modules. Those available on a
><P
><PRE
CLASS="PROGRAMLISTING"
->$ /bin/ls /lib/security
-pam_access.so pam_ftp.so pam_limits.so
-pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
-pam_cracklib.so pam_group.so pam_listfile.so
-pam_nologin.so pam_rootok.so pam_tally.so
-pam_deny.so pam_issue.so pam_mail.so
-pam_permit.so pam_securetty.so pam_time.so
-pam_dialup.so pam_lastlog.so pam_mkhomedir.so
-pam_pwdb.so pam_shells.so pam_unix.so
-pam_env.so pam_ldap.so pam_motd.so
-pam_radius.so pam_smbpass.so pam_unix_acct.so
-pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
-pam_userdb.so pam_warn.so pam_unix_session.so</PRE
+> $ /bin/ls /lib/security
+ pam_access.so pam_ftp.so pam_limits.so
+ pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so
+ pam_cracklib.so pam_group.so pam_listfile.so
+ pam_nologin.so pam_rootok.so pam_tally.so
+ pam_deny.so pam_issue.so pam_mail.so
+ pam_permit.so pam_securetty.so pam_time.so
+ pam_dialup.so pam_lastlog.so pam_mkhomedir.so
+ pam_pwdb.so pam_shells.so pam_unix.so
+ pam_env.so pam_ldap.so pam_motd.so
+ pam_radius.so pam_smbpass.so pam_unix_acct.so
+ pam_wheel.so pam_unix_auth.so pam_unix_passwd.so
+ pam_userdb.so pam_warn.so pam_unix_session.so</PRE
></P
><P
>The following example for the login program replaces the use of
><P
><PRE
CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `login' service
-#
-auth required pam_smbpass.so nodelay
-account required pam_smbpass.so nodelay
-session required pam_smbpass.so nodelay
-password required pam_smbpass.so nodelay</PRE
+> #%PAM-1.0
+ # The PAM configuration file for the `login' service
+ #
+ auth required pam_smbpass.so nodelay
+ account required pam_smbpass.so nodelay
+ session required pam_smbpass.so nodelay
+ password required pam_smbpass.so nodelay</PRE
></P
><P
>The following is the PAM configuration file for a particular
><P
><PRE
CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_pwdb.so shadow md5</PRE
+> #%PAM-1.0
+ # The PAM configuration file for the `samba' service
+ #
+ auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit
+ account required /lib/security/pam_pwdb.so audit nodelay
+ session required /lib/security/pam_pwdb.so nodelay
+ password required /lib/security/pam_pwdb.so shadow md5</PRE
></P
><P
>In the following example the decision has been made to use the
><P
><PRE
CLASS="PROGRAMLISTING"
->#%PAM-1.0
-# The PAM configuration file for the `samba' service
-#
-auth required /lib/security/pam_smbpass.so nodelay
-account required /lib/security/pam_pwdb.so audit nodelay
-session required /lib/security/pam_pwdb.so nodelay
-password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
+> #%PAM-1.0
+ # The PAM configuration file for the `samba' service
+ #
+ auth required /lib/security/pam_smbpass.so nodelay
+ account required /lib/security/pam_pwdb.so audit nodelay
+ session required /lib/security/pam_pwdb.so nodelay
+ password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE
></P
+><DIV
+CLASS="NOTE"
><P
->Note: PAM allows stacking of authentication mechanisms. It is
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>PAM allows stacking of authentication mechanisms. It is
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
on the basis that it allows for easier administration. As with all issues in
life though, every decision makes trade-offs, so you may want examine the
PAM documentation for further helpful information.</P
+></TD
+></TR
+></TABLE
+></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1970"
->12.2. Distributed Authentication</A
+NAME="AEN1915"
+>13.2. Distributed Authentication</A
></H1
><P
>The astute administrator will realize from this that the
<B
CLASS="COMMAND"
>winbindd</B
->, and <B
-CLASS="COMMAND"
->rsync</B
-> (see
-<A
-HREF="http://rsync.samba.org/"
-TARGET="_top"
->http://rsync.samba.org/</A
->)
-will allow the establishment of a centrally managed, distributed
+>, and a distributed
+passdb backend, such as ldap, will allow the establishment of a
+centrally managed, distributed
user/password database that can also be used by all
PAM (eg: Linux) aware programs and applications. This arrangement
can have particularly potent advantages compared with the
><H1
CLASS="SECT1"
><A
-NAME="AEN1977"
->12.3. PAM Configuration in smb.conf</A
+NAME="AEN1920"
+>13.3. PAM Configuration in smb.conf</A
></H1
><P
>There is an option in smb.conf called <A
>.
The following is from the on-line help for this option in SWAT;</P
><P
->When Samba 2.2 is configure to enable PAM support (i.e.
+>When Samba is configured to enable PAM support (i.e.
<CODE
CLASS="CONSTANT"
>--with-pam</CODE
ALIGN="left"
VALIGN="top"
><A
-HREF="unix-permissions.html"
+HREF="groupmapping.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="msdfs.html"
+HREF="printing.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->UNIX Permission Bits and Windows NT Access Control Lists</TD
+>Group mapping HOWTO</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Hosting a Microsoft Distributed File System tree on Samba</TD
+>Printing Support</TD
></TR
></TABLE
></DIV
><H1
CLASS="SECT1"
><A
-NAME="AEN234"
+NAME="AEN244"
>3.1. Introduction</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN241"
+NAME="AEN251"
>3.2. Important Notes About Security</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN267"
+NAME="AEN277"
>3.2.1. Advantages of SMB Encryption</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN273"
+NAME="AEN283"
>3.2.2. Advantages of non-encrypted passwords</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN279"
+NAME="AEN289"
>3.3. The smbpasswd Command</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN310"
+NAME="AEN320"
>3.4. Plain text</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN315"
+NAME="AEN325"
>3.5. TDB</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN318"
+NAME="AEN328"
>3.6. LDAP</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN320"
+NAME="AEN330"
>3.6.1. Introduction</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN340"
+NAME="AEN350"
>3.6.2. Introduction</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN369"
+NAME="AEN379"
>3.6.3. Supported LDAP Servers</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN374"
+NAME="AEN384"
>3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN386"
+NAME="AEN396"
>3.6.5. Configuring Samba with LDAP</A
></H2
><DIV
><H3
CLASS="SECT3"
><A
-NAME="AEN388"
+NAME="AEN398"
>3.6.5.1. OpenLDAP configuration</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN405"
+NAME="AEN415"
>3.6.5.2. Configuring Samba</A
></H3
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN433"
+NAME="AEN443"
>3.6.6. Accounts and Groups management</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN438"
+NAME="AEN448"
>3.6.7. Security and sambaAccount</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN458"
+NAME="AEN468"
>3.6.8. LDAP specials attributes for sambaAccounts</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN528"
+NAME="AEN538"
>3.6.9. Example LDIF Entries for a sambaAccount</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN536"
+NAME="AEN546"
>3.7. MySQL</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN538"
+NAME="AEN548"
>3.7.1. Building</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN544"
+NAME="AEN554"
>3.7.2. Creating the database</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN554"
+NAME="AEN564"
>3.7.3. Configuring</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN571"
+NAME="AEN581"
>3.7.4. Using plaintext passwords or encrypted password</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN576"
+NAME="AEN586"
>3.7.5. Getting non-column data from the table</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN584"
+NAME="AEN594"
>3.8. Passdb XML plugin</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN586"
+NAME="AEN596"
>3.8.1. Building</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN592"
+NAME="AEN602"
>3.8.2. Usage</A
></H2
><P
TITLE="Appendixes"
HREF="appendixes.html"><LINK
REL="PREVIOUS"
-TITLE="Appendixes"
-HREF="appendixes.html"><LINK
+TITLE="Samba performance issues"
+HREF="speed.html"><LINK
REL="NEXT"
TITLE="Samba and other CIFS clients"
HREF="other-clients.html"></HEAD
ALIGN="left"
VALIGN="bottom"
><A
-HREF="appendixes.html"
+HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
><H1
CLASS="SECT1"
><A
-NAME="AEN3626"
+NAME="AEN3525"
>24.1. HPUX</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3632"
+NAME="AEN3531"
>24.2. SCO Unix</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3636"
+NAME="AEN3535"
>24.3. DNIX</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3665"
+NAME="AEN3564"
>24.4. RedHat Linux Rembrandt-II</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3671"
+NAME="AEN3570"
>24.5. AIX</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN3673"
+NAME="AEN3572"
>24.5.1. Sequential Read Ahead</A
></H2
><P
ALIGN="left"
VALIGN="top"
><A
-HREF="appendixes.html"
+HREF="speed.html"
ACCESSKEY="P"
>Prev</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Appendixes</TD
+>Samba performance issues</TD
><TD
WIDTH="34%"
ALIGN="center"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Hosting a Microsoft Distributed File System tree on Samba"
-HREF="msdfs.html"><LINK
+TITLE="Configuring PAM for distributed but centrally
+managed authentication"
+HREF="pam.html"><LINK
REL="NEXT"
TITLE="CUPS Printing Support"
HREF="cups-printing.html"></HEAD
ALIGN="left"
VALIGN="bottom"
><A
-HREF="msdfs.html"
+HREF="pam.html"
ACCESSKEY="P"
>Prev</A
></TD
><H1
CLASS="SECT1"
><A
-NAME="AEN2058"
+NAME="AEN1946"
>14.1. Introduction</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2080"
+NAME="AEN1968"
>14.2. Configuration</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN2088"
+NAME="AEN1976"
>14.2.1. Creating [print$]</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2123"
+NAME="AEN2011"
>14.2.2. Setting Drivers for Existing Printers</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2139"
+NAME="AEN2027"
>14.2.3. Support a large number of printers</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2150"
+NAME="AEN2038"
>14.2.4. Adding New Printers via the Windows NT APW</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2180"
+NAME="AEN2068"
>14.2.5. Samba and Printer Ports</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2188"
+NAME="AEN2076"
>14.3. The Imprints Toolset</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2192"
+NAME="AEN2080"
>14.3.1. What is Imprints?</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2202"
+NAME="AEN2090"
>14.3.2. Creating Printer Driver Packages</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2205"
+NAME="AEN2093"
>14.3.3. The Imprints server</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2209"
+NAME="AEN2097"
>14.3.4. The Installation Client</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2231"
+NAME="AEN2119"
>14.4. Diagnosis</A
></H1
><DIV
><H2
CLASS="SECT2"
><A
-NAME="AEN2233"
+NAME="AEN2121"
>14.4.1. Introduction</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2249"
+NAME="AEN2137"
>14.4.2. Debugging printer problems</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2258"
+NAME="AEN2146"
>14.4.3. What printers do I have?</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2266"
+NAME="AEN2154"
>14.4.4. Setting up printcap and print servers</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2294"
+NAME="AEN2182"
>14.4.5. Job sent, no output</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2305"
+NAME="AEN2193"
>14.4.6. Job sent, strange output</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2317"
+NAME="AEN2205"
>14.4.7. Raw PostScript printed</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2320"
+NAME="AEN2208"
>14.4.8. Advanced Printing</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2323"
+NAME="AEN2211"
>14.4.9. Real debugging</A
></H2
><P
ALIGN="left"
VALIGN="top"
><A
-HREF="msdfs.html"
+HREF="pam.html"
ACCESSKEY="P"
>Prev</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Hosting a Microsoft Distributed File System tree on Samba</TD
+>Configuring PAM for distributed but centrally
+managed authentication</TD
><TD
WIDTH="34%"
ALIGN="center"
<HTML
><HEAD
><TITLE
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TITLE
+>Samba Backup Domain Controller to Samba Domain Control</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
><A
NAME="SAMBA-BDC"
></A
->Chapter 7. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1
+>Chapter 7. Samba Backup Domain Controller to Samba Domain Control</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1278"
+NAME="AEN1193"
>7.1. Prerequisite Reading</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1282"
+NAME="AEN1197"
>7.2. Background</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1290"
+NAME="AEN1205"
>7.3. What qualifies a Domain Controller on the network?</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1293"
+NAME="AEN1208"
>7.3.1. How does a Workstation find its domain controller?</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1296"
+NAME="AEN1211"
>7.3.2. When is the PDC needed?</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1299"
+NAME="AEN1214"
>7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1304"
+NAME="AEN1219"
>7.5. How do I set up a Samba BDC?</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1321"
+NAME="AEN1236"
>7.5.1. How do I replicate the smbpasswd file?</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1325"
+NAME="AEN1240"
>7.5.2. Can I do this all with LDAP?</A
></H2
><P
><DT
>2.2. <A
HREF="browsing-quick.html#AEN139"
->Use of the "Remote Announce" parameter</A
+>How browsing functions and how to deploy stable and
+dependable browsing using Samba</A
></DT
><DT
>2.3. <A
-HREF="browsing-quick.html#AEN153"
->Use of the "Remote Browse Sync" parameter</A
+HREF="browsing-quick.html#AEN149"
+>Use of the "Remote Announce" parameter</A
></DT
><DT
>2.4. <A
-HREF="browsing-quick.html#AEN158"
->Use of WINS</A
+HREF="browsing-quick.html#AEN163"
+>Use of the "Remote Browse Sync" parameter</A
></DT
><DT
>2.5. <A
-HREF="browsing-quick.html#AEN169"
->Do NOT use more than one (1) protocol on MS Windows machines</A
+HREF="browsing-quick.html#AEN168"
+>Use of WINS</A
></DT
><DT
>2.6. <A
-HREF="browsing-quick.html#AEN177"
+HREF="browsing-quick.html#AEN179"
+>Do NOT use more than one (1) protocol on MS Windows machines</A
+></DT
+><DT
+>2.7. <A
+HREF="browsing-quick.html#AEN187"
>Name Resolution Order</A
></DT
></DL
><DL
><DT
>3.1. <A
-HREF="passdb.html#AEN234"
+HREF="passdb.html#AEN244"
>Introduction</A
></DT
><DT
>3.2. <A
-HREF="passdb.html#AEN241"
+HREF="passdb.html#AEN251"
>Important Notes About Security</A
></DT
><DT
>3.3. <A
-HREF="passdb.html#AEN279"
+HREF="passdb.html#AEN289"
>The smbpasswd Command</A
></DT
><DT
>3.4. <A
-HREF="passdb.html#AEN310"
+HREF="passdb.html#AEN320"
>Plain text</A
></DT
><DT
>3.5. <A
-HREF="passdb.html#AEN315"
+HREF="passdb.html#AEN325"
>TDB</A
></DT
><DT
>3.6. <A
-HREF="passdb.html#AEN318"
+HREF="passdb.html#AEN328"
>LDAP</A
></DT
><DT
>3.7. <A
-HREF="passdb.html#AEN536"
+HREF="passdb.html#AEN546"
>MySQL</A
></DT
><DT
>3.8. <A
-HREF="passdb.html#AEN584"
+HREF="passdb.html#AEN594"
>Passdb XML plugin</A
></DT
></DL
><DL
><DT
>4.1. <A
-HREF="servertype.html#AEN629"
+HREF="servertype.html#AEN639"
>Stand Alone Server</A
></DT
><DT
>4.2. <A
-HREF="servertype.html#AEN635"
+HREF="servertype.html#AEN646"
>Domain Member Server</A
></DT
><DT
>4.3. <A
-HREF="servertype.html#AEN641"
+HREF="servertype.html#AEN652"
>Domain Controller</A
></DT
></DL
><DT
>5. <A
HREF="securitylevels.html"
->Samba as Stand-Alone server (User and Share security level)</A
+>Samba as Stand-Alone Server</A
></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="securitylevels.html#AEN681"
+>User and Share security level</A
+></DT
+></DL
+></DD
><DT
>6. <A
HREF="samba-pdc.html"
><DL
><DT
>6.1. <A
-HREF="samba-pdc.html#AEN705"
+HREF="samba-pdc.html#AEN785"
>Prerequisite Reading</A
></DT
><DT
>6.2. <A
-HREF="samba-pdc.html#AEN710"
+HREF="samba-pdc.html#AEN790"
>Background</A
></DT
><DT
>6.3. <A
-HREF="samba-pdc.html#AEN748"
+HREF="samba-pdc.html#AEN830"
>Configuring the Samba Domain Controller</A
></DT
><DT
>6.4. <A
-HREF="samba-pdc.html#AEN790"
+HREF="samba-pdc.html#AEN872"
>Creating Machine Trust Accounts and Joining Clients to the Domain</A
></DT
><DT
>6.5. <A
-HREF="samba-pdc.html#AEN898"
+HREF="samba-pdc.html#AEN980"
>Common Problems and Errors</A
></DT
><DT
>6.6. <A
-HREF="samba-pdc.html#AEN946"
->System Policies and Profiles</A
-></DT
-><DT
->6.7. <A
-HREF="samba-pdc.html#AEN990"
+HREF="samba-pdc.html#AEN1026"
>What other help can I get?</A
></DT
><DT
-HREF="samba-pdc.html#AEN1104"
+HREF="samba-pdc.html#AEN1140"
>Domain Control for Windows 9x/ME</A
></DT
-><DT
->6.9. <A
-HREF="samba-pdc.html#AEN1242"
->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
-></DT
></DL
></DD
><DT
>7. <A
HREF="samba-bdc.html"
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
+>Samba Backup Domain Controller to Samba Domain Control</A
></DT
><DD
><DL
><DT
>7.1. <A
-HREF="samba-bdc.html#AEN1278"
+HREF="samba-bdc.html#AEN1193"
>Prerequisite Reading</A
></DT
><DT
>7.2. <A
-HREF="samba-bdc.html#AEN1282"
+HREF="samba-bdc.html#AEN1197"
>Background</A
></DT
><DT
>7.3. <A
-HREF="samba-bdc.html#AEN1290"
+HREF="samba-bdc.html#AEN1205"
>What qualifies a Domain Controller on the network?</A
></DT
><DT
>7.4. <A
-HREF="samba-bdc.html#AEN1299"
+HREF="samba-bdc.html#AEN1214"
>Can Samba be a Backup Domain Controller to an NT PDC?</A
></DT
><DT
>7.5. <A
-HREF="samba-bdc.html#AEN1304"
+HREF="samba-bdc.html#AEN1219"
>How do I set up a Samba BDC?</A
></DT
></DL
><DL
><DT
>8.1. <A
-HREF="ads.html#AEN1343"
->Installing the required packages for Debian</A
+HREF="ads.html#AEN1251"
+>Setup your <TT
+CLASS="FILENAME"
+>smb.conf</TT
+></A
></DT
><DT
>8.2. <A
-HREF="ads.html#AEN1350"
->Installing the required packages for RedHat</A
+HREF="ads.html#AEN1262"
+>Setup your <TT
+CLASS="FILENAME"
+>/etc/krb5.conf</TT
+></A
></DT
><DT
>8.3. <A
-HREF="ads.html#AEN1360"
->Compile Samba</A
-></DT
-><DT
->8.4. <A
-HREF="ads.html#AEN1375"
->Setup your /etc/krb5.conf</A
-></DT
-><DT
->8.5. <A
-HREF="ads.html#AEN1385"
+HREF="ads.html#AEN1273"
>Create the computer account</A
></DT
><DT
-HREF="ads.html#AEN1397"
+HREF="ads.html#AEN1285"
>Test your server setup</A
></DT
><DT
-HREF="ads.html#AEN1402"
+HREF="ads.html#AEN1290"
>Testing with smbclient</A
></DT
><DT
-HREF="ads.html#AEN1405"
+HREF="ads.html#AEN1293"
>Notes</A
></DT
></DL
><DL
><DT
>9.1. <A
-HREF="domain-security.html#AEN1427"
+HREF="domain-security.html#AEN1315"
>Joining an NT Domain with Samba 3.0</A
></DT
><DT
>9.2. <A
-HREF="domain-security.html#AEN1482"
->Samba and Windows 2000 Domains</A
-></DT
-><DT
->9.3. <A
-HREF="domain-security.html#AEN1485"
+HREF="domain-security.html#AEN1369"
>Why is this better than security = server?</A
></DT
></DL
><DT
>III. <A
HREF="optional.html"
->Optional configuration</A
+>Advanced Configuration</A
></DT
><DD
><DL
><DT
>10. <A
-HREF="integrate-ms-networks.html"
->Integrating MS Windows networks with Samba</A
+HREF="advancednetworkmanagement.html"
+>System Policies</A
></DT
><DD
><DL
><DT
>10.1. <A
-HREF="integrate-ms-networks.html#AEN1517"
->Agenda</A
+HREF="advancednetworkmanagement.html#AEN1401"
+>Basic System Policy Info</A
></DT
><DT
>10.2. <A
-HREF="integrate-ms-networks.html#AEN1539"
->Name Resolution in a pure Unix/Linux world</A
-></DT
-><DT
->10.3. <A
-HREF="integrate-ms-networks.html#AEN1602"
->Name resolution as used within MS Windows networking</A
-></DT
-><DT
->10.4. <A
-HREF="integrate-ms-networks.html#AEN1647"
->How browsing functions and how to deploy stable and
-dependable browsing using Samba</A
-></DT
-><DT
->10.5. <A
-HREF="integrate-ms-networks.html#AEN1657"
->MS Windows security options and how to configure
-Samba for seemless integration</A
-></DT
-><DT
->10.6. <A
-HREF="integrate-ms-networks.html#AEN1727"
->Conclusions</A
+HREF="advancednetworkmanagement.html#AEN1456"
+>Roaming Profiles</A
></DT
></DL
></DD
><DL
><DT
>11.1. <A
-HREF="unix-permissions.html#AEN1748"
+HREF="unix-permissions.html#AEN1663"
>Viewing and changing UNIX permissions using the NT
security dialogs</A
></DT
><DT
>11.2. <A
-HREF="unix-permissions.html#AEN1752"
+HREF="unix-permissions.html#AEN1667"
>How to view file security on a Samba share</A
></DT
><DT
>11.3. <A
-HREF="unix-permissions.html#AEN1763"
+HREF="unix-permissions.html#AEN1678"
>Viewing file ownership</A
></DT
><DT
>11.4. <A
-HREF="unix-permissions.html#AEN1783"
+HREF="unix-permissions.html#AEN1698"
>Viewing file or directory permissions</A
></DT
><DT
>11.5. <A
-HREF="unix-permissions.html#AEN1819"
+HREF="unix-permissions.html#AEN1734"
>Modifying file or directory permissions</A
></DT
><DT
>11.6. <A
-HREF="unix-permissions.html#AEN1841"
+HREF="unix-permissions.html#AEN1756"
>Interaction with the standard Samba create mask
parameters</A
></DT
><DT
>11.7. <A
-HREF="unix-permissions.html#AEN1905"
+HREF="unix-permissions.html#AEN1810"
>Interaction with the standard Samba file attribute
mapping</A
></DT
></DD
><DT
>12. <A
+HREF="groupmapping.html"
+>Group mapping HOWTO</A
+></DT
+><DT
+>13. <A
HREF="pam.html"
>Configuring PAM for distributed but centrally
managed authentication</A
><DD
><DL
><DT
-HREF="pam.html#AEN1926"
+HREF="pam.html#AEN1866"
>Samba and PAM</A
></DT
><DT
-HREF="pam.html#AEN1970"
+HREF="pam.html#AEN1915"
>Distributed Authentication</A
></DT
><DT
-HREF="pam.html#AEN1977"
+HREF="pam.html#AEN1920"
>PAM Configuration in smb.conf</A
></DT
></DL
></DD
><DT
->13. <A
-HREF="msdfs.html"
->Hosting a Microsoft Distributed File System tree on Samba</A
-></DT
-><DD
-><DL
-><DT
->13.1. <A
-HREF="msdfs.html#AEN1997"
->Instructions</A
-></DT
-></DL
-></DD
-><DT
>14. <A
HREF="printing.html"
>Printing Support</A
><DL
><DT
>14.1. <A
-HREF="printing.html#AEN2058"
+HREF="printing.html#AEN1946"
>Introduction</A
></DT
><DT
>14.2. <A
-HREF="printing.html#AEN2080"
+HREF="printing.html#AEN1968"
>Configuration</A
></DT
><DT
>14.3. <A
-HREF="printing.html#AEN2188"
+HREF="printing.html#AEN2076"
>The Imprints Toolset</A
></DT
><DT
>14.4. <A
-HREF="printing.html#AEN2231"
+HREF="printing.html#AEN2119"
>Diagnosis</A
></DT
></DL
><DL
><DT
>15.1. <A
-HREF="cups-printing.html#AEN2343"
+HREF="cups-printing.html#AEN2231"
>Introduction</A
></DT
><DT
>15.2. <A
-HREF="cups-printing.html#AEN2348"
+HREF="cups-printing.html#AEN2236"
>CUPS - RAW Print Through Mode</A
></DT
><DT
>15.3. <A
-HREF="cups-printing.html#AEN2403"
+HREF="cups-printing.html#AEN2291"
>The CUPS Filter Chains</A
></DT
><DT
>15.4. <A
-HREF="cups-printing.html#AEN2442"
+HREF="cups-printing.html#AEN2330"
>CUPS Print Drivers and Devices</A
></DT
><DT
>15.5. <A
-HREF="cups-printing.html#AEN2519"
+HREF="cups-printing.html#AEN2407"
>Limiting the number of pages users can print</A
></DT
><DT
>15.6. <A
-HREF="cups-printing.html#AEN2608"
+HREF="cups-printing.html#AEN2496"
>Advanced Postscript Printing from MS Windows</A
></DT
><DT
>15.7. <A
-HREF="cups-printing.html#AEN2623"
+HREF="cups-printing.html#AEN2511"
>Auto-Deletion of CUPS spool files</A
></DT
></DL
><DL
><DT
>16.1. <A
-HREF="winbind.html#AEN2685"
+HREF="winbind.html#AEN2573"
>Abstract</A
></DT
><DT
>16.2. <A
-HREF="winbind.html#AEN2689"
+HREF="winbind.html#AEN2577"
>Introduction</A
></DT
><DT
>16.3. <A
-HREF="winbind.html#AEN2702"
+HREF="winbind.html#AEN2590"
>What Winbind Provides</A
></DT
><DT
>16.4. <A
-HREF="winbind.html#AEN2713"
+HREF="winbind.html#AEN2601"
>How Winbind Works</A
></DT
><DT
>16.5. <A
-HREF="winbind.html#AEN2756"
+HREF="winbind.html#AEN2644"
>Installation and Configuration</A
></DT
><DT
>16.6. <A
-HREF="winbind.html#AEN3013"
+HREF="winbind.html#AEN2901"
>Limitations</A
></DT
><DT
>16.7. <A
-HREF="winbind.html#AEN3023"
+HREF="winbind.html#AEN2911"
>Conclusion</A
></DT
></DL
></DD
><DT
>17. <A
+HREF="integrate-ms-networks.html"
+>Integrating MS Windows networks with Samba</A
+></DT
+><DD
+><DL
+><DT
+>17.1. <A
+HREF="integrate-ms-networks.html#AEN2932"
+>Name Resolution in a pure Unix/Linux world</A
+></DT
+><DT
+>17.2. <A
+HREF="integrate-ms-networks.html#AEN2995"
+>Name resolution as used within MS Windows networking</A
+></DT
+></DL
+></DD
+><DT
+>18. <A
HREF="improved-browsing.html"
>Improved browsing in samba</A
></DT
><DD
><DL
><DT
-HREF="improved-browsing.html#AEN3033"
+HREF="improved-browsing.html#AEN3047"
>Overview of browsing</A
></DT
><DT
-HREF="improved-browsing.html#AEN3038"
+HREF="improved-browsing.html#AEN3052"
>Browsing support in samba</A
></DT
><DT
-HREF="improved-browsing.html#AEN3046"
+HREF="improved-browsing.html#AEN3060"
>Problem resolution</A
></DT
><DT
-HREF="improved-browsing.html#AEN3055"
+HREF="improved-browsing.html#AEN3069"
>Browsing across subnets</A
></DT
><DT
-HREF="improved-browsing.html#AEN3095"
+HREF="improved-browsing.html#AEN3109"
>Setting up a WINS server</A
></DT
><DT
-HREF="improved-browsing.html#AEN3114"
+HREF="improved-browsing.html#AEN3128"
>Setting up Browsing in a WORKGROUP</A
></DT
><DT
-HREF="improved-browsing.html#AEN3132"
+HREF="improved-browsing.html#AEN3146"
>Setting up Browsing in a DOMAIN</A
></DT
><DT
-HREF="improved-browsing.html#AEN3142"
+HREF="improved-browsing.html#AEN3156"
>Forcing samba to be the master</A
></DT
><DT
-HREF="improved-browsing.html#AEN3151"
+HREF="improved-browsing.html#AEN3165"
>Making samba the domain master</A
></DT
><DT
-HREF="improved-browsing.html#AEN3169"
+HREF="improved-browsing.html#AEN3183"
>Note about broadcast addresses</A
></DT
><DT
-HREF="improved-browsing.html#AEN3172"
+HREF="improved-browsing.html#AEN3186"
>Multiple interfaces</A
></DT
></DL
></DD
><DT
-HREF="vfs.html"
->Stackable VFS modules</A
+HREF="msdfs.html"
+>Hosting a Microsoft Distributed File System tree on Samba</A
></DT
><DD
><DL
><DT
->18.1. <A
-HREF="vfs.html#AEN3190"
->Introduction and configuration</A
-></DT
-><DT
->18.2. <A
-HREF="vfs.html#AEN3199"
->Included modules</A
-></DT
-><DT
->18.3. <A
-HREF="vfs.html#AEN3253"
->VFS modules available elsewhere</A
+>19.1. <A
+HREF="msdfs.html#AEN3200"
+>Instructions</A
></DT
></DL
></DD
><DT
->19. <A
-HREF="groupmapping.html"
->Group mapping HOWTO</A
-></DT
-><DT
>20. <A
-HREF="speed.html"
->Samba performance issues</A
+HREF="vfs.html"
+>Stackable VFS modules</A
></DT
><DD
><DL
><DT
>20.1. <A
-HREF="speed.html#AEN3320"
->Comparisons</A
+HREF="vfs.html#AEN3259"
+>Introduction and configuration</A
></DT
><DT
>20.2. <A
-HREF="speed.html#AEN3326"
->Socket options</A
+HREF="vfs.html#AEN3268"
+>Included modules</A
></DT
><DT
>20.3. <A
-HREF="speed.html#AEN3333"
->Read size</A
-></DT
-><DT
->20.4. <A
-HREF="speed.html#AEN3338"
->Max xmit</A
-></DT
-><DT
->20.5. <A
-HREF="speed.html#AEN3343"
->Log level</A
-></DT
-><DT
->20.6. <A
-HREF="speed.html#AEN3346"
->Read raw</A
-></DT
-><DT
->20.7. <A
-HREF="speed.html#AEN3351"
->Write raw</A
-></DT
-><DT
->20.8. <A
-HREF="speed.html#AEN3355"
->Slow Clients</A
-></DT
-><DT
->20.9. <A
-HREF="speed.html#AEN3359"
->Slow Logins</A
-></DT
-><DT
->20.10. <A
-HREF="speed.html#AEN3362"
->Client tuning</A
+HREF="vfs.html#AEN3322"
+>VFS modules available elsewhere</A
></DT
></DL
></DD
><DT
>21. <A
-HREF="groupprofiles.html"
->Creating Group Prolicy Files</A
-></DT
-><DD
-><DL
-><DT
->21.1. <A
-HREF="groupprofiles.html#AEN3410"
->Windows '9x</A
-></DT
-><DT
->21.2. <A
-HREF="groupprofiles.html#AEN3420"
->Windows NT 4</A
-></DT
-><DT
->21.3. <A
-HREF="groupprofiles.html#AEN3458"
->Windows 2000/XP</A
-></DT
-></DL
-></DD
-><DT
->22. <A
HREF="securing-samba.html"
>Securing Samba</A
></DT
><DD
><DL
><DT
-HREF="securing-samba.html#AEN3539"
+HREF="securing-samba.html#AEN3348"
>Introduction</A
></DT
><DT
-HREF="securing-samba.html#AEN3542"
+HREF="securing-samba.html#AEN3351"
>Using host based protection</A
></DT
><DT
-HREF="securing-samba.html#AEN3549"
+HREF="securing-samba.html#AEN3358"
>Using interface protection</A
></DT
><DT
-HREF="securing-samba.html#AEN3558"
+HREF="securing-samba.html#AEN3367"
>Using a firewall</A
></DT
><DT
-HREF="securing-samba.html#AEN3565"
+HREF="securing-samba.html#AEN3374"
>Using a IPC$ share deny</A
></DT
><DT
-HREF="securing-samba.html#AEN3574"
+HREF="securing-samba.html#AEN3383"
>Upgrading Samba</A
></DT
></DL
></DD
><DT
HREF="unicode.html"
>Unicode/Charsets</A
></DT
><DD
><DL
><DT
-HREF="unicode.html#AEN3588"
+HREF="unicode.html#AEN3397"
>What are charsets and unicode?</A
></DT
><DT
-HREF="unicode.html#AEN3597"
+HREF="unicode.html#AEN3406"
>Samba and charsets</A
></DT
></DL
><DD
><DL
><DT
+>23. <A
+HREF="speed.html"
+>Samba performance issues</A
+></DT
+><DD
+><DL
+><DT
+>23.1. <A
+HREF="speed.html#AEN3443"
+>Comparisons</A
+></DT
+><DT
+>23.2. <A
+HREF="speed.html#AEN3449"
+>Socket options</A
+></DT
+><DT
+>23.3. <A
+HREF="speed.html#AEN3456"
+>Read size</A
+></DT
+><DT
+>23.4. <A
+HREF="speed.html#AEN3461"
+>Max xmit</A
+></DT
+><DT
+>23.5. <A
+HREF="speed.html#AEN3466"
+>Log level</A
+></DT
+><DT
+>23.6. <A
+HREF="speed.html#AEN3469"
+>Read raw</A
+></DT
+><DT
+>23.7. <A
+HREF="speed.html#AEN3474"
+>Write raw</A
+></DT
+><DT
+>23.8. <A
+HREF="speed.html#AEN3478"
+>Slow Clients</A
+></DT
+><DT
+>23.9. <A
+HREF="speed.html#AEN3482"
+>Slow Logins</A
+></DT
+><DT
+>23.10. <A
+HREF="speed.html#AEN3485"
+>Client tuning</A
+></DT
+></DL
+></DD
+><DT
>24. <A
HREF="portability.html"
>Portability</A
><DL
><DT
>24.1. <A
-HREF="portability.html#AEN3626"
+HREF="portability.html#AEN3525"
>HPUX</A
></DT
><DT
>24.2. <A
-HREF="portability.html#AEN3632"
+HREF="portability.html#AEN3531"
>SCO Unix</A
></DT
><DT
>24.3. <A
-HREF="portability.html#AEN3636"
+HREF="portability.html#AEN3535"
>DNIX</A
></DT
><DT
>24.4. <A
-HREF="portability.html#AEN3665"
+HREF="portability.html#AEN3564"
>RedHat Linux Rembrandt-II</A
></DT
><DT
>24.5. <A
-HREF="portability.html#AEN3671"
+HREF="portability.html#AEN3570"
>AIX</A
></DT
></DL
><DL
><DT
>25.1. <A
-HREF="other-clients.html#AEN3691"
+HREF="other-clients.html#AEN3590"
>Macintosh clients?</A
></DT
><DT
>25.2. <A
-HREF="other-clients.html#AEN3700"
+HREF="other-clients.html#AEN3599"
>OS2 Client</A
></DT
><DT
>25.3. <A
-HREF="other-clients.html#AEN3740"
+HREF="other-clients.html#AEN3639"
>Windows for Workgroups</A
></DT
><DT
>25.4. <A
-HREF="other-clients.html#AEN3764"
+HREF="other-clients.html#AEN3663"
>Windows '95/'98</A
></DT
><DT
>25.5. <A
-HREF="other-clients.html#AEN3780"
+HREF="other-clients.html#AEN3679"
>Windows 2000 Service Pack 2</A
></DT
></DL
><DL
><DT
>26.1. <A
-HREF="compiling.html#AEN3807"
+HREF="compiling.html#AEN3706"
>Access Samba source code via CVS</A
></DT
><DT
>26.2. <A
-HREF="compiling.html#AEN3850"
+HREF="compiling.html#AEN3749"
>Accessing the samba sources via rsync and ftp</A
></DT
><DT
>26.3. <A
-HREF="compiling.html#AEN3856"
+HREF="compiling.html#AEN3755"
>Building the Binaries</A
></DT
><DT
>26.4. <A
-HREF="compiling.html#AEN3884"
+HREF="compiling.html#AEN3812"
>Starting the smbd and nmbd</A
></DT
></DL
><DL
><DT
>27.1. <A
-HREF="bugreport.html#AEN3946"
+HREF="bugreport.html#AEN3874"
>Introduction</A
></DT
><DT
>27.2. <A
-HREF="bugreport.html#AEN3956"
+HREF="bugreport.html#AEN3884"
>General info</A
></DT
><DT
>27.3. <A
-HREF="bugreport.html#AEN3962"
+HREF="bugreport.html#AEN3890"
>Debug levels</A
></DT
><DT
>27.4. <A
-HREF="bugreport.html#AEN3979"
+HREF="bugreport.html#AEN3907"
>Internal errors</A
></DT
><DT
>27.5. <A
-HREF="bugreport.html#AEN3989"
+HREF="bugreport.html#AEN3917"
>Attaching to a running process</A
></DT
><DT
>27.6. <A
-HREF="bugreport.html#AEN3992"
+HREF="bugreport.html#AEN3920"
>Patches</A
></DT
></DL
><DL
><DT
>28.1. <A
-HREF="diagnosis.html#AEN4015"
+HREF="diagnosis.html#AEN3943"
>Introduction</A
></DT
><DT
>28.2. <A
-HREF="diagnosis.html#AEN4020"
+HREF="diagnosis.html#AEN3948"
>Assumptions</A
></DT
><DT
>28.3. <A
-HREF="diagnosis.html#AEN4030"
+HREF="diagnosis.html#AEN3958"
>Tests</A
></DT
><DT
>28.4. <A
-HREF="diagnosis.html#AEN4140"
+HREF="diagnosis.html#AEN4068"
>Still having troubles?</A
></DT
></DL
TITLE="Type of installation"
HREF="type.html"><LINK
REL="PREVIOUS"
-TITLE="Samba as Stand-Alone server (User and Share security level)"
+TITLE="Samba as Stand-Alone Server"
HREF="securitylevels.html"><LINK
REL="NEXT"
-TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
+TITLE="Samba Backup Domain Controller to Samba Domain Control"
HREF="samba-bdc.html"></HEAD
><BODY
CLASS="CHAPTER"
><H1
CLASS="SECT1"
><A
-NAME="AEN705"
+NAME="AEN785"
>6.1. Prerequisite Reading</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN710"
+NAME="AEN790"
>6.2. Background</A
></H1
><P
><UL
><LI
><P
-> domain logons for Windows NT 4.0 / 200x / XP Professional clients.
+> Domain logons for Windows NT 4.0 / 200x / XP Professional clients.
</P
></LI
><LI
><P
-> placing Windows 9x / Me clients in user level security
+> Placing Windows 9x / Me clients in user level security
</P
></LI
><LI
><P
-> retrieving a list of users and groups from a Samba PDC to
+> Retrieving a list of users and groups from a Samba PDC to
Windows 9x / Me / NT / 200x / XP Professional clients
</P
></LI
><LI
><P
-> roaming user profiles
+> Roaming Profiles
</P
></LI
><LI
><P
-> Windows NT 4.0-style system policies
+> Network/System Policies
</P
></LI
></UL
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered separately in this document.</P
+></TD
+></TR
+></TABLE
+></DIV
><P
>The following functionalities are new to the Samba 3.0 release:</P
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN748"
+NAME="AEN830"
>6.3. Configuring the Samba Domain Controller</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN790"
+NAME="AEN872"
>6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN833"
+NAME="AEN915"
>6.4.1. Manual Creation of Machine Trust Accounts</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN874"
+NAME="AEN956"
>6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN883"
+NAME="AEN965"
>6.4.3. Joining the Client to the Domain</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN898"
+NAME="AEN980"
>6.5. Common Problems and Errors</A
></H1
><P
><P
>I joined the domain successfully but after upgrading
to a newer version of the Samba code I get the message, "The system
- can not log you on (C000019B), Please try a gain or consult your
+ can not log you on (C000019B), Please try again or consult your
system administrator" when attempting to logon.
</P
><P
-> This occurs when the domain SID stored in
- <TT
-CLASS="FILENAME"
->private/WORKGROUP.SID</TT
-> is
- changed. For example, you remove the file and <B
-CLASS="COMMAND"
->smbd</B
-> automatically
- creates a new one. Or you are swapping back and forth between
- versions 2.0.7, TNG and the HEAD branch code (not recommended). The
- only way to correct the problem is to restore the original domain
- SID or remove the domain client from the domain and rejoin.
+> This occurs when the domain SID stored in the secrets.tdb database
+ is changed. The most common cause of a change in domain SID is when
+ the domain name and/or the server name (netbios name) is changed.
+ The only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin. The domain
+ SID may be reset using either the smbpasswd or rpcclient utilities.
</P
></LI
><LI
><H1
CLASS="SECT1"
><A
-NAME="AEN946"
->6.6. System Policies and Profiles</A
-></H1
-><P
->Much of the information necessary to implement System Policies and
-Roving User Profiles in a Samba domain is the same as that for
-implementing these same items in a Windows NT 4.0 domain.
-You should read the white paper <A
-HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
-TARGET="_top"
->Implementing
-Profiles and Policies in Windows NT 4.0</A
-> available from Microsoft.</P
-><P
->Here are some additional details:</P
-><P
-></P
-><UL
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->What about Windows NT Policy Editor?</I
-></SPAN
->
- </P
-><P
-> To create or edit <TT
-CLASS="FILENAME"
->ntconfig.pol</TT
-> you must use
- the NT Server Policy Editor, <B
-CLASS="COMMAND"
->poledit.exe</B
-> which
- is included with NT Server but <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->not NT Workstation</I
-></SPAN
->.
- There is a Policy Editor on a NTws
- but it is not suitable for creating <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Domain Policies</I
-></SPAN
->.
- Further, although the Windows 95
- Policy Editor can be installed on an NT Workstation/Server, it will not
- work with NT policies because the registry key that are set by the policy templates.
- However, the files from the NT Server will run happily enough on an NTws.
- You need <TT
-CLASS="FILENAME"
->poledit.exe, common.adm</TT
-> and <TT
-CLASS="FILENAME"
->winnt.adm</TT
->. It is convenient
- to put the two *.adm files in <TT
-CLASS="FILENAME"
->c:\winnt\inf</TT
-> which is where
- the binary will look for them unless told otherwise. Note also that that
- directory is 'hidden'.
- </P
-><P
-> The Windows NT policy editor is also included with the Service Pack 3 (and
- later) for Windows NT 4.0. Extract the files using <B
-CLASS="COMMAND"
->servicepackname /x</B
->,
- i.e. that's <B
-CLASS="COMMAND"
->Nt4sp6ai.exe /x</B
-> for service pack 6a. The policy editor,
- <B
-CLASS="COMMAND"
->poledit.exe</B
-> and the associated template files (*.adm) should
- be extracted as well. It is also possible to downloaded the policy template
- files for Office97 and get a copy of the policy editor. Another possible
- location is with the Zero Administration Kit available for download from Microsoft.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Can Win95 do Policies?</I
-></SPAN
->
- </P
-><P
-> Install the group policy handler for Win9x to pick up group
- policies. Look on the Win98 CD in <TT
-CLASS="FILENAME"
->\tools\reskit\netadmin\poledit</TT
->.
- Install group policies on a Win9x client by double-clicking
- <TT
-CLASS="FILENAME"
->grouppol.inf</TT
->. Log off and on again a couple of
- times and see if Win98 picks up group policies. Unfortunately this needs
- to be done on every Win9x machine that uses group policies....
- </P
-><P
-> If group policies don't work one reports suggests getting the updated
- (read: working) grouppol.dll for Windows 9x. The group list is grabbed
- from /etc/group.
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->How do I get 'User Manager' and 'Server Manager'</I
-></SPAN
->
- </P
-><P
-> Since I don't need to buy an NT Server CD now, how do I get
- the 'User Manager for Domains', the 'Server Manager'?
- </P
-><P
-> Microsoft distributes a version of these tools called nexus for
- installation on Windows 95 systems. The tools set includes
- </P
-><P
-></P
-><UL
-><LI
-><P
->Server Manager</P
-></LI
-><LI
-><P
->User Manager for Domains</P
-></LI
-><LI
-><P
->Event Viewer</P
-></LI
-></UL
-><P
-> Click here to download the archived file <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
->
- </P
-><P
-> The Windows NT 4.0 version of the 'User Manager for
- Domains' and 'Server Manager' are available from Microsoft via ftp
- from <A
-HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
-TARGET="_top"
->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
->
- </P
-></LI
-></UL
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN990"
->6.7. What other help can I get?</A
+NAME="AEN1026"
+>6.6. What other help can I get?</A
></H1
><P
>There are many sources of information available in the form
><H1
CLASS="SECT1"
><A
-NAME="AEN1104"
->6.8. Domain Control for Windows 9x/ME</A
+NAME="AEN1140"
+>6.7. Domain Control for Windows 9x/ME</A
></H1
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->The following section contains much of the original
-DOMAIN.txt file previously included with Samba. Much of
-the material is based on what went into the book <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->Special
-Edition, Using Samba</I
-></SPAN
->, by Richard Sharpe.</P
-></TD
-></TR
-></TABLE
-></DIV
><P
>A domain and a workgroup are exactly the same thing in terms of network
browsing. The difference is that a distributable authentication
database is associated with a domain, for secure login access to a
network. Also, different access rights can be granted to users if they
-successfully authenticate against a domain logon server (NT server and
-other systems based on NT server support this, as does at least Samba TNG now).</P
+successfully authenticate against a domain logon server. Samba-3 does this
+now in the same way that MS Windows NT/2K.</P
><P
>The SMB client logging on to a domain has an expectation that every other
server in the domain should accept the same authentication information.
-Network browsing functionality of domains and workgroups is
-identical and is explained in BROWSING.txt. It should be noted, that browsing
-is totally orthogonal to logon support.</P
+Network browsing functionality of domains and workgroups is identical and
+is explained in this documentation under the browsing discussions.
+It should be noted, that browsing is totally orthogonal to logon support.</P
><P
>Issues related to the single-logon network model are discussed in this
section. Samba supports domain logons, network logon scripts, and user
profiles for MS Windows for workgroups and MS Windows 9X/ME clients
-which will be the focus of this section.</P
+which are the focus of this section.</P
><P
>When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
><H2
CLASS="SECT2"
><A
-NAME="AEN1130"
->6.8.1. Configuration Instructions: Network Logons</A
+NAME="AEN1163"
+>6.7.1. Configuration Instructions: Network Logons</A
></H2
><P
>The main difference between a PDC and a Windows 9x logon
></TABLE
></DIV
></DIV
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1149"
->6.8.2. Configuration Instructions: Setting up Roaming User Profiles</A
-></H2
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE!</I
-></SPAN
-> Roaming profiles support is different
-for Win9X and WinNT.</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->Before discussing how to configure roaming profiles, it is useful to see how
-Win9X and WinNT clients implement these features.</P
-><P
->Win9X clients send a NetUserGetInfo request to the server to get the user's
-profiles location. However, the response does not have room for a separate
-profiles location field, only the user's home share. This means that Win9X
-profiles are restricted to being in the user's home directory.</P
-><P
->WinNT clients send a NetSAMLogon RPC request, which contains many fields,
-including a separate field for the location of the user's profiles.
-This means that support for profiles is different for Win9X and WinNT.</P
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1157"
->6.8.2.1. Windows NT Configuration</A
-></H3
-><P
->To support WinNT clients, in the [global] section of smb.conf set the
-following (for example):</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
-></P
-><P
->The default for this option is \\%N\%U\profile, namely
-\\sambaserver\username\profile. The \\N%\%U service is created
-automatically by the [homes] service.
-If you are using a samba server for the profiles, you _must_ make the
-share specified in the logon path browseable. </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 26aug96 - we have discovered a problem where Windows clients can
-maintain a connection to the [homes] share in between logins. The
-[homes] share must NOT therefore be used in a profile path.]</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1165"
->6.8.2.2. Windows 9X Configuration</A
-></H3
-><P
->To support Win9X clients, you must use the "logon home" parameter. Samba has
-now been fixed so that "net use/home" now works as well, and it, too, relies
-on the "logon home" parameter.</P
-><P
->By using the logon home parameter, you are restricted to putting Win9X
-profiles in the user's home directory. But wait! There is a trick you
-can use. If you set the following in the [global] section of your
-smb.conf file:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon home = \\%L\%U\.profiles</PRE
-></P
-><P
->then your Win9X clients will dutifully put their clients in a subdirectory
-of your home directory called .profiles (thus making them hidden).</P
-><P
->Not only that, but 'net use/home' will also work, because of a feature in
-Win9X. It removes any directory stuff off the end of the home directory area
-and only uses the server and share portion. That is, it looks like you
-specified \\%L\%U for "logon home".</P
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1173"
->6.8.2.3. Win9X and WinNT Configuration</A
-></H3
-><P
->You can support profiles for both Win9X and WinNT clients by setting both the
-"logon home" and "logon path" parameters. For example:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->logon home = \\%L\%U\.profiles
-logon path = \\%L\profiles\%U</PRE
-></P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->I have not checked what 'net use /home' does on NT when "logon home" is
-set as above.</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1180"
->6.8.2.4. Windows 9X Profile Setup</A
-></H3
-><P
->When a user first logs in on Windows 9X, the file user.DAT is created,
-as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
-These directories and their contents will be merged with the local
-versions stored in c:\windows\profiles\username on subsequent logins,
-taking the most recent from each. You will need to use the [global]
-options "preserve case = yes", "short preserve case = yes" and
-"case sensitive = no" in order to maintain capital letters in shortcuts
-in any of the profile folders.</P
-><P
->The user.DAT file contains all the user's preferences. If you wish to
-enforce a set of preferences, rename their user.DAT file to user.MAN,
-and deny them write access to this file.</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> On the Windows 95 machine, go to Control Panel | Passwords and
- select the User Profiles tab. Select the required level of
- roaming preferences. Press OK, but do _not_ allow the computer
- to reboot.
- </P
-></LI
-><LI
-><P
-> On the Windows 95 machine, go to Control Panel | Network |
- Client for Microsoft Networks | Preferences. Select 'Log on to
- NT Domain'. Then, ensure that the Primary Logon is 'Client for
- Microsoft Networks'. Press OK, and this time allow the computer
- to reboot.
- </P
-></LI
-></OL
-><P
->Under Windows 95, Profiles are downloaded from the Primary Logon.
-If you have the Primary Logon as 'Client for Novell Networks', then
-the profiles and logon script will be downloaded from your Novell
-Server. If you have the Primary Logon as 'Windows Logon', then the
-profiles will be loaded from the local machine - a bit against the
-concept of roaming profiles, if you ask me.</P
-><P
->You will now find that the Microsoft Networks Login box contains
-[user, password, domain] instead of just [user, password]. Type in
-the samba server's domain name (or any other domain known to exist,
-but bear in mind that the user will be authenticated against this
-domain and profiles downloaded from it, if that domain logon server
-supports it), user name and user's password.</P
-><P
->Once the user has been successfully validated, the Windows 95 machine
-will inform you that 'The user has not logged on before' and asks you
-if you wish to save the user's preferences? Select 'yes'.</P
-><P
->Once the Windows 95 client comes up with the desktop, you should be able
-to examine the contents of the directory specified in the "logon path"
-on the samba server and verify that the "Desktop", "Start Menu",
-"Programs" and "Nethood" folders have been created.</P
-><P
->These folders will be cached locally on the client, and updated when
-the user logs off (if you haven't made them read-only by then :-).
-You will find that if the user creates further folders or short-cuts,
-that the client will merge the profile contents downloaded with the
-contents of the profile directory already on the local client, taking
-the newest folders and short-cuts from each set.</P
-><P
->If you have made the folders / files read-only on the samba server,
-then you will get errors from the w95 machine on logon and logout, as
-it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the w95 machine, check the Unix file
-permissions and ownership rights on the profile directory contents,
-on the samba server.</P
-><P
->If you have problems creating user profiles, you can reset the user's
-local desktop cache, as shown below. When this user then next logs in,
-they will be told that they are logging in "for the first time".</P
-><P
-></P
-><OL
-TYPE="1"
-><LI
-><P
-> instead of logging in under the [user, password, domain] dialog,
- press escape.
- </P
-></LI
-><LI
-><P
-> run the regedit.exe program, and look in:
- </P
-><P
-> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
- </P
-><P
-> you will find an entry, for each user, of ProfilePath. Note the
- contents of this key (likely to be c:\windows\profiles\username),
- then delete the key ProfilePath for the required user.
- </P
-><P
-> [Exit the registry editor].
- </P
-></LI
-><LI
-><P
-> <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->WARNING</I
-></SPAN
-> - before deleting the contents of the
- directory listed in
- the ProfilePath (this is likely to be c:\windows\profiles\username),
- ask them if they have any important files stored on their desktop
- or in their start menu. delete the contents of the directory
- ProfilePath (making a backup if any of the files are needed).
- </P
-><P
-> This will have the effect of removing the local (read-only hidden
- system file) user.DAT in their profile directory, as well as the
- local "desktop", "nethood", "start menu" and "programs" folders.
- </P
-></LI
-><LI
-><P
-> search for the user's .PWL password-caching file in the c:\windows
- directory, and delete it.
- </P
-></LI
-><LI
-><P
-> log off the windows 95 client.
- </P
-></LI
-><LI
-><P
-> check the contents of the profile path (see "logon path" described
- above), and delete the user.DAT or user.MAN file for the user,
- making a backup if required.
- </P
-></LI
-></OL
-><P
->If all else fails, increase samba's debug log levels to between 3 and 10,
-and / or run a packet trace program such as tcpdump or netmon.exe, and
-look for any error reports.</P
-><P
->If you have access to an NT server, then first set up roaming profiles
-and / or netlogons on the NT server. Make a packet trace, or examine
-the example packet traces provided with NT server, and see what the
-differences are with the equivalent samba trace.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1216"
->6.8.2.5. Windows NT Workstation 4.0</A
-></H3
-><P
->When a user first logs in to a Windows NT Workstation, the profile
-NTuser.DAT is created. The profile location can be now specified
-through the "logon path" parameter. </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 10aug97 - i tried setting the path to
-\\samba-server\homes\profile, and discovered that this fails because
-a background process maintains the connection to the [homes] share
-which does _not_ close down in between user logins. you have to
-have \\samba-server\%L\profile, where user is the username created
-from the [homes] share].</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->There is a parameter that is now available for use with NT Profiles:
-"logon drive". This should be set to "h:" or any other drive, and
-should be used in conjunction with the new "logon home" parameter.</P
-><P
->The entry for the NT 4.0 profile is a _directory_ not a file. The NT
-help on profiles mentions that a directory is also created with a .PDS
-extension. The user, while logging in, must have write permission to
-create the full profile path (and the folder with the .PDS extension)
-[lkcl 10aug97 - i found that the creation of the .PDS directory failed,
-and had to create these manually for each user, with a shell script.
-also, i presume, but have not tested, that the full profile path must
-be browseable just as it is for w95, due to the manner in which they
-attempt to create the full profile path: test existence of each path
-component; create path component].</P
-><P
->In the profile directory, NT creates more folders than 95. It creates
-"Application Data" and others, as well as "Desktop", "Nethood",
-"Start Menu" and "Programs". The profile itself is stored in a file
-NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
-its purpose is currently unknown.</P
-><P
->You can use the System Control Panel to copy a local profile onto
-a samba server (see NT Help on profiles: it is also capable of firing
-up the correct location in the System Control Panel for you). The
-NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
-turns a profile into a mandatory one.</P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 10aug97 - i notice that NT Workstation tells me that it is
-downloading a profile from a slow link. whether this is actually the
-case, or whether there is some configuration issue, as yet unknown,
-that makes NT Workstation _think_ that the link is a slow one is a
-matter to be resolved].</P
-><P
->[lkcl 20aug97 - after samba digest correspondence, one user found, and
-another confirmed, that profiles cannot be loaded from a samba server
-unless "security = user" and "encrypt passwords = yes" (see the file
-ENCRYPTION.txt) or "security = server" and "password server = ip.address.
-of.yourNTserver" are used. Either of these options will allow the NT
-workstation to access the samba server using LAN manager encrypted
-passwords, without the user intervention normally required by NT
-workstation for clear-text passwords].</P
-><P
->[lkcl 25aug97 - more comments received about NT profiles: the case of
-the profile _matters_. the file _must_ be called NTuser.DAT or, for
-a mandatory profile, NTuser.MAN].</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1229"
->6.8.2.6. Windows NT Server</A
-></H3
-><P
->There is nothing to stop you specifying any path that you like for the
-location of users' profiles. Therefore, you could specify that the
-profile be stored on a samba server, or any other SMB server, as long as
-that SMB server supports encrypted passwords.</P
-></DIV
-><DIV
-CLASS="SECT3"
-><H3
-CLASS="SECT3"
-><A
-NAME="AEN1232"
->6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A
-></H3
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Potentially outdated or incorrect material follows</B
-></TH
-></TR
-><TR
-><TD
-> </TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
-></TD
-></TR
-></TABLE
-></DIV
-><P
->The default logon path is \\%N\%U. NT Workstation will attempt to create
-a directory "\\samba-server\username.PDS" if you specify the logon path
-as "\\samba-server\username" with the NT User Manager. Therefore, you
-will need to specify (for example) "\\samba-server\username\profile".
-NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
-is more likely to succeed.</P
-><P
->If you then want to share the same Start Menu / Desktop with W95, you will
-need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
-this has its drawbacks: i created a shortcut to telnet.exe, which attempts
-to run from the c:\winnt\system32 directory. this directory is obviously
-unlikely to exist on a Win95-only host].</P
-><P
-> If you have this set up correctly, you will find separate user.DAT and
-NTuser.DAT files in the same profile directory.</P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
->[lkcl 25aug97 - there are some issues to resolve with downloading of
-NT profiles, probably to do with time/date stamps. i have found that
-NTuser.DAT is never updated on the workstation after the first time that
-it is copied to the local workstation profile directory. this is in
-contrast to w95, where it _does_ transfer / update profiles correctly].</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1242"
->6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
-></H1
-><DIV
-CLASS="WARNING"
-><P
-></P
-><TABLE
-CLASS="WARNING"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
-HSPACE="5"
-ALT="Warning"></TD
-><TH
-ALIGN="LEFT"
-VALIGN="CENTER"
-><B
->Possibly Outdated Material</B
-></TH
-></TR
-><TR
-><TD
-> </TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-> This appendix was originally authored by John H Terpstra of
- the Samba Team and is included here for posterity.
- </P
-></TD
-></TR
-></TABLE
-></DIV
-><P
-><SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->NOTE :</I
-></SPAN
->
-The term "Domain Controller" and those related to it refer to one specific
-method of authentication that can underly an SMB domain. Domain Controllers
-prior to Windows NT Server 3.1 were sold by various companies and based on
-private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
-Microsoft-specific ways of distributing the user authentication database.
-See DOMAIN.txt for examples of how Samba can participate in or create
-SMB domains based on shared authentication database schemes other than the
-Windows NT SAM.</P
-><P
->Windows NT Server can be installed as either a plain file and print server
-(WORKGROUP workstation or server) or as a server that participates in Domain
-Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
-The same is true for OS/2 Warp Server, Digital Pathworks and other similar
-products, all of which can participate in Domain Control along with Windows NT.</P
-><P
->To many people these terms can be confusing, so let's try to clear the air.</P
-><P
->Every Windows NT system (workstation or server) has a registry database.
-The registry contains entries that describe the initialization information
-for all services (the equivalent of Unix Daemons) that run within the Windows
-NT environment. The registry also contains entries that tell application
-software where to find dynamically loadable libraries that they depend upon.
-In fact, the registry contains entries that describes everything that anything
-may need to know to interact with the rest of the system.</P
-><P
->The registry files can be located on any Windows NT machine by opening a
-command prompt and typing:</P
-><P
-><SAMP
-CLASS="PROMPT"
->C:\WINNT\></SAMP
-> dir %SystemRoot%\System32\config</P
-><P
->The environment variable %SystemRoot% value can be obtained by typing:</P
-><P
-><SAMP
-CLASS="PROMPT"
->C:\WINNT></SAMP
->echo %SystemRoot%</P
-><P
->The active parts of the registry that you may want to be familiar with are
-the files called: default, system, software, sam and security.</P
-><P
->In a domain environment, Microsoft Windows NT domain controllers participate
-in replication of the SAM and SECURITY files so that all controllers within
-the domain have an exactly identical copy of each.</P
-><P
->The Microsoft Windows NT system is structured within a security model that
-says that all applications and services must authenticate themselves before
-they can obtain permission from the security manager to do what they set out
-to do.</P
-><P
->The Windows NT User database also resides within the registry. This part of
-the registry contains the user's security identifier, home directory, group
-memberships, desktop profile, and so on.</P
-><P
->Every Windows NT system (workstation as well as server) will have its own
-registry. Windows NT Servers that participate in Domain Security control
-have a database that they share in common - thus they do NOT own an
-independent full registry database of their own, as do Workstations and
-plain Servers.</P
-><P
->The User database is called the SAM (Security Access Manager) database and
-is used for all user authentication as well as for authentication of inter-
-process authentication (i.e. to ensure that the service action a user has
-requested is permitted within the limits of that user's privileges).</P
-><P
->The Samba team have produced a utility that can dump the Windows NT SAM into
-smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
-/pub/samba/pwdump on your nearest Samba mirror for the utility. This
-facility is useful but cannot be easily used to implement SAM replication
-to Samba systems.</P
-><P
->Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
-can participate in a Domain security system that is controlled by Windows NT
-servers that have been correctly configured. Almost every domain will have
-ONE Primary Domain Controller (PDC). It is desirable that each domain will
-have at least one Backup Domain Controller (BDC).</P
-><P
->The PDC and BDCs then participate in replication of the SAM database so that
-each Domain Controlling participant will have an up to date SAM component
-within its registry.</P
></DIV
></DIV
><DIV
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Samba as Stand-Alone server (User and Share security level)</TD
+>Samba as Stand-Alone Server</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
+>Samba Backup Domain Controller to Samba Domain Control</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Creating Group Prolicy Files"
-HREF="groupprofiles.html"><LINK
+TITLE="Stackable VFS modules"
+HREF="vfs.html"><LINK
REL="NEXT"
TITLE="Unicode/Charsets"
HREF="unicode.html"></HEAD
ALIGN="left"
VALIGN="bottom"
><A
-HREF="groupprofiles.html"
+HREF="vfs.html"
ACCESSKEY="P"
>Prev</A
></TD
><A
NAME="SECURING-SAMBA"
></A
->Chapter 22. Securing Samba</H1
+>Chapter 21. Securing Samba</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN3539"
->22.1. Introduction</A
+NAME="AEN3348"
+>21.1. Introduction</A
></H1
><P
>This note was attached to the Samba 2.2.8 release notes as it contained an
><H1
CLASS="SECT1"
><A
-NAME="AEN3542"
->22.2. Using host based protection</A
+NAME="AEN3351"
+>21.2. Using host based protection</A
></H1
><P
>In many installations of Samba the greatest threat comes for outside
><H1
CLASS="SECT1"
><A
-NAME="AEN3549"
->22.3. Using interface protection</A
+NAME="AEN3358"
+>21.3. Using interface protection</A
></H1
><P
>By default Samba will accept connections on any network interface that
><H1
CLASS="SECT1"
><A
-NAME="AEN3558"
->22.4. Using a firewall</A
+NAME="AEN3367"
+>21.4. Using a firewall</A
></H1
><P
>Many people use a firewall to deny access to services that they don't
><H1
CLASS="SECT1"
><A
-NAME="AEN3565"
->22.5. Using a IPC$ share deny</A
+NAME="AEN3374"
+>21.5. Using a IPC$ share deny</A
></H1
><P
>If the above methods are not suitable, then you could also place a
><H1
CLASS="SECT1"
><A
-NAME="AEN3574"
->22.6. Upgrading Samba</A
+NAME="AEN3383"
+>21.6. Upgrading Samba</A
></H1
><P
>Please check regularly on http://www.samba.org/ for updates and
ALIGN="left"
VALIGN="top"
><A
-HREF="groupprofiles.html"
+HREF="vfs.html"
ACCESSKEY="P"
>Prev</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Creating Group Prolicy Files</TD
+>Stackable VFS modules</TD
><TD
WIDTH="34%"
ALIGN="center"
<HTML
><HEAD
><TITLE
->Samba as Stand-Alone server (User and Share security level)</TITLE
+>Samba as Stand-Alone Server</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
><A
NAME="SECURITYLEVELS"
></A
->Chapter 5. Samba as Stand-Alone server (User and Share security level)</H1
+>Chapter 5. Samba as Stand-Alone Server</H1
+><P
+>In this section the function and purpose of Samba's <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>security</I
+></SPAN
+>
+modes are described.</P
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN681"
+>5.1. User and Share security level</A
+></H1
><P
>A SMB server tells the client at startup what "security level" it is
running. There are two options "share level" and "user level". Which
everything is initiated and controlled by the client, and the server
can only tell the client what is available and whether an action is
allowed. </P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN684"
+>5.1.1. User Level Security</A
+></H2
><P
>I'll describe user level security first, as its simpler. In user level
security the client will send a "session setup" command directly after
as an authentication tag for that username/password. The client can
maintain multiple authentication contexts in this way (WinDD is an
example of an application that does this)</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN694"
+>5.1.2. Share Level Security</A
+></H2
><P
>Ok, now for share level security. In share level security the client
authenticates itself separately for each share. It will send a
line. The password is then checked in turn against these "possible
usernames". If a match is found then the client is authenticated as
that user.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN698"
+>5.1.3. Server Level Security</A
+></H2
><P
>Finally "server level" security. In server level security the samba
server reports to the client that it is in user level security. The
parameter "password server =" that points to the real authentication server.
That real authentication server can be another Samba server or can be a
Windows NT server, the later natively capable of encrypted password support.</P
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN703"
+>5.1.3.1. Configuring Samba for Seemless Windows Network Integration</A
+></H3
+><P
+>MS Windows clients may use encrypted passwords as part of a challenege/response
+authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple
+password based authentication. It should be realized that with the SMB protocol
+the password is passed over the network either in plain text or encrypted, but
+not both in the same authentication requests.</P
+><P
+>When encrypted passwords are used a password that has been entered by the user
+is encrypted in two ways:</P
+><P
+></P
+><UL
+><LI
+><P
+>An MD4 hash of the UNICODE of the password
+ string. This is known as the NT hash.
+ </P
+></LI
+><LI
+><P
+>The password is converted to upper case,
+ and then padded or trucated to 14 bytes. This string is
+ then appended with 5 bytes of NULL characters and split to
+ form two 56 bit DES keys to encrypt a "magic" 8 byte value.
+ The resulting 16 bytes for the LanMan hash.
+ </P
+></LI
+></UL
+><P
+>MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
+pre-service pack 3 will use either mode of password authentication. All
+versions of MS Windows that follow these versions no longer support plain
+text passwords by default.</P
+><P
+>MS Windows clients have a habit of dropping network mappings that have been idle
+for 10 minutes or longer. When the user attempts to use the mapped drive
+connection that has been dropped, the client re-establishes the connection using
+a cached copy of the password.</P
+><P
+>When Microsoft changed the default password mode, support was dropped for caching
+of the plain text password. This means that when the registry parameter is changed
+to re-enable use of plain text passwords it appears to work, but when a dropped
+service connection mapping attempts to revalidate it will fail if the remote
+authentication server does not support encrypted passwords. This means that it
+is definitely not a good idea to re-enable plain text password support in such clients.</P
+><P
+>The following parameters can be used to work around the issue of Windows 9x client
+upper casing usernames and password before transmitting them to the SMB server
+when using clear text authentication.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> <A
+HREF="smb.conf.5.html#PASSWORDLEVEL"
+TARGET="_top"
+>passsword level</A
+> = <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>
+ <A
+HREF="smb.conf.5.html#USERNAMELEVEL"
+TARGET="_top"
+>username level</A
+> = <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></PRE
+></P
+><P
+>By default Samba will lower case the username before attempting to lookup the user
+in the database of local system accounts. Because UNIX usernames conventionally
+only contain lower case character, the <VAR
+CLASS="PARAMETER"
+>username level</VAR
+> parameter
+is rarely needed.</P
+><P
+>However, passwords on UNIX systems often make use of mixed case characters.
+This means that in order for a user on a Windows 9x client to connect to a Samba
+server using clear text authentication, the <VAR
+CLASS="PARAMETER"
+>password level</VAR
+>
+must be set to the maximum number of upper case letter which <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>could</I
+></SPAN
+>
+appear is a password. Note that is the server OS uses the traditional DES version
+of crypt(), then a <VAR
+CLASS="PARAMETER"
+>password level</VAR
+> of 8 will result in case
+insensitive passwords as seen from Windows users. This will also result in longer
+login times as Samba hash to compute the permutations of the password string and
+try them one by one until a match is located (or all combinations fail).</P
+><P
+>The best option to adopt is to enable support for encrypted passwords
+where ever Samba is used. There are three configuration possibilities
+for support of encrypted passwords:</P
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN729"
+>5.1.3.2. Use MS Windows NT as an authentication server</A
+></H3
+><P
+>This method involves the additions of the following parameters in the smb.conf file:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> encrypt passwords = Yes
+ security = server
+ password server = "NetBIOS_name_of_PDC"</PRE
+></P
+><P
+>There are two ways of identifying whether or not a username and
+password pair was valid or not. One uses the reply information provided
+as part of the authentication messaging process, the other uses
+just and error code.</P
+><P
+>The down-side of this mode of configuration is the fact that
+for security reasons Samba will send the password server a bogus
+username and a bogus password and if the remote server fails to
+reject the username and password pair then an alternative mode
+of identification of validation is used. Where a site uses password
+lock out after a certain number of failed authentication attempts
+this will result in user lockouts.</P
+><P
+>Use of this mode of authentication does require there to be
+a standard Unix account for the user, this account can be blocked
+to prevent logons by other than MS Windows clients.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN737"
+>5.1.4. Domain Level Security</A
+></H2
+><P
+>When samba is operating in <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>security = domain</I
+></SPAN
+> mode this means that
+the Samba server has a domain security trust account (a machine account) and will cause
+all authentication requests to be passed through to the domain controllers.</P
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN741"
+>5.1.4.1. Samba as a member of an MS Windows NT security domain</A
+></H3
+><P
+>This method involves additon of the following paramters in the smb.conf file:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> encrypt passwords = Yes
+ security = domain
+ workgroup = "name of NT domain"
+ password server = *</PRE
+></P
+><P
+>The use of the "*" argument to "password server" will cause samba to locate the
+domain controller in a way analogous to the way this is done within MS Windows NT.
+This is the default behaviour.</P
+><P
+>In order for this method to work the Samba server needs to join the
+MS Windows NT security domain. This is done as follows:</P
+><P
+></P
+><UL
+><LI
+><P
+>On the MS Windows NT domain controller using
+ the Server Manager add a machine account for the Samba server.
+ </P
+></LI
+><LI
+><P
+>Next, on the Linux system execute:
+ <B
+CLASS="COMMAND"
+>smbpasswd -r PDC_NAME -j DOMAIN_NAME</B
+>
+ </P
+></LI
+></UL
+><P
+>Use of this mode of authentication does require there to be a standard Unix account
+for the user in order to assign a uid once the account has been authenticated by
+the remote Windows DC. This account can be blocked to prevent logons by other than
+MS Windows clients by things such as setting an invalid shell in the
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry. </P
+><P
+>An alternative to assigning UIDs to Windows users on a Samba member server is
+presented in the <A
+HREF="winbind.html"
+TARGET="_top"
+>Winbind Overview</A
+> chapter
+in this HOWTO collection.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN758"
+>5.1.5. ADS Level Security</A
+></H2
+><P
+>For information about the configuration option please refer to the entire section entitled
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Samba as an ADS Domain Member.</I
+></SPAN
+></P
+></DIV
+></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
-HREF="optional.html"><LINK
+TITLE="Appendixes"
+HREF="appendixes.html"><LINK
REL="PREVIOUS"
-TITLE="Group mapping HOWTO"
-HREF="groupmapping.html"><LINK
+TITLE="Appendixes"
+HREF="appendixes.html"><LINK
REL="NEXT"
-TITLE="Creating Group Prolicy Files"
-HREF="groupprofiles.html"></HEAD
+TITLE="Portability"
+HREF="portability.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="groupmapping.html"
+HREF="appendixes.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="groupprofiles.html"
+HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="SPEED"
></A
->Chapter 20. Samba performance issues</H1
+>Chapter 23. Samba performance issues</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN3320"
->20.1. Comparisons</A
+NAME="AEN3443"
+>23.1. Comparisons</A
></H1
><P
>The Samba server uses TCP to talk to the client. Thus if you are
><H1
CLASS="SECT1"
><A
-NAME="AEN3326"
->20.2. Socket options</A
+NAME="AEN3449"
+>23.2. Socket options</A
></H1
><P
>There are a number of socket options that can greatly affect the
><H1
CLASS="SECT1"
><A
-NAME="AEN3333"
->20.3. Read size</A
+NAME="AEN3456"
+>23.3. Read size</A
></H1
><P
>The option "read size" affects the overlap of disk reads/writes with
><H1
CLASS="SECT1"
><A
-NAME="AEN3338"
->20.4. Max xmit</A
+NAME="AEN3461"
+>23.4. Max xmit</A
></H1
><P
>At startup the client and server negotiate a "maximum transmit" size,
><H1
CLASS="SECT1"
><A
-NAME="AEN3343"
->20.5. Log level</A
+NAME="AEN3466"
+>23.5. Log level</A
></H1
><P
>If you set the log level (also known as "debug level") higher than 2
><H1
CLASS="SECT1"
><A
-NAME="AEN3346"
->20.6. Read raw</A
+NAME="AEN3469"
+>23.6. Read raw</A
></H1
><P
>The "read raw" operation is designed to be an optimised, low-latency
><H1
CLASS="SECT1"
><A
-NAME="AEN3351"
->20.7. Write raw</A
+NAME="AEN3474"
+>23.7. Write raw</A
></H1
><P
>The "write raw" operation is designed to be an optimised, low-latency
><H1
CLASS="SECT1"
><A
-NAME="AEN3355"
->20.8. Slow Clients</A
+NAME="AEN3478"
+>23.8. Slow Clients</A
></H1
><P
>One person has reported that setting the protocol to COREPLUS rather
><H1
CLASS="SECT1"
><A
-NAME="AEN3359"
->20.9. Slow Logins</A
+NAME="AEN3482"
+>23.9. Slow Logins</A
></H1
><P
>Slow logins are almost always due to the password checking time. Using
><H1
CLASS="SECT1"
><A
-NAME="AEN3362"
->20.10. Client tuning</A
+NAME="AEN3485"
+>23.10. Client tuning</A
></H1
><P
>Often a speed problem can be traced to the client. The client (for
ALIGN="left"
VALIGN="top"
><A
-HREF="groupmapping.html"
+HREF="appendixes.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="groupprofiles.html"
+HREF="portability.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Group mapping HOWTO</TD
+>Appendixes</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
-HREF="optional.html"
+HREF="appendixes.html"
ACCESSKEY="U"
>Up</A
></TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Creating Group Prolicy Files</TD
+>Portability</TD
></TR
></TABLE
></DIV
><DIV
CLASS="PARTINTRO"
><A
-NAME="AEN600"
+NAME="AEN610"
></A
><H1
>Introduction</H1
><DL
><DT
>4.1. <A
-HREF="servertype.html#AEN629"
+HREF="servertype.html#AEN639"
>Stand Alone Server</A
></DT
><DT
>4.2. <A
-HREF="servertype.html#AEN635"
+HREF="servertype.html#AEN646"
>Domain Member Server</A
></DT
><DT
>4.3. <A
-HREF="servertype.html#AEN641"
+HREF="servertype.html#AEN652"
>Domain Controller</A
></DT
><DD
><DL
><DT
>4.3.1. <A
-HREF="servertype.html#AEN644"
+HREF="servertype.html#AEN655"
>Domain Controller Types</A
></DT
></DL
><DT
>5. <A
HREF="securitylevels.html"
->Samba as Stand-Alone server (User and Share security level)</A
+>Samba as Stand-Alone Server</A
+></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="securitylevels.html#AEN681"
+>User and Share security level</A
+></DT
+><DD
+><DL
+><DT
+>5.1.1. <A
+HREF="securitylevels.html#AEN684"
+>User Level Security</A
+></DT
+><DT
+>5.1.2. <A
+HREF="securitylevels.html#AEN694"
+>Share Level Security</A
+></DT
+><DT
+>5.1.3. <A
+HREF="securitylevels.html#AEN698"
+>Server Level Security</A
+></DT
+><DT
+>5.1.4. <A
+HREF="securitylevels.html#AEN737"
+>Domain Level Security</A
></DT
><DT
+>5.1.5. <A
+HREF="securitylevels.html#AEN758"
+>ADS Level Security</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
>6. <A
HREF="samba-pdc.html"
>Samba as an NT4 or Win2k Primary Domain Controller</A
><DL
><DT
>6.1. <A
-HREF="samba-pdc.html#AEN705"
+HREF="samba-pdc.html#AEN785"
>Prerequisite Reading</A
></DT
><DT
>6.2. <A
-HREF="samba-pdc.html#AEN710"
+HREF="samba-pdc.html#AEN790"
>Background</A
></DT
><DT
>6.3. <A
-HREF="samba-pdc.html#AEN748"
+HREF="samba-pdc.html#AEN830"
>Configuring the Samba Domain Controller</A
></DT
><DT
>6.4. <A
-HREF="samba-pdc.html#AEN790"
+HREF="samba-pdc.html#AEN872"
>Creating Machine Trust Accounts and Joining Clients to the Domain</A
></DT
><DD
><DL
><DT
>6.4.1. <A
-HREF="samba-pdc.html#AEN833"
+HREF="samba-pdc.html#AEN915"
>Manual Creation of Machine Trust Accounts</A
></DT
><DT
>6.4.2. <A
-HREF="samba-pdc.html#AEN874"
+HREF="samba-pdc.html#AEN956"
>"On-the-Fly" Creation of Machine Trust Accounts</A
></DT
><DT
>6.4.3. <A
-HREF="samba-pdc.html#AEN883"
+HREF="samba-pdc.html#AEN965"
>Joining the Client to the Domain</A
></DT
></DL
></DD
><DT
>6.5. <A
-HREF="samba-pdc.html#AEN898"
+HREF="samba-pdc.html#AEN980"
>Common Problems and Errors</A
></DT
><DT
>6.6. <A
-HREF="samba-pdc.html#AEN946"
->System Policies and Profiles</A
-></DT
-><DT
->6.7. <A
-HREF="samba-pdc.html#AEN990"
+HREF="samba-pdc.html#AEN1026"
>What other help can I get?</A
></DT
><DT
-HREF="samba-pdc.html#AEN1104"
+HREF="samba-pdc.html#AEN1140"
>Domain Control for Windows 9x/ME</A
></DT
><DD
><DL
><DT
-HREF="samba-pdc.html#AEN1130"
+HREF="samba-pdc.html#AEN1163"
>Configuration Instructions: Network Logons</A
></DT
-><DT
->6.8.2. <A
-HREF="samba-pdc.html#AEN1149"
->Configuration Instructions: Setting up Roaming User Profiles</A
-></DT
></DL
></DD
-><DT
->6.9. <A
-HREF="samba-pdc.html#AEN1242"
->DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
-></DT
></DL
></DD
><DT
>7. <A
HREF="samba-bdc.html"
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
+>Samba Backup Domain Controller to Samba Domain Control</A
></DT
><DD
><DL
><DT
>7.1. <A
-HREF="samba-bdc.html#AEN1278"
+HREF="samba-bdc.html#AEN1193"
>Prerequisite Reading</A
></DT
><DT
>7.2. <A
-HREF="samba-bdc.html#AEN1282"
+HREF="samba-bdc.html#AEN1197"
>Background</A
></DT
><DT
>7.3. <A
-HREF="samba-bdc.html#AEN1290"
+HREF="samba-bdc.html#AEN1205"
>What qualifies a Domain Controller on the network?</A
></DT
><DD
><DL
><DT
>7.3.1. <A
-HREF="samba-bdc.html#AEN1293"
+HREF="samba-bdc.html#AEN1208"
>How does a Workstation find its domain controller?</A
></DT
><DT
>7.3.2. <A
-HREF="samba-bdc.html#AEN1296"
+HREF="samba-bdc.html#AEN1211"
>When is the PDC needed?</A
></DT
></DL
></DD
><DT
>7.4. <A
-HREF="samba-bdc.html#AEN1299"
+HREF="samba-bdc.html#AEN1214"
>Can Samba be a Backup Domain Controller to an NT PDC?</A
></DT
><DT
>7.5. <A
-HREF="samba-bdc.html#AEN1304"
+HREF="samba-bdc.html#AEN1219"
>How do I set up a Samba BDC?</A
></DT
><DD
><DL
><DT
>7.5.1. <A
-HREF="samba-bdc.html#AEN1321"
+HREF="samba-bdc.html#AEN1236"
>How do I replicate the smbpasswd file?</A
></DT
><DT
>7.5.2. <A
-HREF="samba-bdc.html#AEN1325"
+HREF="samba-bdc.html#AEN1240"
>Can I do this all with LDAP?</A
></DT
></DL
><DL
><DT
>8.1. <A
-HREF="ads.html#AEN1343"
->Installing the required packages for Debian</A
+HREF="ads.html#AEN1251"
+>Setup your <TT
+CLASS="FILENAME"
+>smb.conf</TT
+></A
></DT
><DT
>8.2. <A
-HREF="ads.html#AEN1350"
->Installing the required packages for RedHat</A
+HREF="ads.html#AEN1262"
+>Setup your <TT
+CLASS="FILENAME"
+>/etc/krb5.conf</TT
+></A
></DT
><DT
>8.3. <A
-HREF="ads.html#AEN1360"
->Compile Samba</A
-></DT
-><DT
->8.4. <A
-HREF="ads.html#AEN1375"
->Setup your /etc/krb5.conf</A
-></DT
-><DT
->8.5. <A
-HREF="ads.html#AEN1385"
+HREF="ads.html#AEN1273"
>Create the computer account</A
></DT
><DD
><DL
><DT
-HREF="ads.html#AEN1389"
+HREF="ads.html#AEN1277"
>Possible errors</A
></DT
></DL
></DD
><DT
-HREF="ads.html#AEN1397"
+HREF="ads.html#AEN1285"
>Test your server setup</A
></DT
><DT
-HREF="ads.html#AEN1402"
+HREF="ads.html#AEN1290"
>Testing with smbclient</A
></DT
><DT
-HREF="ads.html#AEN1405"
+HREF="ads.html#AEN1293"
>Notes</A
></DT
></DL
><DL
><DT
>9.1. <A
-HREF="domain-security.html#AEN1427"
+HREF="domain-security.html#AEN1315"
>Joining an NT Domain with Samba 3.0</A
></DT
><DT
>9.2. <A
-HREF="domain-security.html#AEN1482"
->Samba and Windows 2000 Domains</A
-></DT
-><DT
->9.3. <A
-HREF="domain-security.html#AEN1485"
+HREF="domain-security.html#AEN1369"
>Why is this better than security = server?</A
></DT
></DL
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Integrating MS Windows networks with Samba"
-HREF="integrate-ms-networks.html"><LINK
+TITLE="System Policies"
+HREF="advancednetworkmanagement.html"><LINK
REL="NEXT"
-TITLE="Configuring PAM for distributed but centrally
-managed authentication"
-HREF="pam.html"></HEAD
+TITLE="Group mapping HOWTO"
+HREF="groupmapping.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="integrate-ms-networks.html"
+HREF="advancednetworkmanagement.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="pam.html"
+HREF="groupmapping.html"
ACCESSKEY="N"
>Next</A
></TD
><H1
CLASS="SECT1"
><A
-NAME="AEN1748"
+NAME="AEN1663"
>11.1. Viewing and changing UNIX permissions using the NT
security dialogs</A
></H1
><P
->New in the Samba 2.0.4 release is the ability for Windows
- NT clients to use their native security settings dialog box to
- view and modify the underlying UNIX permissions.</P
+>Windows NT clients can use their native security settings
+ dialog box to view and modify the underlying UNIX permissions.</P
><P
>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
><H1
CLASS="SECT1"
><A
-NAME="AEN1752"
+NAME="AEN1667"
>11.2. How to view file security on a Samba share</A
></H1
><P
->From an NT 4.0 client, single-click with the right
+>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <SPAN
>Properties</I
></SPAN
> entry at the bottom of
- the menu. This brings up the normal file properties dialog
- box, but with Samba 2.0.4 this will have a new tab along the top
- marked <SPAN
+ the menu. This brings up the file properties dialog
+ box. Click on the tab <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Security</I
></SPAN
->. Click on this tab and you
+> and you
will see three buttons, <SPAN
CLASS="emphasis"
><I
><H1
CLASS="SECT1"
><A
-NAME="AEN1763"
+NAME="AEN1678"
>11.3. Viewing file ownership</A
></H1
><P
><P
>There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
- to a Samba 2.0.4 server as root to change the ownership of
+ to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <SPAN
CLASS="emphasis"
><H1
CLASS="SECT1"
><A
-NAME="AEN1783"
+NAME="AEN1698"
>11.4. Viewing file or directory permissions</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1798"
+NAME="AEN1713"
>11.4.1. File Permissions</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN1812"
+NAME="AEN1727"
>11.4.2. Directory Permissions</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN1819"
+NAME="AEN1734"
>11.5. Modifying file or directory permissions</A
></H1
><P
CLASS="COMMAND"
>"Add"</B
>
- button will not return a list of users in Samba 2.0.4 (it will give
+ button will not return a list of users in Samba (it will give
an error message of <B
CLASS="COMMAND"
>"The remote procedure call failed
><H1
CLASS="SECT1"
><A
-NAME="AEN1841"
+NAME="AEN1756"
>11.6. Interaction with the standard Samba create mask
parameters</A
></H1
><P
->Note that with Samba 2.0.5 there are four new parameters
- to control this interaction. These are :</P
+>There are four parameters
+ to control interaction with the standard Samba create mask parameters.
+ These are :</P
><P
><VAR
CLASS="PARAMETER"
>create mask
</VAR
></A
-> parameter to provide compatibility with Samba 2.0.4
- where this permission change facility was introduced. To allow a user to
- modify all the user/group/world permissions on a file, set this parameter
+> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter
to 0777.</P
><P
>Next Samba checks the changed permissions for a file against
>force
create mode</VAR
></A
-> parameter to provide compatibility
- with Samba 2.0.4 where the permission change facility was introduced.
+> parameter.
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</P
><P
the <VAR
CLASS="PARAMETER"
>force directory mode</VAR
-> parameter to provide
- compatibility with Samba 2.0.4 where the permission change facility
- was introduced.</P
+> parameter. </P
><P
>In this way Samba enforces the permission restrictions that
an administrator can set on a Samba share, whilst still allowing users
CLASS="PARAMETER"
>force directory security mode = 0</VAR
></P
-><P
->As described, in Samba 2.0.4 the parameters :</P
-><P
-><VAR
-CLASS="PARAMETER"
->create mask</VAR
-></P
-><P
-><VAR
-CLASS="PARAMETER"
->force create mode</VAR
-></P
-><P
-><VAR
-CLASS="PARAMETER"
->directory mask</VAR
-></P
-><P
-><VAR
-CLASS="PARAMETER"
->force directory mode</VAR
-></P
-><P
->were used instead of the parameters discussed here.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1905"
+NAME="AEN1810"
>11.7. Interaction with the standard Samba file attribute
mapping</A
></H1
ALIGN="left"
VALIGN="top"
><A
-HREF="integrate-ms-networks.html"
+HREF="advancednetworkmanagement.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="pam.html"
+HREF="groupmapping.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Integrating MS Windows networks with Samba</TD
+>System Policies</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Configuring PAM for distributed but centrally
-managed authentication</TD
+>Group mapping HOWTO</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
-TITLE="Improved browsing in samba"
-HREF="improved-browsing.html"><LINK
+TITLE="Hosting a Microsoft Distributed File System tree on Samba"
+HREF="msdfs.html"><LINK
REL="NEXT"
-TITLE="Group mapping HOWTO"
-HREF="groupmapping.html"></HEAD
+TITLE="Securing Samba"
+HREF="securing-samba.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="left"
VALIGN="bottom"
><A
-HREF="improved-browsing.html"
+HREF="msdfs.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="bottom"
><A
-HREF="groupmapping.html"
+HREF="securing-samba.html"
ACCESSKEY="N"
>Next</A
></TD
><A
NAME="VFS"
></A
->Chapter 18. Stackable VFS modules</H1
+>Chapter 20. Stackable VFS modules</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN3190"
->18.1. Introduction and configuration</A
+NAME="AEN3259"
+>20.1. Introduction and configuration</A
></H1
><P
>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.
><H1
CLASS="SECT1"
><A
-NAME="AEN3199"
->18.2. Included modules</A
+NAME="AEN3268"
+>20.2. Included modules</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
-NAME="AEN3201"
->18.2.1. audit</A
+NAME="AEN3270"
+>20.2.1. audit</A
></H2
><P
>A simple module to audit file access to the syslog
><H2
CLASS="SECT2"
><A
-NAME="AEN3209"
->18.2.2. recycle</A
+NAME="AEN3278"
+>20.2.2. recycle</A
></H2
><P
>A recycle-bin like modules. When used any unlink call
><H2
CLASS="SECT2"
><A
-NAME="AEN3246"
->18.2.3. netatalk</A
+NAME="AEN3315"
+>20.2.3. netatalk</A
></H2
><P
>A netatalk module, that will ease co-existence of samba and
><H1
CLASS="SECT1"
><A
-NAME="AEN3253"
->18.3. VFS modules available elsewhere</A
+NAME="AEN3322"
+>20.3. VFS modules available elsewhere</A
></H1
><P
>This section contains a listing of various other VFS modules that
><H2
CLASS="SECT2"
><A
-NAME="AEN3257"
->18.3.1. DatabaseFS</A
+NAME="AEN3326"
+>20.3.1. DatabaseFS</A
></H2
><P
>URL: <A
><H2
CLASS="SECT2"
><A
-NAME="AEN3265"
->18.3.2. vscan</A
+NAME="AEN3334"
+>20.3.2. vscan</A
></H2
><P
>URL: <A
ALIGN="left"
VALIGN="top"
><A
-HREF="improved-browsing.html"
+HREF="msdfs.html"
ACCESSKEY="P"
>Prev</A
></TD
ALIGN="right"
VALIGN="top"
><A
-HREF="groupmapping.html"
+HREF="securing-samba.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
->Improved browsing in samba</TD
+>Hosting a Microsoft Distributed File System tree on Samba</TD
><TD
WIDTH="34%"
ALIGN="center"
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Group mapping HOWTO</TD
+>Securing Samba</TD
></TR
></TABLE
></DIV
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
-TITLE="Optional configuration"
+TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="CUPS Printing Support"
HREF="cups-printing.html"><LINK
REL="NEXT"
-TITLE="Improved browsing in samba"
-HREF="improved-browsing.html"></HEAD
+TITLE="Integrating MS Windows networks with Samba"
+HREF="integrate-ms-networks.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
ALIGN="right"
VALIGN="bottom"
><A
-HREF="improved-browsing.html"
+HREF="integrate-ms-networks.html"
ACCESSKEY="N"
>Next</A
></TD
><H1
CLASS="SECT1"
><A
-NAME="AEN2685"
+NAME="AEN2573"
>16.1. Abstract</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2689"
+NAME="AEN2577"
>16.2. Introduction</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2702"
+NAME="AEN2590"
>16.3. What Winbind Provides</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2709"
+NAME="AEN2597"
>16.3.1. Target Uses</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2713"
+NAME="AEN2601"
>16.4. How Winbind Works</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2718"
+NAME="AEN2606"
>16.4.1. Microsoft Remote Procedure Calls</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2722"
+NAME="AEN2610"
>16.4.2. Microsoft Active Directory Services</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2725"
+NAME="AEN2613"
>16.4.3. Name Service Switch</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2741"
+NAME="AEN2629"
>16.4.4. Pluggable Authentication Modules</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2749"
+NAME="AEN2637"
>16.4.5. User and Group ID Allocation</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2753"
+NAME="AEN2641"
>16.4.6. Result Caching</A
></H2
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN2756"
+NAME="AEN2644"
>16.5. Installation and Configuration</A
></H1
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2761"
+NAME="AEN2649"
>16.5.1. Introduction</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2774"
+NAME="AEN2662"
>16.5.2. Requirements</A
></H2
><P
><H2
CLASS="SECT2"
><A
-NAME="AEN2788"
+NAME="AEN2676"
>16.5.3. Testing Things Out</A
></H2
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2799"
+NAME="AEN2687"
>16.5.3.1. Configure and compile SAMBA</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2818"
+NAME="AEN2706"
>16.5.3.2. Configure <TT
CLASS="FILENAME"
>nsswitch.conf</TT
><H3
CLASS="SECT3"
><A
-NAME="AEN2851"
+NAME="AEN2739"
>16.5.3.3. Configure smb.conf</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2867"
+NAME="AEN2755"
>16.5.3.4. Join the SAMBA server to the PDC domain</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2878"
+NAME="AEN2766"
>16.5.3.5. Start up the winbindd daemon and test it!</A
></H3
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2918"
+NAME="AEN2806"
>16.5.3.6. Fix the init.d startup scripts</A
></H3
><DIV
><H4
CLASS="SECT4"
><A
-NAME="AEN2920"
+NAME="AEN2808"
>16.5.3.6.1. Linux</A
></H4
><P
><H4
CLASS="SECT4"
><A
-NAME="AEN2940"
+NAME="AEN2828"
>16.5.3.6.2. Solaris</A
></H4
><P
><H4
CLASS="SECT4"
><A
-NAME="AEN2950"
+NAME="AEN2838"
>16.5.3.6.3. Restarting</A
></H4
><P
><H3
CLASS="SECT3"
><A
-NAME="AEN2956"
+NAME="AEN2844"
>16.5.3.7. Configure Winbind and PAM</A
></H3
><P
><H4
CLASS="SECT4"
><A
-NAME="AEN2973"
+NAME="AEN2861"
>16.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A
></H4
><P
><H4
CLASS="SECT4"
><A
-NAME="AEN3006"
+NAME="AEN2894"
>16.5.3.7.2. Solaris-specific configuration</A
></H4
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3013"
+NAME="AEN2901"
>16.6. Limitations</A
></H1
><P
><H1
CLASS="SECT1"
><A
-NAME="AEN3023"
+NAME="AEN2911"
>16.7. Conclusion</A
></H1
><P
ALIGN="right"
VALIGN="top"
><A
-HREF="improved-browsing.html"
+HREF="integrate-ms-networks.html"
ACCESSKEY="N"
>Next</A
></TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
->Improved browsing in samba</TD
+>Integrating MS Windows networks with Samba</TD
></TR
></TABLE
></DIV
git.samba.org / kai / samba.git / commitdiff