--- /dev/null
+attributions.xml
--- /dev/null
+<chapter id="vfs">
+<chapterinfo>
+ <author>
+ <firstname>Alexander</firstname><surname>Bokovoy</surname>
+ <affiliation>
+ <address><email>ab@samba.org</email></address>
+ </affiliation>
+ </author>
+ <author>
+ <firstname>Stefan</firstname><surname>Metzmacher</surname>
+ <affiliation>
+ <address><email>metze@metzemix.de</email></address>
+ </affiliation>
+ </author>
+ <pubdate> 27 May 2003 </pubdate>
+</chapterinfo>
+
+<title>VFS Modules</title>
+
+<sect1>
+<title>The Samba (Posix) VFS layer</title>
+
+<sect2>
+<title>The general interface</title>
+
+<para>
+Each VFS operation has a vfs_op_type, a function pointer and a handle pointer in the
+struct vfs_ops and tree macros to make it easier to call the operations.
+(Take a look at <filename>include/vfs.h</filename> and <filename>include/vfs_macros.h</filename>.)
+</para>
+
+<para><programlisting>
+typedef enum _vfs_op_type {
+ SMB_VFS_OP_NOOP = -1,
+
+ ...
+
+ /* File operations */
+
+ SMB_VFS_OP_OPEN,
+ SMB_VFS_OP_CLOSE,
+ SMB_VFS_OP_READ,
+ SMB_VFS_OP_WRITE,
+ SMB_VFS_OP_LSEEK,
+ SMB_VFS_OP_SENDFILE,
+
+ ...
+
+ SMB_VFS_OP_LAST
+} vfs_op_type;
+</programlisting></para>
+
+<para>This struct contains the function and handle pointers for all operations.<programlisting>
+struct vfs_ops {
+ struct vfs_fn_pointers {
+ ...
+
+ /* File operations */
+
+ int (*open)(struct vfs_handle_struct *handle,
+ struct connection_struct *conn,
+ const char *fname, int flags, mode_t mode);
+ int (*close)(struct vfs_handle_struct *handle,
+ struct files_struct *fsp, int fd);
+ ssize_t (*read)(struct vfs_handle_struct *handle,
+ struct files_struct *fsp, int fd, void *data, size_t n);
+ ssize_t (*write)(struct vfs_handle_struct *handle,
+ struct files_struct *fsp, int fd,
+ const void *data, size_t n);
+ SMB_OFF_T (*lseek)(struct vfs_handle_struct *handle,
+ struct files_struct *fsp, int fd,
+ SMB_OFF_T offset, int whence);
+ ssize_t (*sendfile)(struct vfs_handle_struct *handle,
+ int tofd, files_struct *fsp, int fromfd,
+ const DATA_BLOB *header, SMB_OFF_T offset, size_t count);
+
+ ...
+ } ops;
+
+ struct vfs_handles_pointers {
+ ...
+
+ /* File operations */
+
+ struct vfs_handle_struct *open;
+ struct vfs_handle_struct *close;
+ struct vfs_handle_struct *read;
+ struct vfs_handle_struct *write;
+ struct vfs_handle_struct *lseek;
+ struct vfs_handle_struct *sendfile;
+
+ ...
+ } handles;
+};
+</programlisting></para>
+
+<para>
+This macros SHOULD be used to call any vfs operation.
+DO NOT ACCESS conn->vfs.ops.* directly !!!
+<programlisting>
+...
+
+/* File operations */
+#define SMB_VFS_OPEN(conn, fname, flags, mode) \
+ ((conn)->vfs.ops.open((conn)->vfs.handles.open,\
+ (conn), (fname), (flags), (mode)))
+#define SMB_VFS_CLOSE(fsp, fd) \
+ ((fsp)->conn->vfs.ops.close(\
+ (fsp)->conn->vfs.handles.close, (fsp), (fd)))
+#define SMB_VFS_READ(fsp, fd, data, n) \
+ ((fsp)->conn->vfs.ops.read(\
+ (fsp)->conn->vfs.handles.read,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_WRITE(fsp, fd, data, n) \
+ ((fsp)->conn->vfs.ops.write(\
+ (fsp)->conn->vfs.handles.write,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_LSEEK(fsp, fd, offset, whence) \
+ ((fsp)->conn->vfs.ops.lseek(\
+ (fsp)->conn->vfs.handles.lseek,\
+ (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_SENDFILE(tofd, fsp, fromfd, header, offset, count) \
+ ((fsp)->conn->vfs.ops.sendfile(\
+ (fsp)->conn->vfs.handles.sendfile,\
+ (tofd), (fsp), (fromfd), (header), (offset), (count)))
+
+...
+</programlisting></para>
+
+</sect2>
+
+<sect2>
+<title>Possible VFS operation layers</title>
+
+<para>
+These values are used by the VFS subsystem when building the conn->vfs
+and conn->vfs_opaque structs for a connection with multiple VFS modules.
+Internally, Samba differentiates only opaque and transparent layers at this process.
+Other types are used for providing better diagnosing facilities.
+</para>
+
+<para>
+Most modules will provide transparent layers. Opaque layer is for modules
+which implement actual file system calls (like DB-based VFS). For example,
+default POSIX VFS which is built in into Samba is an opaque VFS module.
+</para>
+
+<para>
+Other layer types (logger, splitter, scanner) were designed to provide different
+degree of transparency and for diagnosing VFS module behaviour.
+</para>
+
+<para>
+Each module can implement several layers at the same time provided that only
+one layer is used per each operation.
+</para>
+
+<para><programlisting>
+typedef enum _vfs_op_layer {
+ SMB_VFS_LAYER_NOOP = -1, /* - For using in VFS module to indicate end of array */
+ /* of operations description */
+ SMB_VFS_LAYER_OPAQUE = 0, /* - Final level, does not call anything beyond itself */
+ SMB_VFS_LAYER_TRANSPARENT, /* - Normal operation, calls underlying layer after */
+ /* possibly changing passed data */
+ SMB_VFS_LAYER_LOGGER, /* - Logs data, calls underlying layer, logging may not */
+ /* use Samba VFS */
+ SMB_VFS_LAYER_SPLITTER, /* - Splits operation, calls underlying layer _and_ own facility, */
+ /* then combines result */
+ SMB_VFS_LAYER_SCANNER /* - Checks data and possibly initiates additional */
+ /* file activity like logging to files _inside_ samba VFS */
+} vfs_op_layer;
+</programlisting></para>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>The Interaction between the Samba VFS subsystem and the modules</title>
+
+<sect2>
+<title>Initialization and registration</title>
+
+<para>
+As each Samba module a VFS module should have a
+<programlisting>NTSTATUS vfs_example_init(void);</programlisting> function if it's staticly linked to samba or
+<programlisting>NTSTATUS init_module(void);</programlisting> function if it's a shared module.
+</para>
+
+<para>
+This should be the only non static function inside the module.
+Global variables should also be static!
+</para>
+
+<para>
+The module should register its functions via the
+<programlisting>
+NTSTATUS smb_register_vfs(int version, const char *name, vfs_op_tuple *vfs_op_tuples);
+</programlisting> function.
+</para>
+
+<variablelist>
+
+<varlistentry><term>version</term>
+<listitem><para>should be filled with SMB_VFS_INTERFACE_VERSION</para></listitem>
+</varlistentry>
+
+<varlistentry><term>name</term>
+<listitem><para>this is the name witch can be listed in the
+<command>vfs objects</command> parameter to use this module.</para></listitem>
+</varlistentry>
+
+<varlistentry><term>vfs_op_tuples</term>
+<listitem><para>
+this is an array of vfs_op_tuple's.
+(vfs_op_tuples is descripted in details below.)
+</para></listitem>
+</varlistentry>
+
+</variablelist>
+
+<para>
+For each operation the module wants to provide it has a entry in the
+vfs_op_tuple array.
+</para>
+
+<programlisting>
+typedef struct _vfs_op_tuple {
+ void* op;
+ vfs_op_type type;
+ vfs_op_layer layer;
+} vfs_op_tuple;
+</programlisting>
+
+<variablelist>
+
+<varlistentry><term>op</term>
+<listitem><para>the function pointer to the specified function.</para></listitem>
+</varlistentry>
+
+<varlistentry><term>type</term>
+<listitem><para>the vfs_op_type of the function to specified witch operation the function provides.</para></listitem>
+</varlistentry>
+
+<varlistentry><term>layer</term>
+<listitem><para>the vfs_op_layer in whitch the function operates.</para></listitem>
+</varlistentry>
+
+</variablelist>
+
+<para>A simple example:</para>
+
+<programlisting>
+static vfs_op_tuple example_op_tuples[] = {
+ {SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
+
+ {SMB_VFS_OP(example_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_OPAQUE},
+
+ /* This indicates the end of the array */
+ {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+NTSTATUS init_module(void)
+{
+ return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "example", example_op_tuples);
+}
+</programlisting>
+
+</sect2>
+
+<sect2>
+<title>How the Modules handle per connection data</title>
+
+<para>Each VFS function has as first parameter a pointer to the modules vfs_handle_struct.
+</para>
+
+<programlisting>
+typedef struct vfs_handle_struct {
+ struct vfs_handle_struct *next, *prev;
+ const char *param;
+ struct vfs_ops vfs_next;
+ struct connection_struct *conn;
+ void *data;
+ void (*free_data)(void **data);
+} vfs_handle_struct;
+</programlisting>
+
+<variablelist>
+
+<varlistentry><term>param</term>
+<listitem><para>this is the module parameter specified in the <command>vfs objects</command> parameter.</para>
+<para>e.g. for 'vfs objects = example:test' param would be "test".</para></listitem>
+</varlistentry>
+
+<varlistentry><term>vfs_next</term>
+<listitem><para>This vfs_ops struct contains the information for calling the next module operations.
+Use the SMB_VFS_NEXT_* macros to call a next module operations and
+don't access handle->vfs_next.ops.* directly!</para></listitem>
+</varlistentry>
+
+<varlistentry><term>conn</term>
+<listitem><para>This is a pointer back to the connection_struct to witch the handle belongs.</para></listitem>
+</varlistentry>
+
+<varlistentry><term>data</term>
+<listitem><para>This is a pointer for holding module private data.
+You can alloc data with connection life time on the handle->conn->mem_ctx TALLOC_CTX.
+But you can also manage the memory allocation yourself.</para></listitem>
+</varlistentry>
+
+<varlistentry><term>free_data</term>
+<listitem><para>This is a function pointer to a function that free's the module private data.
+If you talloc your private data on the TALLOC_CTX handle->conn->mem_ctx,
+you can set this function pointer to NULL.</para></listitem>
+</varlistentry>
+
+</variablelist>
+
+<para>Some useful MACROS for handle private data.
+</para>
+
+<programlisting>
+#define SMB_VFS_HANDLE_GET_DATA(handle, datap, type, ret) { \
+ if (!(handle)||((datap=(type *)(handle)->data)==NULL)) { \
+ DEBUG(0,("%s() failed to get vfs_handle->data!\n",FUNCTION_MACRO)); \
+ ret; \
+ } \
+}
+
+#define SMB_VFS_HANDLE_SET_DATA(handle, datap, free_fn, type, ret) { \
+ if (!(handle)) { \
+ DEBUG(0,("%s() failed to set handle->data!\n",FUNCTION_MACRO)); \
+ ret; \
+ } else { \
+ if ((handle)->free_data) { \
+ (handle)->free_data(&(handle)->data); \
+ } \
+ (handle)->data = (void *)datap; \
+ (handle)->free_data = free_fn; \
+ } \
+}
+
+#define SMB_VFS_HANDLE_FREE_DATA(handle) { \
+ if ((handle) && (handle)->free_data) { \
+ (handle)->free_data(&(handle)->data); \
+ } \
+}
+</programlisting>
+
+<para>How SMB_VFS_LAYER_TRANSPARENT functions can call the SMB_VFS_LAYER_OPAQUE functions.</para>
+
+<para>The easiest way to do this is to use the SMB_VFS_OPAQUE_* macros.
+</para>
+
+<programlisting>
+...
+/* File operations */
+#define SMB_VFS_OPAQUE_OPEN(conn, fname, flags, mode) \
+ ((conn)->vfs_opaque.ops.open(\
+ (conn)->vfs_opaque.handles.open,\
+ (conn), (fname), (flags), (mode)))
+#define SMB_VFS_OPAQUE_CLOSE(fsp, fd) \
+ ((fsp)->conn->vfs_opaque.ops.close(\
+ (fsp)->conn->vfs_opaque.handles.close,\
+ (fsp), (fd)))
+#define SMB_VFS_OPAQUE_READ(fsp, fd, data, n) \
+ ((fsp)->conn->vfs_opaque.ops.read(\
+ (fsp)->conn->vfs_opaque.handles.read,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_OPAQUE_WRITE(fsp, fd, data, n) \
+ ((fsp)->conn->vfs_opaque.ops.write(\
+ (fsp)->conn->vfs_opaque.handles.write,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_OPAQUE_LSEEK(fsp, fd, offset, whence) \
+ ((fsp)->conn->vfs_opaque.ops.lseek(\
+ (fsp)->conn->vfs_opaque.handles.lseek,\
+ (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_OPAQUE_SENDFILE(tofd, fsp, fromfd, header, offset, count) \
+ ((fsp)->conn->vfs_opaque.ops.sendfile(\
+ (fsp)->conn->vfs_opaque.handles.sendfile,\
+ (tofd), (fsp), (fromfd), (header), (offset), (count)))
+...
+</programlisting>
+
+<para>How SMB_VFS_LAYER_TRANSPARENT functions can call the next modules functions.</para>
+
+<para>The easiest way to do this is to use the SMB_VFS_NEXT_* macros.
+</para>
+
+<programlisting>
+...
+/* File operations */
+#define SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode) \
+ ((handle)->vfs_next.ops.open(\
+ (handle)->vfs_next.handles.open,\
+ (conn), (fname), (flags), (mode)))
+#define SMB_VFS_NEXT_CLOSE(handle, fsp, fd) \
+ ((handle)->vfs_next.ops.close(\
+ (handle)->vfs_next.handles.close,\
+ (fsp), (fd)))
+#define SMB_VFS_NEXT_READ(handle, fsp, fd, data, n) \
+ ((handle)->vfs_next.ops.read(\
+ (handle)->vfs_next.handles.read,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n) \
+ ((handle)->vfs_next.ops.write(\
+ (handle)->vfs_next.handles.write,\
+ (fsp), (fd), (data), (n)))
+#define SMB_VFS_NEXT_LSEEK(handle, fsp, fd, offset, whence) \
+ ((handle)->vfs_next.ops.lseek(\
+ (handle)->vfs_next.handles.lseek,\
+ (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, fromfd, header, offset, count) \
+ ((handle)->vfs_next.ops.sendfile(\
+ (handle)->vfs_next.handles.sendfile,\
+ (tofd), (fsp), (fromfd), (header), (offset), (count)))
+...
+</programlisting>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>Upgrading to the New VFS Interface</title>
+
+<sect2>
+<title>Upgrading from 2.2.* and 3.0aplha modules</title>
+
+<orderedlist>
+<listitem><para>
+Add "vfs_handle_struct *handle, " as first parameter to all vfs operation functions.
+e.g. example_connect(connection_struct *conn, const char *service, const char *user);
+-> example_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user);
+</para></listitem>
+
+<listitem><para>
+Replace "default_vfs_ops." with "smb_vfs_next_".
+e.g. default_vfs_ops.connect(conn, service, user);
+-> smb_vfs_next_connect(conn, service, user);
+</para></listitem>
+
+<listitem><para>
+Uppercase all "smb_vfs_next_*" functions.
+e.g. smb_vfs_next_connect(conn, service, user);
+-> SMB_VFS_NEXT_CONNECT(conn, service, user);
+</para></listitem>
+
+<listitem><para>
+Add "handle, " as first parameter to all SMB_VFS_NEXT_*() calls.
+e.g. SMB_VFS_NEXT_CONNECT(conn, service, user);
+-> SMB_VFS_NEXT_CONNECT(handle, conn, service, user);
+</para></listitem>
+
+<listitem><para>
+(Only for 2.2.* modules)
+Convert the old struct vfs_ops example_ops to
+a vfs_op_tuple example_op_tuples[] array.
+e.g.
+<programlisting>
+struct vfs_ops example_ops = {
+ /* Disk operations */
+ example_connect, /* connect */
+ example_disconnect, /* disconnect */
+ NULL, /* disk free *
+ /* Directory operations */
+ NULL, /* opendir */
+ NULL, /* readdir */
+ NULL, /* mkdir */
+ NULL, /* rmdir */
+ NULL, /* closedir */
+ /* File operations */
+ NULL, /* open */
+ NULL, /* close */
+ NULL, /* read */
+ NULL, /* write */
+ NULL, /* lseek */
+ NULL, /* sendfile */
+ NULL, /* rename */
+ NULL, /* fsync */
+ example_stat, /* stat */
+ example_fstat, /* fstat */
+ example_lstat, /* lstat */
+ NULL, /* unlink */
+ NULL, /* chmod */
+ NULL, /* fchmod */
+ NULL, /* chown */
+ NULL, /* fchown */
+ NULL, /* chdir */
+ NULL, /* getwd */
+ NULL, /* utime */
+ NULL, /* ftruncate */
+ NULL, /* lock */
+ NULL, /* symlink */
+ NULL, /* readlink */
+ NULL, /* link */
+ NULL, /* mknod */
+ NULL, /* realpath */
+ NULL, /* fget_nt_acl */
+ NULL, /* get_nt_acl */
+ NULL, /* fset_nt_acl */
+ NULL, /* set_nt_acl */
+
+ NULL, /* chmod_acl */
+ NULL, /* fchmod_acl */
+
+ NULL, /* sys_acl_get_entry */
+ NULL, /* sys_acl_get_tag_type */
+ NULL, /* sys_acl_get_permset */
+ NULL, /* sys_acl_get_qualifier */
+ NULL, /* sys_acl_get_file */
+ NULL, /* sys_acl_get_fd */
+ NULL, /* sys_acl_clear_perms */
+ NULL, /* sys_acl_add_perm */
+ NULL, /* sys_acl_to_text */
+ NULL, /* sys_acl_init */
+ NULL, /* sys_acl_create_entry */
+ NULL, /* sys_acl_set_tag_type */
+ NULL, /* sys_acl_set_qualifier */
+ NULL, /* sys_acl_set_permset */
+ NULL, /* sys_acl_valid */
+ NULL, /* sys_acl_set_file */
+ NULL, /* sys_acl_set_fd */
+ NULL, /* sys_acl_delete_def_file */
+ NULL, /* sys_acl_get_perm */
+ NULL, /* sys_acl_free_text */
+ NULL, /* sys_acl_free_acl */
+ NULL /* sys_acl_free_qualifier */
+};
+</programlisting>
+->
+<programlisting>
+static vfs_op_tuple example_op_tuples[] = {
+ {SMB_VFS_OP(example_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(example_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
+
+ {SMB_VFS_OP(example_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(example_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(example_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_TRANSPARENT},
+
+ {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+</programlisting>
+</para></listitem>
+
+<listitem><para>
+Move the example_op_tuples[] array to the end of the file.
+</para></listitem>
+
+<listitem><para>
+Add the init_module() function at the end of the file.
+e.g.
+<programlisting>
+NTSTATUS init_module(void)
+{
+ return smb_register_vfs(SMB_VFS_INTERFACE_VERSION,"example",example_op_tuples);
+}
+</programlisting>
+</para></listitem>
+
+<listitem><para>
+Check if your vfs_init() function does more then just prepare the vfs_ops structs or
+remember the struct smb_vfs_handle_struct.
+<simplelist>
+<member>If NOT you can remove the vfs_init() function.</member>
+<member>If YES decide if you want to move the code to the example_connect() operation or to the init_module(). And then remove vfs_init().
+ e.g. a debug class registration should go into init_module() and the allocation of private data should go to example_connect().</member>
+</simplelist>
+</para></listitem>
+
+<listitem><para>
+(Only for 3.0alpha* modules)
+Check if your vfs_done() function contains needed code.
+<simplelist>
+<member>If NOT you can remove the vfs_done() function.</member>
+<member>If YES decide if you can move the code to the example_disconnect() operation. Otherwise register a SMB_EXIT_EVENT with smb_register_exit_event(); (Described in the <link linkend="modules">modules section</link>) And then remove vfs_done(). e.g. the freeing of private data should go to example_disconnect().
+</member>
+</simplelist>
+</para></listitem>
+
+<listitem><para>
+Check if you have any global variables left.
+Decide if it wouldn't be better to have this data on a connection basis.
+<simplelist>
+ <member>If NOT leave them as they are. (e.g. this could be the variable for the private debug class.)</member>
+ <member>If YES pack all this data into a struct. You can use handle->data to point to such a struct on a per connection basis.</member>
+</simplelist>
+
+ e.g. if you have such a struct:
+<programlisting>
+struct example_privates {
+ char *some_string;
+ int db_connection;
+};
+</programlisting>
+first way of doing it:
+<programlisting>
+static int example_connect(vfs_handle_struct *handle,
+ connection_struct *conn, const char *service,
+ const char* user)
+{
+ struct example_privates *data = NULL;
+
+ /* alloc our private data */
+ data = (struct example_privates *)talloc_zero(conn->mem_ctx, sizeof(struct example_privates));
+ if (!data) {
+ DEBUG(0,("talloc_zero() failed\n"));
+ return -1;
+ }
+
+ /* init out private data */
+ data->some_string = talloc_strdup(conn->mem_ctx,"test");
+ if (!data->some_string) {
+ DEBUG(0,("talloc_strdup() failed\n"));
+ return -1;
+ }
+
+ data->db_connection = open_db_conn();
+
+ /* and now store the private data pointer in handle->data
+ * we don't need to specify a free_function here because
+ * we use the connection TALLOC context.
+ * (return -1 if something failed.)
+ */
+ VFS_HANDLE_SET_DATA(handle, data, NULL, struct example_privates, return -1);
+
+ return SMB_VFS_NEXT_CONNECT(handle,conn,service,user);
+}
+
+static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ struct example_privates *data = NULL;
+
+ /* get the pointer to our private data
+ * return -1 if something failed
+ */
+ SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1);
+
+ /* do something here...*/
+ DEBUG(0,("some_string: %s\n",data->some_string));
+
+ return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
+}
+</programlisting>
+second way of doing it:
+<programlisting>
+static void free_example_privates(void **datap)
+{
+ struct example_privates *data = (struct example_privates *)*datap;
+
+ SAFE_FREE(data->some_string);
+ SAFE_FREE(data);
+
+ *datap = NULL;
+
+ return;
+}
+
+static int example_connect(vfs_handle_struct *handle,
+ connection_struct *conn, const char *service,
+ const char* user)
+{
+ struct example_privates *data = NULL;
+
+ /* alloc our private data */
+ data = (struct example_privates *)malloc(sizeof(struct example_privates));
+ if (!data) {
+ DEBUG(0,("malloc() failed\n"));
+ return -1;
+ }
+
+ /* init out private data */
+ data->some_string = strdup("test");
+ if (!data->some_string) {
+ DEBUG(0,("strdup() failed\n"));
+ return -1;
+ }
+
+ data->db_connection = open_db_conn();
+
+ /* and now store the private data pointer in handle->data
+ * we need to specify a free_function because we used malloc() and strdup().
+ * (return -1 if something failed.)
+ */
+ SMB_VFS_HANDLE_SET_DATA(handle, data, free_example_privates, struct example_privates, return -1);
+
+ return SMB_VFS_NEXT_CONNECT(handle,conn,service,user);
+}
+
+static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ struct example_privates *data = NULL;
+
+ /* get the pointer to our private data
+ * return -1 if something failed
+ */
+ SMB_VFS_HANDLE_GET_DATA(handle, data, struct example_privates, return -1);
+
+ /* do something here...*/
+ DEBUG(0,("some_string: %s\n",data->some_string));
+
+ return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
+}
+</programlisting>
+</para></listitem>
+
+<listitem><para>
+To make it easy to build 3rd party modules it would be usefull to provide
+configure.in, (configure), install.sh and Makefile.in with the module.
+(Take a look at the example in <filename>examples/VFS</filename>.)
+</para>
+
+<para>
+The configure script accepts <option>--with-samba-source</option> to specify
+the path to the samba source tree.
+It also accept <option>--enable-developer</option> which lets the compiler
+give you more warnings.
+</para>
+
+<para>
+The idea is that you can extend this
+<filename>configure.in</filename> and <filename>Makefile.in</filename> scripts
+for your module.
+</para></listitem>
+
+<listitem><para>
+Compiling & Testing...
+<simplelist>
+<member><userinput>./configure <option>--enable-developer</option></userinput> ...</member>
+<member><userinput>make</userinput></member>
+<member>Try to fix all compiler warnings</member>
+<member><userinput>make</userinput></member>
+<member>Testing, Testing, Testing ...</member>
+</simplelist>
+</para></listitem>
+</orderedlist>
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>Some Notes</title>
+
+<sect2>
+<title>Implement TRANSPARENT functions</title>
+
+<para>
+Avoid writing functions like this:
+
+<programlisting>
+static int example_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
+}
+</programlisting>
+
+Overload only the functions you really need to!
+</para>
+
+</sect2>
+
+<sect2>
+<title>Implement OPAQUE functions</title>
+
+<para>
+If you want to just implement a better version of a
+default samba opaque function
+(e.g. like a disk_free() function for a special filesystem)
+it's ok to just overload that specific function.
+</para>
+
+<para>
+If you want to implement a database filesystem or
+something different from a posix filesystem.
+Make sure that you overload every vfs operation!!!
+</para>
+<para>
+Functions your FS does not support should be overloaded by something like this:
+e.g. for a readonly filesystem.
+</para>
+
+<programlisting>
+static int example_rename(vfs_handle_struct *handle, connection_struct *conn,
+ char *oldname, char *newname)
+{
+ DEBUG(10,("function rename() not allowed on vfs 'example'\n"));
+ errno = ENOSYS;
+ return -1;
+}
+</programlisting>
+
+</sect2>
+
+</sect1>
+
+</chapter>
--- /dev/null
+<chapter id="windows-debug">
+ <chapterinfo>
+ &author.jelmer;
+ &author.tridge;
+ </chapterinfo>
+
+ <title>Finding useful information on windows</title>
+
+ <sect1><title>Netlogon debugging output</title>
+
+ <procedure>
+ <step><para>stop netlogon service on PDC</para></step>
+ <step><para>rename original netlogon.dll to netlogon.dll.original</para></step>
+ <step><para>copy checked version of netlogon.dll to system32 directory</para></step>
+ <step><para>set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag to 0x20000004</para></step>
+ <step><para>start netlogon service on PDC</para></step>
+ </procedure>
+</sect1>
+</chapter>
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
+<!ENTITY % globalentities SYSTEM '../global.ent'> %globalentities;
+]>
+<refentry id="profiles.1">
+
+<refmeta>
+ <refentrytitle>profiles</refentrytitle>
+ <manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+ <refname>profiles</refname>
+ <refpurpose>A utility to report and change SIDs in registry files
+ </refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>profiles</command>
+ <arg choice="opt">-v</arg>
+ <arg choice="opt">-c SID</arg>
+ <arg choice="opt">-n SID</arg>
+ <arg choice="req">file</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This tool is part of the <citerefentry><refentrytitle>Samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+ <para><command>profiles</command> is a utility that
+ reports and changes SIDs in windows registry files. It currently only
+ supports NT.
+ </para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>file</term>
+ <listitem><para>Registry file to view or edit. </para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>-v,--verbose</term>
+ <listitem><para>Increases verbosity of messages.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c SID1 -n SID2</term>
+ <listitem><para>Change all occurences of SID1 in <filename>file</filename> by SID2.
+ </para></listitem>
+ </varlistentry>
+
+ &stdarg.help;
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is correct for version 3.0 of the Samba
+ suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>The profiles man page was written by Jelmer Vernooij. </para>
+</refsect1>
+
+</refentry>
--- /dev/null
+attributions.xml
--- /dev/null
+<chapter id="Backup">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+
+<title>Samba Backup Techniques</title>
+
+<sect1>
+<title>Note</title>
+
+<para>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+If you have something to contribute for this section please email it to
+<link url="mail://jht@samba.org">jht@samba.org</link>/
+</para>
+
+</sect1>
+
+<sect1>
+<title>Features and Benefits</title>
+
+<para>
+We need feedback from people who are backing up samba servers.
+We would like to know what software tools you are using to backup
+your samba server/s.
+</para>
+
+<para>
+In particular, if you have any success and / or failure stories you could
+share with other users this would be appreciated.
+</para>
+
+</sect1>
+
+</chapter>
--- /dev/null
+<chapter id="DNSDHCP">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+
+<title>DNS and DHCP Configuration Guide</title>
+
+<sect1>
+<title>Note</title>
+
+<para>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</para>
+
+</sect1>
+</chapter>
--- /dev/null
+<chapter id="FastStart">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+
+<title>Fast Start for the Impatient</title>
+
+<sect1>
+<title>Note</title>
+
+<para>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</para>
+
+</sect1>
+</chapter>
--- /dev/null
+<chapter id="SambaHA">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+
+<title>High Availability Options</title>
+
+<sect1>
+<title>Note</title>
+
+<para>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</para>
+
+</sect1>
+</chapter>
--- /dev/null
+<chapter id="ClientConfig">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+
+<title>MS Windows Network Configuration Guide</title>
+
+<sect1>
+<title>Note</title>
+
+<para>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</para>
+
+</sect1>
+</chapter>
--- /dev/null
+<samba:parameter name="-valid"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+ <listitem>
+ <para> This parameter indicates whether a share is
+ valid and thus can be used. When this parameter is set to false,
+ the share will be in no way visible nor accessible.
+ </para>
+
+ <para>
+ This option should not be
+ used by regular users but might be of help to developers.
+ Samba uses this option internally to mark shares as deleted.
+ </para>
+
+ <para>Default: <emphasis>True</emphasis></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="total print jobs"
+ context="G"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also <link linkend="MAXPRINTJOBS">
+ <parameter moreinfo="none">max print jobs</parameter></link>.
+ </para>
+
+ <para>Default: <command moreinfo="none">total print jobs = 0</command></para>
+
+ <para>Example: <command moreinfo="none">total print jobs = 5000</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="client use spnego"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para> This variable controls controls whether samba clients will try
+ to use Simple and Protected NEGOciation (as specified by rfc2478) with
+ WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
+ </para>
+
+ <para>Default: <emphasis>client use spnego = yes</emphasis></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="map acl inherit"
+ context="S"
+ advanced="1" wizard="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
+ access control entry flags stored in Windows ACLs into an extended attribute
+ called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
+ on a platform that supports extended attributes (Linux and IRIX so far) and
+ allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
+ POSIX ACL mapping code.
+ </para>
+
+ <para>Default: <command moreinfo="none">map acl inherit = no</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="profile acls"
+ context="S"
+ advanced="1" wizard="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
+ This boolean parameter was added to fix the problems that people have been
+ having with storing user profiles on Samba shares from Windows 2000 or
+ Windows XP clients. New versions of Windows 2000 or Windows XP service
+ packs do security ACL checking on the owner and ability to write of the
+ profile directory stored on a local workstation when copied from a Samba
+ share. When not in domain mode with winbindd then the security info copied
+ onto the local workstation has no meaning to the logged in user (SID) on
+ that workstation so the profile storing fails. Adding this parameter
+ onto a share used for profile storage changes two things about the
+ returned Windows ACL. Firstly it changes the owner and group owner
+ of all reported files and directories to be BUILTIN\\Administrators,
+ BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+ it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+ every returned ACL. This will allow any Windows 2000 or XP workstation
+ user to access the profile. Note that if you have multiple users logging
+ on to a workstation then in order to prevent them from being able to access
+ each others profiles you must remove the "Bypass traverse checking" advanced
+ user right. This will prevent access to other users profile directories as
+ the top level profile directory (named after the user) is created by the
+ workstation profile code and has an ACL restricting entry to the directory
+ tree to the owning user.
+ </para>
+
+ <para>Default: <command moreinfo="none">profile acls = no</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="client lanman auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and other samba client
+ tools will attempt to authenticate itself to servers using the
+ weaker LANMAN password hash. If disabled, only server which support NT
+ password hashes (e.g. Windows NT/2000, Samba, etc... but not
+ Windows 95/98) will be able to be connected from the Samba client.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Clients
+ without Windows 95/98 servers are advised to disable
+ this option. </para>
+
+ <para>Disabling this option will also disable the <command
+ moreinfo="none">client plaintext auth</command> option</para>
+
+ <para>Likewise, if the <command moreinfo="none">client ntlmv2
+ auth</command> parameter is enabled, then only NTLMv2 logins will be
+ attempted. Not all servers support NTLMv2, and most will require
+ special configuration to us it.</para>
+
+ <para>Default : <command moreinfo="none">client lanman auth = yes</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="client ntlmv2 auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate itself to servers using the NTLMv2 encrypted password
+ response.</para>
+
+ <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+ secure than earlier versions) will be sent. Many servers
+ (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with
+ NTLMv2. </para>
+
+ <para>If disabled, an NTLM response (and possibly a LANMAN response)
+ will be sent by the client, depending on the value of <command
+ moreinfo="none">client lanman auth</command>. </para>
+
+ <para>Note that some sites (particularly
+ those following 'best practice' security polices) only allow NTLMv2
+ responses, and not the weaker LM or NTLM.</para>
+
+ <para>Default : <command moreinfo="none">client ntlmv2 auth = no</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="vfs objects"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies the backend names which
+ are used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with one or more VFS objects. </para>
+
+ <para>Default: <emphasis>no value</emphasis></para>
+
+ <para>Example: <command moreinfo="none">vfs objects = extd_audit recycle</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="enable rid algorithm"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option is used to control whether or not smbd in Samba 3.0 should fallback
+ to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm
+ development goal is to remove the algorithmic mappings of RIDs altogether, but
+ this has proved to be difficult. This parameter is mainly provided so that
+ developers can turn the algorithm on and off and see what breaks. This parameter
+ should not be disabled by non-developers because certain features in Samba will fail
+ to work without it.
+ </para>
+
+ <para>Default: <command moreinfo="none">enable rid algorithm = <yes></command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="idmap gid"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>The idmap gid parameter specifies the range of group ids that are allocated for
+ the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
+
+ <para>The availability of an idmap gid range is essential for correct operation of
+ all group mapping.</para>
+
+ <para>Default: <command moreinfo="none">idmap gid = <empty string></command></para>
+
+ <para>Example: <command moreinfo="none">idmap gid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="idmap uid"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The idmap uid parameter specifies the range of user ids that are allocated for use
+ in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
+ or NIS users within it as strange conflicts can occur otherwise.</para>
+
+ <para>Default: <command moreinfo="none">idmap uid = <empty string></command></para>
+
+ <para>Example: <command moreinfo="none">idmap uid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="template primary group"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option defines the default primary group for
+ each user created by <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>'s local account management
+ functions (similar to the 'add user script').
+ </para>
+
+ <para>Default: <command moreinfo="none">template primary group = nobody</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="winbind enable local accounts"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls whether or not winbindd
+ will act as a stand in replacement for the various account
+ management hooks in smb.conf (e.g. 'add user script').
+ If enabled, winbindd will support the creation of local
+ users and groups as another source of UNIX account information
+ available via getpwnam() or getgrgid(), etc...
+ </para>
+
+ <para>Default: <command moreinfo="none">winbind enable local accounts = yes</command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="winbind trusted domains only"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is designed to allow Samba servers that
+ are members of a Samba controlled domain to use UNIX accounts
+ distributed vi NIS, rsync, or LDAP as the uid's for winbindd users
+ in the hosts primary domain. Therefore, the user 'SAMBA\user1' would
+ be mapped to the account 'user1' in /etc/passwd instead of allocating
+ a new uid for him or her.
+ </para>
+
+ <para>Default: <command moreinfo="none">winbind trusted domains only = <no></command></para>
+</listitem>
+</samba:parameter>
--- /dev/null
+<?xml version='1.0'?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:exsl="http://exslt.org/common"
+ xmlns:samba="http://samba.org/common"
+ version="1.1"
+ extension-element-prefixes="exsl">
+
+<xsl:output method="xml" omit-xml-declaration="yes"/>
+
+<!-- Remove all character data -->
+<xsl:template match="@*|node()">
+ <xsl:apply-templates select="@*|node()"/>
+</xsl:template>
+
+<xsl:template match="book">
+ <xsl:element name="variablelist">
+ <xsl:apply-templates/>
+ </xsl:element>
+</xsl:template>
+
+<xsl:template match="chapter">
+ <xsl:element name="varlistentry">
+ <xsl:element name="term">
+ <xsl:element name="link">
+ <xsl:attribute name="linkend"><xsl:value-of select="@id"/></xsl:attribute>
+ <xsl:value-of select="title"/>
+ </xsl:element>
+ </xsl:element>
+ <xsl:element name="listitem">
+ <xsl:element name="para">
+ <xsl:element name="itemizedlist">
+ <xsl:apply-templates/>
+ </xsl:element>
+ </xsl:element>
+ </xsl:element>
+ </xsl:element>
+</xsl:template>
+
+<xsl:template match="author">
+ <xsl:element name="listitem">
+ <xsl:element name="para">
+ <xsl:value-of select="firstname"/><xsl:text> </xsl:text><xsl:value-of select="surname"/>
+ <xsl:choose>
+ <xsl:when test="affiliation/address/email != ''">
+ <xsl:text> <</xsl:text>
+ <xsl:element name="ulink">
+ <xsl:attribute name="url">
+ <xsl:text>mailto:</xsl:text>
+ <xsl:value-of select="affiliation/address/email"/>
+ </xsl:attribute>
+ <xsl:value-of select="affiliation/address/email"/>
+ </xsl:element>
+ <xsl:text>></xsl:text>
+ </xsl:when>
+ </xsl:choose>
+ <xsl:choose>
+ <xsl:when test="contrib != ''">
+ <xsl:text> (</xsl:text>
+ <xsl:value-of select="contrib"/>
+ <xsl:text>) </xsl:text>
+ </xsl:when>
+ </xsl:choose>
+ </xsl:element>
+ </xsl:element>
+</xsl:template>
+
+</xsl:stylesheet>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. File, Directory and Share Access Controls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups"><link rel="next" href="locking.html" title="Chapter 14. File and Record Locking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. File, Directory and Share Access Controls</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AccessControls"></a>Chapter 13. File, Directory and Share Access Controls</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">May 10, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask
+ parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute
+ mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files
+ I touch!</a></dt></dl></dd></dl></div><p>
+Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
+resources shared via Samba do not behave in the manner they might expect. MS Windows network
+administrators are often confused regarding network access controls and what is the best way to
+provide users with the type of access they need while protecting resources from the consequences
+of untoward access capabilities.
+</p><p>
+Unix administrators frequently are not familiar with the MS Windows environment and in particular
+have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file
+and directory access permissions.
+</p><p>
+The problem lies in the differences in how file and directory permissions and controls work
+between the two environments. This difference is one that Samba can not completely hide, even
+though it does try to make the chasm transparent.
+</p><p>
+POSIX Access Control List technology has been available (along with Extended Attributes)
+for Unix for many years, yet there is little evidence today of any significant use. This
+explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows
+administrators are astounded at this given that ACLs were a foundational capability of the now
+decade old MS Windows NT operating system.
+</p><p>
+The purpose of this chapter is to present each of the points of control that are possible with
+Samba-3 in the hope that this will help the network administrator to find the optimum method
+for delivering the best environment for MS Windows desktop users.
+</p><p>
+This is an opportune point to mention that it should be borne in mind that Samba was created to
+provide a means of interoperability and interchange of data between two operating environments
+that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
+the purpose was an is to provide a sufficient level of exchange of data between the two environments.
+What is available today extends well beyond early plans and expectations, yet the gap continues to
+shrink.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920271"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Samba offers a lot of flexibility in file system access management. These are the key access control
+ facilities present in Samba today:
+ </p><div class="itemizedlist"><p class="title"><b>Samba Access Control Facilities</b></p><ul type="disc"><li><p>
+ <span class="emphasis"><em>Unix File and Directory Permissions</em></span>
+ </p><p>
+ Samba honours and implements Unix file system access controls. Users
+ who access a Samba server will do so as a particular MS Windows user.
+ This information is passed to the Samba server as part of the logon or
+ connection setup process. Samba uses this user identity to validate
+ whether or not the user should be given access to file system resources
+ (files and directories). This chapter provides an overview for those
+ to whom the Unix permissions and controls are a little strange or unknown.
+ </p></li><li><p>
+ <span class="emphasis"><em>Samba Share Definitions</em></span>
+ </p><p>
+ In configuring share settings and controls in the <tt class="filename">smb.conf</tt> file
+ the network administrator can exercise over-rides to native file
+ system permissions and behaviours. This can be handy and convenient
+ to affect behaviour that is more like what MS Windows NT users expect
+ but it is seldom the <span class="emphasis"><em>best</em></span> way to achieve this.
+ The basic options and techniques are described herein.
+ </p></li><li><p>
+ <span class="emphasis"><em>Samba Share ACLs</em></span>
+ </p><p>
+ Just like it is possible in MS Windows NT to set ACLs on shares
+ themselves, so it is possible to do this in Samba.
+ Very few people make use of this facility, yet it remains on of the
+ easiest ways to affect access controls (restrictions) and can often
+ do so with minimum invasiveness compared with other methods.
+ </p></li><li><p>
+ <span class="emphasis"><em>MS Windows ACLs through Unix POSIX ACLs</em></span>
+ </p><p>
+ The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying
+ operating system supports them. If not, then this option will not be
+ available to you. Current Unix technology platforms have native support
+ for POSIX ACLs. There are patches for the Linux kernel that provide
+ this also. Sadly, few Linux platforms ship today with native ACLs and
+ Extended Attributes enabled. This chapter has pertinent information
+ for users of platforms that support them.
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920308"></a>File System Access Controls</h2></div></div><div></div></div><p>
+Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP
+implement a totally divergent file system technology from what is provided in the Unix operating system
+environment. Firstly we should consider what the most significant differences are, then we shall look
+at how Samba helps to bridge the differences.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920326"></a>MS Windows NTFS Comparison with Unix File Systems</h3></div></div><div></div></div><p>
+ Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions
+ and permissions. It also means that if the MS Windows networking environment requires file system
+ behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating
+ that in a transparent and consistent manner.
+ </p><p>
+ It is good news that Samba does this to a very large extent and on top of that provides a high degree
+ of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
+ but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
+ to depths of control ability should review the <tt class="filename">smb.conf</tt> man page.
+ </p><div class="variablelist"><p class="title"><b>File System Feature Comparison</b></p><dl><dt><span class="term">Name Space</span></dt><dd><p>
+ MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names
+ may be 1023 characters long. In MS Windows file extensions indicate particular file types,
+ in Unix this is not so rigorously observed as all names are considered arbitrary.
+ </p><p>
+ What MS Windows calls a Folder, Unix calls a directory,
+ </p></dd><dt><span class="term">Case Sensitivity</span></dt><dd><p>
+ MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name
+ and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case
+ Insensitive.
+ </p><p>
+ Unix file and directory names are Case Sensitive and Case Preserving. Samba implements the
+ MS Windows file name behaviour, but it does so as a user application. The Unix file system
+ provides no mechanism to perform case insensitive file name lookups. MS Windows does this
+ by default. This means that Samba has to carry the processing overhead to provide features
+ that are NOT native to the Unix operating system environment.
+ </p><p>
+ Consider the following, all are unique Unix names but one single MS Windows file name:
+ <tt class="computeroutput">
+ MYFILE.TXT
+ MyFile.txt
+ myfile.txt
+ </tt>
+ So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
+ they can. So what should Samba do if all three are present? Answer, the one that is lexically
+ first will be accessible to MS Windows users, the others are invisible and unaccessible - any
+ other solution would be suicidal.
+ </p></dd><dt><span class="term">Directory Separators</span></dt><dd><p>
+ MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/'
+ as it's directory delimiter. This is transparently handled by Samba.
+ </p></dd><dt><span class="term">Drive Identification</span></dt><dd><p>
+ MS Windows products support a notion of drive letters, like <b class="command">C:</b> to represent
+ disk partitions. Unix has NO concept if separate identifiers for file partitions since each
+ such file system is <tt class="filename">mounted</tt> to become part of the over-all directory tree.
+ The Unix directory tree begins at '/', just like the root of a DOS drive is specified like
+ <b class="command">C:\</b>.
+ </p></dd><dt><span class="term">File Naming Conventions</span></dt><dd><p>
+ MS Windows generally never experiences file names that begin with a '.', while in Unix these
+ are commonly found in a user's home directory. Files that begin with a '.' are typically
+ either start up files for various Unix applications, or they may be files that contain
+ start-up configuration data.
+ </p></dd><dt><span class="term">Links and Short-Cuts</span></dt><dd><p>
+ MS Windows make use of "links and Short-Cuts" that are actually special types of files that will
+ redirect an attempt to execute the file to the real location of the file. Unix knows of file and directory
+ links, but they are entirely different from what MS Windows users are used to.
+ </p><p>
+ Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
+ operation (like read or write) will operate directly on the file referenced. Symbolic links are also
+ referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
+ one physical file to be known simultaneously by more than one file name.
+ </p></dd></dl></div><p>
+ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort
+ in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the
+ purpose of Unix/Linux training/education.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920583"></a>Managing Directories</h3></div></div><div></div></div><p>
+ There are three basic operations for managing directories, <b class="command">create, delete, rename</b>.
+ </p><div class="table"><a name="id2920603"></a><p class="title"><b>Table 13.1. Managing directories with unix and windows</b></p><table summary="Managing directories with unix and windows" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="center">Action</th><th align="center">MS Windows Command</th><th align="center">Unix Command</th></tr></thead><tbody><tr><td align="center">create</td><td align="center">md folder</td><td align="center">mkdir folder</td></tr><tr><td align="center">delete</td><td align="center">rd folder</td><td align="center">rmdir folder</td></tr><tr><td align="center">rename</td><td align="center">rename oldname newname</td><td align="center">mv oldname newname</td></tr></tbody></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2920678"></a>File and Directory Access Control</h3></div></div><div></div></div><p>
+ The network administrator is strongly advised to read foundational training manuals and reference materials
+ regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
+ without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
+ Attributes (EAs).
+ </p><p>
+ Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
+ A Unix file listing looks as follows:-
+
+ </p><pre class="screen">
+ <tt class="prompt">jht@frodo:~/stuff> </tt><b class="userinput"><tt>ls -la</tt></b>
+ total 632
+ drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
+ drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
+ d--------- 2 jht users 48 2003-05-12 22:29 muchado00
+ d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01
+ dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02
+ drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03
+ drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04
+ d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05
+ dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06
+ drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07
+ drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08
+ ---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst
+ ---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst
+ --w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst
+ --wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst
+ -r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst
+ -r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
+ -rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
+ -rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
+ <tt class="prompt">jht@frodo:~/stuff></tt>
+ </pre><p>
+ </p><p>
+ The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
+ </p><p>
+ The permissions field is made up of:
+
+ </p><pre class="programlisting">
+ <i><span class="comment"> JRV: Put this into a diagram of some sort</span></i>
+ [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
+ [ d | l ] [ r w x ] [ r w x ] [ r w x ]
+ | | | | | | | | | | |
+ | | | | | | | | | | |-----> Can Execute, List files
+ | | | | | | | | | |-------> Can Write, Create files
+ | | | | | | | | |---------> Can Read, Read files
+ | | | | | | | |---------------> Can Execute, List files
+ | | | | | | |-----------------> Can Write, Create files
+ | | | | | |-------------------> Can Read, Read files
+ | | | | |-------------------------> Can Execute, List files
+ | | | |---------------------------> Can Write, Create files
+ | | |-----------------------------> Can Read, Read files
+ | |-----------------------------------> Is a symbolic Link
+ |---------------------------------------> Is a directory
+ </pre><p>
+ </p><p>
+ Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
+
+ </p><div class="example"><a name="id2920816"></a><p class="title"><b>Example 13.1. Example File</b></p><pre class="programlisting">
+ -rwxr-x--- Means: The owner (user) can read, write, execute
+ the group can read and execute
+ everyone else can NOT do anything with it
+ </pre></div><p>
+
+ </p><p>
+ Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
+ </p><p>
+ The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
+ execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
+ sticky (t).
+ </p><p>
+ When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
+ Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
+ directories, such as /tmp, that are world-writable.
+ </p><p>
+ When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
+ group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
+ all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
+ to be exclusively owned by a user who's primary group is not the group that all such users belong to.
+ </p><p>
+ When a directory is set <tt class="constant">drw-r-----</tt> this means that the owner can read and create (write) files in it, but because
+ the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
+ directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
+ group members will be able to write to (or delete) them.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2920894"></a>Share Definition Access Controls</h2></div></div><div></div></div><p>
+The following parameters in the <tt class="filename">smb.conf</tt> file sections that define a share control or affect access controls.
+Before using any of the following options please refer to the man page for <tt class="filename">smb.conf</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922074"></a>User and Group Based Controls</h3></div></div><div></div></div><p>
+ User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
+ file system operations as if a single user is doing this, the use of the <i class="parameter"><tt>force user</tt></i> and
+ <i class="parameter"><tt>force group</tt></i> behaviour will achieve this. In other situations it may be necessary to affect a
+ paranoia level of control to ensure that only particular authorised persons will be able to access a share or
+ it's contents, here the use of the <i class="parameter"><tt>valid users</tt></i> or the <i class="parameter"><tt>invalid users</tt></i> may
+ be most useful.
+ </p><p>
+ As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
+ controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
+ if that person finds too great a mess, or if they do not understand what you have done then there is risk of
+ Samba being removed and an alternative solution being adopted.
+ </p><div class="table"><a name="id2922134"></a><p class="title"><b>Table 13.2. User and Group Based Controls</b></p><table summary="User and Group Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>admin users</td><td><p>
+ List of users who will be granted administrative privileges on the share.
+ They will do all file operations as the super-user (root).
+ Any user in this list will be able to do anything they like on the share,
+ irrespective of file permissions.
+ </p></td></tr><tr><td>force group</td><td><p>
+ Specifies a UNIX group name that will be assigned as the default primary group
+ for all users connecting to this service.
+ </p></td></tr><tr><td>force user</td><td><p>
+ Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. Incorrect use can cause security problems.
+ </p></td></tr><tr><td>guest ok</td><td><p>
+ If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
+ those of the guest account.
+ </p></td></tr><tr><td>invalid users</td><td><p>
+ List of users that should not be allowed to login to this service.
+ </p></td></tr><tr><td>only user</td><td><p>
+ Controls whether connections with usernames not in the user list will be allowed.
+ </p></td></tr><tr><td>read list</td><td><p>
+ List of users that are given read-only access to a service. Users in this list
+ will not be given write access, no matter what the read only option is set to.
+ </p></td></tr><tr><td>username</td><td><p>
+ Refer to the <tt class="filename">smb.conf</tt> man page for more information - this is a complex and potentially misused parameter.
+ </p></td></tr><tr><td>valid users</td><td><p>
+ List of users that should be allowed to login to this service.
+ </p></td></tr><tr><td>write list</td><td><p>
+ List of users that are given read-write access to a service.
+ </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922346"></a>File and Directory Permissions Based Controls</h3></div></div><div></div></div><p>
+ The following file and directory permission based controls, if misused, can result in considerable difficulty to
+ diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
+ undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
+ re-introduce them in a controlled fashion.
+ </p><div class="table"><a name="id2922367"></a><p class="title"><b>Table 13.3. File and Directory Permission Based Controls</b></p><table summary="File and Directory Permission Based Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>create mask</td><td><p>
+ Refer to the <tt class="filename">smb.conf</tt> man page.
+ </p></td></tr><tr><td>directory mask</td><td><p>
+ The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
+ See also: directory security mask.
+ </p></td></tr><tr><td>dos filemode</td><td><p>
+ Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
+ </p></td></tr><tr><td>force create mode</td><td><p>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
+ </p></td></tr><tr><td>force directory mode</td><td><p>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
+ </p></td></tr><tr><td>force directory security mode</td><td><p>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
+ </p></td></tr><tr><td>force security mode</td><td><p>
+ Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
+ </p></td></tr><tr><td>hide unreadable</td><td><p>
+ Prevents clients from seeing the existence of files that cannot be read.
+ </p></td></tr><tr><td>hide unwriteable files</td><td><p>
+ Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
+ </p></td></tr><tr><td>nt acl support</td><td><p>
+ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
+ </p></td></tr><tr><td>security mask</td><td><p>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
+ </p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922591"></a>Miscellaneous Controls</h3></div></div><div></div></div><p>
+ The following are documented because of the prevalence of administrators creating inadvertant barriers to file
+ access by not understanding the full implications of <tt class="filename">smb.conf</tt> file settings.
+ </p><div class="table"><a name="id2922614"></a><p class="title"><b>Table 13.4. Other Controls</b></p><table summary="Other Controls" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Control Parameter</th><th align="center">Description - Action - Notes</th></tr></thead><tbody><tr><td>case sensitive, default case, short preserve case</td><td><p>
+ This means that all file name lookup will be done in a case sensitive manner.
+ Files will be created with the precise filename Samba received from the MS Windows client.
+ </p></td></tr><tr><td>csc policy</td><td><p>
+ Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
+ </p></td></tr><tr><td>dont descend</td><td><p>
+ Allows to specify a comma-delimited list of directories that the server should always show as empty.
+ </p></td></tr><tr><td>dos filetime resolution</td><td><p>
+ This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
+ </p></td></tr><tr><td>dos filetimes</td><td><p>
+ DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
+ This options allows DOS and Windows behaviour.
+ </p></td></tr><tr><td>fake oplocks</td><td><p>
+ Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
+ oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
+ </p></td></tr><tr><td>hide dot files, hide files, veto files</td><td><p>
+ Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
+ </p></td></tr><tr><td>read only</td><td><p>
+ If this parameter is yes, then users of a service may not create or modify files in the service's directory.
+ </p></td></tr><tr><td>veto files</td><td><p>
+ List of files and directories that are neither visible nor accessible.
+ </p></td></tr></tbody></table></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2922807"></a>Access Controls on Shares</h2></div></div><div></div></div><p>
+ This section deals with how to configure Samba per share access control restrictions.
+ By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
+ can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
+ connect to a share. In the absence of specific restrictions the default setting is to allow
+ the global user <tt class="constant">Everyone</tt> Full Control (ie: Full control, Change and Read).
+ </p><p>
+ At this time Samba does NOT provide a tool for configuring access control setting on the Share
+ itself. Samba does have the capacity to store and act on access control settings, but the only
+ way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
+ Computer Management.
+ </p><p>
+ Samba stores the per share access control settings in a file called <tt class="filename">share_info.tdb</tt>.
+ The location of this file on your system will depend on how samba was compiled. The default location
+ for Samba's tdb files is under <tt class="filename">/usr/local/samba/var</tt>. If the <tt class="filename">tdbdump</tt>
+ utility has been compiled and installed on your system, then you can examine the contents of this file
+ by: <b class="userinput"><tt>tdbdump share_info.tdb</tt></b>.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922879"></a>Share Permissions Management</h3></div></div><div></div></div><p>
+ The best tool for the task is platform dependant. Choose the best tool for your environment.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922892"></a>Windows NT4 Workstation/Server</h4></div></div><div></div></div><p>
+ The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
+ Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
+ You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
+ </p><div class="procedure"><p class="title"><b>Procedure 13.1. Instructions</b></p><ol type="1"><li><p>
+ Launch the <span class="application">NT4 Server Manager</span>, click on the Samba server you want to administer, then from the menu
+ select <span class="guimenu">Computer</span>, then click on the <span class="guimenuitem">Shared Directories</span> entry.
+ </p></li><li><p>
+ Now click on the share that you wish to manage, then click on the <span class="guilabel">Properties</span> tab, next click on
+ the <span class="guilabel">Permissions</span> tab. Now you can add or change access control settings as you wish.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2922975"></a>Windows 200x/XP</h4></div></div><div></div></div><p>
+ On <span class="application">MS Windows NT4/200x/XP</span> system access control lists on the share itself are set using native
+ tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
+ then select <span class="guimenuitem">Sharing</span>, then click on <span class="guilabel">Permissions</span>. The default
+ Windows NT4/200x permission allows <span class="emphasis"><em>Everyone</em></span> Full Control on the Share.
+ </p><p>
+ MS Windows 200x and later all comes with a tool called the <span class="application">Computer Management</span> snap-in for the
+ Microsoft Management Console (MMC). This tool is located by clicking on <tt class="filename">Control Panel ->
+ Administrative Tools -> Computer Management</tt>.
+ </p><div class="procedure"><p class="title"><b>Procedure 13.2. Instructions</b></p><ol type="1"><li><p>
+ After launching the MMC with the Computer Management snap-in, click on the menu item <span class="guimenuitem">Action</span>,
+ select <span class="guilabel">Connect to another computer</span>. If you are not logged onto a domain you will be prompted
+ to enter a domain login user identifier and a password. This will authenticate you to the domain.
+ If you where already logged in with administrative privilege this step is not offered.
+ </p></li><li><p>
+ If the Samba server is not shown in the <span class="guilabel">Select Computer</span> box, then type in the name of the target
+ Samba server in the field <span class="guilabel">Name:</span>. Now click on the <span class="guibutton">[+]</span> next to
+ <span class="guilabel">System Tools</span>, then on the <span class="guibutton">[+]</span> next to <span class="guilabel">Shared Folders</span> in the
+ left panel.
+ </p></li><li><p>
+ Now in the right panel, double-click on the share you wish to set access control permissions on.
+ Then click on the tab <span class="guilabel">Share Permissions</span>. It is now possible to add access control entities
+ to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
+ wish to assign for each entry.
+ </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Be careful. If you take away all permissions from the <tt class="constant">Everyone</tt> user without removing this user
+ then effectively no user will be able to access the share. This is a result of what is known as
+ ACL precedence. ie: Everyone with <span class="emphasis"><em>no access</em></span> means that MaryK who is part of the group
+ <tt class="constant">Everyone</tt> will have no access even if this user is given explicit full control access.
+ </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2923178"></a>MS Windows Access Control Lists and Unix Interoperability</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923186"></a>Managing UNIX permissions Using NT Security Dialogs</h3></div></div><div></div></div><p>Windows NT clients can use their native security settings
+ dialog box to view and modify the underlying UNIX permissions.</p><p>Note that this ability is careful not to compromise
+ the security of the UNIX host Samba is running on, and
+ still obeys all the file permission rules that a Samba
+ administrator can set.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ All access to Unix/Linux system file via Samba is controlled at
+ the operating system file access control level. When trying to
+ figure out file access problems it is vitally important to identify
+ the identity of the Windows user as it is presented by Samba at
+ the point of file access. This can best be determined from the
+ Samba log files.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923224"></a>Viewing File Security on a Samba Share</h3></div></div><div></div></div><p>From an NT4/2000/XP client, single-click with the right
+ mouse button on any file or directory in a Samba mounted
+ drive letter or UNC path. When the menu pops-up, click
+ on the <span class="guilabel">Properties</span> entry at the bottom of
+ the menu. This brings up the file properties dialog
+ box. Click on the tab <span class="guilabel">Security</span> and you
+ will see three buttons, <span class="guibutton">Permissions</span>,
+ <span class="guibutton">Auditing</span>, and <span class="guibutton">Ownership</span>.
+ The <span class="guibutton">Auditing</span> button will cause either
+ an error message <span class="errorname">A requested privilege is not held
+ by the client</span> to appear if the user is not the
+ NT Administrator, or a dialog which is intended to allow an
+ Administrator to add auditing requirements to a file if the
+ user is logged on as the NT Administrator. This dialog is
+ non-functional with a Samba share at this time, as the only
+ useful button, the <span class="guibutton">Add</span> button will not currently
+ allow a list of users to be seen.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923303"></a>Viewing file ownership</h3></div></div><div></div></div><p>Clicking on the <span class="guibutton">Ownership</span> button
+ brings up a dialog box telling you who owns the given file. The
+ owner name will be of the form :</p><p><b class="command">"SERVER\user (Long name)"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
+ the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
+ the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
+ is the descriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database). Click on the
+ <span class="guibutton">Close </span> button to remove this dialog.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
+ is set to <tt class="constant">false</tt> then the file owner will
+ be shown as the NT user <tt class="constant">"Everyone"</tt>.</p><p>The <span class="guibutton">Take Ownership</span> button will not allow
+ you to change the ownership of this file to yourself (clicking on
+ it will display a dialog box complaining that the user you are
+ currently logged onto the NT client cannot be found). The reason
+ for this is that changing the ownership of a file is a privileged
+ operation in UNIX, available only to the <span class="emphasis"><em>root</em></span>
+ user. As clicking on this button causes NT to attempt to change
+ the ownership of a file to the current user logged into the NT
+ client this will not work with Samba at this time.</p><p>There is an NT chown command that will work with Samba
+ and allow a user with Administrator privilege connected
+ to a Samba server as root to change the ownership of
+ files on both a local NTFS filesystem or remote mounted NTFS
+ or Samba drive. This is available as part of the <span class="application">Seclib
+ </span> NT security library written by Jeremy Allison of
+ the Samba Team, available from the main Samba ftp site.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923425"></a>Viewing File or Directory Permissions</h3></div></div><div></div></div><p>The third button is the <span class="guibutton">Permissions</span>
+ button. Clicking on this brings up a dialog box that shows both
+ the permissions and the UNIX owner of the file or directory.
+ The owner is displayed in the form :</p><p><b class="command">"<i class="replaceable"><tt>SERVER</tt></i>\
+ <i class="replaceable"><tt>user</tt></i>
+ <i class="replaceable"><tt>(Long name)</tt></i>"</b></p><p>Where <i class="replaceable"><tt>SERVER</tt></i> is the NetBIOS name of
+ the Samba server, <i class="replaceable"><tt>user</tt></i> is the user name of
+ the UNIX user who owns the file, and <i class="replaceable"><tt>(Long name)</tt></i>
+ is the descriptive string identifying the user (normally found in the
+ GECOS field of the UNIX password database).</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
+ is set to <tt class="constant">false</tt> then the file owner will
+ be shown as the NT user <tt class="constant">"Everyone"</tt> and the
+ permissions will be shown as NT "Full Control".</p><p>The permissions field is displayed differently for files
+ and directories, so I'll describe the way file permissions
+ are displayed first.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923516"></a>File Permissions</h4></div></div><div></div></div><p>The standard UNIX user/group/world triplet and
+ the corresponding "read", "write", "execute" permissions
+ triplets are mapped by Samba into a three element NT ACL
+ with the 'r', 'w', and 'x' bits mapped into the corresponding
+ NT permissions. The UNIX world permissions are mapped into
+ the global NT group <tt class="constant">Everyone</tt>, followed
+ by the list of permissions allowed for UNIX world. The UNIX
+ owner and group permissions are displayed as an NT
+ <span class="guiicon">user</span> icon and an NT <span class="guiicon">local
+ group</span> icon respectively followed by the list
+ of permissions allowed for the UNIX user and group.</p><p>As many UNIX permission sets don't map into common
+ NT names such as <tt class="constant">read</tt>, <tt class="constant">
+ "change"</tt> or <tt class="constant">full control</tt> then
+ usually the permissions will be prefixed by the words <tt class="constant">
+ "Special Access"</tt> in the NT display list.</p><p>But what happens if the file has no permissions allowed
+ for a particular UNIX user group or world component ? In order
+ to allow "no permissions" to be seen and modified then Samba
+ overloads the NT <b class="command">"Take Ownership"</b> ACL attribute
+ (which has no meaning in UNIX) and reports a component with
+ no permissions as having the NT <b class="command">"O"</b> bit set.
+ This was chosen of course to make it look like a zero, meaning
+ zero permissions. More details on the decision behind this will
+ be given below.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2923608"></a>Directory Permissions</h4></div></div><div></div></div><p>Directories on an NT NTFS file system have two
+ different sets of permissions. The first set of permissions
+ is the ACL set on the directory itself, this is usually displayed
+ in the first set of parentheses in the normal <tt class="constant">"RW"</tt>
+ NT style. This first set of permissions is created by Samba in
+ exactly the same way as normal file permissions are, described
+ above, and is displayed in the same way.</p><p>The second set of directory permissions has no real meaning
+ in the UNIX permissions world and represents the <tt class="constant">
+ inherited</tt> permissions that any file created within
+ this directory would inherit.</p><p>Samba synthesises these inherited permissions for NT by
+ returning as an NT ACL the UNIX permission mode that a new file
+ created by Samba on this share would receive.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923653"></a>Modifying file or directory permissions</h3></div></div><div></div></div><p>Modifying file and directory permissions is as simple
+ as changing the displayed permissions in the dialog box, and
+ clicking the <span class="guibutton">OK</span> button. However, there are
+ limitations that a user needs to be aware of, and also interactions
+ with the standard Samba permission masks and mapping of DOS
+ attributes that need to also be taken into account.</p><p>If the parameter <i class="parameter"><tt>nt acl support</tt></i>
+ is set to <tt class="constant">false</tt> then any attempt to set
+ security permissions will fail with an <span class="errorname">"Access Denied"
+ </span> message.</p><p>The first thing to note is that the <span class="guibutton">"Add"</span>
+ button will not return a list of users in Samba (it will give
+ an error message of <span class="errorname">The remote procedure call failed
+ and did not execute</span>). This means that you can only
+ manipulate the current user/group/world permissions listed in
+ the dialog box. This actually works quite well as these are the
+ only permissions that UNIX actually has.</p><p>If a permission triplet (either user, group, or world)
+ is removed from the list of permissions in the NT dialog box,
+ then when the <span class="guibutton">OK</span> button is pressed it will
+ be applied as "no permissions" on the UNIX side. If you then
+ view the permissions again the "no permissions" entry will appear
+ as the NT <b class="command">"O"</b> flag, as described above. This
+ allows you to add permissions back to a file or directory once
+ you have removed them from a triplet component.</p><p>As UNIX supports only the "r", "w" and "x" bits of
+ an NT ACL then if other NT security attributes such as "Delete
+ access" are selected then they will be ignored when applied on
+ the Samba server.</p><p>When setting permissions on a directory the second
+ set of permissions (in the second set of parentheses) is
+ by default applied to all files within that directory. If this
+ is not what you want you must uncheck the <span class="guilabel">Replace
+ permissions on existing files</span> checkbox in the NT
+ dialog before clicking <span class="guibutton">OK</span>.</p><p>If you wish to remove all permissions from a
+ user/group/world component then you may either highlight the
+ component and click the <span class="guibutton">Remove</span> button,
+ or set the component to only have the special <tt class="constant">Take
+ Ownership</tt> permission (displayed as <b class="command">"O"
+ </b>) highlighted.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2923805"></a>Interaction with the standard Samba create mask
+ parameters</h3></div></div><div></div></div><p>There are four parameters
+ to control interaction with the standard Samba create mask parameters.
+ These are :
+
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode</tt></i></td></tr></table><p>
+
+ </p><p>Once a user clicks <span class="guibutton">OK</span> to apply the
+ permissions Samba maps the given permissions into a user/group/world
+ r/w/x triplet set, and then will check the changed permissions for a
+ file against the bits set in the <a href="smb.conf.5.html#SECURITYMASK" target="_top">
+ <i class="parameter"><tt>security mask</tt></i></a> parameter. Any bits that
+ were changed that are not set to '1' in this parameter are left alone
+ in the file permissions.</p><p>Essentially, zero bits in the <i class="parameter"><tt>security mask</tt></i>
+ mask may be treated as a set of bits the user is <span class="emphasis"><em>not</em></span>
+ allowed to change, and one bits are those the user is allowed to change.
+ </p><p>If not set explicitly this parameter is set to the same value as
+ the <a href="smb.conf.5.html#CREATEMASK" target="_top"><i class="parameter"><tt>create mask
+ </tt></i></a> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter
+ to 0777.</p><p>Next Samba checks the changed permissions for a file against
+ the bits set in the <a href="smb.conf.5.html#FORCESECURITYMODE" target="_top">
+ <i class="parameter"><tt>force security mode</tt></i></a> parameter. Any bits
+ that were changed that correspond to bits set to '1' in this parameter
+ are forced to be set.</p><p>Essentially, bits set in the <i class="parameter"><tt>force security mode
+ </tt></i> parameter may be treated as a set of bits that, when
+ modifying security on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to the same value
+ as the <a href="smb.conf.5.html#FORCECREATEMODE" target="_top"><i class="parameter"><tt>force
+ create mode</tt></i></a> parameter.
+ To allow a user to modify all the user/group/world permissions on a file
+ with no restrictions set this parameter to 000.</p><p>The <i class="parameter"><tt>security mask</tt></i> and <i class="parameter"><tt>force
+ security mode</tt></i> parameters are applied to the change
+ request in that order.</p><p>For a directory Samba will perform the same operations as
+ described above for a file except using the parameter <i class="parameter"><tt>
+ directory security mask</tt></i> instead of <i class="parameter"><tt>security
+ mask</tt></i>, and <i class="parameter"><tt>force directory security mode
+ </tt></i> parameter instead of <i class="parameter"><tt>force security mode
+ </tt></i>.</p><p>The <i class="parameter"><tt>directory security mask</tt></i> parameter
+ by default is set to the same value as the <i class="parameter"><tt>directory mask
+ </tt></i> parameter and the <i class="parameter"><tt>force directory security
+ mode</tt></i> parameter by default is set to the same value as
+ the <i class="parameter"><tt>force directory mode</tt></i> parameter. </p><p>In this way Samba enforces the permission restrictions that
+ an administrator can set on a Samba share, whilst still allowing users
+ to modify the permission bits within that restriction.</p><p>If you want to set up a share that allows users full control
+ in modifying the permission bits on their files and directories and
+ doesn't force any particular bits to be set 'on', then set the following
+ parameters in the <tt class="filename">smb.conf</tt> file in that share specific section :
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force security mode = 0</tt></i></td></tr><tr><td><i class="parameter"><tt>directory security mask = 0777</tt></i></td></tr><tr><td><i class="parameter"><tt>force directory security mode = 0</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924134"></a>Interaction with the standard Samba file attribute
+ mapping</h3></div></div><div></div></div><p>Samba maps some of the DOS attribute bits (such as "read
+ only") into the UNIX permissions of a file. This means there can
+ be a conflict between the permission bits set via the security
+ dialog and the permission bits set by the file attribute mapping.
+ </p><p>One way this can show up is if a file has no UNIX read access
+ for the owner it will show up as "read only" in the standard
+ file attributes tabbed dialog. Unfortunately this dialog is
+ the same one that contains the security info in another tab.</p><p>What this can mean is that if the owner changes the permissions
+ to allow themselves read access using the security dialog, clicks
+ <span class="guibutton">OK</span> to get back to the standard attributes tab
+ dialog, and then clicks <span class="guibutton">OK</span> on that dialog, then
+ NT will set the file permissions back to read-only (as that is what
+ the attributes still say in the dialog). This means that after setting
+ permissions and clicking <span class="guibutton">OK</span> to get back to the
+ attributes dialog you should always hit <span class="guibutton">Cancel</span>
+ rather than <span class="guibutton">OK</span> to ensure that your changes
+ are not overridden.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2924210"></a>Common Errors</h2></div></div><div></div></div><p>
+File, Directory and Share access problems are very common on the mailing list. The following
+are examples taken from the mailing list in recent times.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924224"></a>Users can not write to a public share</h3></div></div><div></div></div><p>
+ “<span class="quote">
+ We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
+ and there's a public share, on which everyone needs to have permission to create / modify files, but only
+ root can change the file, no one else can. We need to constantly go to server to
+ <b class="userinput"><tt>chgrp -R users *</tt></b> and <b class="userinput"><tt>chown -R nobody *</tt></b> to allow others users to change the file.
+ </span>”
+ </p><p>
+ There are many ways to solve this problem, here are a few hints:
+ </p><div class="procedure"><p class="title"><b>Procedure 13.3. Example Solution:</b></p><ol type="1"><li><p>
+ Go to the top of the directory that is shared
+ </p></li><li><p>
+ Set the ownership to what ever public owner and group you want
+ </p><pre class="programlisting">
+ find 'directory_name' -type d -exec chown user.group {}\;
+ find 'directory_name' -type d -exec chmod 6775 'directory_name'
+ find 'directory_name' -type f -exec chmod 0775 {} \;
+ find 'directory_name' -type f -exec chown user.group {}\;
+ </pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The above will set the 'sticky bit' on all directories. Read your
+ Unix/Linux man page on what that does. It causes the OS to assign
+ to all files created in the directories the ownership of the
+ directory.
+ </p></div></li><li><p>
+
+ Directory is: <i class="replaceable"><tt>/foodbar</tt></i>
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack.engr /foodbar</tt></b>
+ </pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ </p><p>This is the same as doing:</p><p>
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt><b class="userinput"><tt>chown jack /foodbar</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>chgrp engr /foodbar</tt></b>
+ </pre><p>
+ </p></div></li><li><p>Now do:
+
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt><b class="userinput"><tt>chmod 6775 /foodbar</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>ls -al /foodbar/..</tt></b>
+ </pre><p>
+
+ </p><p>You should see:
+ </p><pre class="screen">
+ drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
+ </pre><p>
+ </p></li><li><p>Now do:
+ </p><pre class="screen">
+ <tt class="prompt">$ </tt><b class="userinput"><tt>su - jill</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>cd /foodbar</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>touch Afile</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>ls -al</tt></b>
+ </pre><p>
+ </p><p>
+ You should see that the file <tt class="filename">Afile</tt> created by Jill will have ownership
+ and permissions of Jack, as follows:
+ </p><pre class="screen">
+ -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
+ </pre><p>
+ </p></li><li><p>
+ Now in your <tt class="filename">smb.conf</tt> for the share add:
+ </p><pre class="programlisting">
+ force create mode = 0775
+ force directory mode = 6775
+ </pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The above are only needed <span class="emphasis"><em>if</em></span> your users are <span class="emphasis"><em>not</em></span> members of the group
+ you have used. ie: Within the OS do not have write permission on the directory.
+ </p></div><p>
+ An alternative is to set in the <tt class="filename">smb.conf</tt> entry for the share:
+ </p><pre class="programlisting">
+ force user = jack
+ force group = engr
+ </pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2924604"></a>I have set force user and Samba still makes <span class="emphasis"><em>root</em></span> the owner of all the files
+ I touch!</h3></div></div><div></div></div><p>
+ When you have a user in 'admin users', Samba will always do file operations for
+ this user as <span class="emphasis"><em>root</em></span>, even if <i class="parameter"><tt>force user</tt></i> has been set.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="locking.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 12. Mapping MS Windows and Unix Groups </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 14. File and Record Locking</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 22. Advanced Network Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"><link rel="next" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 22. Advanced Network Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="AdvancedNetworkManagement"></a>Chapter 22. Advanced Network Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></div><p>
+This section documents peripheral issues that are of great importance to network
+administrators who want to improve network resource access control, to automate the user
+environment, and to make their lives a little easier.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984570"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Often the difference between a working network environment and a well appreciated one can
+best be measured by the <span class="emphasis"><em>little things</em></span> that makes everything work more
+harmoniously. A key part of every network environment solution is the ability to remotely
+manage MS Windows workstations, to remotely access the Samba server, to provide customised
+logon scripts, as well as other house keeping activities that help to sustain more reliable
+network operations.
+</p><p>
+This chapter presents information on each of these area. They are placed here, and not in
+other chapters, for ease of reference.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984759"></a>Remote Server Administration</h2></div></div><div></div></div><p>
+<span class="emphasis"><em>How do I get 'User Manager' and 'Server Manager'?</em></span>
+</p><p>
+ Since I don't need to buy an <span class="application">NT4 Server</span>, how do I get the 'User Manager for Domains',
+the 'Server Manager'?
+</p><p>
+Microsoft distributes a version of these tools called nexus for installation
+on <span class="application">Windows 9x / Me</span> systems. The tools set includes:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Server Manager</td></tr><tr><td>User Manager for Domains</td></tr><tr><td>Event Viewer</td></tr></table><p>
+Click here to download the archived file <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</a>
+</p><p>
+The <span class="application">Windows NT 4.0</span> version of the 'User Manager for
+Domains' and 'Server Manager' are available from Microsoft via ftp
+from <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984858"></a>Remote Desktop Management</h2></div></div><div></div></div><p>
+There are a number of possible remote desktop management solutions that range from free
+through costly. Do not let that put you off. Sometimes the most costly solutions is the
+most cost effective. In any case, you will need to draw your own conclusions as to which
+is the best tool in your network environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2984876"></a>Remote Management from NoMachines.Com</h3></div></div><div></div></div><p>
+ The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
+ It is presented in slightly edited form (with author details omitted for privacy reasons).
+ The entire answer is reproduced below with some comments removed.
+ </p><p>
+</p><pre class="screen">
+> I have a wonderful linux/samba server running as PDC for a network.
+> Now I would like to add remote desktop capabilities so that
+> users outside could login to the system and get their desktop up from
+> home or another country..
+>
+> Is there a way to accomplish this? Do I need a windows terminal server?
+> Do I need to configure it so that it is a member of the domain or a
+> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
+> even if the computer is in a domain?
+>
+> Any ideas/experience would be appreciated :)
+</pre><p>
+</p><p>
+ Answer provided: Check out the new offer from NoMachine, "NX" software:
+ <a href="http://www.nomachine.com/" target="_top">http://www.nomachine.com/</a>.
+ </p><p>
+ It implements a very easy-to-use interface to the remote X protocol as
+ well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
+ performance much better than anything you may have ever seen...
+ </p><p>
+ Remote X is not new at all -- but what they did achieve successfully is
+ a new way of compression and caching technologies which makes the thing
+ fast enough to run even over slow modem/ISDN connections.
+ </p><p>
+ I could test drive their (public) RedHat machine in Italy, over a loaded
+ internet connection, with enabled thumbnail previews in KDE konqueror
+ which popped up immediately on "mouse-over". From inside that (remote X)
+ session I started a rdesktop session on another, a Windows XP machine.
+ To test the performance, I played Pinball. I am proud to announce here
+ that my score was 631750 points at first try...
+ </p><p>
+ NX performs better on my local LAN than any of the other "pure"
+ connection methods I am using from time to time: TightVNC, rdesktop or
+ remote X. It is even faster than a direct crosslink connection between
+ two nodes.
+ </p><p>
+ I even got sound playing from the remote X app to my local boxes, and
+ had a working "copy'n'paste" from an NX window (running a KDE session
+ in Italy) to my Mozilla mailing agent... These guys are certainly doing
+ something right!
+ </p><p>
+ I recommend to test drive NX to anybody with a only a remote interest
+ in remote computing
+ <a href="http://www.nomachine.com/testdrive.php" target="_top">http://www.nomachine.com/testdrive.php</a>.
+ </p><p>
+ Just download the free of charge client software (available for RedHat,
+ SuSE, Debian and Windows) and be up and running within 5 minutes (they
+ need to send you your account data, though, because you are assigned
+ a real Unix account on their testdrive.nomachine.com box...
+ </p><p>
+ They plan to get to the point were you can have NX application servers
+ running as a cluster of nodes, and users simply start an NX session locally,
+ and can select applications to run transparently (apps may even run on
+ another NX node, but pretend to be on the same as used for initial login,
+ because it displays in the same window.... well, you also can run it
+ fullscreen, and after a short time you forget that it is a remote session
+ at all).
+ </p><p>
+ Now the best thing at the end: all the core compression and caching
+ technologies are released under the GPL and available as source code
+ to anybody who wants to build on it! These technologies are working,
+ albeit started from the command line only (and very inconvenient to
+ use in order to get a fully running remote X session up and running....)
+ </p><p>
+ To answer your questions:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ You don't need to install a terminal server; XP has RDP support built in.
+ </p></li><li><p>
+ NX is much cheaper than Citrix -- and comparable in performance, probably faster
+ </p></li><li><p>
+ You don't need to hack XP -- it just works
+ </p></li><li><p>
+ You log into the XP box from remote transparently (and I think there is no
+ need to change anything to get a connection, even if authentication is against a domain)
+ </p></li><li><p>
+ The NX core technologies are all Open Source and released under the GPL --
+ you can today use a (very inconvenient) commandline to use it at no cost,
+ but you can buy a comfortable (proprietary) NX GUI frontend for money
+ </p></li><li><p>
+ NoMachine are encouraging and offering help to OSS/Free Software implementations
+ for such a frontend too, even if it means competition to them (they have written
+ to this effect even to the LTSP, KDE and GNOME developer mailing lists)
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985087"></a>Network Logon Script Magic</h2></div></div><div></div></div><p>
+This section needs work. Volunteer contributions most welcome. Please send your patches or updates
+to <a href="mailto:jht@samba.org" target="_top">John Terpstra</a>.
+</p><p>
+There are several opportunities for creating a custom network startup configuration environment.
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>No Logon Script</td></tr><tr><td>Simple universal Logon Script that applies to all users</td></tr><tr><td>Use of a conditional Logon Script that applies per user or per group attributes</td></tr><tr><td>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
+ a custom Logon Script and then execute it.</td></tr><tr><td>User of a tool such as KixStart</td></tr></table><p>
+The Samba source code tree includes two logon script generation/execution tools.
+See <tt class="filename">examples</tt> directory <tt class="filename">genlogon</tt> and
+<tt class="filename">ntlogon</tt> subdirectories.
+</p><p>
+The following listings are from the genlogon directory.
+</p><p>
+This is the <tt class="filename">genlogon.pl</tt> file:
+
+</p><pre class="programlisting">
+ #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from smb.conf
+ # with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standard's Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+</pre><p>
+</p><p>
+Those wishing to use more elaborate or capable logon processing system should check out the following sites:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a href="http://www.craigelachie.org/rhacer/ntlogon" target="_top">http://www.craigelachie.org/rhacer/ntlogon</a></td></tr><tr><td><a href="http://www.kixtart.org" target="_top">http://www.kixtart.org</a></td></tr><tr><td><a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">http://support.microsoft.com/default.asp?scid=kb;en-us;189105</a></td></tr></table><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2985283"></a>Adding printers without user intervention</h3></div></div><div></div></div><p>
+Printers may be added automatically during logon script processing through the use of:
+
+</p><pre class="programlisting">
+ rundll32 printui.dll,PrintUIEntry /?
+</pre><p>
+
+See the documentation in the <a href="http://support.microsoft.com/default.asp?scid=kb;en-us;189105" target="_top">Microsoft knowledgebase article no: 189105</a>.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2985316"></a>Common Errors</h2></div></div><div></div></div><p>
+The information provided in this chapter has been reproduced from postings on the samba@samba.org
+mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
+their own evaluation of alternatives and are encouraged to draw their own conclusions.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="winbind.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="PolicyMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 21. Integrated Logon Support using Winbind </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 23. System and Account Policies</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part VI. Appendixes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="bugreport.html" title="Chapter 35. Reporting Bugs"><link rel="next" href="compiling.html" title="Chapter 36. How to compile SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part VI. Appendixes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Appendixes"></a>Appendixes</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
+ for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="bugreport.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compiling.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 35. Reporting Bugs </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 36. How to compile SAMBA</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. Samba Backup Techniques</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unicode.html" title="Chapter 27. Unicode/Charsets"><link rel="next" href="SambaHA.html" title="Chapter 29. High Availability Options"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 28. Samba Backup Techniques</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Backup"></a>Chapter 28. Samba Backup Techniques</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001533"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+If you have something to contribute for this section please email it to
+<a href="">jht@samba.org</a>/
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001557"></a>Features and Benefits</h2></div></div><div></div></div><p>
+We need feedback from people who are backing up samba servers.
+We would like to know what software tools you are using to backup
+your samba server/s.
+</p><p>
+In particular, if you have any success and / or failure stories you could
+share with other users this would be appreciated.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unicode.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SambaHA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 27. Unicode/Charsets </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 29. High Availability Options</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. CUPS Printing Support in Samba 3.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="printing.html" title="Chapter 18. Classical Printing Support"><link rel="next" href="VFS.html" title="Chapter 20. Stackable VFS modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. CUPS Printing Support in Samba 3.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="CUPS-printing"></a>Chapter 19. CUPS Printing Support in Samba 3.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Kurt</span> <span class="surname">Pfeifle</span></h3><div class="affiliation"><span class="orgname"> Danka Deutschland GmbH <br></span><div class="address"><p><tt class="email"><<a href="mailto:kpfeifle@danka.de">kpfeifle@danka.de</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Ciprian</span> <span class="surname">Vizitiu</span></h3><span class="contrib">drawings</span><div class="affiliation"><div class="address"><p><tt class="email"><<a href="mailto:CVizitiu@gbif.org">CVizitiu@gbif.org</a>></tt></p></div></div></div></div><div><p class="pubdate"> (3 June 2003) </p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="CUPS-printing.html#id2953785">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953792">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2953845">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2953900">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953979">Linking of smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2954122">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2954205">More complex smb.conf Settings for
+CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954322">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954343">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="CUPS-printing.html#id2954370">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
+with Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954406">Driver Installation Methods on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954465">Explicitly enable "raw" printing for
+application/octet-stream!</a></dt><dt><a href="CUPS-printing.html#id2954626">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954719">Using CUPS/Samba in an advanced Way -- intelligent printing
+with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954794">GDI on Windows -- PostScript on Unix</a></dt><dt><a href="CUPS-printing.html#id2954839">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2954940">Unix Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#id2955028">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2955125">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2955238">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2955308">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2955397">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2955420">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2955560">MIME types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2955747">MIME type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2955864">Filter Requirements</a></dt><dt><a href="CUPS-printing.html#id2956034">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2956120">pstops</a></dt><dt><a href="CUPS-printing.html#id2956222">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2956377">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2956434">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2956519">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2956831">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="CUPS-printing.html#id2956944">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2956960">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2957012">"Raw" printing</a></dt><dt><a href="CUPS-printing.html#id2957066">"application/octet-stream" printing</a></dt><dt><a href="CUPS-printing.html#id2957282">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2957510">Difference between cupsomatic/foomatic-rip and
+native CUPS printing</a></dt><dt><a href="CUPS-printing.html#id2957666">Examples for filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2957897">Sources of CUPS drivers / PPDs</a></dt><dt><a href="CUPS-printing.html#id2958024">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958100">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958116">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2958155">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2958227">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958289">Network Printing (Windows clients -- UNIX/Samba Print
+Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958310">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2958474">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958550">Network PostScript RIP: CUPS Filters on Server -- clients use
+PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958605">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2958646">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958712">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958729">Printer Drivers running in "Kernel Mode" cause many
+Problems</a></dt><dt><a href="CUPS-printing.html#id2958763">Workarounds impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2958784">CUPS: a "Magical Stone"?</a></dt><dt><a href="CUPS-printing.html#id2958811">PostScript Drivers with no major problems -- even in Kernel
+Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958865"> Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958884">cupsaddsmb: the unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2958976">Prepare your smb.conf for
+cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2959022">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959220">Recognize the different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959278">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959310">ESP Print Pro Package of "PostScript Driver for
+WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959360">Caveats to be considered</a></dt><dt><a href="CUPS-printing.html#id2959582">What are the Benefits of using the "CUPS PostScript Driver for
+Windows NT/2k/XP" as compared to the Adobe Driver?</a></dt><dt><a href="CUPS-printing.html#id2959764">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2959865">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="CUPS-printing.html#id2960092">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2960186">How to recognize if cupsaddsm completed successfully</a></dt><dt><a href="CUPS-printing.html#id2960273">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2960308">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2960361">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2960474">Avoiding critical PostScript Driver Settings on the
+Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2960608">Installing PostScript Driver Files manually (using
+rpcclient)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2960723">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960836">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960925">Producing an Example by querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2961015">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="CUPS-printing.html#id2961177">Manual Commandline Driver Installation in 15 little Steps</a></dt><dt><a href="CUPS-printing.html#id2961830">Troubleshooting revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2961930">The printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962033">Trivial DataBase Files</a></dt><dt><a href="CUPS-printing.html#id2962103">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2962165">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2962224">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2962290">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962398">foomatic-rip and Foomatic explained</a></dt><dt><a href="CUPS-printing.html#id2963027">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963488">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2963519">Setting up Quotas</a></dt><dt><a href="CUPS-printing.html#id2963551">Correct and incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2963592">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2963663">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2963765">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2963836">Future Developments</a></dt><dt><a href="CUPS-printing.html#id2963884">Other Accounting Tools</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963899">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2964092">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964138">CUPS Configuration Settings explained</a></dt><dt><a href="CUPS-printing.html#id2964221">Pre-conditions</a></dt><dt><a href="CUPS-printing.html#id2964281">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964299">When not to use Samba to print to
+CUPS</a></dt><dt><a href="CUPS-printing.html#id2964316">In Case of Trouble.....</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964352">Where to find Documentation</a></dt><dt><a href="CUPS-printing.html#id2964364">How to ask for Help</a></dt><dt><a href="CUPS-printing.html#id2964377">Where to find Help</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964391">Appendix</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964398">Printing from CUPS to Windows attached
+Printers</a></dt><dt><a href="CUPS-printing.html#id2964612">More CUPS filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2964919">Trouble Shooting Guidelines to fix typical Samba printing
+Problems</a></dt><dt><a href="CUPS-printing.html#id2966041">An Overview of the CUPS Printing Processes</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953785"></a>Introduction</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953792"></a>Features and Benefits</h3></div></div><div></div></div><p>
+ The Common Unix Print System (<a href="http://www.cups.org/" target="_top">CUPS</a>) has become very popular. All
+ big Linux distributions now ship it as their default printing
+ system. But to many it is still a very mystical tool. Normally it
+ "just works" (TM). People tend to regard it as a sort of "black box",
+ which they don't want to look into, as long as it works OK. But once
+ there is a little problem, they are in trouble to find out where to
+ start debugging it. Also, even the most recent and otherwise excellent
+ printed Samba documentation has only limited attention paid to CUPS
+ printing, leaving out important pieces or even writing plain wrong
+ things about it. This demands rectification. But before you dive into
+ this chapter, make sure that you don't forget to refer to the
+ "Classical Printing" chapter also. It contains a lot of information
+ that is relevant for CUPS too.
+ </p><p>
+ CUPS sports quite a few unique and powerful features. While their
+ basic functions may be grasped quite easily, they are also
+ new. Because they are different from other, more traditional printing
+ systems, it is best to try and not apply any prior knowledge about
+ printing upon this new system. Rather try to start understand CUPS
+ from the beginning. This documentation will lead you here to a
+ complete understanding of CUPS, if you study all of the material
+ contained. But lets start with the most basic things first. Maybe this
+ is all you need for now. Then you can skip most of the other
+ paragraphs.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953845"></a>Overview</h3></div></div><div></div></div><p>
+ CUPS is more than just a print spooling system. It is a complete
+ printer management system that complies with the new IPP
+ (<span class="emphasis"><em>Internet Printing Protocol</em></span>). IPP is an industry
+ and IETF (<span class="emphasis"><em>Internet Engineering Task Force</em></span>)
+ standard for network printing. Many of its functions can be managed
+ remotely (or locally) via a web browser (giving you a
+ platform-independent access to the CUPS print server). In addition it
+ has the traditional commandline and several more modern GUI interfaces
+ (GUI interfaces developed by 3rd parties, like KDE's
+ overwhelming <a href="http://printing.kde.org/" target="_top">KDEPrint</a>).
+ </p><p>
+ CUPS allows creation of "raw" printers (ie: NO print file
+ format translation) as well as "smart" printers (i.e. CUPS does
+ file format conversion as required for the printer). In many ways
+ this gives CUPS similar capabilities to the MS Windows print
+ monitoring system. Of course, if you are a CUPS advocate, you would
+ argue that CUPS is better! In any case, let us now move on to
+ explore how one may configure CUPS for interfacing with MS Windows
+ print clients via Samba.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2953900"></a>Basic Configuration of CUPS support</h2></div></div><div></div></div><p>
+ Printing with CUPS in the most basic <tt class="filename">smb.conf</tt>
+ setup in Samba 3.0 (as was true for 2.2.x) only needs two
+ settings: <i class="parameter"><tt>printing = cups</tt></i> and <i class="parameter"><tt>printcap
+ = cups</tt></i>. CUPS itself doesn't need a printcap file
+ anymore. However, the <tt class="filename">cupsd.conf</tt> configuration
+ file knows two related directives: they control if such a file should
+ be automatically created and maintained by CUPS for the convenience of
+ third party applications (example: <i class="parameter"><tt>Printcap
+ /etc/printcap</tt></i> and <i class="parameter"><tt>PrintcapFormat
+ BSD</tt></i>). These legacy programs often require the existence of
+ printcap file containing printernames or they will refuse to
+ print. Make sure CUPS is set to generate and maintain a printcap! For
+ details see <b class="command">man cupsd.conf</b> and other CUPS-related
+ documentation, like the wealth of documents on your CUPS server
+ itself: <a href="http://localhost:631/documentation.html" target="_top">http://localhost:631/documentation.html</a>.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2953979"></a>Linking of smbd with libcups.so</h3></div></div><div></div></div><p>
+ Samba has a very special relationship to CUPS. The reason is: Samba
+ can be compiled with CUPS library support. Most recent installations
+ have this support enabled, and per default CUPS linking is compiled
+ into smbd and other Samba binaries. Of course, you can use CUPS even
+ if Samba is not linked against <tt class="filename">libcups.so</tt> -- but
+ there are some differences in required or supported configuration
+ then.
+ </p><p>
+ If SAMBA is compiled against libcups, then <i class="parameter"><tt>printcap =
+ cups</tt></i> uses the CUPS API to list printers, submit jobs,
+ query queues, etc. Otherwise it maps to the System V commands with an
+ additional <b class="command">-oraw</b> option for printing. On a Linux
+ system, you can use the <b class="command">ldd</b> utility to find out
+ details (ldd may not be present on other OS platforms, or its function
+ may be embodied by a different command):
+ </p><pre class="screen">
+ transmeta:/home/kurt # ldd `which smbd`
+ libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000)
+ libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
+ libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000)
+ [....]
+ </pre><p>
+ The line <tt class="computeroutput">libcups.so.2 => /usr/lib/libcups.so.2
+ (0x40123000)</tt> shows there is CUPS support compiled
+ into this version of Samba. If this is the case, and printing = cups
+ is set, then <span class="emphasis"><em>any otherwise manually set print command in
+ <tt class="filename">smb.conf</tt> is ignored</em></span>. This is an
+ important point to remember!
+ </p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p> Should you require -- for any reason -- to set your own
+ print commands, you can still do this by setting <i class="parameter"><tt>printing =
+ sysv</tt></i>. However, you'll loose all the benefits from the
+ close CUPS/Samba integration. You are on your own then to manually
+ configure the rest of the printing system commands (most important:
+ <i class="parameter"><tt>print command</tt></i>; other commands are
+ <i class="parameter"><tt>lppause command, lpresume command, lpq command, lprm
+ command, queuepause command </tt></i> and <i class="parameter"><tt>queue resume
+ command</tt></i>).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954122"></a>Simple <tt class="filename">smb.conf</tt> Settings for CUPS</h3></div></div><div></div></div><p>
+ To summarize, here is the simplest printing-related setup
+ for <tt class="filename">smb.conf</tt> to enable basic CUPS support:
+ </p><pre class="screen">
+
+ [global]
+ load printers = yes
+ printing = cups
+ printcap name = cups
+
+ [printers]
+ comment = All Printers
+ path = /var/spool/samba
+ browseable = no
+ public = yes
+ guest ok = yes
+ writable = no
+ printable = yes
+ printer admin = root, @ntadmins
+
+ </pre><p>
+ This is all you need for basic printing setup for CUPS. It will print
+ all Graphic, Text, PDF and PostScript file submitted from Windows
+ clients. However, most of your Windows users would not know how to
+ send these kind of files to print without opening a GUI
+ application. Windows clients tend to have local printer drivers
+ installed. And the GUI application's print buttons start a printer
+ driver. Your users also very rarely send files from the command
+ line. Unlike UNIX clients, they hardly submit graphic, text or PDF
+ formatted files directly to the spooler. They nearly exclusively print
+ from GUI applications, with a "printer driver" hooked in between the
+ applications native format and the print data stream. If the backend
+ printer is not a PostScript device, the print data stream is "binary",
+ sensible only for the target printer. Read on to learn which problem
+ this may cause and how to avoid it.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954205"></a>More complex <tt class="filename">smb.conf</tt> Settings for
+CUPS</h3></div></div><div></div></div><p>
+Here is a slightly more complex printing-related setup
+for <tt class="filename">smb.conf</tt>. It enables general CUPS printing
+support for all printers, but defines one printer share which is set
+up differently.
+</p><pre class="screen">
+
+ [global]
+ printing = cups
+ printcap name = cups
+ load printers = yes
+
+ [printers]
+ comment = All Printers
+ path = /var/spool/samba
+ public = yes
+ guest ok = yes
+ writable = no
+ printable = yes
+ printer admin = root, @ntadmins
+
+ [special_printer]
+ comment = A special printer with his own settings
+ path = /var/spool/samba-special
+ printing = sysv
+ printcap = lpstat
+ print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ;\
+ echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ;\
+ echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log :\
+ rm %f
+ public = no
+ guest ok = no
+ writeable = no
+ printable = yes
+ printer admin = kurt
+ hosts deny = 0.0.0.0
+ hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60
+
+</pre><p>
+This special share is only there for my testing purposes. It doesn't
+even write the print job to a file. It just logs the job parameters
+known to Samba into the <tt class="filename">/tmp/smbprn.log</tt> file and
+deletes the jobfile. Moreover, the <i class="parameter"><tt>printer
+admin</tt></i> of this share is "kurt" (not the "@ntadmins" group);
+guest access is not allowed; the share isn't announced in Network
+Neighbourhood (so you need to know it is there), and it is only
+allowing access from three hosts. To prevent CUPS kicking in and
+taking over the print jobs for that share, we need to set
+<i class="parameter"><tt>printing = sysv</tt></i> and <i class="parameter"><tt>printcap =
+lpstat</tt></i>.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954322"></a>Advanced Configuration</h2></div></div><div></div></div><p>
+Before we dive into all the configuration options, let's clarify a few
+points. <span class="emphasis"><em>Network printing needs to be organized and setup
+correctly</em></span>. Often this is not done correctly. Legacy systems
+or small LANs in business environments often lack a clear design and
+good housekeeping.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954343"></a>Central spooling vs. "Peer-to-Peer" printing</h3></div></div><div></div></div><p>
+Many small office or home networks, as well as badly organized larger
+environments, allow each client a direct access to available network
+printers. Generally, this is a bad idea. It often blocks one client's
+access to the printer when another client's job is printing. It also
+might freeze the first client's application while it is waiting to get
+rid of the job. Also, there are frequent complaints about various jobs
+being printed with their pages mixed with each other. A better concept
+is the usage of a "print server": it routes all jobs through one
+central system, which responds immediately, takes jobs from multiple
+concurrent clients at the same time and in turn transfers them to the
+printer(s) in the correct order.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954370"></a>CUPS/Samba as a "spooling-only" Print Server; "raw" printing
+with Vendor Drivers on Windows Clients</h3></div></div><div></div></div><p>
+Most traditionally configured Unix print servers acting on behalf of
+Samba's Windows clients represented a really simple setup. Their only
+task was to manage the "raw" spooling of all jobs handed to them by
+Samba. This approach meant that the Windows clients were expected to
+prepare the print job file in such a way that it became fit to be fed to
+the printing device. Here a native (vendor-supplied) Windows printer
+driver for the target device needed to be installed on each and every
+client.
+</p><p>
+Of course you can setup CUPS, Samba and your Windows clients in the
+same, traditional and simple way. When CUPS printers are configured
+for RAW print-through mode operation it is the responsibility of the
+Samba client to fully render the print job (file). The file must be
+sent in a format that is suitable for direct delivery to the
+printer. Clients need to run the vendor-provided drivers to do
+this. In this case CUPS will NOT do any print file format conversion
+work.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954406"></a>Driver Installation Methods on Windows Clients</h3></div></div><div></div></div><p>
+The printer drivers on the Windows clients may be installed
+in two functionally different ways:
+</p><div class="itemizedlist"><ul type="disc"><li><p>manually install the drivers locally on each client,
+one by one; this yields the old <span class="emphasis"><em>LanMan</em></span> style
+printing; it uses a <tt class="filename">\\sambaserver\printershare</tt>
+type of connection.</p></li><li><p>deposit and prepare the drivers (for later download) on
+the print server (Samba); this enables the clients to use
+"Point'n'Print" to get drivers semi-automatically installed the
+first time they access the printer; with this method NT/2K/XP
+clients use the <span class="emphasis"><em>SPOOLSS/MS-RPC</em></span>
+type printing calls.</p></li></ul></div><p>
+The second method is recommended for use over the first.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954465"></a>Explicitly enable "raw" printing for
+<span class="emphasis"><em>application/octet-stream</em></span>!</h3></div></div><div></div></div><p>
+If you use the first option (drivers are installed on the client
+side), there is one setting to take care of: CUPS needs to be told
+that it should allow "raw" printing of deliberate (binary) file
+formats. The CUPS files that need to be correctly set for RAW mode
+printers to work are:
+</p><div class="itemizedlist"><ul type="disc"><li><p>/etc/cups/mime.types
+</p></li><li><p>/etc/cups/mime.convs</p></li></ul></div><p>
+Both contain entries (at the end of the respective files) which must
+be uncommented to allow RAW mode operation.
+In<tt class="filename">/etc/cups/mime.types</tt> make sure this line is
+present:
+</p><pre class="screen">
+
+ application/octet-stream
+
+</pre><p>
+In <tt class="filename">/etc/cups/mime.convs</tt>,
+have this line:
+</p><pre class="screen">
+
+ application/octet-stream application/vnd.cups-raw 0 -
+
+</pre><p>
+If these two files are not set up correctly for raw Windows client
+printing, you may encounter the dreaded <tt class="computeroutput">Unable to
+convert file 0</tt> in your CUPS error_log file.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>editing the <tt class="filename">mime.convs</tt> and the
+<tt class="filename">mime.types</tt> file does not
+<span class="emphasis"><em>enforce</em></span> "raw" printing, it only
+<span class="emphasis"><em>allows</em></span> it.
+</p></div><p><b>Background. </b>
+CUPS being a more security-aware printing system than traditional ones
+does not by default allow a user to send deliberate (possibly binary)
+data to printing devices. This could be easily abused to launch a
+"Denial of Service" attack on your printer(s), causing at the least
+the loss of a lot of paper and ink. "Unknown" data are tagged by CUPS
+as <span class="emphasis"><em>MIME type: application/octet-stream</em></span> and not
+allowed to go to the printer. By default, you can only send other
+(known) MIME types "raw". Sending data "raw" means that CUPS does not
+try to convert them and passes them to the printer untouched (see next
+chapter for even more background explanations).
+</p><p>
+This is all you need to know to get the CUPS/Samba combo printing
+"raw" files prepared by Windows clients, which have vendor drivers
+locally installed. If you are not interested in background information about
+more advanced CUPS/Samba printing, simply skip the remaining sections
+of this chapter.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954626"></a>Three familiar Methods for driver upload plus a new one</h3></div></div><div></div></div><p>
+If you want to use the MS-RPC type printing, you must upload the
+drivers onto the Samba server first (<i class="parameter"><tt>[print$]</tt></i>
+share). For a discussion on how to deposit printer drivers on the
+Samba host (so that the Windows clients can download and use them via
+"Point'n'Print") please also refer to the previous chapter of this
+HOWTO Collection. There you will find a description or reference to
+three methods of preparing the client drivers on the Samba server:
+</p><div class="itemizedlist"><ul type="disc"><li><p>the GUI, "Add Printer Wizard"
+<span class="emphasis"><em>upload-from-a-Windows-client</em></span>
+method;</p></li><li><p>the commandline, "smbclient/rpcclient"
+<span class="emphasis"><em>upload-from-a-UNIX-workstation</em></span>
+method;</p></li><li><p>the <span class="emphasis"><em>Imprints</em></span> Toolset
+method.</p></li></ul></div><p>
+These 3 methods apply to CUPS all the same. A new and more
+convenient way to load the Windows drivers into Samba is provided
+provided if you use CUPS:
+</p><div class="itemizedlist"><ul type="disc"><li><p>the <span class="emphasis"><em>cupsaddsmb</em></span>
+utility.</p></li></ul></div><p>
+cupsaddsmb is discussed in much detail further below. But we will
+first explore the CUPS filtering system and compare the Windows and
+UNIX printing architectures.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954719"></a>Using CUPS/Samba in an advanced Way -- intelligent printing
+with PostScript Driver Download</h2></div></div><div></div></div><p>
+Still reading on? Good. Let's go into more detail then. We now know
+how to set up a "dump" printserver, that is, a server which is spooling
+printjobs "raw", leaving the print data untouched.
+</p><p>
+Possibly you need to setup CUPS in a more smart way. The reasons could
+be manifold:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Maybe your boss wants to get monthly statistics: Which
+printer did how many pages? What was the average data size of a job?
+What was the average print run per day? What are the typical hourly
+peaks in printing? Which departments prints how
+much?</p></li><li><p>Maybe you are asked to setup a print quota system:
+users should not be able to print more jobs, once they have surpassed
+a given limit per period?</p></li><li><p>Maybe your previous network printing setup is a mess
+and shall be re-organized from a clean beginning?</p></li><li><p>Maybe you have experiencing too many "Blue Screens",
+originating from poorly debugged printer drivers running in NT "kernel
+mode"?</p></li></ul></div><p>
+These goals cannot be achieved by a raw print server. To build a
+server meeting these requirements, you'll first need to learn about
+how CUPS works and how you can enable its features.
+</p><p>
+What follows is the comparison of some fundamental concepts for
+Windows and Unix printing; then is the time for a description of the
+CUPS filtering system, how it works and how you can tweak it.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954794"></a>GDI on Windows -- PostScript on Unix</h3></div></div><div></div></div><p>
+Network printing is one of the most complicated and error-prone
+day-to-day tasks any user or an administrator may encounter. This is
+true for all OS platforms. And there are reasons for this.
+</p><p>
+You can't expect for most file formats to just throw them towards
+printers and they get printed. There needs to be a file format
+conversion in between. The problem is: there is no common standard for
+print file formats across all manufacturers and printer types. While
+<span class="emphasis"><em>PostScript</em></span> (trademark held by Adobe), and, to an
+extent, <span class="emphasis"><em>PCL</em></span> (trademark held by HP), have developed
+into semi-official "standards", by being the most widely used PDLs
+(<span class="emphasis"><em>Page Description Languages</em></span>), there are still
+many manufacturers who "roll their own" (their reasons may be
+unacceptable license fees for using printer-embedded PostScript
+interpreters, etc.).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954839"></a>Windows Drivers, GDI and EMF</h3></div></div><div></div></div><p>
+In Windows OS, the format conversion job is done by the printer
+drivers. On MS Windows OS platforms all application programmers have
+at their disposal a built-in API, the GDI (<span class="emphasis"><em>Graphical Device
+Interface</em></span>), as part and parcel of the OS itself, to base
+themselves on. This GDI core is used as one common unified ground, for
+all Windows programs, to draw pictures, fonts and documents
+<span class="emphasis"><em>on screen</em></span> as well as <span class="emphasis"><em>on
+paper</em></span> (=print). Therefore printer driver developers can
+standardize on a well-defined GDI output for their own driver
+input. Achieving WYSIWYG ("What You See Is What You Get") is
+relatively easy, because the on-screen graphic primitives, as well as
+the on-paper drawn objects, come from one common source. This source,
+the GDI, produces often a file format called EMF (<span class="emphasis"><em>Enhanced
+MetaFile</em></span>). The EMF is processed by the printer driver and
+converted to the printer-specific file format.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+To the GDI foundation in MS Windows, Apple has chosen to
+put paper and screen output on a common foundation for their
+(BSD-Unix-based, did you know??) Mac OS X and Darwin Operating
+Systems.Their <span class="emphasis"><em>Core Graphic Engine</em></span> uses a
+<span class="emphasis"><em>PDF</em></span> derivate for all display work.
+</p></div><p>
+
+</p><div class="figure"><a name="id2954904"></a><p class="title"><b>Figure 19.1. Windows Printing to a local Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" alt="Windows Printing to a local Printer"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954940"></a>Unix Printfile Conversion and GUI Basics</h3></div></div><div></div></div><p>
+In Unix and Linux, there is no comparable layer built into the OS
+kernel(s) or the X (screen display) server. Every application is
+responsible for itself to create its print output. Fortunately, most
+use PostScript. That gives at least some common ground. Unfortunately,
+there are many different levels of quality for this PostScript. And
+worse: there is a huge difference (and no common root) in the way how
+the same document is displayed on screen and how it is presented on
+paper. WYSIWYG is more difficult to achieve. This goes back to the
+time decades ago, when the predecessors of <span class="emphasis"><em>X.org</em></span>,
+designing the UNIX foundations and protocols for Graphical User
+Interfaces refused to take over responsibility for "paper output"
+also, as some had demanded at the time, and restricted itself to
+"on-screen only". (For some years now, the "Xprint" project has been
+under development, attempting to build printing support into the X
+framework, including a PostScript and a PCL driver, but it is not yet
+ready for prime time.) You can see this unfavorable inheritance up to
+the present day by looking into the various "font" directories on your
+system; there are separate ones for fonts used for X display and fonts
+to be used on paper.
+</p><p><b>Background. </b>
+The PostScript programming language is an "invention" by Adobe Inc.,
+but its specifications have been published to the full. Its strength
+lies in its powerful abilities to describe graphical objects (fonts,
+shapes, patterns, lines, curves, dots...), their attributes (color,
+linewidth...) and the way to manipulate (scale, distort, rotate,
+shift...) them. Because of its open specification, anybody with the
+skill can start writing his own implementation of a PostScript
+interpreter and use it to display PostScript files on screen or on
+paper. Most graphical output devices are based on the concept of
+"raster images" or "pixels" (one notable exception are pen
+plotters). Of course, you can look at a PostScript file in its textual
+form and you will be reading its PostScript code, the language
+instructions which need to be interpreted by a rasterizer. Rasterizers
+produce pixel images, which may be displayed on screen by a viewer
+program or on paper by a printer.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955028"></a>PostScript and Ghostscript</h3></div></div><div></div></div><p>
+So, Unix is lacking a common ground for printing on paper and
+displaying on screen. Despite this unfavorable legacy for Unix, basic
+printing is fairly easy: if you have PostScript printers at your
+disposal! The reason is: these devices have a built-in PostScript
+language "interpreter", also called a <span class="emphasis"><em>Raster Image
+Processor</em></span> (RIP), (which makes them more expensive than
+other types of printers); throw PostScript towards them, and they will
+spit out your printed pages. Their RIP is doing all the hard work of
+converting the PostScript drawing commands into a bitmap picture as
+you see it on paper, in a resolution as done by your printer. This is
+no different to PostScript printing of a file from a Windows origin.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Traditional Unix programs and printing systems -- while
+using PostScript -- are largely not PPD-aware. PPDs are "PostScript
+Printer Description" files. They enable you to specify and control all
+options a printer supports: duplexing, stapling, punching... Therefore
+Unix users for a long time couldn't choose many of the supported
+device and job options, unlike Windows or Apple users. But now there
+is CUPS.... ;-)
+</p></div><p>
+</p><div class="figure"><a name="id2955075"></a><p class="title"><b>Figure 19.2. Printing to a Postscript Printer</b></p><div class="mediaobject"><img src="projdoc/imagefiles/2small.png" alt="Printing to a Postscript Printer"></div></div><p>
+</p><p>
+However, there are other types of printers out there. These don't know
+how to print PostScript. They use their own <span class="emphasis"><em>Page Description
+Language</em></span> (PDL, often proprietary). To print to them is much
+more demanding. Since your Unix applications mostly produce
+PostScript, and since these devices don't understand PostScript, you
+need to convert the printfiles to a format suitable for your printer
+on the host, before you can send it away.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955125"></a>Ghostscript -- the Software RIP for non-PostScript Printers</h3></div></div><div></div></div><p>
+Here is where <span class="emphasis"><em>Ghostscript</em></span> kicks in. Ghostscript is
+the traditional (and quite powerful) PostScript interpreter used on
+Unix platforms. It is a RIP in software, capable to do a
+<span class="emphasis"><em>lot</em></span> of file format conversions, for a very broad
+spectrum of hardware devices as well as software file formats.
+Ghostscript technology and drivers is what enables PostScript printing
+to non-PostScript hardware.
+</p><p>
+</p><div class="figure"><a name="id2955155"></a><p class="title"><b>Figure 19.3. Ghostscript as a RIP for non-postscript printers</b></p><div class="mediaobject"><img src="projdoc/imagefiles/3small.png" alt="Ghostscript as a RIP for non-postscript printers"></div></div><p>
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+Use the "gs -h" command to check for all built-in "devices" of your
+Ghostscript version. If you specify e.g. a parameter of
+<i class="parameter"><tt>-sDEVICE=png256</tt></i> on your Ghostscript command
+line, you are asking Ghostscript to convert the input into a PNG
+file. Naming a "device" on the commandline is the most important
+single parameter to tell Ghostscript how exactly it should render the
+input. New Ghostscript versions are released at fairly regular
+intervals, now by artofcode LLC. They are initially put under the
+"AFPL" license, but re-released under the GNU GPL as soon as the next
+AFPL version appears. GNU Ghostscript is probably the version
+installed on most Samba systems. But it has got some
+deficiencies. Therefore ESP Ghostscript was developed as an
+enhancement over GNU Ghostscript, with lots of bug-fixes, additional
+devices and improvements. It is jointly maintained by developers from
+CUPS, Gimp-Print, MandrakeSoft, SuSE, RedHat and Debian. It includes
+the "cups" device (essential to print to non-PS printers from CUPS).
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955238"></a>PostScript Printer Description (PPD) Specification</h3></div></div><div></div></div><p>
+While PostScript in essence is a <span class="emphasis"><em>Page Description
+Language</em></span> (PDL) to represent the page layout in a
+<span class="emphasis"><em>device independent</em></span> way, real world print jobs are
+always ending up to be output on a hardware with device-specific
+features. To take care of all the differences in hardware, and to
+allow for innovations, Adobe has specified a syntax and file format
+for <span class="emphasis"><em>PostScript Printer Description</em></span> (PPD)
+files. Every PostScript printer ships with one of these files.
+</p><p>
+PPDs contain all information about general and special features of the
+given printer model: Which different resolutions can it handle? Does
+it have a Duplexing Unit? How many paper trays are there? What media
+types and sizes does it take? For each item it also names the special
+command string to be sent to the printer (mostly inside the PostScript
+file) in order to enable it.
+</p><p>
+Information from these PPDs is meant to be taken into account by the
+printer drivers. Therefore, installed as part of the Windows
+PostScript driver for a given printer is the printer's PPD. Where it
+makes sense, the PPD features are presented in the drivers' UI dialogs
+to display to the user as choice of print options. In the end, the
+user selections are somehow written (in the form of special
+PostScript, PJL, JCL or vendor-dependent commands) into the PostScript
+file created by the driver.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+A PostScript file that was created to contain device-specific commands
+for achieving a certain print job output (e.g. duplexed, stapled and
+punched) on a specific target machine, may not print as expected, or
+may not be printable at all on other models; it also may not be fit
+for further processing by software (e.g. by a PDF distilling program).
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955308"></a>CUPS can use all Windows-formatted Vendor PPDs</h3></div></div><div></div></div><p>
+CUPS can handle all spec-compliant PPDs as supplied by the
+manufacturers for their PostScript models. Even if a
+Unix/Linux-illiterate vendor might not have mentioned our favorite
+OS in his manuals and brochures -- you can safely trust this:
+<span class="emphasis"><em>if you get hold of the Windows NT version of the PPD, you
+can use it unchanged in CUPS</em></span> and thus access the full
+power of your printer just like a Windows NT user could!
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+To check the spec compliance of any PPD online, go to <a href="http://www.cups.org/testppd.php" target="_top">http://www.cups.org/testppd.php</a>
+and upload your PPD. You will see the results displayed
+immediately. CUPS in all versions after 1.1.19 has a much more strict
+internal PPD parsing and checking code enabled; in case of printing
+trouble this online resource should be one of your first pitstops.
+</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+For real PostScript printers <span class="emphasis"><em>don't</em></span> use the
+<span class="emphasis"><em>Foomatic</em></span> or <span class="emphasis"><em>cupsomatic</em></span>
+PPDs from Linuxprinting.org. With these devices the original
+vendor-provided PPDs are always the first choice!
+</p></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+If you are looking for an original vendor-provided PPD of a specific
+device, and you know that an NT4 box (or any other Windows box) on
+your LAN has the PostScript driver installed, just use
+<b class="command">smbclient //NT4-box/print\$ -U username</b> to
+access the Windows directory where all printer driver files are
+stored. First look in the <tt class="filename">W32X86/2</tt> subdir for
+the PPD you are seeking.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955397"></a>CUPS also uses PPDs for non-PostScript Printers</h3></div></div><div></div></div><p>
+CUPS also uses specially crafted PPDs to handle non-PostScript
+printers. These PPDs are usually not available from the vendors (and
+no, you can't just take the PPD of a Postscript printer with the same
+model name and hope it works for the non-PostScript version too). To
+understand how these PPDs work for non-PS printers we first need to
+dive deeply into the CUPS filtering and file format conversion
+architecture. Stay tuned.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2955420"></a>The CUPS Filtering Architecture</h2></div></div><div></div></div><p>
+The core of the CUPS filtering system is based on
+<span class="emphasis"><em>Ghostscript</em></span>. In addition to Ghostscript, CUPS
+uses some other filters of its own. You (or your OS vendor) may have
+plugged in even more filters. CUPS handles all data file formats under
+the label of various <span class="emphasis"><em>MIME types</em></span>. Every incoming
+printfile is subjected to an initial
+<span class="emphasis"><em>auto-typing</em></span>. The auto-typing determines its given
+MIME type. A given MIME type implies zero or more possible filtering
+chains relevant to the selected target printer. This section discusses
+how MIME types recognition and conversion rules interact. They are
+used by CUPS to automatically setup a working filtering chain for any
+given input data format.
+</p><p>
+If CUPS rasterizes a PostScript file <span class="emphasis"><em>natively</em></span> to
+a bitmap, this is done in 2 stages:
+</p><div class="itemizedlist"><ul type="disc"><li><p>the first stage uses a Ghostscript device named "cups"
+(this is since version 1.1.15) and produces a generic raster format
+called "CUPS raster".
+</p></li><li><p>the second stage uses a "raster driver" which converts
+the generic CUPS raster to a device specific raster.</p></li></ul></div><p>
+Make sure your Ghostscript version has the "cups" device compiled in
+(check with <b class="command">gs -h | grep cups</b>). Otherwise you
+may encounter the dreaded <tt class="computeroutput">Unable to convert file
+0</tt> in your CUPS error_log file. To have "cups" as a
+device in your Ghostscript, you either need to <span class="emphasis"><em>patch GNU
+Ghostscript</em></span> and re-compile or use <a href="http://www.cups.org/ghostscript.php" target="_top">ESP Ghostscript</a>. The
+superior alternative is ESP Ghostscript: it supports not just CUPS,
+but 300 other devices too (while GNU Ghostscript supports only about
+180). Because of this broad output device support, ESP Ghostscript is
+the first choice for non-CUPS spoolers too. It is now recommended by
+Linuxprinting.org for all spoolers.
+</p><p>
+CUPS printers may be setup to use <span class="emphasis"><em>external</em></span>
+rendering paths. One of the most common ones is provided by the
+<span class="emphasis"><em>Foomatic/cupsomatic</em></span> concept, from <a href="http://www.linuxprinting.org/" target="_top">Linuxprinting.org</a>. This
+uses the classical Ghostscript approach, doing everything in one
+step. It doesn't use the "cups" device, but one of the many
+others. However, even for Foomatic/cupsomatic usage, best results and
+broadest printer model support is provided by ESP Ghostscript (more
+about cupsomatic/Foomatic, particularly the new version called now
+<span class="emphasis"><em>foomatic-rip</em></span>, follows below).
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955560"></a>MIME types and CUPS Filters</h3></div></div><div></div></div><p>
+CUPS reads the file <tt class="filename">/etc/cups/mime.types</tt>
+(and all other files carrying a <tt class="filename">*.types</tt> suffix
+in the same directory) upon startup. These files contain the MIME
+type recognition rules which are applied when CUPS runs its
+auto-typing routines. The rule syntax is explained in the man page
+for <tt class="filename">mime.types</tt> and in the comments section of the
+<tt class="filename">mime.types</tt> file itself. A simple rule reads
+like this:
+</p><pre class="screen">
+
+ application/pdf pdf string(0,%PDF)
+
+</pre><p>
+This means: if a filename has either a
+<tt class="filename">.pdf</tt> suffix, or if the magic
+string <span class="emphasis"><em>%PDF</em></span> is right at the
+beginning of the file itself (offset 0 from the start), then it is
+a PDF file (<span class="emphasis"><em>application/pdf</em></span>).
+Another rule is this:
+</p><pre class="screen">
+
+ application/postscript ai eps ps string(0,%!) string(0,<04>%!)
+
+</pre><p>
+Its meaning: if the filename has one of the suffixes
+<tt class="filename">.ai</tt>, <tt class="filename">.eps</tt>,
+<tt class="filename">.ps</tt> or if the file itself starts with one of the
+strings <span class="emphasis"><em>%!</em></span> or <span class="emphasis"><em><04>%!</em></span>, it
+is a generic PostScript file
+(<span class="emphasis"><em>application/postscript</em></span>).
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+There is a very important difference between two similar MIME type in
+CUPS: one is <span class="emphasis"><em>application/postscript</em></span>, the other is
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. While
+<span class="emphasis"><em>application/postscript</em></span> is meant to be device
+independent (job options for the file are still outside the PS file
+content, embedded in commandline or environment variables by CUPS),
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span> may have the job
+options inserted into the PostScript data itself (were
+applicable). The transformation of the generic PostScript
+(application/postscript) to the device-specific version
+(application/vnd.cups-postscript) is the responsibility of the
+CUPS <span class="emphasis"><em>pstops</em></span> filter. pstops uses information
+contained in the PPD to do the transformation.
+</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Don't confuse the other mime.types file your system might be using
+with the one in the <tt class="filename">/etc/cups/</tt> directory.
+</p></div><p>
+CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI and a
+lot of image formats (GIF. PNG, TIFF, JPEG, Photo-CD, SUN-Raster,
+PNM, PBM, SGI-RGB and some more) and their associated MIME types
+with its filters.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955747"></a>MIME type Conversion Rules</h3></div></div><div></div></div><p>
+CUPS reads the file <tt class="filename">/etc/cups/mime.convs</tt>
+(and all other files named with a <tt class="filename">*.convs</tt>
+suffix in the same directory) upon startup. These files contain
+lines naming an input MIME type, an output MIME type, a format
+conversion filter which can produce the output from the input type
+and virtual costs associated with this conversion. One example line
+reads like this:
+</p><pre class="screen">
+
+ application/pdf application/postscript 33 pdftops
+
+</pre><p>
+This means that the <span class="emphasis"><em>pdftops</em></span> filter will take
+<span class="emphasis"><em>application/pdf</em></span> as input and produce
+<span class="emphasis"><em>application/postscript</em></span> as output, the virtual
+cost of this operation is 33 CUPS-$. The next filter is more
+expensive, costing 66 CUPS-$:
+</p><pre class="screen">
+
+ application/vnd.hp-HPGL application/postscript 66 hpgltops
+
+</pre><p>
+This is the <span class="emphasis"><em>hpgltops</em></span>, which processes HP-GL
+plotter files to PostScript.
+</p><pre class="screen">
+
+ application/octet-stream
+
+</pre><p>
+Here are two more examples:
+</p><pre class="screen">
+
+ application/x-shell application/postscript 33 texttops
+ text/plain application/postscript 33 texttops
+
+</pre><p>
+The last two examples name the <span class="emphasis"><em>texttops</em></span> filter
+to work on "text/plain" as well as on "application/x-shell". (Hint:
+this differentiation is needed for the syntax highlighting feature of
+"texttops").
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955864"></a>Filter Requirements</h3></div></div><div></div></div><p>
+There are many more combinations named in mime.convs. However, you
+are not limited to use the ones pre-defined there. You can plug in any
+filter you like into the CUPS framework. It must meet, or must be made
+to meet some minimal requirements. If you find (or write) a cool
+conversion filter of some kind, make sure it complies to what CUPS
+needs, and put in the right lines in <tt class="filename">mime.types</tt>
+and <tt class="filename">mime.convs</tt>, then it will work seamlessly
+inside CUPS!
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+The mentioned "CUPS requirements" for filters are simple. Take
+filenames or <tt class="filename">stdin</tt> as input and write to
+<tt class="filename">stdout</tt>. They should take these 5 or 6 arguments:
+<span class="emphasis"><em>printer job user title copies options [filename]</em></span>
+</p><div class="variablelist"><dl><dt><span class="term">Printer</span></dt><dd><p>The name of the printer queue (normally this is the
+name of the filter being run)</p></dd><dt><span class="term">job</span></dt><dd><p>The numeric job ID for the job being
+printed</p></dd><dt><span class="term">Printer</span></dt><dd><p>The string from the originating-user-name
+attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The string from the job-name attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The numeric value from the number-copies
+attribute</p></dd><dt><span class="term">Printer</span></dt><dd><p>The job options</p></dd><dt><span class="term">Printer</span></dt><dd><p>(Optionally) The print request file (if missing,
+filters expected data fed through <tt class="filename">stdin</tt>). In most
+cases it is very easy to write a simple wrapper script around existing
+filters to make them work with CUPS.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956034"></a>Prefilters</h3></div></div><div></div></div><p>
+As was said, PostScript is the central file format to any Unix based
+printing system. From PostScript, CUPS generates raster data to feed
+non-PostScript printers.
+</p><p>
+But what is happening if you send one of the supported non-PS formats
+to print? Then CUPS runs "pre-filters" on these input formats to
+generate PostScript first. There are pre-filters to create PS from
+ASCII text, PDF, DVI or HP-GL. The outcome of these filters is always
+of MIME type <span class="emphasis"><em>application/postscript</em></span> (meaning that
+any device-specific print options are not yet embedded into the
+PostScript by CUPS, and that the next filter to be called is
+pstops). Another pre-filter is running on all supported image formats,
+the <span class="emphasis"><em>imagetops</em></span> filter. Its outcome is always of
+MIME type <span class="emphasis"><em>application/vnd.cups-postscript</em></span>
+(<span class="emphasis"><em>not</em></span> application/postscript), meaning it has the
+print options already embedded into the file.
+</p><p>
+</p><div class="figure"><a name="id2956084"></a><p class="title"><b>Figure 19.4. Prefiltering in CUPS to form Postscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/4small.png" alt="Prefiltering in CUPS to form Postscript"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956120"></a>pstops</h3></div></div><div></div></div><p>
+<span class="emphasis"><em>pstops</em></span>is the filter to convert
+<span class="emphasis"><em>application/postscript</em></span> to
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span>. It was said
+above that this filter inserts all device-specific print options
+(commands to the printer to ask for the duplexing of output, or
+stapling an punching it, etc.) into the PostScript file.
+</p><p>
+</p><div class="figure"><a name="id2956149"></a><p class="title"><b>Figure 19.5. Adding Device-specific Print Options</b></p><div class="mediaobject"><img src="projdoc/imagefiles/5small.png" alt="Adding Device-specific Print Options"></div></div><p>
+</p><p>
+This is not all: other tasks performed by it are:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+selecting the range of pages to be printed (if you choose to
+print only pages "3, 6, 8-11, 16, 19-21", or only the odd numbered
+ones)
+</p></li><li><p>
+putting 2 or more logical pages on one sheet of paper (the
+so-called "number-up" function)
+</p></li><li><p>counting the pages of the job to insert the accounting
+information into the <tt class="filename">/var/log/cups/page_log</tt>
+</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956222"></a>pstoraster</h3></div></div><div></div></div><p>
+<span class="emphasis"><em>pstoraster</em></span> is at the core of the CUPS filtering
+system. It is responsible for the first stage of the rasterization
+process. Its input is of MIME type application/vnd.cups-postscript;
+its output is application/vnd.cups-raster. This output format is not
+yet meant to be printable. Its aim is to serve as a general purpose
+input format for more specialized <span class="emphasis"><em>raster drivers</em></span>,
+that are able to generate device-specific printer data.
+</p><p>
+</p><div class="figure"><a name="id2956251"></a><p class="title"><b>Figure 19.6. Postscript to intermediate Raster format</b></p><div class="mediaobject"><img src="projdoc/imagefiles/6small.png" alt="Postscript to intermediate Raster format"></div></div><p>
+</p><p>
+CUPS raster is a generic raster format with powerful features. It is
+able to include per-page information, color profiles and more to be
+used by the following downstream raster drivers. Its MIME type is
+registered with IANA and its specification is of course completely
+open. It is designed to make it very easy and inexpensive for
+manufacturers to develop Linux and Unix raster drivers for their
+printer models, should they choose to do so. CUPS always takes care
+for the first stage of rasterization so these vendors don't need to care
+about Ghostscript complications (in fact, there is currently more
+than one vendor financing the development of CUPS raster drivers).
+</p><p>
+</p><div class="figure"><a name="id2956304"></a><p class="title"><b>Figure 19.7. CUPS-raster production using Ghostscript</b></p><div class="mediaobject"><img src="projdoc/imagefiles/7small.png" alt="CUPS-raster production using Ghostscript"></div></div><p>
+</p><p>
+CUPS versions before version 1.1.15 were shipping a binary (or source
+code) standalone filter, named "pstoraster". pstoraster was derived
+from GNU Ghostscript 5.50, and could be installed besides and in
+addition to any GNU or AFPL Ghostscript package without conflicting.
+</p><p>
+From version 1.1.15, this has changed. The functions for this has been
+integrated back into Ghostscript (now based on GNU Ghostscript version
+7.05). The "pstoraster" filter is now a simple shell script calling
+<b class="command">gs</b> with the <b class="command">-sDEVICE=cups</b>
+parameter. If your Ghostscript doesn't show a success on asking for
+<b class="command">gs -h |grep cups</b>, you might not be able to
+print. Update your Ghostscript then!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956377"></a>imagetops and imagetoraster</h3></div></div><div></div></div><p>
+Above in the section about prefilters, we mentioned the prefilter
+that generates PostScript from image formats. The imagetoraster
+filter is used to convert directly from image to raster, without the
+intermediate PostScript stage. It is used more often than the above
+mentioned prefilters. Here is a summarizing flowchart of image file
+filtering:
+</p><p>
+</p><div class="figure"><a name="id2956398"></a><p class="title"><b>Figure 19.8. Image format to CUPS-raster format conversion</b></p><div class="mediaobject"><img src="projdoc/imagefiles/8small.png" alt="Image format to CUPS-raster format conversion"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956434"></a>rasterto [printers specific]</h3></div></div><div></div></div><p>
+CUPS ships with quite some different raster drivers processing CUPS
+raster. On my system I find in /usr/lib/cups/filter/ these:
+<i class="parameter"><tt>rastertoalps, rastertobj, rastertoepson, rastertoescp,
+rastertopcl, rastertoturboprint, rastertoapdk, rastertodymo,
+rastertoescp, rastertohp</tt></i> and
+<i class="parameter"><tt>rastertoprinter</tt></i>. Don't worry if you have less
+than this; some of these are installed by commercial add-ons to CUPS
+(like <i class="parameter"><tt>rastertoturboprint</tt></i>), others (like
+<i class="parameter"><tt>rastertoprinter</tt></i>) by 3rd party driver
+development projects (such as Gimp-Print) wanting to cooperate as
+closely as possible with CUPS.
+</p><p>
+</p><div class="figure"><a name="id2956484"></a><p class="title"><b>Figure 19.9. Raster to Printer Specific formats</b></p><div class="mediaobject"><img src="projdoc/imagefiles/9small.png" alt="Raster to Printer Specific formats"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956519"></a>CUPS Backends</h3></div></div><div></div></div><p>
+The last part of any CUPS filtering chain is a "backend". Backends
+are special programs that send the print-ready file to the final
+device. There is a separate backend program for any transfer
+"protocol" of sending printjobs over the network, or for every local
+interface. Every CUPS printqueue needs to have a CUPS "device-URI"
+associated with it. The device URI is the way to encode the backend
+used to send the job to its destination. Network device-URIs are using
+two slashes in their syntax, local device URIs only one, as you can
+see from the following list. Keep in mind that local interface names
+may vary much from my examples, if your OS is not Linux:
+</p><div class="variablelist"><dl><dt><span class="term">usb</span></dt><dd><p>
+This backend sends printfiles to USB-connected printers. An
+example for the CUPS device-URI to use is:
+<tt class="filename">usb:/dev/usb/lp0</tt>
+</p></dd><dt><span class="term">serial</span></dt><dd><p>
+This backend sends printfiles to serially connected printers.
+An example for the CUPS device-URI to use is:
+<tt class="filename">serial:/dev/ttyS0?baud=11500</tt>
+</p></dd><dt><span class="term">parallel</span></dt><dd><p>
+This backend sends printfiles to printers connected to the
+parallel port. An example for the CUPS device-URI to use is:
+<tt class="filename">parallel:/dev/lp0</tt>
+</p></dd><dt><span class="term">scsi</span></dt><dd><p>
+This backend sends printfiles to printers attached to the
+SCSI interface. An example for the CUPS device-URI to use is:
+<tt class="filename">scsi:/dev/sr1</tt>
+</p></dd><dt><span class="term">lpd</span></dt><dd><p>
+This backend sends printfiles to LPR/LPD connected network
+printers. An example for the CUPS device-URI to use is:
+<tt class="filename">lpd://remote_host_name/remote_queue_name</tt>
+</p></dd><dt><span class="term">AppSocket/HP JetDirect</span></dt><dd><p>
+This backend sends printfiles to AppSocket (a.k.a. "HP
+JetDirect") connected network printers. An example for the CUPS
+device-URI to use is:
+<tt class="filename">socket://10.11.12.13:9100</tt>
+</p></dd><dt><span class="term">ipp</span></dt><dd><p>
+This backend sends printfiles to IPP connected network
+printers (or to other CUPS servers). Examples for CUPS device-URIs
+to use are:
+<tt class="filename">ipp:://192.193.194.195/ipp</tt>
+(for many HP printers) or
+<tt class="filename">ipp://remote_cups_server/printers/remote_printer_name</tt>
+</p></dd><dt><span class="term">http</span></dt><dd><p>
+This backend sends printfiles to HTTP connected printers.
+(The http:// CUPS backend is only a symlink to the ipp:// backend.)
+Examples for the CUPS device-URIs to use are:
+<tt class="filename">http:://192.193.194.195:631/ipp</tt>
+(for many HP printers) or
+<tt class="filename">http://remote_cups_server:631/printers/remote_printer_name</tt>
+</p></dd><dt><span class="term">smb</span></dt><dd><p>
+This backend sends printfiles to printers shared by a Windows
+host. An example for CUPS device-URIs to use are:
+<tt class="filename">smb://workgroup/server/printersharename</tt>
+Or
+<tt class="filename">Smb://server/printersharename</tt>
+or
+<tt class="filename">smb://username:password@workgroup/server/printersharename</tt>
+or
+<tt class="filename">smb://username:password@server/printersharename</tt>.
+The smb:// backend is a symlink to the Samba utility
+<span class="emphasis"><em>smbspool</em></span> (doesn't ship with CUPS). If the
+symlink is not present in your CUPS backend directory, have your
+root user create it: <b class="command">ln -s `which smbspool`
+/usr/lib/cups/backend/smb</b>.
+</p></dd></dl></div><p>
+It is easy to write your own backends as Shell or Perl scripts, if you
+need any modification or extension to the CUPS print system. One
+reason could be that you want to create "special" printers which send
+the printjobs as email (through a "mailto:/" backend), convert them to
+PDF (through a "pdfgen:/" backend) or dump them to "/dev/null" (In
+fact I have the system-wide default printer set up to be connected to
+a "devnull:/" backend: there are just too many people sending jobs
+without specifying a printer, or scripts and programs which don't name
+a printer. The system-wide default deletes the job and sends a polite
+mail back to the $USER asking him to always specify a correct
+printername).
+</p><p>
+Not all of the mentioned backends may be present on your system or
+usable (depending on your hardware configuration). One test for all
+available CUPS backends is provided by the <span class="emphasis"><em>lpinfo</em></span>
+utility. Used with the <i class="parameter"><tt>-v</tt></i> parameter, it lists
+all available backends:
+</p><pre class="screen">
+
+ lpinfo -v
+
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956831"></a>cupsomatic/Foomatic -- how do they fit into the Picture?</h3></div></div><div></div></div><p>
+"cupsomatic" filters may be the most widely used on CUPS
+installations. You must be clear about the fact that these were not
+developed by the CUPS people. They are a "Third Party" add-on to
+CUPS. They utilize the traditional Ghostscript devices to render jobs
+for CUPS. When troubleshooting, you should know about the
+difference. Here the whole rendering process is done in one stage,
+inside Ghostscript, using an appropriate "device" for the target
+printer. cupsomatic uses PPDs which are generated from the "Foomatic"
+Printer & Driver Database at Linuxprinting.org.
+</p><p>
+You can recognize these PPDs from the line calling the
+<span class="emphasis"><em>cupsomatic</em></span> filter:
+</p><pre class="screen">
+
+ *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
+
+</pre><p>
+This line you may find amongst the first 40 or so lines of the PPD
+file. If you have such a PPD installed, the printer shows up in the
+CUPS web interface with a <span class="emphasis"><em>foomatic</em></span> namepart for
+the driver description. cupsomatic is a Perl script that runs
+Ghostscript, with all the complicated commandline options
+auto-constructed from the selected PPD and commandline options give to
+the printjob.
+</p><p>
+However, cupsomatic is now deprecated. Its PPDs (especially the first
+generation of them, still in heavy use out there) are not meeting the
+Adobe specifications. You might also suffer difficulties when you try
+to download them with "Point'n'Print" to Windows clients. A better,
+and more powerful successor is now in a very stable Beta-version
+available: it is called <span class="emphasis"><em>foomatic-rip</em></span>. To use
+foomatic-rip as a filter with CUPS, you need the new-type PPDs. These
+have a similar, but different line:
+</p><pre class="screen">
+
+ *cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
+
+</pre><p>
+The PPD generating engine at Linuxprinting.org has been revamped.
+The new PPDs comply to the Adobe spec. On top, they also provide a
+new way to specify different quality levels (hi-res photo, normal
+color, grayscale, draft...) with a single click (whereas before you
+could have required 5 or more different selections (media type,
+resolution, inktype, dithering algorithm...). There is support for
+custom-size media built in. There is support to switch
+print-options from page to page, in the middle of a job. And the
+best thing is: the new foomatic-rip now works seamlessly with all
+legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR etc.), providing
+for them access to use PPDs for their printing!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956944"></a>The Complete Picture</h3></div></div><div></div></div><p>
+If you want to see an overview over all the filters and how they
+relate to each other, the complete picture of the puzzle is at the end
+of this document.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956960"></a><tt class="filename">mime.convs</tt></h3></div></div><div></div></div><p>
+CUPS auto-constructs all possible filtering chain paths for any given
+MIME type, and every printer installed. But how does it decide in
+favor or against a specific alternative? (There may often be cases,
+where there is a choice of two or more possible filtering chains for
+the same target printer). Simple: you may have noticed the figures in
+the 3rd column of the mime.convs file. They represent virtual costs
+assigned to this filter. Every possible filtering chain will sum up to
+a total "filter cost". CUPS decides for the most "inexpensive" route.
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+The setting of <i class="parameter"><tt>FilterLimit 1000</tt></i> in
+<tt class="filename">cupsd.conf</tt> will not allow more filters to
+run concurrently than will consume a total of 1000 virtual filter
+cost. This is a very efficient way to limit the load of any CUPS
+server by setting an appropriate "FilterLimit" value. A FilterLimit of
+200 allows roughly 1 job at a time, while a FilterLimit of 1000 allows
+approximately 5 jobs maximum at a time.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957012"></a>"Raw" printing</h3></div></div><div></div></div><p>
+You can tell CUPS to print (nearly) any file "raw". "Raw" means it
+will not be filtered. CUPS will send the file to the printer "as is"
+without bothering if the printer is able to digest it. Users need to
+take care themselves that they send sensible data formats only. Raw
+printing can happen on any queue if the "-o raw" option is specified
+on the command line. You can also set up raw-only queues by simply not
+associating any PPD with it. This command:
+</p><pre class="screen">
+
+ lpadmin -P rawprinter -v socket://11.12.13.14:9100 -E
+
+</pre><p>
+sets up a queue named "rawprinter", connected via the "socket"
+protocol (a.k.a. "HP JetDirect") to the device at IP address
+11.12.1.3.14, using port 9100. (If you had added a PPD with
+<b class="command">-P /path/to/PPD</b> to this command line, you would
+have installed a "normal" printqueue.
+</p><p>
+CUPS will automatically treat each job sent to a queue as a "raw" one,
+if it can't find a PPD associated with the queue. However, CUPS will
+only send known MIME types (as defined in its own mime.types file) and
+refuse others.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957066"></a>"application/octet-stream" printing</h3></div></div><div></div></div><p>
+Any MIME type with no rule in the
+<tt class="filename">/etc/cups/mime.types</tt> file is regarded as unknown
+or <span class="emphasis"><em>application/octet-stream</em></span> and will not be
+sent. Because CUPS refuses to print unknown MIME types per default,
+you will probably have experienced the fact that printjobs originating
+from Windows clients were not printed. You may have found an error
+message in your CUPS logs like:
+</p><pre class="screen">
+
+ Unable to convert file 0 to printable format for job
+
+</pre><p>
+To enable the printing of "application/octet-stream" files, edit
+these two files:
+</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="filename">/etc/cups/mime.convs</tt></p></li><li><p><tt class="filename">/etc/cups/mime.types</tt></p></li></ul></div><p>
+Both contain entries (at the end of the respective files) which must
+be uncommented to allow RAW mode operation for
+application/octet-stream. In <tt class="filename">/etc/cups/mime.types</tt>
+make sure this line is present:
+</p><pre class="screen">
+
+ application/octet-stream
+
+</pre><p>
+This line (with no specific auto-typing rule set) makes all files
+not otherwise auto-typed a member of application/octet-stream. In
+<tt class="filename">/etc/cups/mime.convs</tt>, have this
+line:
+</p><pre class="screen">
+
+ application/octet-stream application/vnd.cups-raw 0 -
+
+</pre><p>
+This line tells CUPS to use the <span class="emphasis"><em>Null Filter</em></span>
+(denoted as "-", doing... nothing at all) on
+<span class="emphasis"><em>application/octet-stream</em></span>, and tag the result as
+<span class="emphasis"><em>application/vnd.cups-raw</em></span>. This last one is
+always a green light to the CUPS scheduler to now hand the file over
+to the "backend" connecting to the printer and sending it over.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Editing the <tt class="filename">mime.convs</tt> and the
+<tt class="filename">mime.types</tt> file does not
+<span class="emphasis"><em>enforce</em></span> "raw" printing, it only
+<span class="emphasis"><em>allows</em></span> it.
+</p></div><p><b>Background. </b>
+CUPS being a more security-aware printing system than traditional ones
+does not by default allow one to send deliberate (possibly binary)
+data to printing devices. (This could be easily abused to launch a
+Denial of Service attack on your printer(s), causing at least the loss
+of a lot of paper and ink...) "Unknown" data are regarded by CUPS
+as <span class="emphasis"><em>MIME type</em></span>
+<span class="emphasis"><em>application/octet-stream</em></span>. While you
+<span class="emphasis"><em>can</em></span> send data "raw", the MIME type for these must
+be one that is known to CUPS and an allowed one. The file
+<tt class="filename">/etc/cups/mime.types</tt> defines the "rules" how CUPS
+recognizes MIME types. The file
+<tt class="filename">/etc/cups/mime.convs</tt> decides which file
+conversion filter(s) may be applied to which MIME types.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957282"></a>PostScript Printer Descriptions (PPDs) for non-PS Printers</h3></div></div><div></div></div><p>
+Originally PPDs were meant to be used for PostScript printers
+only. Here, they help to send device-specific commands and settings
+to the RIP which processes the jobfile. CUPS has extended this
+scope for PPDs to cover non-PostScript printers too. This was not
+very difficult, because it is a standardized file format. In a way
+it was logical too: CUPS handles PostScript and uses a PostScript
+RIP (=Ghostscript) to process the jobfiles. The only difference is:
+a PostScript printer has the RIP built-in, for other types of
+printers the Ghostscript RIP runs on the host computer.
+</p><p>
+PPDs for a non-PS printer have a few lines that are unique to
+CUPS. The most important one looks similar to this:
+</p><pre class="screen">
+
+ *cupsFilter: application/vnd.cups-raster 66 rastertoprinter
+
+</pre><p>
+It is the last piece in the CUPS filtering puzzle. This line tells the
+CUPS daemon to use as a last filter "rastertoprinter". This filter
+should be served as input an "application/vnd.cups-raster" MIME type
+file. Therefore CUPS should auto-construct a filtering chain, which
+delivers as its last output the specified MIME type. This is then
+taken as input to the specified "rastertoprinter" filter. After this
+the last filter has done its work ("rastertoprinter" is a Gimp-Print
+filter), the file should go to the backend, which sends it to the
+output device.
+</p><p>
+CUPS by default ships only a few generic PPDs, but they are good for
+several hundred printer models. You may not be able to control
+different paper trays, or you may get larger margins than your
+specific model supports):
+</p><div class="variablelist"><dl><dt><span class="term">deskjet.ppd</span></dt><dd><p>older HP inkjet printers and compatible
+</p></dd><dt><span class="term">deskjet2.ppd</span></dt><dd><p>newer HP inkjet printers and compatible
+</p></dd><dt><span class="term">dymo.ppd</span></dt><dd><p>label printers
+</p></dd><dt><span class="term">epson9.ppd</span></dt><dd><p>Epson 24pin impact printers and compatible
+</p></dd><dt><span class="term">epson24.ppd</span></dt><dd><p>Epson 24pin impact printers and compatible
+</p></dd><dt><span class="term">okidata9.ppd</span></dt><dd><p>Okidata 9pin impact printers and compatible
+</p></dd><dt><span class="term">okidat24.ppd</span></dt><dd><p>Okidata 24pin impact printers and compatible
+</p></dd><dt><span class="term">stcolor.ppd</span></dt><dd><p>older Epson Stylus Color printers
+</p></dd><dt><span class="term">stcolor2.ppd</span></dt><dd><p>newer Epson Stylus Color printers
+</p></dd><dt><span class="term">stphoto.ppd</span></dt><dd><p>older Epson Stylus Photo printers
+</p></dd><dt><span class="term">stphoto2.ppd</span></dt><dd><p>newer Epson Stylus Photo printers
+</p></dd><dt><span class="term">laserjet.ppd</span></dt><dd><p>all PCL printers. Further below is a discussion
+of several other driver/PPD-packages suitable fur use with CUPS.
+</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957510"></a>Difference between <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span> and
+<span class="emphasis"><em>native CUPS</em></span> printing</h3></div></div><div></div></div><p>
+Native CUPS rasterization works in two steps.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+First is the "pstoraster" step. It uses the special "cups"
+device from ESP Ghostscript 7.05.x as its tool
+</p></li><li><p>
+Second comes the "rasterdriver" step. It uses various
+device-specific filters; there are several vendors who provide good
+quality filters for this step, some are Free Software, some are
+Shareware/Non-Free, some are proprietary.</p></li></ul></div><p>
+Often this produces better quality (and has several more
+advantages) than other methods.
+</p><p>
+</p><div class="figure"><a name="id2957561"></a><p class="title"><b>Figure 19.10. cupsomatic/foomatic processing versus Native CUPS</b></p><div class="mediaobject"><img src="projdoc/imagefiles/10small.png" alt="cupsomatic/foomatic processing versus Native CUPS"></div></div><p>
+</p><p>
+One other method is the <span class="emphasis"><em>cupsomatic/foomatic-rip</em></span>
+way. Note that cupsomatic is <span class="emphasis"><em>not</em></span> made by the CUPS
+developers. It is an independent contribution to printing development,
+made by people from Linuxprinting.org (see also <a href="http://www.cups.org/cups-help.html" target="_top">http://www.cups.org/cups-help.html</a>).
+cupsomatic is no longer developed and maintained and is no longer
+supported. It has now been replaced by
+<span class="emphasis"><em>foomatic-rip</em></span>. foomatic-rip is a complete re-write
+of the old cupsomatic idea, but very much improved and generalized to
+other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly
+advised, especially if you are upgrading to a recent version of CUPS
+too.
+</p><p>
+Both the cupsomatic (old) and the foomatic-rip (new) methods from
+Linuxprinting.org use the traditional Ghostscript print file
+processing, doing everything in a single step. It therefore relies on
+all the other devices built-in into Ghostscript. The quality is as
+good (or bad) as Ghostscript rendering is in other spoolers. The
+advantage is that this method supports many printer models not
+supported (yet) by the more modern CUPS method.
+</p><p>
+Of course, you can use both methods side by side on one system (and
+even for one printer, if you set up different queues), and find out
+which works best for you.
+</p><p>
+cupsomatic "kidnaps" the printfile after the
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span> stage and
+deviates it through the CUPS-external, system wide Ghostscript
+installation: Therefore the printfile bypasses the "pstoraster" filter
+(and thus also bypasses the CUPS-raster-drivers
+"rastertosomething"). After Ghostscript finished its rasterization,
+cupsomatic hands the rendered file directly to the CUPS backend. The
+flowchart above illustrates the difference between native CUPS
+rendering and the Foomatic/cupsomatic method.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957666"></a>Examples for filtering Chains</h3></div></div><div></div></div><p>
+Here are a few examples of commonly occurring filtering chains to
+illustrate the workings of CUPS.
+</p><p>
+Assume you want to print a PDF file to a HP JetDirect-connected
+PostScript printer, but you want to print the pages 3-5, 7, 11-13
+only, and you want to print them "2-up" and "duplex":
+</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up,
+duplex) are passed to CUPS on the commandline;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as
+<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the
+<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript
+MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here
+would still show all pages of the original PDF);</p></li><li><p>the file then passes the <span class="emphasis"><em>pstops</em></span>
+filter which applies the commandline options: it selects the pages
+2-5, 7 and 11-13, creates and imposed layout "2 pages on 1 sheet" and
+inserts the correct "duplex" command (as is defined in the printer's
+PPD) into the new PostScript file; the file now is of PostScript MIME
+type
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file goes to the <span class="emphasis"><em>socket</em></span>
+backend, which transfers the job to the printers.</p></li></ul></div><p>
+The resulting filter chain therefore is:
+</p><pre class="screen">
+pdftops --> pstops --> socket
+</pre><p>
+Assume your want to print the same filter to an USB-connected
+Epson Stylus Photo printer, installed with the CUPS
+<tt class="filename">stphoto2.ppd</tt>. The first few filtering stages
+are nearly the same:
+</p><div class="itemizedlist"><ul type="disc"><li><p>your print options (page selection as required, 2-up,
+duplex) are passed to CUPS on the commandline;</p></li><li><p>the (complete) PDF file is sent to CUPS and autotyped as
+<span class="emphasis"><em>application/pdf</em></span>;</p></li><li><p>the file therefore first must pass the
+<span class="emphasis"><em>pdftops</em></span> pre-filter, which produces PostScript
+MIME type <span class="emphasis"><em>application/postscript</em></span> (a preview here
+would still show all pages of the original PDF);</p></li><li><p>the file then passes the "pstops" filter which applies
+the commandline options: it selects the pages 2-5, 7 and 11-13,
+creates and imposed layout "2 pages on 1 sheet" and inserts the
+correct "duplex" command... (OOoops -- this printer and his PPD
+don't support duplex printing at all -- this option will be ignored
+then) into the new PostScript file; the file now is of PostScript
+MIME type
+<span class="emphasis"><em>application/vnd.cups-postscript</em></span>;</p></li><li><p>the file then passes the
+<span class="emphasis"><em>pstoraster</em></span> stage and becomes MIME type
+<span class="emphasis"><em>application/cups-raster</em></span>;</p></li><li><p>finally, the <span class="emphasis"><em>rastertoepson</em></span> filter
+does its work (as is indicated in the printer's PPD), creating the
+printer-specific raster data and embedding any user-selected
+print-options into the print data stream;</p></li><li><p>the file goes to the <span class="emphasis"><em>usb</em></span> backend,
+which transfers the job to the printers.</p></li></ul></div><p>
+The resulting filter chain therefore is:
+</p><pre class="screen">
+pdftops --> pstops --> pstoraster --> rastertoepson --> usb
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957897"></a>Sources of CUPS drivers / PPDs</h3></div></div><div></div></div><p>
+On the internet you can find now many thousand CUPS-PPD files
+(with their companion filters), in many national languages,
+supporting more than 1000 non-PostScript models.
+</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://wwwl.easysw.com/printpro/" target="_top">ESP
+PrintPro (http://wwwl.easysw.com/printpro/)</a> (commercial,
+non-Free) is packaged with more than 3000 PPDs, ready for
+successful use "out of the box" on Linux, Mac OS X, IBM-AIX,
+HP-UX, Sun-Solaris, SGI-IRIX, Compaq Tru64, Digital Unix and some
+more commercial Unices (it is written by the CUPS developers
+themselves and its sales help finance the further development of
+CUPS, as they feed their creators).</p></li><li><p>the <a href="http://gimp-print.sourceforge.net/" target="_top">Gimp-Print-Project
+(http://gimp-print.sourceforge.net/)</a> (GPL, Free Software)
+provides around 140 PPDs (supporting nearly 400 printers, many driven
+to photo quality output), to be used alongside the Gimp-Print CUPS
+filters;</p></li><li><p><a href="http://www.turboprint.com/" target="_top">TurboPrint
+(http://www.turboprint.com/)</a> (Shareware, non-Free) supports
+roughly the same amount of printers in excellent
+quality;</p></li><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">OMNI
+(http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</a>
+(LPGL, Free) is a package made by IBM, now containing support for more
+than 400 printers, stemming from the inheritance of IBM OS/2 Know-How
+ported over to Linux (CUPS support is in a Beta-stage at
+present);</p></li><li><p><a href="http://hpinkjet.sourceforge.net/" target="_top">HPIJS
+(http://hpinkjet.sourceforge.net/)</a> (BSD-style licenses, Free)
+supports around 150 of HP's own printers and is also providing
+excellent print quality now (currently available only via the Foomatic
+path);</p></li><li><p><a href="http://www.linuxprinting.org/" target="_top">Foomatic/cupsomatic
+(http://www.linuxprinting.org/)</a> (LPGL, Free) from
+Linuxprinting.org are providing PPDs for practically every Ghostscript
+filter known to the world (including Omni, Gimp-Print and
+HPIJS).</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The cupsomatic/Foomatic trick from Linuxprinting.org works
+differently from the other drivers. This is explained elsewhere in this
+document.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958024"></a>Printing with Interface Scripts</h3></div></div><div></div></div><p>
+CUPS also supports the usage of "interface scripts" as known from
+System V AT&T printing systems. These are often used for PCL
+printers, from applications that generate PCL print jobs. Interface
+scripts are specific to printer models. They have a similar role as
+PPDs for PostScript printers. Interface scripts may inject the Escape
+sequences as required into the print data stream, if the user has
+chosen to select a certain paper tray, or print landscape, or use A3
+paper, etc. Interfaces scripts are practically unknown in the Linux
+realm. On HP-UX platforms they are more often used. You can use any
+working interface script on CUPS too. Just install the printer with
+the <b class="command">-i</b> option:
+</p><pre class="screen">
+
+ lpadmin -p pclprinter -v socket://11.12.13.14:9100 -i /path/to/interface-script
+
+</pre><p>
+Interface scripts might be the "unknown animal" to many. However,
+with CUPS they provide the most easy way to plug in your own
+custom-written filtering script or program into one specific print
+queue (some information about the traditional usage of interface scripts is
+to be found at <a href="http://playground.sun.com/printing/documentation/interface.html" target="_top">http://playground.sun.com/printing/documentation/interface.html</a>).
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958100"></a>Network printing (purely Windows)</h2></div></div><div></div></div><p>
+Network printing covers a lot of ground. To understand what exactly
+goes on with Samba when it is printing on behalf of its Windows
+clients, let's first look at a "purely Windows" setup: Windows clients
+with a Windows NT print server.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958116"></a>From Windows Clients to an NT Print Server</h3></div></div><div></div></div><p>
+Windows clients printing to an NT-based print server have two
+options. They may
+</p><div class="itemizedlist"><ul type="disc"><li><p>execute the driver locally and render the GDI output
+(EMF) into the printer specific format on their own,
+or</p></li><li><p>send the GDI output (EMF) to the server, where the
+driver is executed to render the printer specific
+output.</p></li></ul></div><p>
+Both print paths are shown in the flowcharts below.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958155"></a>Driver Execution on the Client</h3></div></div><div></div></div><p>
+In the first case the print server must spool the file as "raw",
+meaning it shouldn't touch the jobfile and try to convert it in any
+way. This is what traditional Unix-based print server can do too; and
+at a better performance and more reliably than NT print server. This
+is what most Samba administrators probably are familiar with. One
+advantage of this setup is that this "spooling-only" print server may
+be used even if no driver(s) for Unix are available it is sufficient
+to have the Windows client drivers available and installed on the
+clients.
+</p><p>
+</p><div class="figure"><a name="id2958191"></a><p class="title"><b>Figure 19.11. Print Driver execution on the Client</b></p><div class="mediaobject"><img src="projdoc/imagefiles/11small.png" alt="Print Driver execution on the Client"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958227"></a>Driver Execution on the Server</h3></div></div><div></div></div><p>
+The other path executes the printer driver on the server. The clients
+transfers print files in EMF format to the server. The server uses the
+PostScript, PCL, ESC/P or other driver to convert the EMF file into
+the printer-specific language. It is not possible for Unix to do the
+same. Currently there is no program or method to convert a Windows
+client's GDI output on a Unix server into something a printer could
+understand.
+</p><p>
+</p><div class="figure"><a name="id2958249"></a><p class="title"><b>Figure 19.12. Print Driver execution on the Server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/12small.png" alt="Print Driver execution on the Server"></div></div><p>
+</p><p>
+However, there is something similar possible with CUPS. Read on...
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958289"></a>Network Printing (Windows clients -- UNIX/Samba Print
+Servers)</h2></div></div><div></div></div><p>
+Since UNIX print servers <span class="emphasis"><em>cannot</em></span> execute the Win32
+program code on their platform, the picture is somewhat
+different. However, this doesn't limit your options all that
+much. In the contrary, you may have a way here to implement printing
+features which are not possible otherwise.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958310"></a>From Windows Clients to a CUPS/Samba Print Server</h3></div></div><div></div></div><p>
+Here is a simple recipe showing how you can take advantage of CUPS
+powerful features for the benefit of your Windows network printing
+clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Let the Windows clients send PostScript to the CUPS
+server.</p></li><li><p>Let the CUPS server render the PostScript into device
+specific raster format.</p></li></ul></div><p>
+This requires the clients to use a PostScript driver (even if the
+printer is a non-PostScript model. It also requires that you have a
+"driver" on the CUPS server.
+</p><p>
+Firstly, to enable CUPS based printing through Samba the
+following options should be set in your <tt class="filename">smb.conf</tt> file [globals]
+section:
+</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printing = CUPS</tt></i></p></li><li><p><i class="parameter"><tt>printcap = CUPS</tt></i></p></li></ul></div><p>
+When these parameters are specified, all manually set print directives
+(like <i class="parameter"><tt>print command =...</tt></i>, or <i class="parameter"><tt>lppause
+command =...</tt></i>) in <tt class="filename">smb.conf</tt> (as well as
+in samba itself) will be ignored. Instead, Samba will directly
+interface with CUPS through it's application program interface (API) -
+as long as Samba has been compiled with CUPS library (libcups)
+support. If Samba has NOT been compiled with CUPS support, and if no
+other print commands are set up, then printing will use the
+<span class="emphasis"><em>System V</em></span> AT&T command set, with the -oraw
+option automatically passing through (if you want your own defined
+print commands to work with a Samba that has CUPS support compiled in,
+simply use <i class="parameter"><tt>printing = sysv</tt></i>).
+</p><p>
+</p><div class="figure"><a name="id2958439"></a><p class="title"><b>Figure 19.13. Printing via CUPS/samba server</b></p><div class="mediaobject"><img src="projdoc/imagefiles/13small.png" alt="Printing via CUPS/samba server"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958474"></a>Samba receiving Jobfiles and passing them to CUPS</h3></div></div><div></div></div><p>
+Samba <span class="emphasis"><em>must</em></span> use its own spool directory (it is set
+by a line similar to <i class="parameter"><tt>path = /var/spool/samba</tt></i>,
+in the <i class="parameter"><tt>[printers]</tt></i> or
+<i class="parameter"><tt>[printername]</tt></i> section of
+<tt class="filename">smb.conf</tt>). Samba receives the job in its own
+spool space and passes it into the spool directory of CUPS (the CUPS
+spooling directory is set by the <i class="parameter"><tt>RequestRoot</tt></i>
+directive, in a line that defaults to <i class="parameter"><tt>RequestRoot
+/var/spool/cups</tt></i>). CUPS checks the access rights of its
+spool dir and resets it to healthy values with every re-start. We have
+seen quite some people who had used a common spooling space for Samba
+and CUPS, and were struggling for weeks with this "problem".
+</p><p>
+A Windows user authenticates only to Samba (by whatever means is
+configured). If Samba runs on the same host as CUPS, you only need to
+allow "localhost" to print. If they run on different machines, you
+need to make sure the Samba host gets access to printing on CUPS.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958550"></a>Network PostScript RIP: CUPS Filters on Server -- clients use
+PostScript Driver with CUPS-PPDs</h2></div></div><div></div></div><p>
+PPDs can control all print device options. They are usually provided
+by the manufacturer; if you own a PostScript printer, that is. PPD
+files (PostScript Printer Descriptions) are always a component of
+PostScript printer drivers on MS Windows or Apple Mac OS systems. They
+are ASCII files containing user-selectable print options, mapped to
+appropriate PostScript, PCL or PJL commands for the target
+printer. Printer driver GUI dialogs translate these options
+"on-the-fly" into buttons and drop-down lists for the user to select.
+</p><p>
+CUPS can load, without any conversions, the PPD file from any Windows
+(NT is recommended) PostScript driver and handle the options. There is
+a web browser interface to the print options (select <a href="http://localhost:631/printers/" target="_top">http://localhost:631/printers/</a>
+and click on one <span class="emphasis"><em>Configure Printer</em></span> button to see
+it), or a commandline interface (see <b class="command">man lpoptions</b>
+or see if you have lphelp on your system). There are also some
+different GUI frontends on Linux/UNIX, which can present PPD options
+to users. PPD options are normally meant to be evaluated by the
+PostScript RIP on the real PostScript printer.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958605"></a>PPDs for non-PS Printers on UNIX</h3></div></div><div></div></div><p>
+CUPS doesn't limit itself to "real" PostScript printers in its usage
+of PPDs. The CUPS developers have extended the scope of the PPD
+concept, to also describe available device and driver options for
+non-PostScript printers through CUPS-PPDs.
+</p><p>
+This is logical, as CUPS includes a fully featured PostScript
+interpreter (RIP). This RIP is based on Ghostscript. It can process
+all received PostScript (and additionally many other file formats)
+from clients. All CUPS-PPDs geared to non-PostScript printers contain
+an additional line, starting with the keyword
+<i class="parameter"><tt>*cupsFilter</tt></i> . This line tells the CUPS print
+system which printer-specific filter to use for the interpretation of
+the supplied PostScript. Thus CUPS lets all its printers appear as
+PostScript devices to its clients, because it can act as a PostScript
+RIP for those printers, processing the received PostScript code into a
+proper raster print format.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958646"></a>PPDs for non-PS Printers on Windows</h3></div></div><div></div></div><p>
+CUPS-PPDs can also be used on Windows-Clients, on top of a
+"core" PostScript driver (now recommended is the "CUPS PostScript
+Driver for WindowsNT/2K/XP"; you can also use the Adobe one, with
+limitations). This feature enables CUPS to do a few tricks no other
+spooler can do:
+</p><div class="itemizedlist"><ul type="disc"><li><p>act as a networked PostScript RIP (Raster Image
+Processor), handling printfiles from all client platforms in a uniform
+way;</p></li><li><p>act as a central accounting and billing server, since
+all files are passed through the pstops filter and are therefore
+logged in the CUPS <tt class="filename">page_log</tt> file.
+<span class="emphasis"><em>NOTE:</em></span> this can not happen with "raw" print jobs,
+which always remain unfiltered per definition;</p></li><li><p>enable clients to consolidate on a single PostScript
+driver, even for many different target printers.</p></li></ul></div><p>
+Using CUPS PPDs on Windows clients enables these to control
+all print job settings just as a UNIX client can do too.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958712"></a>Windows Terminal Servers (WTS) as CUPS Clients</h2></div></div><div></div></div><p>
+This setup may be of special interest to people experiencing major
+problems in WTS environments. WTS need often a multitude of
+non-PostScript drivers installed to run their clients' variety of
+different printer models. This often imposes the price of much
+increased instability.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958729"></a>Printer Drivers running in "Kernel Mode" cause many
+Problems</h3></div></div><div></div></div><p>
+The reason is that in Win NT printer drivers run in "Kernel
+Mode", this introduces a high risk for the stability of the system
+if the driver is not really stable and well-tested. And there are a
+lot of bad drivers out there! Especially notorious is the example
+of the PCL printer driver that had an additional sound module
+running, to notify users via soundcard of their finished jobs. Do I
+need to say that this one was also reliably causing "Blue Screens
+of Death" on a regular basis?
+</p><p>
+PostScript drivers generally are very well tested. They are not known
+to cause any problems, even though they run in Kernel Mode too. This
+might be because there have so far only been 2 different PostScript
+drivers the ones from Adobe and the one from Microsoft. Both are
+very well tested and are as stable as you ever can imagine on
+Windows. The CUPS driver is derived from the Microsoft one.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958763"></a>Workarounds impose Heavy Limitations</h3></div></div><div></div></div><p>
+In many cases, in an attempt to work around this problem, site
+administrators have resorted to restrict the allowed drivers installed
+on their WTS to one generic PCL- and one PostScript driver. This
+however restricts the clients in the amount of printer options
+available for them; often they can't get out more than simplex
+prints from one standard paper tray, while their devices could do much
+better, if driven by a different driver! )
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958784"></a>CUPS: a "Magical Stone"?</h3></div></div><div></div></div><p>
+Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very
+elegant way to overcome all these shortcomings. There are, depending
+on the version of Windows OS you use, up to 3 different PostScript
+drivers available: Adobe, Microsoft and CUPS PostScript drivers. None
+of them is known to cause major stability problems on WTS (even if
+used with many different PPDs). The clients will be able to (again)
+chose paper trays, duplex printing and other settings. However, there
+is a certain price for this too: a CUPS server acting as a PostScript
+RIP for its clients requires more CPU and RAM than when just acting as
+a "raw spooling" device. Plus, this setup is not yet widely tested,
+although the first feedbacks look very promising.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958811"></a>PostScript Drivers with no major problems -- even in Kernel
+Mode</h3></div></div><div></div></div><p>
+More recent printer drivers on W2K and XP don't run in Kernel mode
+(unlike Win NT) any more. However, both operating systems can still
+use the NT drivers, running in Kernel mode (you can roughly tell which
+is which as the drivers in subdirectory "2" of "W32X86" are "old"
+ones). As was said before, the Adobe as well as the Microsoft
+PostScript drivers are not known to cause any stability problems. The
+CUPS driver is derived from the Microsoft one. There is a simple
+reason for this: The MS DDK (Device Development Kit) for Win NT (which
+used to be available at no cost to licensees of Visual Studio)
+includes the source code of the Microsoft driver, and licensees of
+Visual Studio are allowed to use and modify it for their own driver
+development efforts. This is what the CUPS people have done. The
+license doesn't allow them to publish the whole of the source code.
+However, they have released the "diff" under the GPL, and if you are
+owner of an "MS DDK for Win NT", you can check the driver yourself.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958865"></a> Setting up CUPS for driver Download</h2></div></div><div></div></div><p>
+As we have said before: all previously known methods to prepare client
+printer drivers on the Samba server for download and "Point'n'Print"
+convenience of Windows workstations are working with CUPS too. These
+methods were described in the previous chapter. In reality, this is a
+pure Samba business, and only relates to the Samba/Win client
+relationship.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958884"></a><span class="emphasis"><em>cupsaddsmb</em></span>: the unknown Utility</h3></div></div><div></div></div><p>
+The cupsaddsmb utility (shipped with all current CUPS versions) is an
+alternative method to transfer printer drivers into the Samba
+<i class="parameter"><tt>[print$]</tt></i> share. Remember, this share is where
+clients expect drivers deposited and setup for download and
+installation. It makes the sharing of any (or all) installed CUPS
+printers very easy. cupsaddsmb can use the Adobe PostScript driver as
+well as the newly developed <span class="emphasis"><em>CUPS PostScript Driver for
+WinNT/2K/XP</em></span>. Note, that cupsaddsmb does
+<span class="emphasis"><em>not</em></span> work with arbitrary vendor printer drivers,
+but only with the <span class="emphasis"><em>exact</em></span> driver files that are
+named in its man page.
+</p><p>
+The CUPS printer driver is available from the CUPS download site. Its
+package name is <tt class="filename">cups-samba-[version].tar.gz</tt> . It
+is preferred over the Adobe drivers since it has a number of
+advantages:
+</p><div class="itemizedlist"><ul type="disc"><li><p>it supports a much more accurate page
+accounting;</p></li><li><p>it supports banner pages, and page labels on all
+printers;</p></li><li><p>it supports the setting of a number of job IPP
+attributes (such as job-priority, page-label and
+job-billing)</p></li></ul></div><p>
+However, currently only Windows NT, 2000, and XP are supported by the
+CUPS drivers. You will need to get the respective part of Adobe driver
+too if you need to support Windows 95, 98, and ME clients.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958976"></a>Prepare your <tt class="filename">smb.conf</tt> for
+cupsaddsmb</h3></div></div><div></div></div><p>
+Prior to running cupsaddsmb, you need the following settings in
+<tt class="filename">smb.conf</tt>:
+</p><pre class="screen">
+
+ [global]
+ load printers = yes
+ printing = cups
+ printcap name = cups
+
+ [printers]
+ comment = All Printers
+ path = /var/spool/samba
+ browseable = no
+ public = yes
+ guest ok = yes # setting depends on your requirements
+ writable = no
+ printable = yes
+ printer admin = root
+
+ [print$]
+ comment = Printer Drivers
+ path = /etc/samba/drivers
+ browseable = yes
+ guest ok = no
+ read only = yes
+ write list = root
+
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959022"></a>CUPS Package of "PostScript Driver for WinNT/2k/XP"</h3></div></div><div></div></div><p>
+CUPS users may get the exactly same packages from<a href="http://www.cups.org/software.html" target="_top"><span class="emphasis"><em>http://www.cups.org/software.html</em></span></a>.
+It is a separate package from the CUPS base software files, tagged as
+<span class="emphasis"><em>CUPS 1.1.x Windows NT/2k/XP Printer Driver for SAMBA
+(tar.gz, 192k)</em></span>. The filename to download is
+<tt class="filename">cups-samba-1.1.x.tar.gz</tt>. Upon untar-/unzip-ing,
+it will reveal these files:
+</p><pre class="screen">
+
+# tar xvzf cups-samba-1.1.19.tar.gz
+
+ cups-samba.install
+ cups-samba.license
+ cups-samba.readme
+ cups-samba.remove
+ cups-samba.ss
+
+</pre><p>
+These have been packaged with the ESP meta packager software
+"EPM". The <tt class="filename">*.install</tt> and
+<tt class="filename">*.remove</tt> files are simple shell scripts, which
+untars the <tt class="filename">*.ss</tt> (the <tt class="filename">*.ss</tt> is
+nothing else but a tar-archive, which can be untar-ed by "tar"
+too). Then it puts the content into
+<tt class="filename">/usr/share/cups/drivers/</tt>. This content includes 3
+files:
+</p><pre class="screen">
+
+# tar tv cups-samba.ss
+
+ cupsdrvr.dll
+ cupsui.dll
+ cups.hlp
+
+</pre><p>
+The <span class="emphasis"><em>cups-samba.install</em></span> shell scripts is easy to
+handle:
+</p><pre class="screen">
+
+# ./cups-samba.install
+
+ [....]
+ Installing software...
+ Updating file permissions...
+ Running post-install commands...
+ Installation is complete.
+
+</pre><p>
+The script should automatically put the driver files into the
+<tt class="filename">/usr/share/cups/drivers/</tt> directory.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Due to a bug, one recent CUPS release puts the
+<tt class="filename">cups.hlp</tt> driver file
+into<tt class="filename">/usr/share/drivers/</tt> instead of
+<tt class="filename">/usr/share/cups/drivers/</tt>. To work around this,
+copy/move the file (after running the
+<b class="command">./cups-samba.install</b> script) manually to the
+right place.
+</p></div><pre class="screen">
+
+ cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/
+
+</pre><p>
+This new CUPS PostScript driver is currently binary-only, but free of
+charge. No complete source code is provided (yet). The reason is this:
+it has been developed with the help of the <span class="emphasis"><em>Microsoft Driver
+Developer Kit</em></span> (DDK) and compiled with Microsoft Visual
+Studio 6. Driver developers are not allowed to distribute the whole of
+the source code as Free Software. However, CUPS developers released
+the "diff" in source code under the GPL, so anybody with a license of
+Visual Studio and a DDK will be able to compile for him/herself.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959220"></a>Recognize the different Driver Files</h3></div></div><div></div></div><p>
+The CUPS drivers don't support the "older" Windows 95/98/ME, but only
+the Windows NT/2000/XP client:
+</p><pre class="screen">
+
+ [Windows NT, 2000, and XP are supported by:]
+ cups.hlp
+ cupsdrvr.dll
+ cupsui.dll
+
+</pre><p>
+Adobe drivers are available for the older Windows 95/98/ME as well as
+the Windows NT/2000/XP clients. The set of files is different for the
+different platforms.
+</p><pre class="screen">
+
+ [Windows 95, 98, and Me are supported by:]
+ ADFONTS.MFM
+ ADOBEPS4.DRV
+ ADOBEPS4.HLP
+ DEFPRTR2.PPD
+ ICONLIB.DLL
+ PSMON.DLL
+
+ [Windows NT, 2000, and XP are supported by:]
+ ADOBEPS5.DLL
+ ADOBEPSU.DLL
+ ADOBEPSU.HLP
+
+</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+If both, the Adobe driver files and the CUPS driver files for the
+support of WinNT/2k/XP are present in , the Adobe ones will be ignored
+and the CUPS ones will be used. If you prefer -- for whatever reason
+-- to use Adobe-only drivers, move away the 3 CUPS driver files. The
+Win95/98/ME clients use the Adobe drivers in any case.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959278"></a>Acquiring the Adobe Driver Files</h3></div></div><div></div></div><p>
+Acquiring the Adobe driver files seems to be unexpectedly difficult
+for many users. They are not available on the Adobe website as single
+files and the self-extracting and/or self-installing Windows-exe is
+not easy to locate either. Probably you need to use the included
+native installer and run the installation process on one client
+once. This will install the drivers (and one Generic PostScript
+printer) locally on the client. When they are installed, share the
+Generic PostScript printer. After this, the client's
+<i class="parameter"><tt>[print$]</tt></i> share holds the Adobe files, from
+where you can get them with smbclient from the CUPS host. A more
+detailed description about this is in the next (the CUPS printing)
+chapter.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959310"></a>ESP Print Pro Package of "PostScript Driver for
+WinNT/2k/XP"</h3></div></div><div></div></div><p>
+Users of the ESP Print Pro software are able to install their "Samba
+Drivers" package for this purpose with no problem. Retrieve the driver
+files from the normal download area of the ESP Print Pro software
+at<a href="http://www.easysw.com/software.html" target="_top">http://www.easysw.com/software.html</a>.
+You need to locate the link labelled "SAMBA" amongst the
+<span class="emphasis"><em>Download Printer Drivers for ESP Print Pro 4.x</em></span>
+area and download the package. Once installed, you can prepare any
+driver by simply highlighting the printer in the Printer Manager GUI
+and select <span class="emphasis"><em>Export Driver...</em></span> from the menu. Of
+course you need to have prepared Samba beforehand too to handle the
+driver files; i.e. mainly setup the <i class="parameter"><tt>[print$]</tt></i>
+share, etc. The ESP Print Pro package includes the CUPS driver files
+as well as a (licensed) set of Adobe drivers for the Windows 95/98/ME
+client family.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959360"></a>Caveats to be considered</h3></div></div><div></div></div><p>
+Once you have run the install script (and possibly manually
+moved the <tt class="filename">cups.hlp</tt> file to
+<tt class="filename">/usr/share/cups/drivers/</tt>), the driver is
+ready to be put into Samba's <i class="parameter"><tt>[print$]</tt></i> share (which often maps to
+<tt class="filename">/etc/samba/drivers/</tt> and contains a subdir
+tree with <span class="emphasis"><em>WIN40</em></span> and
+<span class="emphasis"><em>W32X86</em></span> branches): You do this by running
+"cupsaddsmb" (see also <b class="command">man cupsaddsmb</b> for
+CUPS since release 1.1.16).
+</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
+You may need to put root into the smbpasswd file by running
+<b class="command">smbpasswd</b>; this is especially important if you
+should run this whole procedure for the first time, and are not
+working in an environment where everything is configured for
+<span class="emphasis"><em>Single Sign On</em></span> to a Windows Domain Controller.
+</p></div><p>
+Once the driver files are in the <i class="parameter"><tt>[print$]</tt></i> share
+and are initialized, they are ready to be downloaded and installed by
+the Win NT/2k/XP clients.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+</p><div class="orderedlist"><ol type="1"><li><p>
+Win 9x/ME clients won't work with the CUPS PostScript driver. For
+these you'd still need to use the <tt class="filename">ADOBE*.*</tt>
+drivers as previously.
+</p></li><li><p>
+It is not harmful if you still have the
+<tt class="filename">ADOBE*.*</tt> driver files from previous
+installations in the <tt class="filename">/usr/share/cups/drivers/</tt>
+directory. The new <span class="emphasis"><em>cupsaddsmb</em></span> (from 1.1.16) will
+automatically prefer "its own" drivers if it finds both.
+</p></li><li><p>
+Should your Win clients have had the old <tt class="filename">ADOBE*.*</tt>
+files for the Adobe PostScript driver installed, the download and
+installation of the new CUPS PostScript driver for Windows NT/2k/XP
+will fail at first. You need to wipe the old driver from the clients
+first. It is not enough to "delete" the printer, as the driver files
+will still be kept by the clients and re-used if you try to re-install
+the printer. To really get rid of the Adobe driver files on the
+clients, open the "Printers" folder (possibly via <span class="emphasis"><em>Start
+--> Settings --> Control Panel --> Printers</em></span>),
+right-click onto the folder background and select <span class="emphasis"><em>Server
+Properties</em></span>. When the new dialog opens, select the
+<span class="emphasis"><em>Drivers</em></span> tab. On the list select the driver you
+want to delete and click on the <span class="emphasis"><em>Delete</em></span>
+button. This will only work if there is not one single printer left
+which uses that particular driver. You need to "delete" all printers
+using this driver in the "Printers" folder first. You will need
+Administrator privileges to do this.
+</p></li><li><p>
+Once you have successfully downloaded the CUPS PostScript driver to a
+client, you can easily switch all printers to this one by proceeding
+as described elsewhere in the "Samba HOWTO Collection": either change
+a driver for an existing printer by running the "Printer Properties"
+dialog, or use <b class="command">rpcclient</b> with the
+<b class="command">setdriver</b> sub-command.
+</p></li></ol></div><p>
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959582"></a>What are the Benefits of using the "CUPS PostScript Driver for
+Windows NT/2k/XP" as compared to the Adobe Driver?</h3></div></div><div></div></div><p>
+You are interested in a comparison between the CUPS and the Adobe
+PostScript drivers? For our purposes these are the most important
+items which weigh in favor of the CUPS ones:
+</p><div class="itemizedlist"><ul type="disc"><li><p>no hassle with the Adobe EULA</p></li><li><p>no hassle with the question “<span class="quote">Where do I
+get the ADOBE*.* driver files from?</span>”</p></li><li><p>the Adobe drivers (on request of the printer PPD
+associated with them) often put a PJL header in front of the main
+PostScript part of the print file. Thus the printfile starts with
+<i class="parameter"><tt><1B >%-12345X</tt></i> or
+<i class="parameter"><tt><escape>%-12345X</tt></i> instead
+of <i class="parameter"><tt>%!PS</tt></i>). This leads to the
+CUPS daemon auto-typing the incoming file as a print-ready file,
+not initiating a pass through the "pstops" filter (to speak more
+technically, it is not regarded as the generic MIME type
+<span class="emphasis"><em>application/postscript</em></span>, but as
+the more special MIME type
+<span class="emphasis"><em>application/cups.vnd-postscript</em></span>),
+which therefore also leads to the page accounting in
+<span class="emphasis"><em>/var/log/cups/page_log</em></span> not
+receiving the exact number of pages; instead the dummy page number
+of "1" is logged in a standard setup)</p></li><li><p>the Adobe driver has more options to "mis-configure" the
+PostScript generated by it (like setting it inadvertently to
+<span class="emphasis"><em>Optimize for Speed</em></span>, instead of
+<span class="emphasis"><em>Optimize for Portability</em></span>, which
+could lead to CUPS being unable to process it)</p></li><li><p>the CUPS PostScript driver output sent by Windows
+clients to the CUPS server will be guaranteed to be auto-typed always
+as generic MIME type <span class="emphasis"><em>application/postscript</em></span>,
+thusly passing through the CUPS "pstops" filter and logging the
+correct number of pages in the <tt class="filename">page_log</tt> for
+accounting and quota purposes</p></li><li><p>the CUPS PostScript driver supports the sending of
+additional standard (IPP) print options by Win NT/2k/XP clients. Such
+additional print options are: naming the CUPS standard
+<span class="emphasis"><em>banner pages</em></span> (or the custom ones, should they be
+installed at the time of driver download), using the CUPS
+<span class="emphasis"><em>page-label</em></span> option, setting a
+<span class="emphasis"><em>job-priority</em></span> and setting the <span class="emphasis"><em>scheduled
+time of printing</em></span> (with the option to support additional
+useful IPP job attributes in the future).</p></li><li><p>the CUPS PostScript driver supports the inclusion of
+the new <span class="emphasis"><em>*cupsJobTicket</em></span> comments at the
+beginning of the PostScript file (which could be used in the future
+for all sort of beneficial extensions on the CUPS side, but which will
+not disturb any other applications as they will regard it as a comment
+and simply ignore it).</p></li><li><p>the CUPS PostScript driver will be the heart of the
+fully fledged CUPS IPP client for Windows NT/2K/XP to be released soon
+(probably alongside the first Beta release for CUPS
+1.2).</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959764"></a>Run "cupsaddsmb" (quiet Mode)</h3></div></div><div></div></div><p>
+The cupsaddsmb command copies the needed files into your
+<i class="parameter"><tt>[print$]</tt></i> share. Additionally, the PPD
+associated with this printer is copied from
+<tt class="filename">/etc/cups/ppd/</tt> to
+<i class="parameter"><tt>[print$]</tt></i>. There the files wait for convenient
+Windows client installations via Point'n'Print. Before we can run the
+command successfully, we need to be sure that we can authenticate
+towards Samba. If you have a small network you are probably using user
+level security (<i class="parameter"><tt>security = user</tt></i>). Probably your
+root has already a Samba account. Otherwise, create it now, using
+<b class="command">smbpasswd</b>:
+</p><pre class="screen">
+
+ # smbpasswd -a root
+ New SMB password: [type in password 'secret']
+ Retype new SMB password: [type in password 'secret']
+
+</pre><p>
+Here is an example of a successfully run cupsaddsmb command.
+</p><pre class="screen">
+
+ # cupsaddsmb -U root infotec_IS2027
+ Password for root required to access localhost via SAMBA: [type in password 'secret']
+
+</pre><p>
+To share <span class="emphasis"><em>all</em></span> printers and drivers, use the
+<i class="parameter"><tt>-a</tt></i> parameter instead of a printer name. Since
+cupsaddsmb "exports" the printer drivers to Samba, it should be
+obvious that it only works for queues with a CUPS driver associated.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2959865"></a>Run "cupsaddsmb" with verbose Output</h3></div></div><div></div></div><p>
+Probably you want to see what's going on. Use the
+<i class="parameter"><tt>-v</tt></i> parameter to get a more verbose output. The
+output below was edited for better readability: all "\" at the end of
+a line indicate that I inserted an artificial line break plus some
+indentation here:
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+You will see the root password for the Samba account printed on
+screen. If you use remote access, the password will go over the wire
+unencrypted!
+</p></div><pre class="screen">
+
+ # cupsaddsmb -U root -v infotec_2105
+ Password for root required to access localhost via SAMBA:
+ Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put \
+ /var/spool/cups/tmp/3e98bf2d333b5 W32X86/infotec_2105.ppd;put \
+ /usr/share/cups/drivers/cupsdrvr.dll W32X86/cupsdrvr.dll;put \
+ /usr/share/cups/drivers/cupsui.dll W32X86/cupsui.dll;put \
+ /usr/share/cups/drivers/cups.hlp W32X86/cups.hlp'
+ added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+ Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
+ NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
+ putting file /var/spool/cups/tmp/3e98bf2d333b5 as \W32X86/infotec_2105.ppd (2328.8 kb/s) \
+ (average 2328.8 kb/s)
+ putting file /usr/share/cups/drivers/cupsdrvr.dll as \W32X86/cupsdrvr.dll (9374.3 kb/s) \
+ (average 5206.6 kb/s)
+ putting file /usr/share/cups/drivers/cupsui.dll as \W32X86/cupsui.dll (8107.2 kb/s) \
+ (average 5984.1 kb/s)
+ putting file /usr/share/cups/drivers/cups.hlp as \W32X86/cups.hlp (3475.0 kb/s) \
+ (average 5884.7 kb/s)
+
+ Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" \
+ "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll:cups.hlp:NULL: \
+ RAW:NULL"'
+ cmd = adddriver "Windows NT x86" "infotec_2105:cupsdrvr.dll:infotec_2105.ppd:cupsui.dll: \
+ cups.hlp:NULL:RAW:NULL"
+ Printer Driver infotec_2105 successfully installed.
+
+ Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put \
+ /var/spool/cups/tmp/3e98bf2d333b5 WIN40/infotec_2105.PPD; put \
+ /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put \
+ /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put \
+ /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put \
+ /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put \
+ /usr/share/cups/drivers/ICONLIB.DLL
+ WIN40/ICONLIB.DLL;put /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;'
+ added interface ip=10.160.51.60 bcast=10.160.51.255 nmask=255.255.252.0
+ Domain=[CUPS-PRINT] OS=[Unix] Server=[Samba 2.2.7a]
+ NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40
+ putting file /var/spool/cups/tmp/3e98bf2d333b5 as \WIN40/infotec_2105.PPD (2328.8 kb/s) \
+ (average 2328.8 kb/s)
+ putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (9368.0 kb/s) \
+ (average 6469.6 kb/s)
+ putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (9958.2 kb/s) \
+ (average 8404.3 kb/s)
+ putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (8341.5 kb/s) \
+ (average 8398.6 kb/s)
+ putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (2195.9 kb/s) \
+ (average 8254.3 kb/s)
+ putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (8239.9 kb/s) \
+ (average 8253.6 kb/s)
+ putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (6222.2 kb/s) \
+ (average 8188.5 kb/s)
+
+ Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" \
+ "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL:ADOBEPS4.HLP: \
+ PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP,PSMON.DLL, \
+ ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"'
+ cmd = adddriver "Windows 4.0" "infotec_2105:ADOBEPS4.DRV:infotec_2105.PPD:NULL: \
+ ADOBEPS4.HLP:PSMON.DLL:RAW:ADOBEPS4.DRV,infotec_2105.PPD,ADOBEPS4.HLP, \
+ PSMON.DLL,ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"
+ Printer Driver infotec_2105 successfully installed.
+
+ Running command: rpcclient localhost -N -U'root%secret' \
+ -c 'setdriver infotec_2105 infotec_2105'
+ cmd = setdriver infotec_2105 infotec_2105
+ Successfully set infotec_2105 to driver infotec_2105.
+
+</pre><p>
+If you look closely, you'll discover your root password was transfered
+unencrypted over the wire, so beware! Also, if you look further her,
+you'll discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in
+between. They occur, because the directories WIN40 and W32X86 already
+existed in the <i class="parameter"><tt>[print$]</tt></i> driver download share
+(from a previous driver installation). They are harmless here.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960092"></a>Understanding cupsaddsmb</h3></div></div><div></div></div><p>
+What has happened? What did cupsaddsmb do? There are five stages of
+the procedure
+</p><div class="orderedlist"><ol type="1"><li><p>call the CUPS server via IPP and request the
+driver files and the PPD file for the named printer;</p></li><li><p>store the files temporarily in the local
+TEMPDIR (as defined in
+<tt class="filename">cupsd.conf</tt>);</p></li><li><p>connect via smbclient to the Samba server's
+ <i class="parameter"><tt>[print$]</tt></i> share and put the files into the
+ share's WIN40 (for Win95/98/ME) and W32X86/ (for WinNT/2k/XP) sub
+ directories;</p></li><li><p>connect via rpcclient to the Samba server and
+execute the "adddriver" command with the correct
+parameters;</p></li><li><p>connect via rpcclient to the Samba server a second
+time and execute the "setdriver" command.</p></li></ol></div><p>
+Note, that you can run the cupsaddsmb utility with parameters to
+specify one remote host as Samba host and a second remote host as CUPS
+host. Especially if you want to get a deeper understanding, it is a
+good idea try it and see more clearly what is going on (though in real
+life most people will have their CUPS and Samba servers run on the
+same host):
+</p><pre class="screen">
+
+ # cupsaddsmb -H sambaserver -h cupsserver -v printername
+
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960186"></a>How to recognize if cupsaddsm completed successfully</h3></div></div><div></div></div><p>
+You <span class="emphasis"><em>must</em></span> always check if the utility completed
+successfully in all fields. You need as a minimum these 3 messages
+amongst the output:
+</p><div class="orderedlist"><ol type="1"><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
+installed.</em></span> # (for the W32X86 == WinNT/2K/XP
+architecture...)</p></li><li><p><span class="emphasis"><em>Printer Driver infotec_2105 successfully
+installed.</em></span> # (for the WIN40 == Win9x/ME
+architecture...)</p></li><li><p><span class="emphasis"><em>Successfully set [printerXPZ] to driver
+[printerXYZ].</em></span></p></li></ol></div><p>
+These messages probably not easily recognized in the general
+output. If you run cupsaddsmb with the <i class="parameter"><tt>-a</tt></i>
+parameter (which tries to prepare <span class="emphasis"><em>all</em></span> active CUPS
+printer drivers for download), you might miss if individual printers
+drivers had problems to install properly. Here a redirection of the
+output will help you analyze the results in retrospective.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+It is impossible to see any diagnostic output if you don't run
+cupsaddsmb in verbose mode. Therefore we strongly recommend to not
+use the default quiet mode. It will hide any problems from you which
+might occur.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960273"></a>cupsaddsmb with a Samba PDC</h3></div></div><div></div></div><p>
+You can't get the standard cupsaddsmb command to run on a Samba PDC?
+You are asked for the password credential all over again and again and
+the command just will not take off at all? Try one of these
+variations:
+</p><pre class="screen">
+
+ # cupsaddsmb -U DOMAINNAME\\root -v printername
+ # cupsaddsmb -H SAMBA-PDC -U DOMAINNAME\\root -v printername
+ # cupsaddsmb -H SAMBA-PDC -U DOMAINNAME\\root -h cups-server -v printername
+
+</pre><p>
+(Note the two backslashes: the first one is required to
+"escape" the second one).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960308"></a>cupsaddsmb Flowchart</h3></div></div><div></div></div><p>
+Here is a chart about the procedures, commandflows and
+dataflows of the "cupaddsmb" command. Note again: cupsaddsmb is
+not intended to, and does not work with, "raw" queues!
+</p><p>
+</p><div class="figure"><a name="id2960326"></a><p class="title"><b>Figure 19.14. cupsaddsmb flowchart</b></p><div class="mediaobject"><img src="projdoc/imagefiles/1small.png" alt="cupsaddsmb flowchart"></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960361"></a>Installing the PostScript Driver on a Client</h3></div></div><div></div></div><p>
+After cupsaddsmb completed, your driver is prepared for the clients to
+use. Here are the steps you must perform to download and install it
+via "Point'n'Print". From a Windows client, browse to the CUPS/Samba
+server;
+</p><div class="itemizedlist"><ul type="disc"><li><p>open the <span class="emphasis"><em>Printers</em></span>
+share of Samba in Network Neighbourhood;</p></li><li><p>right-click on the printer in
+question;</p></li><li><p>from the opening context-menu select
+<span class="emphasis"><em>Install...</em></span> or
+<span class="emphasis"><em>Connect...</em></span> (depending on the Windows version you
+use).</p></li></ul></div><p>
+After a few seconds, there should be a new printer in your
+client's <span class="emphasis"><em>local</em></span> "Printers" folder: On Windows
+XP it will follow a naming convention of <span class="emphasis"><em>PrinterName on
+SambaServer</em></span>. (In my current case it is "infotec_2105 on
+kde-bitshop"). If you want to test it and send your first job from
+an application like Winword, the new printer will appears in a
+<tt class="filename">\\SambaServer\PrinterName</tt> entry in the
+dropdown list of available printers.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+cupsaddsmb will only reliably work with CUPS version 1.1.15 or higher
+and Samba from 2.2.4. If it doesn't work, or if the automatic printer
+driver download to the clients doesn't succeed, you can still manually
+install the CUPS printer PPD on top of the Adobe PostScript driver on
+clients. Then point the client's printer queue to the Samba printer
+share for a UNC type of connection:
+</p></div><pre class="screen">
+
+ net use lpt1: \\sambaserver\printershare /user:ntadmin
+
+</pre><p>
+should you desire to use the CUPS networked PostScript RIP
+functions. (Note that user "ntadmin" needs to be a valid Samba user
+with the required privileges to access the printershare) This would
+set up the printer connection in the traditional
+<span class="emphasis"><em>LanMan</em></span> way (not using MS-RPC).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960474"></a>Avoiding critical PostScript Driver Settings on the
+Client</h3></div></div><div></div></div><p>
+Soooo: printing works, but there are still problems. Most jobs print
+well, some don't print at all. Some jobs have problems with fonts,
+which don't look very good. Some jobs print fast, and some are
+dead-slow. Many of these problems can be greatly reduced or even
+completely eliminated if you follow a few guidelines. Remember, if
+your print device is not PostScript-enabled, you are treating your
+Ghostscript installation on your CUPS host with the output your client
+driver settings produce. Treat it well:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Avoid the <span class="emphasis"><em>PostScript Output Option: Optimize
+for Speed</em></span> setting. Rather use the <span class="emphasis"><em>Optimize for
+Portability</em></span> instead (Adobe PostScript
+driver).</p></li><li><p>Don't use the <span class="emphasis"><em>Page Independence:
+NO</em></span> setting. Instead use <span class="emphasis"><em>Page Independence
+YES</em></span> (CUPS PostScript Driver)</p></li><li><p>Recommended is the <span class="emphasis"><em>True Type Font
+Downloading Option: Native True Type</em></span> over
+<span class="emphasis"><em>Automatic</em></span> and <span class="emphasis"><em>Outline</em></span>; you
+should by all means avoid <span class="emphasis"><em>Bitmap</em></span> (Adobe
+PostScript Driver)</p></li><li><p>Choose <span class="emphasis"><em>True Type Font: Download as Softfont
+into Printer</em></span> over the default <span class="emphasis"><em>Replace by Device
+Font</em></span> (for exotic fonts you may need to change it back to
+get a printout at all) (Adobe)</p></li><li><p>Sometimes you can choose <span class="emphasis"><em>PostScript Language
+Level</em></span>: in case of problems try <span class="emphasis"><em>2</em></span>
+instead of <span class="emphasis"><em>3</em></span> (the latest ESP Ghostscript package
+handles Level 3 PostScript very well) (Adobe).</p></li><li><p>Say <span class="emphasis"><em>Yes</em></span> to <span class="emphasis"><em>PostScript
+Error Handler</em></span> (Adobe)</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2960608"></a>Installing PostScript Driver Files manually (using
+rpcclient)</h2></div></div><div></div></div><p>
+Of course you can run all the commands which are embedded into the
+cupsaddsmb convenience utility yourself, one by one, and hereby upload
+and prepare the driver files for future client downloads.
+</p><div class="orderedlist"><ol type="1"><li><p>prepare Samba (a CUPS printqueue with the name of the
+printer should be there. We are providing the driver
+now);</p></li><li><p>copy all files to
+<i class="parameter"><tt>[print$]:</tt></i></p></li><li><p>run <b class="command">rpcclient adddriver</b>
+(for each client architecture you want to support):</p></li><li><p>run <b class="command">rpcclient
+setdriver.</b></p></li></ol></div><p>
+We are going to do this now. First, read the man page on "rpcclient"
+to get a first idea. Look at all the printing related
+sub-commands. <b class="command">enumprinters</b>,
+<b class="command">enumdrivers</b>, <b class="command">enumports</b>,
+<b class="command">adddriver</b>, <b class="command">setdriver</b> are amongst
+the most interesting ones. rpcclient implements an important part of
+the MS-RPC protocol. You can use it to query (and command) a Win NT
+(or 2K/XP) PC too. MS-RPC is used by Windows clients, amongst other
+things, to benefit from the "Point'n'Print" features. Samba can now
+mimic this too.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960723"></a>A Check of the rpcclient man Page</h3></div></div><div></div></div><p>
+First let's have a little check of the rpcclient man page. Here are
+two relevant passages:
+</p><p>
+<b class="command">adddriver <arch> <config></b> Execute an
+AddPrinterDriver() RPC to install the printer driver information on
+the server. Note that the driver files should already exist in the
+directory returned by <b class="command">getdriverdir</b>. Possible
+values for <i class="parameter"><tt>arch</tt></i> are the same as those for the
+<b class="command">getdriverdir</b> command. The
+<i class="parameter"><tt>config</tt></i> parameter is defined as follows:
+</p><pre class="screen">
+Long Printer Name:\
+Driver File Name:\
+Data File Name:\
+Config File Name:\
+Help File Name:\
+Language Monitor Name:\
+Default Data Type:\
+Comma Separated list of Files
+</pre><p>Any empty fields should be enter as the string "NULL". </p><p>Samba does not need to support the concept of Print Monitors
+since these only apply to local printers whose driver can make use of
+a bi-directional link for communication. This field should be "NULL".
+On a remote NT print server, the Print Monitor for a driver must
+already be installed prior to adding the driver or else the RPC will
+fail
+</p><p>
+<b class="command">setdriver <printername> <drivername></b>
+Execute a <b class="command">SetPrinter()</b> command to update the
+printer driver associated with an installed printer. The printer
+driver must already be correctly installed on the print server.
+</p><p> See also the enumprinters and enumdrivers commands for
+obtaining a list of installed printers and drivers.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960836"></a>Understanding the rpcclient man Page</h3></div></div><div></div></div><p>
+The <span class="emphasis"><em>exact</em></span> format isn't made too clear by the man
+page, since you have to deal with some parameters containing
+spaces. Here is a better description for it. We have line-broken the
+command and indicated the breaks with "\". Usually you would type the
+command in one line without the linebreaks:
+</p><pre class="screen">
+
+ adddriver "Architecture" \
+ "LongPrinterName:DriverFile:DataFile:ConfigFile:HelpFile:\
+ LanguageMonitorFile:DataType:ListOfFiles,Comma-separated"
+
+</pre><p>
+What the man pages denotes as a simple <config>
+keyword, does in reality consist of 8 colon-separated fields. The
+last field may take multiple (in some, very insane, cases, even
+20 different additional files. This might sound confusing at first.
+Note, that what the man pages names the "LongPrinterName" in
+reality should rather be called the "Driver Name". You can name it
+anything you want, as long as you use this name later in the
+<span class="emphasis"><em>rpcclient ... setdriver</em></span> command. For
+practical reasons, many name the driver the same as the
+printer.
+</p><p>
+True: it isn't simple at all. I hear you asking:
+<span class="emphasis"><em>How do I know which files are "Driver
+File", "Data File", "Config File", "Help File" and "Language
+Monitor File" in each case?</em></span> -- For an answer you may
+want to have a look at how a Windows NT box with a shared printer
+presents the files to us. Remember, that this whole procedure has
+to be developed by the Samba Team by overhearing the traffic caused
+by Windows computers on the wire. We may as well turn to a Windows
+box now, and access it from a UNIX workstation. We will query it
+with <b class="command">rpcclient</b> to see what it tells us and
+try to understand the man page more clearly which we've read just
+now.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2960925"></a>Producing an Example by querying a Windows Box</h3></div></div><div></div></div><p>
+We could run <b class="command">rpcclient</b> with a
+<b class="command">getdriver</b> or a <b class="command">getprinter</b>
+subcommand (in level 3 verbosity) against it. Just sit down at UNIX or
+Linux workstation with the Samba utilities installed. Then type the
+following command:
+</p><pre class="screen">
+
+ rpcclient -U'USERNAME%PASSWORD' NT-SERVER-NAME -c 'getdriver printername 3'
+
+</pre><p>
+From the result it should become clear which is which. Here is an
+example from my installation:
+</p><pre class="screen">
+
+# rpcclient -U'Danka%xxxx' W2KSERVER -c'getdriver "DANKA InfoStream Virtual Printer" 3'
+ cmd = getdriver "DANKA InfoStream Virtual Printer" 3
+
+ [Windows NT x86]
+ Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [DANKA InfoStream]
+ Architecture: [Windows NT x86]
+ Driver Path: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.DLL]
+ Datafile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\INFOSTRM.PPD]
+ Configfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRPTUI.DLL]
+ Helpfile: [C:\WINNT\System32\spool\DRIVERS\W32X86\2\PSCRIPT.HLP]
+
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+ Dependentfiles: []
+
+ Monitorname: []
+ Defaultdatatype: []
+
+</pre><p>
+Some printer drivers list additional files under the label
+"Dependentfiles": these would go into the last field
+<span class="emphasis"><em>ListOfFiles,Comma-separated</em></span>. For the CUPS
+PostScript drivers we don't need any (nor would we for the Adobe
+PostScript driver): therefore the field will get a "NULL" entry.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961015"></a>What is required for adddriver and setdriver to succeed</h3></div></div><div></div></div><p>
+From the manpage (and from the quoted output
+of <span class="emphasis"><em>cupsaddsmb</em></span>, above) it becomes clear that you
+need to have certain conditions in order to make the manual uploading
+and initializing of the driver files succeed. The two rpcclient
+subcommands (<b class="command">adddriver</b> and
+<b class="command">setdriver</b>) need to encounter the following
+pre-conditions to complete successfully:
+</p><div class="itemizedlist"><ul type="disc"><li><p>you are connected as "printer admin", or root (note,
+that this is <span class="emphasis"><em>not</em></span> the "Printer Operators" group in
+NT, but the <span class="emphasis"><em>printer admin</em></span> group, as defined in
+the <i class="parameter"><tt>[global]</tt></i> section of
+<tt class="filename">smb.conf</tt>);</p></li><li><p>copy all required driver files to
+<tt class="filename">\\sambaserver\print$\w32x86</tt> and
+<tt class="filename">\\sambaserver\print$\win40</tt> as appropriate. They
+will end up in the "0" respective "2" subdirectories later -- for now
+<span class="emphasis"><em>don't</em></span> put them there, they'll be automatically
+used by the <b class="command">adddriver</b> subcommand.! (if you use
+"smbclient" to put the driver files into the share, note that you need
+to escape the "$": <b class="command">smbclient //sambaserver/print\$ -U
+root</b>);</p></li><li><p>the user you're connecting as must be able to write to
+the <i class="parameter"><tt>[print$]</tt></i> share and create
+subdirectories;</p></li><li><p>the printer you are going to setup for the Windows
+clients, needs to be installed in CUPS already;</p></li><li><p>the CUPS printer must be known to Samba, otherwise the
+<b class="command">setdriver</b> subcommand fails with an
+NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by
+Samba you may use the <b class="command">enumprinters</b> subcommand to
+rpcclient. A long-standing bug prevented a proper update of the
+printer list until every smbd process had received a SIGHUP or was
+restarted. Remember this in case you've created the CUPS printer just
+shortly ago and encounter problems: try restarting
+Samba.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961177"></a>Manual Commandline Driver Installation in 15 little Steps</h3></div></div><div></div></div><p>
+We are going to install a printer driver now by manually executing all
+required commands. As this may seem a rather complicated process at
+first, we go through the procedure step by step, explaining every
+single action item as it comes up.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961194"></a>First Step: Install the Printer on CUPS</h4></div></div><div></div></div><pre class="screen">
+
+# lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E -P /home/kurt/canonIR85.ppd
+
+</pre><p>
+This installs printer with the name <span class="emphasis"><em>mysmbtstprn</em></span>
+to the CUPS system. The printer is accessed via a socket
+(a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root
+for this step
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961224"></a>Second Step (optional): Check if the Printer is recognized by
+Samba</h4></div></div><div></div></div><pre class="screen">
+
+ # rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep -C2 mysmbtstprn
+
+ flags:[0x800000]
+ name:[\\kde-bitshop\mysmbtstprn]
+ description:[\\kde-bitshop\mysmbtstprn,,mysmbtstprn]
+ comment:[mysmbtstprn]
+
+</pre><p>
+This should show the printer in the list. If not, stop and re-start
+the Samba daemon (smbd), or send a HUP signal: <b class="command">kill -HUP
+`pidof smbd`</b>. Check again. Troubleshoot and repeat until
+success. Note the "empty" field between the two commas in the
+"description" line. Here would the driver name appear if there was one
+already. You need to know root's Samba password (as set by the
+<b class="command">smbpasswd</b> command) for this step and most of the
+following steps. Alternatively you can authenticate as one of the
+users from the "write list" as defined in <tt class="filename">smb.conf</tt> for
+<i class="parameter"><tt>[print$]</tt></i>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961288"></a>Third Step (optional): Check if Samba knows a Driver for the
+Printer</h4></div></div><div></div></div><pre class="screen">
+
+# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep driver
+ drivername:[]
+
+# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep -C4 driv
+ servername:[\\kde-bitshop]
+ printername:[\\kde-bitshop\mysmbtstprn]
+ sharename:[mysmbtstprn]
+ portname:[Samba Printer Port]
+ drivername:[]
+ comment:[mysmbtstprn]
+ location:[]
+ sepfile:[]
+ printprocessor:[winprint]
+
+# rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost
+ result was WERR_UNKNOWN_PRINTER_DRIVER
+
+</pre><p>
+Neither method of the three commands shown above should show a driver.
+This step was done for the purpose of demonstrating this condition. An
+attempt to connect to the printer at this stage will prompt the
+message along the lines: "The server has not the required printer
+driver installed".
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961326"></a>Fourth Step: Put all required Driver Files into Samba's
+[print$]</h4></div></div><div></div></div><pre class="screen">
+
+# smbclient //localhost/print\$ -U 'root%xxxx' \
+ -c 'cd W32X86; \
+ put /etc/cups/ppd/mysmbtstprn.ppd mysmbtstprn.PPD; \
+ put /usr/share/cups/drivers/cupsui.dll cupsui.dll; \
+ put /usr/share/cups/drivers/cupsdrvr.dll cupsdrvr.dll; \
+ put /usr/share/cups/drivers/cups.hlp cups.hlp'
+
+</pre><p>
+(Note that this command should be entered in one long single
+line. Line-breaks and the line-end indicating "\" has been inserted
+for readability reasons.) This step is <span class="emphasis"><em>required</em></span>
+for the next one to succeed. It makes the driver files physically
+present in the <i class="parameter"><tt>[print$]</tt></i> share. However, clients
+would still not be able to install them, because Samba does not yet
+treat them as driver files. A client asking for the driver would still
+be presented with a "not installed here" message.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961377"></a>Fifth Step: Verify where the Driver Files are now</h4></div></div><div></div></div><pre class="screen">
+
+# ls -l /etc/samba/drivers/W32X86/
+ total 669
+ drwxr-sr-x 2 root ntadmin 532 May 25 23:08 2
+ drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
+ -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
+ -rwxr--r-- 1 root ntadmin 278380 May 25 23:21 cupsdrvr.dll
+ -rwxr--r-- 1 root ntadmin 215848 May 25 23:21 cupsui.dll
+ -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
+
+</pre><p>
+The driver files now are in the W32X86 architecture "root" of
+<i class="parameter"><tt>[print$]</tt></i>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961415"></a>Sixth Step: Tell Samba that these are
+<span class="emphasis"><em>Driver</em></span> Files
+(<b class="command">adddriver</b>)</h4></div></div><div></div></div><pre class="screen">
+
+# rpcclient -Uroot%xxxx -c `adddriver "Windows NT x86" "mydrivername: \
+ cupsdrvr.dll:mysmbtstprn.PPD: \
+ cupsui.dll:cups.hlp:NULL:RAW[<span class="citation">:</span>]NULL" \
+ localhost
+
+ Printer Driver mydrivername successfully installed.
+
+</pre><p>
+Note that your cannot repeat this step if it fails. It could fail even
+as a result of a simple typo. It will most likely have moved a part of
+the driver files into the "2" subdirectory. If this step fails, you
+need to go back to the fourth step and repeat it, before you can try
+this one again. In this step you need to choose a name for your
+driver. It is normally a good idea to use the same name as is used for
+the printername; however, in big installations you may use this driver
+for a number of printers which have obviously different names. So the
+name of the driver is not fixed.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961469"></a>Seventh Step: Verify where the Driver Files are now</h4></div></div><div></div></div><pre class="screen">
+
+# ls -l /etc/samba/drivers/W32X86/
+ total 1
+ drwxr-sr-x 2 root ntadmin 532 May 25 23:22 2
+ drwxr-sr-x 2 root ntadmin 670 May 16 03:15 3
+
+
+# ls -l /etc/samba/drivers/W32X86/2
+ total 5039
+ [....]
+ -rwxr--r-- 1 root ntadmin 14234 May 25 23:21 cups.hlp
+ -rwxr--r-- 1 root ntadmin 278380 May 13 13:53 cupsdrvr.dll
+ -rwxr--r-- 1 root ntadmin 215848 May 13 13:53 cupsui.dll
+ -rwxr--r-- 1 root ntadmin 169458 May 25 23:21 mysmbtstprn.PPD
+
+</pre><p>
+Notice how step 6 did also move the driver files to the appropriate
+subdirectory. Compare with the situation after step 5.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961503"></a>Eighth Step (optional): Verify if Samba now recognizes the
+Driver</h4></div></div><div></div></div><pre class="screen">
+
+# rpcclient -Uroot%xxxx -c 'enumdrivers 3' localhost | grep -B2 -A5 mydrivername
+
+ Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [mydrivername]
+ Architecture: [Windows NT x86]
+ Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
+ Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
+ Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
+ Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
+
+</pre><p>
+Remember, this command greps for the name you did choose for the
+driver in step Six. This command must succeed before you can proceed.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961536"></a>Ninth Step: Tell Samba which Printer should use these Driver
+Files (<b class="command">setdriver</b>)</h4></div></div><div></div></div><pre class="screen">
+
+# rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' localhost
+
+ Successfully set mysmbtstprn to driver mydrivername
+
+</pre><p>
+Since you can bind any printername (=printqueue) to any driver, this
+is a very convenient way to setup many queues which use the same
+driver. You don't need to repeat all the previous steps for the
+setdriver command to succeed. The only pre-conditions are:
+<b class="command">enumdrivers</b> must find the driver and
+<b class="command">enumprinters</b> must find the printer.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961586"></a>Tenth Step (optional): Verify if Samba has this Association
+recognized</h4></div></div><div></div></div><pre class="screen">
+
+# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep driver
+ drivername:[mydrivername]
+
+# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost | grep -C4 driv
+ servername:[\\kde-bitshop]
+ printername:[\\kde-bitshop\mysmbtstprn]
+ sharename:[mysmbtstprn]
+ portname:[Done]
+ drivername:[mydrivername]
+ comment:[mysmbtstprn]
+ location:[]
+ sepfile:[]
+ printprocessor:[winprint]
+
+# rpcclient -U root%xxxx -c 'getdriver mysmbtstprn' localhost
+ [Windows NT x86]
+ Printer Driver Info 3:
+ Version: [2]
+ Driver Name: [mydrivername]
+ Architecture: [Windows NT x86]
+ Driver Path: [\\kde-bitshop\print$\W32X86\2\cupsdrvr.dll]
+ Datafile: [\\kde-bitshop\print$\W32X86\2\mysmbtstprn.PPD]
+ Configfile: [\\kde-bitshop\print$\W32X86\2\cupsui.dll]
+ Helpfile: [\\kde-bitshop\print$\W32X86\2\cups.hlp]
+ Monitorname: []
+ Defaultdatatype: [RAW]
+ Monitorname: []
+ Defaultdatatype: [RAW]
+
+# rpcclient -Uroot%xxxx -c 'enumprinters' localhost | grep mysmbtstprn
+ name:[\\kde-bitshop\mysmbtstprn]
+ description:[\\kde-bitshop\mysmbtstprn,mydrivername,mysmbtstprn]
+ comment:[mysmbtstprn]
+
+</pre><p>
+Compare these results with the ones from steps 2 and 3. Note that
+every single of these commands show the driver is installed. Even
+the <b class="command">enumprinters</b> command now lists the driver
+on the "description" line.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961666"></a>Eleventh Step (optional): Tickle the Driver into a correct
+Device Mode</h4></div></div><div></div></div><p>
+You certainly know how to install the driver on the client. In case
+you are not particularly familiar with Windows, here is a short
+recipe: browse the Network Neighbourhood, go to the Samba server, look
+for the shares. You should see all shared Samba printers.
+Double-click on the one in question. The driver should get
+installed, and the network connection set up. An alternative way is to
+open the "Printers (and Faxes)" folder, right-click on the printer in
+question and select "Connect" or "Install". As a result, a new printer
+should have appeared in your client's local "Printers (and Faxes)"
+folder, named something like "printersharename on Sambahostname".
+</p><p>
+It is important that you execute this step as a Samba printer admin
+(as defined in <tt class="filename">smb.conf</tt>). Here is another method
+to do this on Windows XP. It uses a commandline, which you may type
+into the "DOS box" (type root's smbpassword when prompted):
+</p><pre class="screen">
+
+ C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /in /n \\sambacupsserver\mysmbtstprn"
+
+</pre><p>
+Change any printer setting once (like <span class="emphasis"><em>"portrait"
+--> "landscape"</em></span>), click "Apply"; change the setting
+back.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961731"></a>Twelfth Step: Install the Printer on a Client
+("Point'n'Print")</h4></div></div><div></div></div><pre class="screen">
+
+ C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambacupsserver\mysmbtstprn"
+
+</pre><p>
+If it doesn't work it could be a permission problem with the
+<i class="parameter"><tt>[print$]</tt></i> share.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961764"></a>Thirteenth Step (optional): Print a Test Page</h4></div></div><div></div></div><pre class="screen">
+
+ C:\> rundll32 printui.dll,PrintUIEntry /p /n "\\sambacupsserver\mysmbtstprn"
+
+</pre><p>
+Then hit [TAB] 5 times, [ENTER] twice, [TAB] once and [ENTER] again
+and march to the printer.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961790"></a>Fourteenth Step (recommended): Study the Test Page</h4></div></div><div></div></div><p>
+Hmmm.... just kidding! By now you know everything about printer
+installations and you don't need to read a word. Just put it in a
+frame and bolt it to the wall with the heading "MY FIRST
+RPCCLIENT-INSTALLED PRINTER" - why not just throw it away!
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2961808"></a>Fifteenth Step (obligatory): Enjoy. Jump. Celebrate your
+Success</h4></div></div><div></div></div><pre class="screen">
+
+# echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd
+
+</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2961830"></a>Troubleshooting revisited</h3></div></div><div></div></div><p>
+The setdriver command will fail, if in Samba's mind the queue is not
+already there. You had promising messages about the:
+</p><pre class="screen">
+
+ Printer Driver ABC successfully installed.
+
+</pre><p>
+after the "adddriver" parts of the procedure? But you are also seeing
+a disappointing message like this one beneath?
+</p><pre class="screen">
+
+ result was NT_STATUS_UNSUCCESSFUL
+
+</pre><p>
+It is not good enough that <span class="emphasis"><em>you</em></span>
+can see the queue <span class="emphasis"><em>in CUPS</em></span>, using
+the <b class="command">lpstat -p ir85wm</b> command. A
+bug in most recent versions of Samba prevents the proper update of
+the queuelist. The recognition of newly installed CUPS printers
+fails unless you re-start Samba or send a HUP to all smbd
+processes. To verify if this is the reason why Samba doesn't
+execute the setdriver command successfully, check if Samba "sees"
+the printer:
+</p><pre class="screen">
+
+# rpcclient transmeta -N -U'root%secret' -c 'enumprinters 0'| grep ir85wm
+ printername:[ir85wm]
+
+</pre><p>
+An alternative command could be this:
+</p><pre class="screen">
+
+# rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm'
+ cmd = getprinter ir85wm
+ flags:[0x800000]
+ name:[\\transmeta\ir85wm]
+ description:[\\transmeta\ir85wm,ir85wm,DPD]
+ comment:[CUPS PostScript-Treiber for WinNT/2K/XP]
+
+</pre><p>
+BTW, you can use these commands, plus a few more, of course,
+to install drivers on remote Windows NT print servers too!
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2961930"></a>The printing <tt class="filename">*.tdb</tt> Files</h2></div></div><div></div></div><p>
+Some mystery is associated with the series of files with a
+tdb-suffix appearing in every Samba installation. They are
+<tt class="filename">connections.tdb</tt>,
+<tt class="filename">printing.tdb</tt>,
+<tt class="filename">share_info.tdb</tt> ,
+<tt class="filename">ntdrivers.tdb</tt>,
+<tt class="filename">unexpected.tdb</tt>,
+<tt class="filename">brlock.tdb</tt> ,
+<tt class="filename">locking.tdb</tt>,
+<tt class="filename">ntforms.tdb</tt>,
+<tt class="filename">messages.tdb</tt> ,
+<tt class="filename">ntprinters.tdb</tt>,
+<tt class="filename">sessionid.tdb</tt> and
+<tt class="filename">secrets.tdb</tt>. What is their purpose?
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962033"></a>Trivial DataBase Files</h3></div></div><div></div></div><p>
+A Windows NT (Print) Server keeps track of all information needed to serve
+its duty toward its clients by storing entries in the Windows
+"Registry". Client queries are answered by reading from the registry,
+Administrator or user configuration settings are saved by writing into
+the Registry. Samba and Unix obviously don't have such a kind of
+Registry. Samba instead keeps track of all client related information in a
+series of <tt class="filename">*.tdb</tt> files. (TDB = Trivial Data
+Base). These are often located in <tt class="filename">/var/lib/samba/</tt>
+or <tt class="filename">/var/lock/samba/</tt> . The printing related files
+are <tt class="filename">ntprinters.tdb</tt>,
+<tt class="filename">printing.tdb</tt>,<tt class="filename">ntforms.tdb</tt> and
+<tt class="filename">ntdrivers.tdb</tt>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962103"></a>Binary Format</h3></div></div><div></div></div><p>
+<tt class="filename">*.tdb</tt> files are not human readable. They are
+written in a binary format. "Why not ASCII?", you may ask. "After all,
+ASCII configuration files are a good and proofed tradition on UNIX."
+-- The reason for this design decision by the Samba Team is mainly
+performance. Samba needs to be fast; it runs a separate
+<b class="command">smbd</b> process for each client connection, in some
+environments many thousand of them. Some of these smbds might need to
+write-access the same <tt class="filename">*.tdb</tt> file <span class="emphasis"><em>at the
+same time</em></span>. The file format of Samba's
+<tt class="filename">*.tdb</tt> files allows for this provision. Many smbd
+processes may write to the same <tt class="filename">*.tdb</tt> file at the
+same time. This wouldn't be possible with pure ASCII files.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962165"></a>Losing <tt class="filename">*.tdb</tt> Files</h3></div></div><div></div></div><p>
+It is very important that all <tt class="filename">*.tdb</tt> files remain
+consistent over all write and read accesses. However, it may happen
+that these files <span class="emphasis"><em>do</em></span> get corrupted. (A
+<b class="command">kill -9 `pidof smbd`</b> while a write access is in
+progress could do the damage as well as a power interruption,
+etc.). In cases of trouble, a deletion of the old printing-related
+<tt class="filename">*.tdb</tt> files may be the only option. You need to
+re-create all print related setup after that. Or you have made a
+backup of the <tt class="filename">*.tdb</tt> files in time.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962224"></a>Using <span class="emphasis"><em>tdbbackup</em></span></h3></div></div><div></div></div><p>
+Samba ships with a little utility which helps the root user of your
+system to back up your <tt class="filename">*.tdb</tt> files. If you run it
+with no argument, it prints a little usage message:
+</p><pre class="screen">
+
+# tdbbackup
+ Usage: tdbbackup [options] <fname...>
+
+ Version:3.0a
+ -h this help message
+ -s suffix set the backup suffix
+ -v verify mode (restore if corrupt)
+
+</pre><p>
+Here is how I backed up my printing.tdb file:
+</p><pre class="screen">
+
+# ls
+ . browse.dat locking.tdb ntdrivers.tdb printing.tdb share_info.tdb
+ .. connections.tdb messages.tdb ntforms.tdb printing.tdbkp unexpected.tdb
+ brlock.tdb gmon.out namelist.debug ntprinters.tdb sessionid.tdb
+
+ kde-bitshop:/var/lock/samba # tdbbackup -s .bak printing.tdb
+ printing.tdb : 135 records
+
+ kde-bitshop:/var/lock/samba # ls -l printing.tdb*
+ -rw------- 1 root root 40960 May 2 03:44 printing.tdb
+ -rw------- 1 root root 40960 May 2 03:44 printing.tdb.bak
+
+</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2962290"></a>CUPS Print Drivers from Linuxprinting.org</h2></div></div><div></div></div><p>
+CUPS ships with good support for HP LaserJet type printers. You can
+install the generic driver as follows:
+</p><pre class="screen">
+
+lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd
+
+</pre><p>
+The <i class="parameter"><tt>-m</tt></i> switch will retrieve the
+<tt class="filename">laserjet.ppd</tt> from the standard repository for
+not-yet-installed-PPDs, which CUPS typically stores in
+<tt class="filename">/usr/share/cups/model</tt>. Alternatively, you may use
+<i class="parameter"><tt>-P /path/to/your.ppd</tt></i>.
+</p><p>
+The generic laserjet.ppd however does not support every special option
+for every LaserJet-compatible model. It constitutes a sort of "least
+denominator" of all the models. If for some reason it is ruled out to
+you to pay for the commercially available ESP Print Pro drivers, your
+first move should be to consult the database on <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>.
+Linuxprinting.org has excellent recommendations about which driver is
+best used for each printer. Its database is kept current by the
+tireless work of Till Kamppeter from MandrakeSoft, who is also the
+principal author of the foomatic-rip utility.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The former "cupsomatic" concept is now be replaced by the new, much
+more powerful "foomatic-rip". foomatic-rip is the successor of
+cupsomatic. cupsomatic is no longer maintained. Here is the new URL
+to the Foomatic-3.0 database:<a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">http://www.linuxprinting.org/driver_list.cgi</a>.
+If you upgrade to foomatic-rip, don't forget to also upgrade to the
+new-style PPDs for your foomatic-driven printers. foomatic-rip will
+not work with PPDs generated for the old cupsomatic. The new-style
+PPDs are 100% compliant to the Adobe PPD specification. They are
+intended to be used by Samba and the cupsaddsmb utility also, to
+provide the driver files for the Windows clients also!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2962398"></a>foomatic-rip and Foomatic explained</h3></div></div><div></div></div><p>
+Nowadays most Linux distros rely on the utilities of Linuxprinting.org
+to create their printing related software (which, BTW, works on all
+UNIXes and on Mac OS X or Darwin too). It is not known as well as it
+should be, that it also has a very end-user friendly interface which
+allows for an easy update of drivers and PPDs, for all supported
+models, all spoolers, all operating systems and all package formats
+(because there is none). Its history goes back a few years.
+</p><p>
+Recently Foomatic has achieved the astonishing milestone of <a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">1000
+listed</a> printer models. Linuxprinting.org keeps all the
+important facts about printer drivers, supported models and which
+options are available for the various driver/printer combinations in
+its <a href="http://www.linuxprinting.org/foomatic.html" target="_top">Foomatic</a>
+database. Currently there are <a href="http://www.linuxprinting.org/driver_list.cgi" target="_top">245 drivers</a>
+in the database: many drivers support various models, and many models
+may be driven by different drivers; it's your choice!
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962453"></a>690 "perfect" Printers</h4></div></div><div></div></div><p>
+At present there are 690 devices dubbed as working "perfectly", 181
+"mostly", 96 "partially" and 46 are "Paperweights". Keeping in mind
+that most of these are non-PostScript models (PostScript printers are
+automatically supported supported by CUPS to perfection, by using
+their own manufacturer-provided Windows-PPD...), and that a
+multifunctional device never qualifies as working "perfectly" if it
+doesn't also scan and copy and fax under GNU/Linux: then this is a
+truly astonishing achievement. Three years ago the number was not
+more than 500, and Linux or UNIX "printing" at the time wasn't
+anywhere near the quality it is today!
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962477"></a>How the "Printing HOWTO" started it all</h4></div></div><div></div></div><p>
+A few years ago <a href="http://www2.picante.com:81/~gtaylor/" target="_top">Grant Taylor</a>
+started it all. The roots of today's Linuxprinting.org are in the
+first <a href="http://www.linuxprinting.org/foomatic2.9/howto/" target="_top">Linux Printing
+HOWTO</a> which he authored. As a side-project to this document,
+which served many Linux users and admins to guide their first steps in
+this complicated and delicate setup (to a scientist, printing is
+"applying a structured deposition of distinct patterns of ink or toner
+particles on paper substrates" <span class="emphasis"><em>;-)</em></span>, he started to
+build in a little Postgres database with information about the
+hardware and driver zoo that made up Linux printing of the time. This
+database became the core component of today's Foomatic collection of
+tools and data. In the meantime it has moved to an XML representation
+of the data.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962522"></a>Foomatic's strange Name</h4></div></div><div></div></div><p>
+"Why the funny name?", you ask. When it really took off, around spring
+2000, CUPS was far less popular than today, and most systems used LPD,
+LPRng or even PDQ to print. CUPS shipped with a few generic "drivers"
+(good for a few hundred different printer models). These didn't
+support many device-specific options. CUPS also shipped with its own
+built-in rasterization filter ("pstoraster", derived from
+Ghostscript). On the other hand, CUPS provided brilliant support for
+<span class="emphasis"><em>controlling</em></span> all printer options through
+standardized and well-defined "PPD files" (PostScript Printers
+Description files). Plus, CUPS was designed to be easily extensible.
+</p><p>
+Grant already had in his database a respectable compilation
+of facts about a many more printers, and the Ghostscript "drivers"
+they run with. His idea, to generate PPDs from the database info
+and use them to make standard Ghostscript filters work within CUPS,
+proved to work very well. It also "killed several birds with one
+stone":
+</p><div class="itemizedlist"><ul type="disc"><li><p>It made all current and future Ghostscript filter
+developments available for CUPS;</p></li><li><p>It made available a lot of additional printer models
+to CUPS users (because often the "traditional" Ghostscript way of
+printing was the only one available);</p></li><li><p>It gave all the advanced CUPS options (web interface,
+GUI driver configurations) to users wanting (or needing) to use
+Ghostscript filters.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962589"></a>cupsomatic, pdqomatic, lpdomatic, directomatic</h4></div></div><div></div></div><p>
+CUPS worked through a quickly-hacked up filter script named <a href="http://www.linuxprinting.org/download.cgi?filename=cupsomatic&show=0" target="_top">cupsomatic</a>.
+cupsomatic ran the printfile through Ghostscript, constructing
+automatically the rather complicated command line needed. It just
+required to be copied into the CUPS system to make it work. To
+"configure" the way cupsomatic controls the Ghostscript rendering
+process, it needs a CUPS-PPD. This PPD is generated directly from the
+contents of the database. For CUPS and the respective printer/filter
+combo another Perl script named "CUPS-O-Matic" did the PPD
+generation. After that was working, Grant implemented within a few
+days a similar thing for two other spoolers. Names chosen for the
+config-generator scripts were <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">PDQ-O-Matic</a>
+(for PDQ) and <a href="http://www.linuxprinting.org/download.cgi?filename=lpdomatic&show=0" target="_top">LPD-O-Matic</a>
+(for - you guessed it - LPD); the configuration here didn't use PPDs
+but other spooler-specific files.
+</p><p>
+From late summer of that year, <a href="http://www.linuxprinting.org/till/" target="_top">Till Kamppeter</a>
+started to put work into the database. Till had been newly employed by
+<a href="http://www.mandrakesoft.com/" target="_top">MandrakeSoft</a> to
+convert their printing system over to CUPS, after they had seen his
+<a href="http://www.fltk.org/" target="_top">FLTK</a>-based <a href="http://cups.sourceforge.net/xpp/" target="_top">XPP</a> (a GUI frontend to
+the CUPS lp-command). He added a huge amount of new information and new
+printers. He also developed the support for other spoolers, like
+<a href="http://ppr.sourceforge.net/" target="_top">PPR</a> (via ppromatic),
+<a href="http://sourceforge.net/projects/lpr/" target="_top">GNUlpr</a> and
+<a href="http://www.lprng.org/" target="_top">LPRng</a> (both via an extended
+lpdomatic) and "spoolerless" printing (<a href="http://www.linuxprinting.org/download.cgi?filename=directomatic&show=0" target="_top">directomatic</a>)....
+</p><p>
+So, to answer your question: "Foomatic" is the general name for all
+the overlapping code and data behind the "*omatic" scripts.... --
+Foomatic up to versions 2.0.x required (ugly) Perl data structures
+attached the Linuxprinting.org PPDs for CUPS. It had a different
+"*omatic" script for every spooler, as well as different printer
+configuration files..
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962725"></a>7.13.1.5.The <span class="emphasis"><em>Grand Unification</em></span>
+achieved...</h4></div></div><div></div></div><p>
+This all has changed in Foomatic versions 2.9 (Beta) and released as
+"stable" 3.0. This has now achieved the convergence of all *omatic
+scripts: it is called the <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0" target="_top">foomatic-rip</a>.
+This single script is the unification of the previously different
+spooler-specific *omatic scripts. foomatic-rip is used by all the
+different spoolers alike. Because foomatic-rip can read PPDs (both the
+original PostScript printer PPDs and the Linuxprinting.org-generated
+ones), all of a sudden all supported spoolers can have the power of
+PPDs at their disposal; users only need to plug "foomatic-rip" into
+their system.... For users there is improved media type and source
+support; paper sizes and trays are easier to configure.
+</p><p>
+Also, the New Generation of Linuxprinting.org PPDs doesn't contain
+Perl data structures any more. If you are a distro maintainer and have
+used the previous version of Foomatic, you may want to give the new
+one a spin: but don't forget to generate a new-version set of PPDs,
+via the new <a href="http://www.linuxprinting.org/download/foomatic/foomatic-db-engine-3.0.0beta1.tar.gz" target="_top">foomatic-db-engine</a>!
+Individual users just need to generate a single new PPD specific to
+their model by <a href="http://www.linuxprinting.org/kpfeifle/LinuxKongress2002/Tutorial/II.Foomatic-User/II.tutorial-handout-foomatic-user.html" target="_top">following
+the steps</a> outlined in the Foomatic tutorial or further
+below. This new development is truly amazing.
+</p><p>
+foomatic-rip is a very clever wrapper around the need to run
+Ghostscript with a different syntax, different options, different
+device selections and/or different filters for each different printer
+or different spooler. At the same time it can read the PPD associated
+with a print queue and modify the print job according to the user
+selections. Together with this comes the 100% compliance of the new
+Foomatic PPDs with the Adobe spec. Some really innovative features of
+the Foomatic concept will surprise users: it will support custom paper
+sizes for many printers; and it will support printing on media drawn
+from different paper trays within the same job (in both cases: even
+where there is no support for this from Windows-based vendor printer
+drivers).
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962810"></a>Driver Development outside</h4></div></div><div></div></div><p>
+Most driver development itself does not happen within
+Linuxprinting.org. Drivers are written by independent maintainers.
+Linuxprinting.org just pools all the information, and stores it in its
+database. In addition, it also provides the Foomatic glue to integrate
+the many drivers into any modern (or legacy) printing system known to
+the world.
+</p><p>
+Speaking of the different driver development groups: most of
+the work is currently done in three projects. These are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><a href="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" target="_top">Omni</a>
+-- a Free Software project by IBM which tries to convert their printer
+driver knowledge from good-ol' OS/2 times into a modern, modular,
+universal driver architecture for Linux/Unix (still Beta). This
+currently supports 437 models.</p></li><li><p><a href="http://hpinkjet.sf.net/" target="_top">HPIJS</a> --
+a Free Software project by HP to provide the support for their own
+range of models (very mature, printing in most cases is perfect and
+provides true photo quality). This currently supports 369
+models.</p></li><li><p><a href="http://gimp-print.sf.net/" target="_top">Gimp-Print</a> -- a Free software
+effort, started by Michael Sweet (also lead developer for CUPS), now
+directed by Robert Krawitz, which has achieved an amazing level of
+photo print quality (many Epson users swear that its quality is
+better than the vendor drivers provided by Epson for the Microsoft
+platforms). This currently supports 522 models.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962892"></a>Forums, Downloads, Tutorials, Howtos -- also for Mac OS X and
+commercial Unix</h4></div></div><div></div></div><p>
+Linuxprinting.org today is the one-stop "shop" to download printer
+drivers. Look for printer information and <a href="http://www.linuxprinting.org//kpfeifle/LinuxKongress2002/Tutorial/" target="_top">tutorials</a>
+or solve printing problems in its popular <a href="http://www.linuxprinting.org/newsportal/" target="_top">forums</a>. But
+it's not just for GNU/Linux: users and admins of <a href="http://www.linuxprinting.org/macosx/" target="_top">commercial UNIX
+systems</a> are also going there, and the relatively new <a href="http://www.linuxprinting.org/newsportal/thread.php3?name=linuxprinting.macosx.general" target="_top">Mac
+OS X forum</a> has turned out to be one of the most frequented
+fora after only a few weeks.
+</p><p>
+Linuxprinting.org and the Foomatic driver wrappers around Ghostscript
+are now a standard toolchain for printing on all the important
+distros. Most of them also have CUPS underneath. While in recent years
+most printer data had been added by Till (who works at Mandrake), many
+additional contributions came from engineers with SuSE, RedHat,
+Connectiva, Debian and others. Vendor-neutrality is an important goal
+of the Foomatic project.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Till Kamppeter from MandrakeSoft is doing an excellent job in his
+spare time to maintain Linuxprinting.org and Foomatic. So if you use
+it often, please send him a note showing your appreciation.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2962963"></a>Foomatic Database generated PPDs</h4></div></div><div></div></div><p>
+The Foomatic database is an amazing piece of ingenuity in itself. Not
+only does it keep the printer and driver information, but it is
+organized in a way that it can generate "PPD" files "on the fly" from
+its internal XML-based datasets. While these PPDs are modelled to the
+Adobe specification of "PostScript Printer Descriptions" (PPDs), the
+Linuxprinting.org/Foomatic-PPDs don't normally drive PostScript
+printers: they are used to describe all the bells and whistles you
+could ring or blow on an Epson Stylus inkjet, or a HP Photosmart or
+what-have-you. The main "trick" is one little additional line, not
+envisaged by the PPD specification, starting with the "*cupsFilter"
+keyword: it tells the CUPS daemon how to proceed with the PostScript
+print file (old-style Foomatic-PPDs named the
+<span class="emphasis"><em>cupsomatic</em></span> filter script, while the new-style
+PPDs now call <span class="emphasis"><em>foomatic-rip</em></span>). This filter
+script calls Ghostscript on the host system (the recommended variant
+is ESP Ghostscript) to do the rendering work. foomatic-rip knows which
+filter or internal device setting it should ask from Ghostscript to
+convert the PostScript printjob into a raster format ready for the
+target device. This usage of PPDs to describe the options of non-PS
+printers was the invention of the CUPS developers. The rest is easy:
+GUI tools (like KDE's marvellous <a href="http://printing.kde.org/overview/kprinter.phtml" target="_top">"kprinter"</a>,
+or the GNOME <a href="http://gtklp.sourceforge.net/" target="_top">"gtklp"</a>, "xpp" and the CUPS
+web interface) read the PPD too and use this information to present
+the available settings to the user as an intuitive menu selection.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963027"></a>foomatic-rip and Foomatic-PPD Download and Installation</h3></div></div><div></div></div><p>
+Here are the steps to install a foomatic-rip driven "LaserJet 4 Plus"
+compatible printer in CUPS (note that recent distributions of SuSE,
+UnitedLinux and Mandrake may ship with a complete package of
+Foomatic-PPDs plus the foomatic-rip utility. going directly to
+Linuxprinting.org ensures you to get the latest driver/PPD files):
+</p><div class="itemizedlist"><ul type="disc"><li><p>Surf to <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>
+</p></li><li><p>Check the complete list of printers in the database:
+<a href="http://www.linuxprinting.org/printer_list.cgi?make=Anyone" target="_top">http://www.linuxprinting.org/printer_list.cgi?make=Anyone</a>
+</p></li><li><p>There select your model and click on the
+link.</p></li><li><p>You'll arrive at a page listing all drivers working
+with this model (for all printers, there will always be
+<span class="emphasis"><em>one</em></span> recommended driver. Try this one
+first).</p></li><li><p>In our case ("HP LaserJet 4 Plus"), we'll arrive here:
+<a href="http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus" target="_top">http://www.linuxprinting.org/show_printer.cgi?recnum=HP-LaserJet_4_Plus</a>
+</p></li><li><p>The recommended driver is "ljet4".</p></li><li><p>There are several links provided here. You should
+visit them all, if you are not familiar with the Linuxprinting.org
+database.</p></li><li><p>There is a link to the database page for the "ljet4":
+<a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a>
+On the driver's page, you'll find important and detailed information
+about how to use that driver within the various available
+spoolers.</p></li><li><p>Another link may lead you to the homepage of the
+driver author or the driver.</p></li><li><p>Important links are the ones which provide hints with
+setup instructions for CUPS (<a href="http://www.linuxprinting.org/cups-doc.html" target="_top">http://www.linuxprinting.org/cups-doc.html</a>),
+PDQ (<a href="http://www.linuxprinting.org/pdq-doc.html" target="_top">http://www.linuxprinting.org/pdq-doc.html</a>),
+LPD, LPRng and GNUlpr (<a href="http://www.linuxprinting.org/lpd-doc.html" target="_top">http://www.linuxprinting.org/lpd-doc.html</a>)
+as well as PPR (<a href="http://www.linuxprinting.org/ppr-doc.html" target="_top">http://www.linuxprinting.org/ppr-doc.html)</a>
+or "spooler-less" printing (<a href="http://www.linuxprinting.org/direct-doc.html" target="_top">http://www.linuxprinting.org/direct-doc.html</a>
+).</p></li><li><p>You can view the PPD in your browser through this
+link: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=1</a>
+</p></li><li><p>You can also (most importantly)
+generate and download the PPD: <a href="http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0" target="_top">http://www.linuxprinting.org/ppd-o-matic.cgi?driver=ljet4&printer=HP-LaserJet_4_Plus&show=0</a>
+</p></li><li><p>The PPD contains all the information needed to use our
+model and the driver; this is, once installed, working transparently
+for the user. Later you'll only need to choose resolution, paper size
+etc. from the web-based menu, or from the print dialog GUI, or from
+the commandline.</p></li><li><p>Should you have ended up on the driver's page (<a href="http://www.linuxprinting.org/show_driver.cgi?driver=ljet4" target="_top">http://www.linuxprinting.org/show_driver.cgi?driver=ljet4</a>),
+you can choose to use the "PPD-O-Matic" online PPD generator
+program.</p></li><li><p>Select the exact model and check either "download" or
+"display PPD file" and click on "Generate PPD file".</p></li><li><p>If you save the PPD file from the browser view, please
+don't use "cut'n'past" (since it could possibly damage line endings
+and tabs, which makes the PPD likely to fail its duty), but use "Save
+as..." in your browser's menu. (Best is to use the "download" option
+from the web page directly).</p></li><li><p>Another very interesting part on each driver page is
+the <span class="emphasis"><em>Show execution details</em></span> button. If you
+select your printer model and click that button, you will get
+displayed a complete Ghostscript command line, enumerating all options
+available for that driver/printermodel combo. This is a great way to
+"Learn Ghostscript By Doing". It is also an excellent "cheat sheet"
+for all experienced users who need to re-construct a good command line
+for that damn printing script, but can't remember the exact
+syntax. ;-)</p></li><li><p>Some time during your visit to Linuxprinting.org, save
+the PPD to a suitable place on your harddisk, say
+<tt class="filename">/path/to/my-printer.ppd</tt> (if you prefer to install
+your printers with the help of the CUPS web interface, save the PPD to
+the <tt class="filename">/usr/share/cups/model/</tt> path and re-start
+cupsd).</p></li><li><p>Then install the printer with a suitable commandline,
+e.g.:
+</p><pre class="screen">
+
+lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P path/to/my-printer.ppd
+
+</pre></li><li><p>Note again this: for all the new-style "Foomatic-PPDs"
+from Linuxprinting.org, you also need a special "CUPS filter" named
+"foomatic-rip".Get the latest version of "foomatic-rip" from: <a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=0</a>
+</p></li><li><p>The foomatic-rip Perlscript itself also makes some
+interesting reading (<a href="http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1" target="_top">http://www.linuxprinting.org/foomatic2.9/download.cgi?filename=foomatic-rip&show=1</a>),
+because it is very well documented by Till's inline comments (even
+non-Perl hackers will learn quite a bit about printing by reading
+it... ;-)</p></li><li><p>Save foomatic-rip either directly in
+<tt class="filename">/usr/lib/cups/filter/foomatic-rip</tt> or somewhere in
+your $PATH (and don't forget to make it world-executable). Again,
+don't save by "copy'n'paste" but use the appropriate link, or the
+"Save as..." menu item in your browser.</p></li><li><p>If you save foomatic-rip in your $PATH, create a symlink:
+<b class="command">cd /usr/lib/cups/filter/ ; ln -s `which
+foomatic-rip`</b>. For CUPS to discover this new
+available filter at startup, you need to re-start
+cupsd.</p></li></ul></div><p>
+Once you print to a printqueue set up with the Foomatic-PPD, CUPS will
+insert the appropriate commands and comments into the resulting
+PostScript jobfile. foomatic-rip is able to read and act upon
+these. foomatic-rip uses some specially encoded Foomatic comments,
+embedded in the jobfile. These in turn are used to construct
+(transparently for you, the user) the complicated ghostscript command
+line telling for the printer driver how exactly the resulting raster
+data should look like and which printer commands to embed into the
+data stream.
+</p><p>
+You need:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A "foomatic+something" PPD -- but it this not enough
+to print with CUPS (it is only <span class="emphasis"><em>one</em></span> important
+component)</p></li><li><p>The "foomatic-rip" filter script (Perl) in
+/usr/lib/cups/filters/</p></li><li><p>Perl to make foomatic-rip run</p></li><li><p>Ghostscript (because it is doing the main work,
+controlled by the PPD/foomatic-rip combo) to produce the raster data
+fit for your printermodel's consumption</p></li><li><p>Ghostscript <span class="emphasis"><em>must</em></span> (depending on
+the driver/model) contain support for a certain "device", representing
+the selected "driver" for your model (as shown by "gs
+-h")</p></li><li><p>foomatic-rip needs a new version of PPDs (PPD versions
+produced for cupsomatic don't work with
+foomatic-rip).</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963488"></a>Page Accounting with CUPS</h2></div></div><div></div></div><p>
+Often there are questions regarding "print quotas" wherein Samba users
+(that is, Windows clients) should not be able to print beyond a
+certain amount of pages or data volume per day, week or month. This
+feature is dependent on the real print subsystem you're using.
+Samba's part is always to receive the job files from the clients
+(filtered <span class="emphasis"><em>or</em></span> unfiltered) and hand it over to this
+printing subsystem.
+</p><p>
+Of course one could "hack" things with one's own scripts. But then
+there is CUPS. CUPS supports "quotas" which can be based on sizes of
+jobs or on the number of pages or both, and are spanning any time
+period you want.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963519"></a>Setting up Quotas</h3></div></div><div></div></div><p>
+This is an example command how root would set a print quota in CUPS,
+assuming an existing printer named "quotaprinter":
+</p><pre class="screen">
+
+ lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 -o job-page-limit=100
+
+</pre><p>
+This would limit every single user to print 100 pages or 1024 KB of
+data (whichever comes first) within the last 604,800 seconds ( = 1
+week).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963551"></a>Correct and incorrect Accounting</h3></div></div><div></div></div><p>
+For CUPS to count correctly, the printfile needs to pass the CUPS
+"pstops" filter, otherwise it uses a "dummy" count of "1". Some
+printfiles don't pass it (eg: image files) but then those are mostly 1
+page jobs anyway. This also means that proprietary drivers for the
+target printer running on the client computers and CUPS/Samba, which
+then spool these files as "raw" (i.e. leaving them untouched, not
+filtering them), will be counted as "1-pagers" too!
+</p><p>
+You need to send PostScript from the clients (i.e. run a PostScript
+driver there) to have the chance to get accounting done. If the
+printer is a non-PostScript model, you need to let CUPS do the job to
+convert the file to a print-ready format for the target printer. This
+will be working for currently about 1,000 different printer models,
+see <a href="http://www.linuxprinting.org/printer_list.cgi" target="_top">http://www.linuxprinting.org/printer_list.cgi</a>).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963592"></a>Adobe and CUPS PostScript Drivers for Windows Clients</h3></div></div><div></div></div><p>
+Before CUPS-1.1.16 your only option was to use the Adobe PostScript
+Driver on the Windows clients. The output of this driver was not
+always passed through the "pstops" filter on the CUPS/Samba side, and
+therefore was not counted correctly (the reason is that it often,
+depending on the "PPD" being used, wrote a "PJL"-header in front of
+the real PostScript which caused CUPS to skip pstops and go directly
+to the "pstoraster" stage).
+</p><p>
+From CUPS-1.1.16 onward you can use the "CUPS PostScript Driver for
+Windows NT/2K/XP clients" (which is tagged in the download area of
+http://www.cups.org/ as the "cups-samba-1.1.16.tar.gz" package). It does
+<span class="emphasis"><em>not</em></span> work for Win9x/ME clients. But it guarantees:
+</p><div class="itemizedlist"><ul type="disc"><li><p>to not write an PJL-header</p></li><li><p>to still read and support all PJL-options named in the
+driver PPD with its own means</p></li><li><p> that the file will pass through the "pstops" filter
+on the CUPS/Samba server</p></li><li><p>to page-count correctly the
+printfile</p></li></ul></div><p>
+You can read more about the setup of this combination in the manpage
+for "cupsaddsmb" (which is only present with CUPS installed, and only
+current from CUPS 1.1.16).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963663"></a>The page_log File Syntax</h3></div></div><div></div></div><p>
+These are the items CUPS logs in the "page_log" for every
+single <span class="emphasis"><em>page</em></span> of a job:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Printer name</p></li><li><p>User name</p></li><li><p>Job ID</p></li><li><p>Time of printing</p></li><li><p>the page number</p></li><li><p>the number of copies</p></li><li><p>a billing information string
+(optional)</p></li><li><p>the host which sent the job (included since version
+1.1.19)</p></li></ul></div><p>
+Here is an extract of my CUPS server's page_log file to illustrate the
+format and included items:
+</p><pre class="screen">
+
+ infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13
+ infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 2 3 #marketing 10.160.50.13
+ infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 3 3 #marketing 10.160.50.13
+ infotec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 4 3 #marketing 10.160.50.13
+ DigiMaster9110 boss 402 [22/Apr/2003:10:33:22 +0100] 1 440 finance-dep 10.160.51.33
+
+</pre><p>
+This was job ID "401", printed on "infotec_IS2027" by user "kurt", a
+64-page job printed in 3 copies and billed to "#marketing", sent
+from IP address 10.160.50.13. The next job had ID "402", was sent by
+user "boss" from IP address 10.160.51.33,printed from one page 440
+copies and is set to be billed to "finance-dep".
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963765"></a>Possible Shortcomings</h3></div></div><div></div></div><p>
+What flaws or shortcomings are there with this quota system?
+</p><div class="itemizedlist"><ul type="disc"><li><p>the ones named above (wrongly logged job in case of
+printer hardware failure, etc.)</p></li><li><p>in reality, CUPS counts the job pages that are being
+processed in <span class="emphasis"><em>software</em></span> (that is, going through the
+"RIP") rather than the physical sheets successfully leaving the
+printing device. Thus if there is a jam while printing the 5th sheet out
+of 1000 and the job is aborted by the printer, the "page count" will
+still show the figure of 1000 for that job</p></li><li><p>all quotas are the same for all users (no flexibility
+to give the boss a higher quota than the clerk) no support for
+groups</p></li><li><p>no means to read out the current balance or the
+"used-up" number of current quota</p></li><li><p>a user having used up 99 sheets of 100 quota will
+still be able to send and print a 1,000 sheet job</p></li><li><p>a user being denied a job because of a filled-up quota
+doesn't get a meaningful error message from CUPS other than
+"client-error-not-possible".</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963836"></a>Future Developments</h3></div></div><div></div></div><p>
+This is the best system currently available, and there are huge
+improvements under development for CUPS 1.2:
+</p><div class="itemizedlist"><ul type="disc"><li><p>page counting will go into the "backends" (these talk
+directly to the printer and will increase the count in sync with the
+actual printing process: thus a jam at the 5th sheet will lead to a
+stop in the counting)</p></li><li><p>quotas will be handled more flexibly</p></li><li><p>probably there will be support for users to inquire
+their "accounts" in advance</p></li><li><p>probably there will be support for some other tools
+around this topic</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2963884"></a>Other Accounting Tools</h3></div></div><div></div></div><p>
+PrintAnalyzer, pyKota, printbill, LogReport.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2963899"></a>Additional Material</h2></div></div><div></div></div><p>
+A printer queue with <span class="emphasis"><em>no</em></span> PPD associated to it is a
+"raw" printer and all files will go directly there as received by the
+spooler. The exceptions are file types "application/octet-stream"
+which need "passthrough feature" enabled. "Raw" queues don't do any
+filtering at all, they hand the file directly to the CUPS backend.
+This backend is responsible for the sending of the data to the device
+(as in the "device URI" notation: <tt class="filename">lpd://, socket://,
+smb://, ipp://, http://, parallel:/, serial:/, usb:/</tt> etc.)
+</p><p>
+"cupsomatic"/Foomatic are <span class="emphasis"><em>not</em></span> native CUPS drivers
+and they don't ship with CUPS. They are a Third Party add-on,
+developed at Linuxprinting.org. As such, they are a brilliant hack to
+make all models (driven by Ghostscript drivers/filters in traditional
+spoolers) also work via CUPS, with the same (good or bad!) quality as
+in these other spoolers. "cupsomatic" is only a vehicle to execute a
+ghostscript commandline at that stage in the CUPS filtering chain,
+where "normally" the native CUPS "pstoraster" filter would kick
+in. cupsomatic by-passes pstoraster, "kidnaps" the printfile from CUPS
+away and re-directs it to go through Ghostscript. CUPS accepts this,
+because the associated CUPS-O-Matic-/Foomatic-PPD specifies:
+</p><pre class="screen">
+
+ *cupsFilter: "application/vnd.cups-postscript 0 cupsomatic"
+
+</pre><p>
+This line persuades CUPS to hand the file to cupsomatic, once it has
+successfully converted it to the MIME type
+"application/vnd.cups-postscript". This conversion will not happen for
+Jobs arriving from Windows which are auto-typed
+"application/octet-stream", with the according changes in
+<tt class="filename">/etc/cups/mime.types</tt> in place.
+</p><p>
+CUPS is widely configurable and flexible, even regarding its filtering
+mechanism. Another workaround in some situations would be to have in
+<tt class="filename">/etc/cups/mime.types</tt> entries as follows:
+</p><pre class="screen">
+
+ application/postscript application/vnd.cups-raw 0 -
+ application/vnd.cups-postscript application/vnd.cups-raw 0 -
+
+</pre><p>
+This would prevent all Postscript files from being filtered (rather,
+they will through the virtual <span class="emphasis"><em>nullfilter</em></span>
+denoted with "-"). This could only be useful for PS printers. If you
+want to print PS code on non-PS printers (provided they support ASCII
+text printing) an entry as follows could be useful:
+</p><pre class="screen">
+
+ */* application/vnd.cups-raw 0 -
+
+</pre><p>
+and would effectively send <span class="emphasis"><em>all</em></span> files to the
+backend without further processing.
+</p><p>
+Lastly, you could have the following entry:
+</p><pre class="screen">
+
+ application/vnd.cups-postscript application/vnd.cups-raw 0 my_PJL_stripping_filter
+
+</pre><p>
+You will need to write a <span class="emphasis"><em>my_PJL_stripping_filter</em></span>
+(could be a shellscript) that parses the PostScript and removes the
+unwanted PJL. This would need to conform to CUPS filter design
+(mainly, receive and pass the parameters printername, job-id,
+username, jobtitle, copies, print options and possibly the
+filename). It would be installed as world executable into
+<tt class="filename">/usr/lib/cups/filters/</tt> and will be called by CUPS
+if it encounters a MIME type "application/vnd.cups-postscript".
+</p><p>
+CUPS can handle <span class="emphasis"><em>-o job-hold-until=indefinite</em></span>.
+This keeps the job in the queue "on hold". It will only be printed
+upon manual release by the printer operator. This is a requirement in
+many "central reproduction departments", where a few operators manage
+the jobs of hundreds of users on some big machine, where no user is
+allowed to have direct access (such as when the operators often need
+to load the proper paper type before running the 10,000 page job
+requested by marketing for the mailing, etc.).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964092"></a>Auto-Deletion or Preservation of CUPS Spool Files</h2></div></div><div></div></div><p>
+Samba print files pass through two "spool" directories. One is the
+incoming directory managed by Samba, (set in the <span class="emphasis"><em>path =
+/var/spool/samba</em></span> directive in the
+<span class="emphasis"><em>[printers]</em></span> section of
+<tt class="filename">smb.conf</tt>). The other is the spool directory of
+your UNIX print subsystem. For CUPS it is normally
+<tt class="filename">/var/spool/cups/</tt>, as set by the cupsd.conf
+directive <tt class="filename">RequestRoot /var/spool/cups</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964138"></a>CUPS Configuration Settings explained</h3></div></div><div></div></div><p>
+Some important parameter settings in the CUPS configuration file
+<tt class="filename">cupsd.conf</tt> are:
+</p><div class="variablelist"><dl><dt><span class="term">PreserveJobHistory Yes</span></dt><dd><p>
+This keeps some details of jobs in cupsd's mind (well it keeps the
+"c12345", "c12346" etc. files in the CUPS spool directory, which do a
+similar job as the old-fashioned BSD-LPD control files). This is set
+to "Yes" as a default.
+</p></dd><dt><span class="term">PreserveJobFiles Yes</span></dt><dd><p>
+This keeps the job files themselves in cupsd's mind
+(well it keeps the "d12345", "d12346" etc. files in the CUPS spool
+directory...). This is set to "No" as the CUPS
+default.
+</p></dd><dt><span class="term"><span class="emphasis"><em>"MaxJobs 500"</em></span></span></dt><dd><p>
+This directive controls the maximum number of jobs
+that are kept in memory. Once the number of jobs reaches the limit,
+the oldest completed job is automatically purged from the system to
+make room for the new one. If all of the known jobs are still
+pending or active then the new job will be rejected. Setting the
+maximum to 0 disables this functionality. The default setting is
+0.
+</p></dd></dl></div><p>
+(There are also additional settings for "MaxJobsPerUser" and
+"MaxJobsPerPrinter"...)
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964221"></a>Pre-conditions</h3></div></div><div></div></div><p>
+For everything to work as announced, you need to have three
+things:
+</p><div class="itemizedlist"><ul type="disc"><li><p>a Samba-smbd which is compiled against "libcups" (Check
+on Linux by running "ldd `which smbd`")</p></li><li><p>a Samba-<tt class="filename">smb.conf</tt> setting of
+"printing = cups"</p></li><li><p>another Samba-<tt class="filename">smb.conf</tt> setting of
+"printcap = cups"</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+In this case all other manually set printing-related commands (like
+"print command", "lpq command", "lprm command", "lppause command" or
+"lpresume command") are ignored and they should normally have no
+influence what-so-ever on your printing.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964281"></a>Manual Configuration</h3></div></div><div></div></div><p>
+If you want to do things manually, replace the "printing =
+cups" by "printing = bsd". Then your manually set commands may work
+(haven't tested this), and a "print command = lp -d %P %s; rm %s"
+may do what you need.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964299"></a>When <span class="emphasis"><em>not</em></span> to use Samba to print to
+CUPS</h2></div></div><div></div></div><p>
+[TO BE DONE]
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964316"></a>In Case of Trouble.....</h2></div></div><div></div></div><p>
+If you have more problems, post the output of these commands
+to the CUPS or Samba mailing lists (choose the one which seems more
+relevant to your problem):
+</p><pre class="screen">
+
+ grep -v ^# /etc/cups/cupsd.conf | grep -v ^$
+ grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"
+
+</pre><p>
+(adapt paths as needed). These commands leave out the empty
+lines and lines with comments, providing the "naked settings" in a
+compact way. Don't forget to name the CUPS and Samba versions you
+are using! This saves bandwidth and makes for easier readability
+for experts (and you are expecting experts to read them, right?
+;-)
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964352"></a>Where to find Documentation</h3></div></div><div></div></div><p>
+[TO BE DONE]
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964364"></a>How to ask for Help</h3></div></div><div></div></div><p>
+[TO BE DONE]
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964377"></a>Where to find Help</h3></div></div><div></div></div><p>
+[TO BE DONE]
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2964391"></a>Appendix</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964398"></a>Printing <span class="emphasis"><em>from</em></span> CUPS to Windows attached
+Printers</h3></div></div><div></div></div><p>
+From time to time the question arises, how you can print
+<span class="emphasis"><em>to</em></span> a Windows attached printer
+<span class="emphasis"><em>from</em></span> Samba. Normally the local connection
+"Windows host <--> printer" would be done by USB or parallel
+cable, but this doesn't matter to Samba. From here only an SMB
+connection needs to be opened to the Windows host. Of course, this
+printer must be "shared" first. As you have learned by now, CUPS uses
+<span class="emphasis"><em>backends</em></span> to talk to printers and other
+servers. To talk to Windows shared printers you need to use the
+<span class="emphasis"><em>smb</em></span> (surprise, surprise!) backend. Check if this
+is in the CUPS backend directory. This resides usually in
+<tt class="filename">/usr/lib/cups/backend/</tt>. You need to find a "smb"
+file there. It should be a symlink to <tt class="filename">smbspool</tt>
+which file must exist and be executable:
+</p><pre class="screen">
+
+ # ls -l /usr/lib/cups/backend/
+ total 253
+ drwxr-xr-x 3 root root 720 Apr 30 19:04 .
+ drwxr-xr-x 6 root root 125 Dec 19 17:13 ..
+ -rwxr-xr-x 1 root root 10692 Feb 16 21:29 canon
+ -rwxr-xr-x 1 root root 10692 Feb 16 21:29 epson
+ lrwxrwxrwx 1 root root 3 Apr 17 22:50 http -> ipp
+ -rwxr-xr-x 1 root root 17316 Apr 17 22:50 ipp
+ -rwxr-xr-x 1 root root 15420 Apr 20 17:01 lpd
+ -rwxr-xr-x 1 root root 8656 Apr 20 17:01 parallel
+ -rwxr-xr-x 1 root root 2162 Mar 31 23:15 pdfdistiller
+ lrwxrwxrwx 1 root root 25 Apr 30 19:04 ptal -> /usr/local/sbin/ptal-cups
+ -rwxr-xr-x 1 root root 6284 Apr 20 17:01 scsi
+ lrwxrwxrwx 1 root root 17 Apr 2 03:11 smb -> /usr/bin/smbspool
+ -rwxr-xr-x 1 root root 7912 Apr 20 17:01 socket
+ -rwxr-xr-x 1 root root 9012 Apr 20 17:01 usb
+
+# ls -l `which smbspool`
+ -rwxr-xr-x 1 root root 563245 Dec 28 14:49 /usr/bin/smbspool
+
+</pre><p>
+If this symlink doesn't exist, create it:
+</p><pre class="screen">
+
+# ln -s `which smbspool` /usr/lib/cups/backend/smb
+
+</pre><p>
+smbspool has been written by Mike Sweet from the CUPS folks. It is
+included and ships with Samba. It may also be used with print
+subsystems other than CUPS, to spool jobs to Windows printer shares. To
+set up printer "winprinter" on CUPS, you need to have a "driver" for
+it. Essentially this means to convert the print data on the CUPS/Samba
+host to a format that the printer can digest (the Windows host is
+unable to convert any files you may send). This also means you should
+be able to print to the printer if it were hooked directly at your
+Samba/CUPS host. For troubleshooting purposes, this is what you
+should do, to determine if that part of the process chain is in
+order. Then proceed to fix the network connection/authentication to
+the Windows host, etc.
+</p><p>
+To install a printer with the smb backend on CUPS, use this command:
+</p><pre class="screen">
+
+# lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename -P /path/to/PPD
+
+</pre><p>
+The <span class="emphasis"><em>PPD</em></span> must be able to direct CUPS to generate
+the print data for the target model. For PostScript printers just use
+the PPD that would be used with the Windows NT PostScript driver. But
+what can you do if the printer is only accessible with a password? Or
+if the printer's host is part of another workgroup? This is provided
+for: you can include the required parameters as part of the
+<tt class="filename">smb://</tt> device-URI. Like this:
+</p><pre class="screen">
+
+ smb://WORKGROUP/WINDOWSNETBIOSNAME/printersharename
+ smb://username:password@WORKGROUP/WINDOWSNETBIOSNAME/printersharename
+ smb://username:password@WINDOWSNETBIOSNAME/printersharename
+
+</pre><p>
+Note that the device-URI will be visible in the process list of the
+Samba server (e.g. when someone uses the <b class="command">ps -aux</b>
+command on Linux), even if the username and passwords are sanitized
+before they get written into the log files. So this is an inherently
+insecure option. However it is the only one. Don't use it if you want
+to protect your passwords. Better share the printer in a way that
+doesn't require a password! Printing will only work if you have a
+working netbios name resolution up and running. Note that this is a
+feature of CUPS and you don't necessarily need to have smbd running
+(but who wants that? :-).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964612"></a>More CUPS filtering Chains</h3></div></div><div></div></div><p>
+The following diagrams reveal how CUPS handles print jobs.
+</p><pre class="screen">
+#########################################################################
+#
+# CUPS in and of itself has this (general) filter chain (CAPITAL
+# letters are FILE-FORMATS or MIME types, other are filters (this is
+# true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro):
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT
+# |
+# V
+# pstoraster # as shipped with CUPS, independent from any Ghostscipt
+# | # installation on the system
+# | (= "postscipt interpreter")
+# V
+# APPLICATION/VND.CUPS-RASTER
+# |
+# V
+# rastertosomething (e.g. Gimp-Print filters may be plugged in here)
+# | (= "raster driver")
+# V
+# SOMETHING-DEVICE-SPECIFIC
+# |
+# V
+# backend
+#
+#
+# ESP PrintPro has some enhanced "rastertosomething" filters as compared to
+# CUPS, and also a somewhat improved "pstoraster" filter.
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+#########################################################################
+</pre><pre class="screen">
+#########################################################################
+#
+# This is how "cupsomatic" comes into play:
+# =========================================
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+
+# | V
+# V cupsomatic
+# pstoraster (constructs complicated
+# | (= "postscipt interpreter") Ghostscript commandline
+# | to let the file be
+# V processed by a
+# APPLICATION/VND.CUPS-RASTER "-sDEVICE=s.th."
+# | call...)
+# V |
+# rastertosomething V
+# | (= "raster driver") +-------------------------+
+# | | Ghostscript at work.... |
+# V | |
+# SOMETHING-DEVICE-SPECIFIC *-------------------------+
+# | |
+# V |
+# backend <------------------------------------+
+# |
+# V
+# THE PRINTER
+#
+#
+# Note, that cupsomatic "kidnaps" the printfile after the
+# "APPLICATION/VND.CUPS-POSTSCRPT" stage and deviates it gh
+# the CUPS-external, systemwide Ghostscript installation, bypassing the
+# "pstoraster" filter (therefore also bypassing the CUPS-raster-drivers
+# "rastertosomething", and hands the rasterized file directly to the CUPS
+# backend...
+#
+# cupsomatic is not made by the CUPS developers. It is an independent
+# contribution to printing development, made by people from
+# Linuxprinting.org. (see also http://www.cups.org/cups-help.html)
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+#########################################################################
+</pre><pre class="screen">
+#########################################################################
+#
+# And this is how it works for ESP PrintPro from 4.3:
+# ===================================================
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT
+# |
+# V
+# gsrip
+# | (= "postscipt interpreter")
+# V
+# APPLICATION/VND.CUPS-RASTER
+# |
+# V
+# rastertosomething (e.g. Gimp-Print filters may be plugged in here)
+# | (= "raster driver")
+# V
+# SOMETHING-DEVICE-SPECIFIC
+# |
+# V
+# backend
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+#########################################################################
+</pre><pre class="screen">
+#########################################################################
+#
+# This is how "cupsomatic" would come into play with ESP PrintPro:
+# ================================================================
+#
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+
+# | V
+# V cupsomatic
+# gsrip (constructs complicated
+# | (= "postscipt interpreter") Ghostscript commandline
+# | to let the file be
+# V processed by a
+# APPLICATION/VND.CUPS-RASTER "-sDEVICE=s.th."
+# | call...)
+# V |
+# rastertosomething V
+# | (= "raster driver") +-------------------------+
+# | | Ghostscript at work.... |
+# V | |
+# SOMETHING-DEVICE-SPECIFIC *-------------------------+
+# | |
+# V |
+# backend <------------------------------------+
+# |
+# V
+# THE PRINTER
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+#########################################################################
+</pre><pre class="screen">
+#########################################################################
+#
+# And this is how it works for CUPS from 1.1.15:
+# ==============================================
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT-----+
+# +------------------v------------------------------+
+# | Ghostscript |
+# | at work... |
+# | (with |
+# | "-sDEVICE=cups") |
+# | |
+# | (= "postscipt interpreter") |
+# | |
+# +------------------v------------------------------+
+# |
+# APPLICATION/VND.CUPS-RASTER >-------+
+# |
+# V
+# rastertosomething
+# | (= "raster driver")
+# V
+# SOMETHING-DEVICE-SPECIFIC
+# |
+# V
+# backend
+#
+#
+# NOTE: since version 1.1.15 CUPS "outsourced" the pstoraster process to
+# Ghostscript. GNU Ghostscript needs to be patched to handle the
+# CUPS requirement; ESP Ghostscript has this builtin. In any case,
+# "gs -h" needs to show up a "cups" device. pstoraster is now a
+# calling an appropriate "gs -sDEVICE=cups..." commandline to do
+# the job. It will output "application/vnd.cup-raster", which will
+# be finally processed by a CUPS raster driver "rastertosomething"
+# Note the difference to "cupsomatic", which will <span class="emphasis"><em>not</em></span> output
+# CUPS-raster, but a final version of the printfile, ready to be
+# sent to the printer. cupsomatic also doesn't use the "cups"
+# devicemode in Ghostscript, but one of the classical devicemodes....
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+#########################################################################
+</pre><pre class="screen">
+#########################################################################
+#
+# And this is how it works for CUPS from 1.1.15, with cupsomatic included:
+# ========================================================================
+#
+# SOMETHNG-FILEFORMAT
+# |
+# V
+# somethingtops
+# |
+# V
+# APPLICATION/POSTSCRIPT
+# |
+# V
+# pstops
+# |
+# V
+# APPLICATION/VND.CUPS-POSTSCRIPT-----+
+# +------------------v------------------------------+
+# | Ghostscript . Ghostscript at work.... |
+# | at work... . (with "-sDEVICE= |
+# | (with . s.th." |
+# | "-sDEVICE=cups") . |
+# | . |
+# | (CUPS standard) . (cupsomatic) |
+# | . |
+# | (= "postscript interpreter") |
+# | . |
+# +------------------v--------------v---------------+
+# | |
+# APPLICATION/VND.CUPS-RASTER >-------+ |
+# | |
+# V |
+# rastertosomething |
+# | (= "raster driver") |
+# V |
+# SOMETHING-DEVICE-SPECIFIC >------------------------+
+# |
+# V
+# backend
+#
+#
+# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to
+# CUPS and ESP PrintPro plug-in where rastertosomething is noted.
+#
+##########################################################################
+</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2964919"></a>Trouble Shooting Guidelines to fix typical Samba printing
+Problems</h3></div></div><div></div></div><p>
+This is a short description of how to debug printing problems
+with Samba. This describes how to debug problems with printing from
+a SMB client to a Samba server, not the other way around.
+</p><div class="variablelist"><dl><dt><span class="term">Win9x client can't install driver</span></dt><dd><p>For Win9x clients require the printer names to be 8
+chars (or "8 plus 3 chars suffix") max; otherwise the driver files
+won't get transferred when you want to download them from
+Samba.</p></dd><dt><span class="term">testparm</span></dt><dd><p>Run <b class="command">testparm</b>: It will tell you if
+<tt class="filename">smb.conf</tt> parameters are in the wrong
+section. Many people have had the "printer admin" parameter in the
+<i class="parameter"><tt>[printers]</tt></i> section and experienced
+problems. "testparm" will tell you if it sees
+this.</p></dd><dt><span class="term">"cupsaddsmb" keeps asking for a root password in a
+neverending loop</span></dt><dd><p>Have you <i class="parameter"><tt>security = user</tt></i>? Have
+you used <b class="command">smbpasswd</b> to give root a Samba account?
+You can do 2 things: open another terminal and execute
+<b class="command">smbpasswd -a root</b> to create the account, and
+continue with entering the password into the first terminal. Or break
+out of the loop by hitting ENTER twice (without trying to type a
+password).</p></dd><dt><span class="term">"cupsaddsmb" gives "No PPD file for printer..."
+message (but I swear there is one!)</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Have you enabled printer sharing on CUPS? This means:
+do you have a <i class="parameter"><tt><Location
+/printers>....</Location></tt></i> section in CUPS
+server's <tt class="filename">cupsd.conf</tt> which doesn't deny access to
+the host you run "cupsaddsmb" from? It <span class="emphasis"><em>could</em></span> be
+an issue if you use cupsaddsmb remotely, or if you use it with a
+<i class="parameter"><tt>-h</tt></i> parameter: <b class="command">cupsaddsmb -H
+sambaserver -h cupsserver -v printername</b>.
+</p></li><li><p>Is your
+"TempDir" directive in
+<span class="emphasis"><em>cupsd.conf</em></span>
+set to a valid value and is it writeable?
+</p></li></ul></div></dd><dt><span class="term">I can't connect client to Samba printer.</span></dt><dd><p>Use <b class="command">smbstatus</b> to check which user
+you are from Samba's point of view. Do you have the privileges to
+write into the <i class="parameter"><tt>[print$]</tt></i>
+share?</p></dd><dt><span class="term">I can't reconnect to Samba under a new account
+from Win2K/XP</span></dt><dd><p>Once you are connected as the "wrong" user (for
+example as "nobody", which often occurs if you have <i class="parameter"><tt>map to
+guest = bad user</tt></i>), Windows Explorer will not accept an
+attempt to connect again as a different user. There won't be any byte
+transfered on the wire to Samba, but still you'll see a stupid error
+message which makes you think that Samba has denied access. Use
+<b class="command">smbstatus</b> to check for active connections. Kill the
+PIDs. You still can't re-connect and get the dreaded
+<tt class="computeroutput">You can't connect with a second account from the same
+machine</tt> message, as soon as you are trying? And you
+don't see any single byte arriving at Samba (see logs; use "ethereal")
+indicating a renewed connection attempt? Shut all Explorer Windows.
+This makes Windows forget what it has cached in its memory as
+established connections. Then re-connect as the right user. Best
+method is to use a DOS terminal window and <span class="emphasis"><em>first</em></span>
+do <b class="command">net use z: \\SAMBAHOST\print$ /user:root</b>. Check
+with <b class="command">smbstatus</b> that you are connected under a
+different account. Now open the "Printers" folder (on the Samba server
+in the <span class="emphasis"><em>Network Neighbourhood</em></span>), right-click the
+printer in question and select
+<span class="emphasis"><em>Connect...</em></span></p></dd><dt><span class="term">Avoid being connected to the Samba server as the
+"wrong" user</span></dt><dd><p>You see per <b class="command">smbstatus</b> that you are
+connected as user "nobody"; while you wanted to be "root" or
+"printeradmin"? This is probably due to <i class="parameter"><tt>map to guest = bad
+user</tt></i>, which silently connects you under the guest account,
+when you gave (maybe by accident) an incorrect username. Remove
+<i class="parameter"><tt>map to guest</tt></i>, if you want to prevent
+this.</p></dd><dt><span class="term">Upgrading to CUPS drivers from Adobe drivers on
+NT/2K/XP clients gives problems</span></dt><dd><p>First delete all "old" Adobe-using printers. Then
+delete all "old" Adobe drivers. (On Win2K/XP, right-click in
+background of "Printers" folder, select "Server Properties...", select
+tab "Drivers" and delete here).</p></dd><dt><span class="term">I can't use "cupsaddsmb"on a Samba server which is
+a PDC</span></dt><dd><p>Do you use the "naked" root user name? Try to do it
+this way: <span class="emphasis"><em>cupsaddsmb -U DOMAINNAME\\root -v
+printername</em></span> (note the two backslashes: the first one is
+required to "escape" the second one).</p></dd><dt><span class="term">I deleted a printer on Win2K; but I still see
+its driver</span></dt><dd><p>Deleting a printer on the client won't delete the
+driver too (to verify, right-click on the white background of the
+"Printers" folder, select "Server Properties" and click on the
+"Drivers" tab). These same old drivers will be re-used when you try to
+install a printer with the same name. If you want to update to a new
+driver, delete the old ones first. Deletion is only possible if no
+other printer uses the same driver.</p></dd><dt><span class="term">Win2K/XP "Local Security
+Policies"</span></dt><dd><p><span class="emphasis"><em>Local Security Policies</em></span> may not
+allow the installation of unsigned drivers. "Local Security Policies"
+may not allow the installation of printer drivers at
+all.</p></dd><dt><span class="term">WinXP clients: "Administrator can not install
+printers for all local users"</span></dt><dd><p>Windows XP handles SMB printers on a "per-user" basis.
+This means every user needs to install the printer himself. To have a
+printer available for everybody, you might want to use the built-in
+IPP client capabilities of WinXP. Add a printer with the print path of
+<span class="emphasis"><em>http://cupsserver:631/printers/printername</em></span>.
+Still looking into this one: maybe a "logon script" could
+automatically install printers for all
+users.</p></dd><dt><span class="term">"Print Change Notify" functions on
+NT-clients</span></dt><dd><p>For "print change notify" functions on NT++ clients,
+these need to run the "Server" service first (re-named to
+<span class="emphasis"><em>File & Print Sharing for MS Networks</em></span> in
+XP).</p></dd><dt><span class="term">WinXP-SP1</span></dt><dd><p>WinXP-SP1 introduced a <span class="emphasis"><em>Point and Print
+Restriction Policy</em></span> (this restriction doesn't apply to
+"Administrator" or "Power User" groups of users). In Group Policy
+Object Editor: go to <span class="emphasis"><em>User Configuration -->
+Administrative Templates --> Control Panel -->
+Printers</em></span>. The policy is automatically set to
+<span class="emphasis"><em>Enabled</em></span> and the <span class="emphasis"><em>Users can only Point
+and Print to machines in their Forest</em></span> . You probably need
+to change it to <span class="emphasis"><em>Disabled</em></span> or <span class="emphasis"><em>Users can
+only Point and Print to these servers</em></span> in order to make
+driver downloads from Samba possible.</p></dd><dt><span class="term">I can't set and save default print options for all
+users on Win2K/XP</span></dt><dd><p>How are you doing it? I bet the wrong way (it is not
+very easy to find out, though). There are 3 different ways to bring
+you to a dialog that <span class="emphasis"><em>seems</em></span> to set everything. All
+three dialogs <span class="emphasis"><em>look</em></span> the same. Only one of them
+<span class="emphasis"><em>does</em></span> what you intend. You need to be
+Administrator or Print Administrator to do this for all users. Here
+is how I do in on XP:
+</p><div class="orderedlist"><ol type="A"><li><p>The first "wrong" way:
+
+</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span>
+folder.</p></li><li><p>Right-click on the printer
+(<span class="emphasis"><em>remoteprinter on cupshost</em></span>) and
+select in context menu <span class="emphasis"><em>Printing
+Preferences...</em></span></p></li><li><p>Look at this dialog closely and remember what it looks
+like.</p></li></ol></div><p>
+</p></li><li><p>The second "wrong" way:
+
+</p><div class="orderedlist"><ol type="1"><li><p>Open the <span class="emphasis"><em>Printers</em></span>
+folder.</p></li><li><p>Right-click on the printer (<span class="emphasis"><em>remoteprinter on
+cupshost</em></span>) and select in the context menu
+<span class="emphasis"><em>Properties</em></span></p></li><li><p>Click on the <span class="emphasis"><em>General</em></span>
+tab</p></li><li><p>Click on the button <span class="emphasis"><em>Printing
+Preferences...</em></span></p></li><li><p>A new dialog opens. Keep this dialog open and go back
+to the parent dialog.</p></li></ol></div><p>
+</p></li><li><p>The third, the "correct" way: (should you do
+this from the beginning, just carry out steps 1. and 2. from second
+"way" above)
+
+</p><div class="orderedlist"><ol type="1"><li><p>Click on the <span class="emphasis"><em>Advanced</em></span>
+tab. (Hmmm... if everything is "Grayed Out", then you are not logged
+in as a user with enough privileges).</p></li><li><p>Click on the <span class="emphasis"><em>Printing
+Defaults...</em></span> button.</p></li><li><p>On any of the two new tabs, click on the
+<span class="emphasis"><em>Advanced...</em></span>
+button.</p></li><li><p>A new dialog opens. Compare this one to the other,
+identical looking one from "B.5" or A.3".</p></li></ol></div><p>
+</p></li></ol></div><p>
+Do you see any difference? I don't either... However, only the last
+one, which you arrived at with steps "C.1.-6." will save any settings
+permanently and be the defaults for new users. If you want all clients
+to get the same defaults, you need to conduct these steps <span class="emphasis"><em>as
+Administrator</em></span> (<i class="parameter"><tt>printer admin</tt></i> in
+<tt class="filename">smb.conf</tt>) <span class="emphasis"><em>before</em></span> a client
+downloads the driver (the clients can later set their own
+<span class="emphasis"><em>per-user defaults</em></span> by following the
+procedures <span class="emphasis"><em>A.</em></span> or <span class="emphasis"><em>B.</em></span>
+above).</p></dd><dt><span class="term">What are the most common blunders in driver
+settings on Windows clients?</span></dt><dd><p>Don't use <span class="emphasis"><em>Optimize for
+Speed</em></span>: use <span class="emphasis"><em>Optimize for
+Portability</em></span> instead (Adobe PS Driver) Don't use
+<span class="emphasis"><em>Page Independence: No</em></span>: always
+settle with <span class="emphasis"><em>Page Independence:
+Yes</em></span> (Microsoft PS Driver and CUPS PS Driver for
+WinNT/2K/XP) If there are problems with fonts: use
+<span class="emphasis"><em>Download as Softfont into
+printer</em></span> (Adobe PS Driver). For
+<span class="emphasis"><em>TrueType Download Options</em></span>
+choose <span class="emphasis"><em>Outline</em></span>. Use PostScript
+Level 2, if you are having trouble with a non-PS printer, and if
+there is a choice.</p></dd><dt><span class="term">I can't make <b class="command">cupsaddsmb</b> work
+with newly installed printer</span></dt><dd><p>Symptom: the last command of
+<b class="command">cupsaddsmb</b> doesn't complete successfully:
+<b class="command">cmd = setdriver printername printername</b> result was
+NT_STATUS_UNSUCCESSFUL then possibly the printer was not yet
+"recognized" by Samba. Did it show up in <span class="emphasis"><em>Network
+Neighbourhood</em></span>? Did it show up in <b class="command">rpcclient
+hostname -c 'enumprinters'</b>? Restart smbd (or send a
+<b class="command">kill -HUP</b> to all processes listed by
+<b class="command">smbstatus</b> and try
+again.</p></dd><dt><span class="term">My permissions on
+<tt class="filename">/var/spool/samba/</tt> get reset after each
+reboot</span></dt><dd><p>Have you by accident set the CUPS spool directory to
+the same location? (<i class="parameter"><tt>RequestRoot
+/var/spool/samba/</tt></i> in <tt class="filename">cupsd.conf</tt> or
+the other way round: <tt class="filename">/var/spool/cups/</tt> is set as
+<i class="parameter"><tt>path</tt></i> in the <i class="parameter"><tt>[printers]</tt></i>
+section). These <span class="emphasis"><em>must</em></span> be different. Set
+<i class="parameter"><tt>RequestRoot /var/spool/cups/</tt></i> in
+<tt class="filename">cupsd.conf</tt> and <i class="parameter"><tt>path =
+/var/spool/samba</tt></i> in the <i class="parameter"><tt>[printers]</tt></i>
+section of <tt class="filename">smb.conf</tt>. Otherwise cupsd will
+sanitize permissions to its spool directory with each restart, and
+printing will not work reliably.</p></dd><dt><span class="term">My printers work fine: just the printer named "lp"
+intermittently swallows jobs and spits out completely different
+ones</span></dt><dd><p>It is a very bad idea to name any printer "lp". This
+is the traditional Unix name for the default printer. CUPS may be set
+up to do an automatic creation of "Implicit Classes". This means, to
+group all printers with the same name to a pool of devices, and
+loadbalancing the jobs across them in a round-robin fashion. Chances
+are high that someone else has an "lp" named printer too. You may
+receive his jobs and send your own to his device unwittingly. To have
+tight control over the printer names, set <i class="parameter"><tt>BrowseShortNames
+No</tt></i>. It will present any printer as "printername@cupshost"
+then, giving you a better control over what may happen in a large
+networked environment.</p></dd><dt><span class="term">How do I "watch" my Samba server?</span></dt><dd><p>You can use <b class="command">tail -f
+/var/log/samba/log.smbd</b> (you may need a different path) to
+see a live scrolling of all log messages. <b class="command">smbcontrol smbd
+debuglevel</b> tells you which verbosity goes into the
+logs. <b class="command">smbcontrol smbd debug 3</b> sets the verbosity to
+a quite high level (you can choose from 0 to 10 or 100). This works
+"on the fly", without the need to restart the smbd daemon. Don't use
+more than 3 initially; or you'll drown in an ocean of
+messages.</p></dd><dt><span class="term">I can't use Samba from my WinXP Home box, while
+access from WinXP Prof works flawlessly</span></dt><dd><p>You have our condolences! WinXP home has been
+completely neutered by Microsoft as compared to WinXP Prof: you can
+not log into a WinNT domain. It cannot join a Win NT domain as a
+member server. While it is possible to access domain resources, users
+don't have "single sign-on". They need to supply username and password
+each time they connect to a resource. Logon scripts and roaming
+profiles are not supported. It can serve file and print shares; but
+only in "share-mode security" level. It can not use "user-mode
+security" (what Windows 95/98/ME still can
+do).</p></dd><dt><span class="term">Where do I find the Adobe PostScript driver files
+I need for "cupsaddsmb"?</span></dt><dd><p>Use <b class="command">smbclient</b> to connect to any
+Windows box with a shared PostScript printer: <b class="command">smbclient
+//windowsbox/print\$ -U guest</b>. You can navigate to the
+<tt class="filename">W32X86/2</tt> subdir to <b class="command">mget ADOBE*</b>
+and other files or to <tt class="filename">WIN40/0</tt> to do the same. --
+Another option is to download the <tt class="filename">*.exe</tt> packaged
+files from the Adobe website.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2966041"></a>An Overview of the CUPS Printing Processes</h3></div></div><div></div></div><p>
+</p><div class="figure"><a name="id2966052"></a><p class="title"><b>Figure 19.15. CUPS Printing Overview</b></p><div class="mediaobject"><img src="projdoc/imagefiles/a_small.png" alt="CUPS Printing Overview"></div></div><p>
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="VFS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Classical Printing Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Stackable VFS modules</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. MS Windows Network Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. MS Windows Network Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ClientConfig"></a>Chapter 9. MS Windows Network Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2901966"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="StandAloneServer.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Stand-Alone Servers </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 40. DNS and DHCP Configuration Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="speed.html" title="Chapter 39. Samba Performance Tuning"><link rel="next" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 40. DNS and DHCP Configuration Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DNSDHCP"></a>Chapter 40. DNS and DHCP Configuration Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018605"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Further-Resources.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 39. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 41. Further Resources</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Fast Start for the Impatient</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="install.html" title="Chapter 2. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Fast Start for the Impatient</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 3. Fast Start for the Impatient</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886744"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 41. Further Resources</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide"><link rel="next" href="ix01.html" title="Index"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 41. Further Resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Further-Resources"></a>Chapter 41. Further Resources</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">May 1, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3018765"></a>Websites</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <a href="http://hr.uoregon.edu/davidrl/cifs.txt" target="_top">
+ <span class="emphasis"><em>CIFS: Common Insecurities Fail Scrutiny</em></span> by "Hobbit"</a>
+ </p></li><li><p>
+ <a href="http://afr.com/it/2002/10/01/FFXDF43AP6D.html" target="_top">
+ <span class="emphasis"><em>Doing the Samba on Windows</em></span> by Financial Review
+ </a>
+ </p></li><li><p>
+ <a href="http://ubiqx.org/cifs/" target="_top">
+ <span class="emphasis"><em>Implementing CIFS</em></span> by Christopher R. Hertel
+ </a>
+ </p></li><li><p>
+ <a href="http://samba.anu.edu.au/cifs/docs/what-is-smb.html" target="_top">
+ <span class="emphasis"><em>Just What Is SMB?</em></span> by Richard Sharpe
+ </a>
+ </p></li><li><p>
+ <a href="http://www.linux-mag.com/1999-05/samba_01.html" target="_top">
+ <span class="emphasis"><em>Opening Windows Everywhere</em></span> by Mike Warfield
+ </a>
+ </p></li><li><p>
+ <a href="http://www.tldp.org/HOWTO/SMB-HOWTO.html" target="_top">
+ <span class="emphasis"><em>SMB HOWTO</em></span> by David Wood
+ </a>
+ </p></li><li><p>
+ <a href="http://www.phrack.org/phrack/60/p60-0x0b.txt" target="_top">
+ <span class="emphasis"><em>SMB/CIFS by The Root</em></span> by "ledin"
+ </a>
+ </p></li><li><p>
+ <a href="http://www.linux-mag.com/1999-09/samba_01.html" target="_top">
+ <span class="emphasis"><em>The Story of Samba</em></span> by Christopher R. Hertel
+ </a>
+ </p></li><li><p>
+ <a href="http://hr.uoregon.edu/davidrl/samba/" target="_top">
+ <span class="emphasis"><em>The Unofficial Samba HOWTO</em></span> by David Lechnyr
+ </a>
+ </p></li><li><p>
+ <a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
+ <span class="emphasis"><em>Understanding the Network Neighborhood</em></span> by Christopher R. Hertel
+ </a>
+ </p></li><li><p>
+ <a href="http://www.linux-mag.com/2002-02/samba_01.html" target="_top">
+ <span class="emphasis"><em>Using Samba as a PDC</em></span> by Andrew Bartlett
+ </a>
+ </p></li><li><p>
+ <a href="http://ru.samba.org/samba/ftp/docs/Samba24Hc13.pdf" target="_top">
+ <span class="emphasis"><em>PDF version of the Troubleshooting Techniques chapter</em></span>
+ from the second edition of Sam's Teach Yourself Samba in 24 Hours
+ (publishing date of Dec. 12, 2001)</a>
+ </p></li><li><p>
+ <a href="http://ru.samba.org/samba/ftp/slides/" target="_top">
+ <span class="emphasis"><em>Slide presentations</em></span> by Samba Team members
+ </a>
+ </p></li><li><p>
+ <a href="http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html" target="_top">
+ <span class="emphasis"><em>Introduction to Samba 3.0</em></span> by Motonobu Takahashi
+ (written in Japanese). </a>
+ </p></li><li><p>
+ <a href="http://www.linux-mag.com/2001-05/smb_01.html" target="_top">
+ <span class="emphasis"><em>Understanding the Network Neighborhood</em></span>, by team member
+ Chris Hertel. This article appeared in the May 2001 issue of
+ Linux Magazine.
+ </a>
+ </p></li><li><p>
+ <a href="ftp://ftp.stratus.com/pub/vos/customers/samba/" target="_top">
+ <span class="emphasis"><em>Samba 2.0.x Troubleshooting guide</em></span> from Paul Green
+ </a>
+ </p></li><li><p>
+ <a href="http://samba.org/samba/docs/10years.html" target="_top">
+ <span class="emphasis"><em>Ten Years of Samba</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html" target="_top">
+ <span class="emphasis"><em>Samba Authenticated Gateway HOWTO</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://samba.org/samba/docs/SambaIntro.html" target="_top">
+ <span class="emphasis"><em>An Introduction to Samba</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://www.samba.org/cifs/" target="_top">
+ <span class="emphasis"><em>What is CIFS?</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
+ <span class="emphasis"><em>WFWG: Password Caching and How It Affects LAN Manager
+ Security</em></span> at Microsoft Knowledge Base
+ </a>
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020416"></a>Related updates from Microsoft</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <a href="http://support.microsoft.com/support/kb/articles/q92/5/88.asp" target="_top">
+ <span class="emphasis"><em>Enhanced Encryption for Windows 95 Password Cache</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
+ <span class="emphasis"><em>Windows '95 File Sharing Updates</em></span>
+ </a>
+ </p></li><li><p>
+ <a href="http://support.microsoft.com/support/kb/articles/q136/4/18.asp" target="_top">
+ <span class="emphasis"><em>Windows for Workgroups Sharing Updates</em></span>
+ </a>
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3020431"></a>Books</h2></div></div><div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="DNSDHCP.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ix01.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 40. DNS and DHCP Configuration Guide </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Index</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Interdomain Trust Relationships</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="securing-samba.html" title="Chapter 15. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 16. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:mimir@samba.org">mimir@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></div><p>
+Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
+will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
+adopt Active Directory or an LDAP based authentication back end. This section explains
+some background information regarding trust relationships and how to create them. It is now
+possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933376"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
+trust relationships. This imparts to Samba similar scalability as is possible with
+MS Windows NT4.
+</p><p>
+Given that Samba-3 has the capability to function with a scalable backend authentication
+database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
+modes, the administrator would be well advised to consider alternatives to the use of
+Interdomain trusts simply because by the very nature of how this works it is fragile.
+That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933404"></a>Trust Relationship Background</h2></div></div><div></div></div><p>
+MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
+The limitations of this architecture as it affects the scalability of MS Windows networking
+in large organisations is well known. Additionally, the flat-name space that results from
+this design significantly impacts the delegation of administrative responsibilities in
+large and diverse organisations.
+</p><p>
+Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
+of circumventing the limitations of the older technologies. Not every organisation is ready
+or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
+is quite adequate, there thus remains an entrenched user base for whom there is no direct
+desire to go through a disruptive change to adopt ADS.
+</p><p>
+Microsoft introduced with MS Windows NT the ability to allow differing security domains
+to affect a mechanism so that users from one domain may be given access rights and privileges
+in another domain. The language that describes this capability is couched in terms of
+<span class="emphasis"><em>Trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
+from another domain. The domain from which users are available to another security domain is
+said to be a trusted domain. The domain in which those users have assigned rights and privileges
+is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
+thus if users in both domains are to have privileges and rights in each others' domain, then it is
+necessary to establish two (2) relationships, one in each direction.
+</p><p>
+In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
+are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
+relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
+implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
+transitive.
+</p><p>
+New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
+by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
+domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
+an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
+style Interdomain trusts and interoperates with MS Windows 200x ADS
+security domains in similar manner to MS Windows NT4 style domains.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933488"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div><div></div></div><p>
+There are two steps to creating an interdomain trust relationship.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933501"></a>NT4 as the Trusting Domain (ie. creating the trusted account)</h3></div></div><div></div></div><p>
+For MS Windows NT4, all domain trust relationships are configured using the
+<span class="application">Domain User Manager</span>. To affect a two way trust relationship it is
+necessary for each domain administrator to make available (for use by an external domain) it's
+security resources. This is done from the Domain User Manager Policies entry on the menu bar.
+From the <span class="guimenu">Policy</span> menu, select <span class="guimenuitem">Trust Relationships</span>, then
+next to the lower box that is labelled <span class="guilabel">Permitted to Trust this Domain</span> are two
+buttons, <span class="guibutton">Add</span> and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span>
+button will open a panel in which needs to be entered the remote domain that will be able to assign
+user rights to your domain. In addition it is necessary to enter a password
+that is specific to this trust relationship. The password needs to be
+typed twice (for standard confirmation).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933586"></a>NT4 as the Trusted Domain (ie. creating trusted account's password)</h3></div></div><div></div></div><p>
+A trust relationship will work only when the other (trusting) domain makes the appropriate connections
+with the trusted domain. To consummate the trust relationship the administrator will launch the
+Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
+<span class="guibutton">Add</span> button that is next to the box that is labelled
+<span class="guilabel">Trusted Domains</span>. A panel will open in which must be entered the name of the remote
+domain as well as the password assigned to that trust.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933622"></a>Configuring Samba NT-style Domain Trusts</h2></div></div><div></div></div><p>
+This description is meant to be a fairly short introduction about how to set up a Samba server so
+that it could participate in interdomain trust relationships. Trust relationship support in Samba
+is in its early stage, so lot of things don't work yet.
+</p><p>
+Each of the procedures described below is treated as they were performed with Windows NT4 Server on
+one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
+reading this document, that combining Samba-specific parts of what's written below leads to trust
+between domains in purely Samba environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933649"></a>Samba-3 as the Trusting Domain</h3></div></div><div></div></div><p>
+In order to set the Samba PDC to be the trusted party of the relationship first you need
+to create special account for the domain that will be the trusting party. To do that,
+you can use the 'smbpasswd' utility. Creating the trusted domain account is very
+similar to creating a trusted machine account. Suppose, your domain is
+called SAMBA, and the remote domain is called RUMBA. The first step
+will be to issue this command from your favourite shell:
+</p><p>
+</p><pre class="screen">
+<tt class="prompt">root# </tt> <b class="userinput"><tt>smbpasswd -a -i rumba</tt></b>
+ New SMB password: XXXXXXXX
+ Retype SMB password: XXXXXXXX
+ Added user rumba$
+</pre><p>
+
+where <tt class="option">-a</tt> means to add a new account into the
+passdb database and <tt class="option">-i</tt> means: ''create this
+account with the InterDomain trust flag''
+</p><p>
+The account name will be 'rumba$' (the name of the remote domain)
+</p><p>
+After issuing this command you'll be asked to enter the password for
+the account. You can use any password you want, but be aware that Windows NT will
+not change this password until 7 days following account creation.
+After the command returns successfully, you can look at the entry for the new account
+(in the standard way depending on your configuration) and see that account's name is
+really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
+the trust by establishing it from Windows NT Server.
+</p><p>
+Open <span class="application">User Manager for Domains</span> and from menu
+<span class="guimenu">Policies</span> select <span class="guimenuitem">Trust Relationships...</span>.
+Right beside <span class="guilabel">Trusted domains</span> list box press the
+<span class="guimenu">Add...</span> button. You will be prompted for
+the trusted domain name and the relationship password. Type in SAMBA, as this is
+your domain name, and the password used at the time of account creation.
+Press OK and, if everything went without incident, you will see
+<tt class="computeroutput">Trusted domain relationship successfully
+established</tt> message.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933790"></a>Samba-3 as the Trusted Domain</h3></div></div><div></div></div><p>
+This time activities are somewhat reversed. Again, we'll assume that your domain
+controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
+</p><p>
+The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.
+</p><p>
+Launch the <span class="application">Domain User Manager</span>, then from the menu select
+<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
+Now, next to <span class="guilabel">Trusted Domains</span> box press the <span class="guibutton">Add</span>
+button, and type in the name of the trusted domain (SAMBA) and password securing
+the relationship.
+</p><p>
+The password can be arbitrarily chosen. It is easy to change the password
+from the Samba server whenever you want. After confirming the password your account is
+ready for use. Now it's Samba's turn.
+</p><p>
+Using your favourite shell while being logged in as root, issue this command:
+</p><p>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc trustdom establish rumba</tt></b>
+</p><p>
+You will be prompted for the password you just typed on your Windows NT4 Server box.
+Do not worry if you see an error message that mentions a returned code of
+<span class="errorname">NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</span>. It means the
+password you gave is correct and the NT4 Server says the account is
+ready for interdomain connection and not for ordinary
+connection. After that, be patient it can take a while (especially
+in large networks), you should see the <tt class="computeroutput">Success</tt> message.
+Congratulations! Your trust relationship has just been established.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Note that you have to run this command as root because you must have write access to
+the <tt class="filename">secrets.tdb</tt> file.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2933922"></a>Common Errors</h2></div></div><div></div></div><p>
+Interdomain trust relationships should NOT be attempted on networks that are unstable
+or that suffer regular outages. Network stability and integrity are key concerns with
+distributed trusted domains.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2933937"></a>Tell me about Trust Relationships using Samba</h3></div></div><div></div></div><p>
+ Like many, I administer multiple LANs connected together using NT trust
+ relationships. This was implemented about 4 years ago. I now have the
+ occasion to consider performing this same task again, but this time, I
+ would like to implement it solely through samba - no Microsoft PDCs
+ anywhere.
+ </p><p>
+ I have read documentation on samba.org regarding NT-style trust
+ relationships and am now wondering, can I do what I want to? I already
+ have successfully implemented 2 samba servers, but they are not PDCs.
+ They merely act as file servers. I seem to remember, and it appears to
+ be true (according to samba.org) that trust relationships are a
+ challenge.
+ </p><p>
+ Please provide any helpful feedback that you may have.
+ </p><p>
+ These are almost complete in Samba 3.0 snapshots. The main catch
+ is getting winbindd to be able to allocate UID/GIDs for trusted
+ users/groups. See the updated Samba HOWTO collection for more
+ details.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 17. Hosting a Microsoft Distributed File System tree on Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. Introduction to Samba</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="previous" href="introduction.html" title="Part I. General Installation"><link rel="next" href="install.html" title="Chapter 2. How to Install and Test SAMBA"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction to Samba</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="IntroSMB"></a>Chapter 1. Introduction to Samba</h2></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Lechnyr</span></h3><div class="affiliation"><span class="orgname">Unofficial HOWTO<br></span><div class="address"><p><tt class="email"><<a href="mailto:david@lechnyr.com">david@lechnyr.com</a>></tt></p></div></div></div></div><div><p class="pubdate">April 14, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></div><p>“<span class="quote">
+"If you understand what you're doing, you're not learning anything."
+-- Anonymous
+</span>”</p><p>
+Samba is a file and print server for Windows-based clients using TCP/IP as the underlying
+transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big
+strengths is that you can use it to blend your mix of Windows and Linux machines together
+without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed
+by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885613"></a>Background</h2></div></div><div></div></div><p>
+Once long ago, there was a buzzword referred to as DCE/RPC. This stood for Distributed
+Computing Environment/Remote Procedure Calls and conceptually was a good idea. It was
+originally developed by Apollo/HP as NCA 1.0 (Network Computing Architecture) and only
+ran over UDP. When there was a need to run it over TCP so that it would be compatible
+with DECnet 3.0, it was redesigned, submitted to The Open Group, and officially became
+known as DCE/RPC. Microsoft came along and decided, rather than pay $20 per seat to
+license this technology, to reimplement DCE/RPC themselves as MSRPC. From this, the
+concept continued in the form of SMB (Server Message Block, or the "what") using the
+NetBIOS (Network Basic Input/Output System, or the "how") compatibility layer. You can
+run SMB (i.e., transport) over several different protocols; many different implementations
+arose as a result, including NBIPX (NetBIOS over IPX, NwLnkNb, or NWNBLink) and NBT
+(NetBIOS over TCP/IP, or NetBT). As the years passed, NBT became the most common form
+of implementation until the advance of "Direct-Hosted TCP" -- the Microsoft marketing
+term for eliminating NetBIOS entirely and running SMB by itself across TCP port 445
+only. As of yet, direct-hosted TCP has yet to catch on.
+</p><p>
+Perhaps the best summary of the origins of SMB are voiced in the 1997 article titled, CIFS:
+Common Insecurities Fail Scrutiny:
+</p><p><span class="emphasis"><em>
+Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba
+stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have
+been dutifully waded through during the information-gathering stages of this project, and there
+are *still* many missing pieces... While often tedious, at least the way has been generously
+littered with occurrences of clapping hand to forehead and muttering 'crikey, what are they
+thinking?
+</em></span></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885824"></a>Terminology</h2></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ SMB: Acronym for "Server Message Block". This is Microsoft's file and printer sharing protocol.
+ </p></li><li><p>
+ CIFS: Acronym for "Common Internet File System". Around 1996, Microsoft apparently
+ decided that SMB needed the word "Internet" in it, so they changed it to CIFS.
+ </p></li><li><p>
+ Direct-Hosted: A method of providing file/printer sharing services over port 445/tcp
+ only using DNS for name resolution instead of WINS.
+ </p></li><li><p>
+ IPC: Acronym for "Inter-Process Communication". A method to communicate specific
+ information between programs.
+ </p></li><li><p>
+ Marshalling: - A method of serializing (i.e., sequential ordering of) variable data
+ suitable for transmission via a network connection or storing in a file. The source
+ data can be re-created using a similar process called unmarshalling.
+ </p></li><li><p>
+ NetBIOS: Acronym for "Network Basic Input/Output System". This is not a protocol;
+ it is a method of communication across an existing protocol. This is a standard which
+ was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit,
+ it can help to think of this in comparison your computer's BIOS -- it controls the
+ essential functions of your input/output hardware -- whereas NetBIOS controls the
+ essential functions of your input/output traffic via the network. Again, this is a bit
+ of an exaggeration but it should help that paradigm shift. What is important to realize
+ is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically
+ brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second
+ thought; this will cause no end (and no doubt) of confusion.
+ </p></li><li><p>
+ NetBEUI: Acronym for the "NetBIOS Extended User Interface". Unlike NetBIOS, NetBEUI
+ is a protocol, not a standard. It is also not routable, so traffic on one side of a
+ router will be unable to communicate with the other side. Understanding NetBEUI is
+ not essential to deciphering SMB; however it helps to point out that it is not the
+ same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally
+ referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver".
+ It is not often heard from these days.
+ </p></li><li><p>
+ NBT: Acronym for "NetBIOS over TCP"; also known as "NetBT". Allows the continued use
+ of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made
+ to IP addresses and NetBIOS name types are conceptually equivalent to TCP/IP ports.
+ This is how file and printer sharing are accomplished in Windows 95/98/ME. They
+ traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137,
+ NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service
+ (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts,
+ and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002
+ (Detailed specifications).
+ </p></li><li><p>
+ W2K: Acronym for Windows 2000 Professional or Server
+ </p></li><li><p>
+ W3K: Acronym for Windows 2003 Server
+ </p></li></ul></div><p>If you plan on getting help, make sure to subscribe to the Samba Mailing List (available at
+<a href="http://www.samba.org/" target="_top">http://www.samba.org</a>).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2885978"></a>Related Projects</h2></div></div><div></div></div><p>
+There are currently two network filesystem client projects for Linux that are directly
+related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ SMBFS (Server Message Block File System) allows you to mount SMB shares (the protocol
+ that Microsoft Windows and OS/2 Lan Manager use to share files and printers
+ over local networks) and access them just like any other Unix directory. This is useful
+ if you just want to mount such filesystems without being a SMBFS server.
+ </p></li><li><p>
+ CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
+ is being actively developed for the upcoming version of the Linux kernel. The intent of this module
+ is to provide advanced network file system functionality including support for dfs (hierarchical
+ name space), secure per-user session establishment, safe distributed caching (oplock),
+ optional packet signing, Unicode and other internationalization improvements, and optional
+ Winbind (nsswitch) integration.
+ </p></li></ul></div><p>
+Again, it's important to note that these are implementations for client filesystems, and have
+nothing to do with acting as a file and print server for SMB/CIFS clients.
+</p><p>
+There are other Open Source CIFS client implementations, such as the
+<a href="http://jcifs.samba.org/" target="_top">jCIFS project</a>
+which provides an SMB client toolkit written in Java.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886047"></a>SMB Methodology</h2></div></div><div></div></div><p>
+Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns),
+UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS
+session service, or netbios-ssn). Anyone looking at their network with a good
+packet sniffer will be amazed at the amount of traffic generated by just opening
+up a single file. In general, SMB sessions are established in the following order:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ "TCP Connection" - establish 3-way handshake (connection) to port 139/tcp
+ or 445/tcp.
+ </p></li><li><p>
+ "NetBIOS Session Request" - using the following "Calling Names": The local
+ machine's NetBIOS name plus the 16th character 0x00; The server's NetBIOS
+ name plus the 16th character 0x20
+ </p></li><li><p>
+ "SMB Negotiate Protocol" - determine the protocol dialect to use, which will
+ be one of the following: PC Network Program 1.0 (Core) - share level security
+ mode only; Microsoft Networks 1.03 (Core Plus) - share level security
+ mode only; Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response
+ Authentication; Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response
+ Authentication; NT LM 0.12 (NT LM 0.12) - uses Challenge/Response
+ Authentication
+ </p></li><li><p>
+ SMB Session Startup. Passwords are encrypted (or not) according to one of
+ the following methods: Null (no encryption); Cleartext (no encryption); LM
+ and NTLM; NTLM; NTLMv2
+ </p></li><li><p>
+ SMB Tree Connect: Connect to a share name (e.g., \\servername\share); Connect
+ to a service type (e.g., IPC$ named pipe)
+ </p></li></ul></div><p>
+A good way to examine this process in depth is to try out
+<a href="http://www.securityfriday.com/ToolDownload/SWB/swb_doc.html" target="_top">SecurityFriday's SWB program</a>.
+It allows you to walk through the establishment of a SMB/CIFS session step by step.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886135"></a>Epilogue</h2></div></div><div></div></div><p>“<span class="quote">
+What's fundamentally wrong is that nobody ever had any taste when they
+did it. Microsoft has been very much into making the user interface look good,
+but internally it's just a complete mess. And even people who program for Microsoft
+and who have had years of experience, just don't know how it works internally.
+Worse, nobody dares change it. Nobody dares to fix bugs because it's such a
+mess that fixing one bug might just break a hundred programs that depend on
+that bug. And Microsoft isn't interested in anyone fixing bugs -- they're interested
+in making money. They don't have anybody who takes pride in Windows 95 as an
+operating system.
+</span>”</p><p>“<span class="quote">
+People inside Microsoft know it's a bad operating system and they still
+continue obviously working on it because they want to get the next version out
+because they want to have all these new features to sell more copies of the
+system.
+</span>”</p><p>“<span class="quote">
+The problem with that is that over time, when you have this kind of approach,
+and because nobody understands it, because nobody REALLY fixes bugs (other than
+when they're really obvious), the end result is really messy. You can't trust
+it because under certain circumstances it just spontaneously reboots or just
+halts in the middle of something that shouldn't be strange. Normally it works
+fine and then once in a blue moon for some completely unknown reason, it's dead,
+and nobody knows why. Not Microsoft, not the experienced user and certainly
+not the completely clueless user who probably sits there shivering thinking
+"What did I do wrong?" when they didn't do anything wrong at all.
+</span>”</p><p>“<span class="quote">
+That's what's really irritating to me."
+</span>”</p><p>--
+<a href="http://hr.uoregon.edu/davidrl/boot.txt" target="_top">Linus Torvalds, from an interview with BOOT Magazine, Sept 1998</a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886209"></a>Miscellaneous</h2></div></div><div></div></div><p>
+This chapter is Copyright 2003 David Lechnyr (david at lechnyr dot com).
+Permission is granted to copy, distribute and/or modify this document under the terms
+of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
+Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="introduction.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="install.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. General Installation </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. How to Install and Test SAMBA</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></div><p>
+This is a rough guide to assist those wishing to migrate from NT4 domain control to
+Samba-3 based domain control.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001339"></a>Planning and Getting Started</h2></div></div><div></div></div><p>
+In the IT world there is often a saying that all problems are encountered because of
+poor planning. The corollary to this saying is that not all problems can be anticipated
+and planned for. Then again, good planning will anticipate most show stopper type situations.
+</p><p>
+Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
+environment would do well to develop a detailed migration plan. So here are a few pointers to
+help migration get under way.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3001368"></a>Objectives</h3></div></div><div></div></div><p>
+The key objective for most organisations will be to make the migration from MS Windows NT4
+to Samba-3 domain control as painless as possible. One of the challenges you may experience
+in your migration process may well be one of convincing management that the new environment
+should remain in place. Many who have introduced open source technologies have experienced
+pressure to return to a Microsoft based platform solution at the first sign of trouble.
+</p><p>
+It is strongly advised that before attempting a migration to a Samba-3 controlled network
+that every possible effort be made to gain all-round commitment to the change. Firstly, you
+should know precisely <span class="emphasis"><em>why</em></span> the change is important for the organisation.
+Possible motivations to make a change include:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Improve network manageability</td></tr><tr><td>Obtain better user level functionality</td></tr><tr><td>Reduce network operating costs</td></tr><tr><td>Reduce exposure caused by Microsoft withdrawal of NT4 support</td></tr><tr><td>Avoid MS License 6 implications</td></tr><tr><td>Reduce organisation's dependency on Microsoft</td></tr></table><p>
+It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
+an alternative solution that is both different from MS Windows NT4 and that offers some
+advantages compared with it. It should also be recognised that Samba-3 lacks many of the
+features that Microsoft has promoted as core values in migration from MS Windows NT4 to
+MS Windows 2000 and beyond (with or without Active Directory services).
+</p><p>
+What are the features that Samba-3 can NOT provide?
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Server</td></tr><tr><td>Group Policy Objects (in Active Directory)</td></tr><tr><td>Machine Policy objects</td></tr><tr><td>Logon Scripts in Active Directory</td></tr><tr><td>Software Application and Access Controls in Active Directory</td></tr></table><p>
+The features that Samba-3 DOES provide and that may be of compelling interest to your site
+includes:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Lower Cost of Ownership</td></tr><tr><td>Global availability of support with no strings attached</td></tr><tr><td>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</td></tr><tr><td>Creation of on-the-fly logon scripts</td></tr><tr><td>Creation of on-the-fly Policy Files</td></tr><tr><td>Greater Stability, Reliability, Performance and Availability</td></tr><tr><td>Manageability via an ssh connection</td></tr><tr><td>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</td></tr><tr><td>Ability to implement a full single-sign-on architecture</td></tr><tr><td>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</td></tr></table><p>
+Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
+considered. Users should be educated about changes they may experience so that the change will be a
+welcome one and not become an obstacle to the work they need to do. The following are some of the
+factors that will go into a successful migration:
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002882"></a>Domain Layout</h4></div></div><div></div></div><p>
+Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
+a secondary controller), a domain member, or as a stand-alone server. The Windows network security
+domain context should be sized and scoped before implementation. Particular attention needs to be
+paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
+It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
+chooses to use an LDAP authentication backend then the same database can be used by several different
+domains. This means that in a complex organisation there can be a single LDAP database, that itself
+can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
+</p><p>
+It is recommended that from a design perspective, the number of users per server, as well as the number
+of servers, per domain should be scaled according to needs and should also consider server capacity
+and network bandwidth.
+</p><p>
+A physical network segment may house several domains, each of which may span multiple network segments.
+Where domains span routed network segments it is most advisable to consider and test the performance
+implications of the design and layout of a network. A Centrally located domain controller that is being
+designed to serve multiple routed network segments may result in severe performance problems if the
+response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
+where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
+the local authentication and access control server.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002935"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p>
+There are few cardinal rules to effective network design that can be broken with impunity.
+The most important rule of effective network management is that simplicity is king in every
+well controlled network. Every part of the infrastructure must be managed, the more complex
+it is, the greater will be the demand of keeping systems secure and functional.
+</p><p>
+The nature of the data that must be stored needs to be born in mind when deciding how many
+shares must be created. The physical disk space layout should also be taken into account
+when designing where share points will be created. Keep in mind that all data needs to be
+backed up, thus the simpler the disk layout the easier it will be to keep track of what must
+be backed up to tape or other off-line storage medium. Always plan and implement for minimum
+maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
+Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
+</p><p>
+Users should be grouped according to data access control needs. File and directory access
+is best controlled via group permissions and the use of the "sticky bit" on group controlled
+directories may substantially avoid file access complaints from samba share users.
+</p><p>
+Many network administrators who are new to the game will attempt to use elaborate techniques
+to set access controls, on files, directories, shares, as well as in share definitions.
+There is the ever present danger that that administrator's successor will not understand the
+complex mess that has been inherited. Remember, apparent job security through complex design
+and implementation may ultimately cause loss of operations and downtime to users as the new
+administrator learns to untangle your web. Keep access controls simple and effective and
+make sure that users will never be interrupted by the stupidity of complexity.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3002997"></a>Logon Scripts</h4></div></div><div></div></div><p>
+Please refer to the section of this document on Advanced Network Administration for information
+regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
+all users gain share and printer connections they need.
+</p><p>
+Logon scripts can be created on-the-fly so that all commands executed are specific to the
+rights and privileges granted to the user. The preferred controls should be affected through
+group membership so that group information can be used to custom create a logon script using
+the <i class="parameter"><tt>root preexec</tt></i> parameters to the <tt class="filename">NETLOGON</tt> share.
+</p><p>
+Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled
+user environment. In any case you may wish to do a google search for logon script process controls.
+In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
+deals with how to add printers without user intervention via the logon script process.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3003055"></a>Profile Migration/Creation</h4></div></div><div></div></div><p>
+User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
+Management.
+</p><p>
+Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows
+the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
+to be changed to the SID of the Samba-3 domain.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id3004018"></a>User and Group Accounts</h4></div></div><div></div></div><p>
+It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
+attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
+groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to connect these to
+suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
+should migrate painlessly.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004043"></a>Steps In Migration Process</h3></div></div><div></div></div><p>
+The approximate migration process is described below.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+</p></li><li><p>
+Samba-3 set up as a DC with netlogon share, profile share, etc.
+</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>rpcclient <i class="replaceable"><tt>NT4PDC</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>lsaquery</p></li><li><p>Note the SID returned</p></li></ol></li><li><p><b class="userinput"><tt>net getsid -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p><ol type="a"><li><p>Note the SID</p></li></ol></li><li><p><b class="userinput"><tt>net getlocalsid</tt></b></p><ol type="a"><li><p>Note the SID, now check that all three SIDS reported are the same!</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p><b class="userinput"><tt>initGrps.sh <i class="replaceable"><tt>DOMNAME</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -Lv</tt></b></p><ol type="a"><li><p>Note - check that all group membership has been migrated</p></li></ol></li></ol></div><p>
+Now it is time to migrate all the profiles, then migrate all policy files.
+More later.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3004381"></a>Migration Options</h2></div></div><div></div></div><p>
+Based on feedback from many sites as well as from actual installation and maintenance
+experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
+based solution fit into three basic categories.
+</p><div class="table"><a name="id3004398"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col><col></colgroup><thead><tr><th>Number of Users</th><th>Description</th></tr></thead><tbody><tr><td>< 50</td><td><p>Want simple conversion with NO pain</p></td></tr><tr><td>50 - 250</td><td><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td>> 250</td><td><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004462"></a>Planning for Success</h3></div></div><div></div></div><p>
+There are three basic choices for sites that intend to migrate from MS Windows NT4
+to Samba-3.
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Simple Conversion (total replacement)
+ </p></li><li><p>
+ Upgraded Conversion (could be one of integration)
+ </p></li><li><p>
+ Complete Redesign (completely new solution)
+ </p></li></ul></div><p>
+No matter what choice you make, the following rules will minimise down-stream problems:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Take sufficient time
+ </p></li><li><p>
+ Avoid Panic
+ </p></li><li><p>
+ Test ALL assumptions
+ </p></li><li><p>
+ Test full roll-out program, including workstation deployment
+ </p></li></ul></div><div class="table"><a name="id3004535"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col><col><col></colgroup><thead><tr><th>Simple</th><th>Upgraded</th><th>Redesign</th></tr></thead><tbody><tr><td><p>Make use of minimal OS specific features</p></td><td><p>Translate NT4 features to new host OS features</p></td><td><p>Decide:</p></td></tr><tr><td><p>Suck all accounts from NT4 into Samba-3</p></td><td><p>Copy and improve:</p></td><td><p>Authentication Regime (database location and access)</p></td></tr><tr><td><p>Make least number of operational changes</p></td><td><p>Make progressive improvements</p></td><td><p>Desktop Management Methods</p></td></tr><tr><td><p>Take least amount of time to migrate</p></td><td><p>Minimise user impact</p></td><td><p>Better Control of Desktops / Users</p></td></tr><tr><td><p>Live versus Isolated Conversion</p></td><td><p>Maximise functionality</p></td><td><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td><p>Take advantage of lower maintenance opportunity</p></td><td><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3004704"></a>Samba Implementation Choices</h3></div></div><div></div></div><pre class="programlisting">
+Authentication database back end
+ Winbind (external Samba or NT4/200x server)
+ Can use pam_mkhomedir.so to auto-create home dirs
+ External server could use Active Directory or NT4 Domain
+
+Database type
+ smbpasswd, tdbsam, ldapsam, mysqlsam
+
+Access Control Points
+ On the Share itself (Use NT4 Server Manager)
+ On the file system
+ Unix permissions on files and directories
+ Enable Posix ACLs in file system?
+ Through Samba share parameters
+ Not recommended - except as only resort
+
+Policies (migrate or create new ones)
+ Group Policy Editor (NT4)
+ Watch out for Tattoo effect
+
+User and Group Profiles
+ Platform specific so use platform tool to change from a Local
+ to a Roaming profile Can use new profiles tool to change SIDs
+ (NTUser.DAT)
+
+Logon Scripts (Know how they work)
+
+User and Group mapping to Unix/Linux
+ username map facility may be needed
+ Use 'net groupmap' to connect NT4 groups to Unix groups
+ Use pdbedit to set/change user configuration
+NOTE:
+If migrating to LDAP back end it may be easier to dump initial LDAP database
+to LDIF, then edit, then reload into LDAP
+
+ OS specific scripts / programs may be needed
+ Add / delete Users
+ Note OS limits on size of name (Linux 8 chars)
+ NT4 up to 254 chars
+ Add / delete machines
+ Applied only to domain members (note up to 16 chars)
+ Add / delete Groups
+ Note OS limits on size and nature
+ Linux limit is 16 char,
+ no spaces and no upper case chars (groupadd)
+
+Migration Tools
+ Domain Control (NT4 Style)
+ Profiles, Policies, Access Controls, Security
+
+Migration Tools
+ Samba: net, rpcclient, smbpasswd, pdbedit, profiles
+ Windows: NT4 Domain User Manager, Server Manager (NEXUS)
+
+Authentication
+ New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
+</pre><p>
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Samba / MS Windows Network Browsing Guide</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="optional.html" title="Part III. Advanced Configuration"><link rel="next" href="passdb.html" title="Chapter 11. Account Information Databases"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Samba / MS Windows Network Browsing Guide</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetworkBrowsing"></a>Chapter 10. Samba / MS Windows Network Browsing Guide</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">July 5, 1998</p></div><div><p class="pubdate">Updated: April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports "This server is not configured to list shared resources"</a></dt></dl></dd></dl></div><p>
+This document contains detailed information as well as a fast track guide to
+implementing browsing across subnets and / or across workgroups (or domains).
+WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
+NOT involved in browse list handling except by way of name to address resolution.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows 2000 and later can be configured to operate with NO NetBIOS
+over TCP/IP. Samba-3 and later also supports this mode of operation.
+When the use of NetBIOS over TCP/IP has been disabled then the primary
+means for resolution of MS Windows machine names is via DNS and Active Directory.
+The following information assumes that your site is running NetBIOS over TCP/IP.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903558"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Someone once referred to the past in terms of: <span class="emphasis"><em>They were the worst of times,
+they were the best of times. The more we look back, them more we long for what was and
+hope it never returns!</em></span>.
+</p><p>
+For many MS Windows network administrators, that statement sums up their feelings about
+NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
+nature was just par for the course. For those who never quite managed to tame its
+lusty features, NetBIOS is like Paterson's Curse.
+</p><p>
+For those not familiar with botanical problems in Australia: Paterson's curse,
+Echium plantagineum, was introduced to Australia from Europe during the mid-nineteenth
+century. Since then it has spread rapidly. The high seed production, with densities of
+thousands of seeds per square metre, a seed longevity of more than seven years, and an
+ability to germinate at any time of year, given the right conditions, are some of the
+features which make it such a persistent weed.
+</p><p>
+In this chapter we explore vital aspects of SMB (Server Message Block) networking with
+a particular focus on SMB as implemented through running NetBIOS (Network Basic
+Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
+any other protocols we need to know how to configure our network environment and simply
+remember to use nothing but TCP/IP on all our MS Windows network clients.
+</p><p>
+Samba provides the ability to implement a WINS (Windows Internetworking Name Server)
+and implements extensions to Microsoft's implementation of WINS. These extensions
+help Samba to affect stable WINS operations beyond the normal scope of MS WINS.
+</p><p>
+Please note that WINS is exclusively a service that applies only to those systems
+that run NetBIOS over TCP/IP. MS Windows 200x / XP have the capacity to turn off
+support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports this also.
+</p><p>
+For those networks on which NetBIOS has been disabled (ie: WINS is NOT required)
+the use of DNS is necessary for host name resolution.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903637"></a>What is Browsing?</h2></div></div><div></div></div><p>
+To most people browsing means that they can see the MS Windows and Samba servers
+in the Network Neighborhood, and when the computer icon for a particular server is
+clicked, it opens up and shows the shares and printers available on the target server.
+</p><p>
+What seems so simple is in fact a very complex interaction of different technologies.
+The technologies (or methods) employed in making all of this work includes:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>MS Windows machines register their presence to the network</td></tr><tr><td>Machines announce themselves to other machines on the network</td></tr><tr><td>One or more machine on the network collates the local announcements</td></tr><tr><td>The client machine finds the machine that has the collated list of machines</td></tr><tr><td>The client machine is able to resolve the machine names to IP addresses</td></tr><tr><td>The client machine is able to connect to a target machine</td></tr></table><p>
+The Samba application that controls browse list management and name resolution is
+called <tt class="filename">nmbd</tt>. The configuration parameters involved in nmbd's operation are:
+</p><pre class="programlisting">
+
+ Browsing options:
+ -----------------
+ * os level
+ lm announce
+ lm interval
+ * preferred master
+ * local master
+ * domain master
+ browse list
+ enhanced browsing
+
+ Name Resolution Method:
+ -----------------------
+ * name resolve order
+
+ WINS options:
+ -------------
+ dns proxy
+ wins proxy
+ * wins server
+ * wins support
+ wins hook
+</pre><p>
+For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
+an '*' are the only options that commonly MAY need to be modified. Even if not one of these
+parameters is set <tt class="filename">nmbd</tt> will still do it's job.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903747"></a>Discussion</h2></div></div><div></div></div><p>
+Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
+SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
+NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
+support.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903764"></a>NetBIOS over TCP/IP</h3></div></div><div></div></div><p>
+Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
+MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
+affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
+UDP messages can be broadcast or unicast.
+</p><p>
+Normally, only unicast UDP messaging can be forwarded by routers. The
+<b class="command">remote announce</b> parameter to smb.conf helps to project browse announcements
+to remote network segments via unicast UDP. Similarly, the
+<b class="command">remote browse sync</b> parameter of <tt class="filename">smb.conf</tt>
+implements browse list collation using unicast UDP.
+</p><p>
+Secondly, in those networks where Samba is the only SMB server technology,
+wherever possible <tt class="filename">nmbd</tt> should be configured on one (1) machine as the WINS
+server. This makes it easy to manage the browsing environment. If each network
+segment is configured with it's own Samba WINS server, then the only way to
+get cross segment browsing to work is by using the
+<b class="command">remote announce</b> and the <b class="command">remote browse sync</b>
+parameters to your <tt class="filename">smb.conf</tt> file.
+</p><p>
+If only one WINS server is used for an entire multi-segment network then
+the use of the <b class="command">remote announce</b> and the
+<b class="command">remote browse sync</b> parameters should NOT be necessary.
+</p><p>
+As of Samba 3 WINS replication is being worked on. The bulk of the code has
+been committed, but it still needs maturation. This is NOT a supported feature
+of the Samba-3.0.0 release. Hopefully, this will become a supported feature
+of one of the Samba-3 release series.
+</p><p>
+Right now Samba WINS does not support MS-WINS replication. This means that
+when setting up Samba as a WINS server there must only be one <tt class="filename">nmbd</tt>
+configured as a WINS server on the network. Some sites have used multiple Samba WINS
+servers for redundancy (one server per subnet) and then used
+<b class="command">remote browse sync</b> and <b class="command">remote announce</b>
+to affect browse list collation across all segments. Note that this means clients
+will only resolve local names, and must be configured to use DNS to resolve names
+on other subnets in order to resolve the IP addresses of the servers they can see
+on other subnets. This setup is not recommended, but is mentioned as a practical
+consideration (ie: an 'if all else fails' scenario).
+</p><p>
+Lastly, take note that browse lists are a collection of unreliable broadcast
+messages that are repeated at intervals of not more than 15 minutes. This means
+that it will take time to establish a browse list and it can take up to 45
+minutes to stabilise, particularly across network segments.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903926"></a>TCP/IP - without NetBIOS</h3></div></div><div></div></div><p>
+All TCP/IP using systems use various forms of host name resolution. The primary
+methods for TCP/IP hostname resolutions involves either a static file (<tt class="filename">/etc/hosts
+</tt>) or DNS (the Domain Name System). DNS is the technology that makes
+the Internet usable. DNS based host name resolution is supported by nearly all TCP/IP
+enabled systems. Only a few embedded TCP/IP systems do not support DNS.
+</p><p>
+When an MS Windows 200x / XP system attempts to resolve a host name to an IP address
+it follows a defined path:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Checks the <tt class="filename">hosts</tt> file. It is located in
+ <tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
+ </p></li><li><p>
+ Does a DNS lookup
+ </p></li><li><p>
+ Checks the NetBIOS name cache
+ </p></li><li><p>
+ Queries the WINS server
+ </p></li><li><p>
+ Does a broadcast name lookup over UDP
+ </p></li><li><p>
+ Looks up entries in LMHOSTS. It is located in
+ <tt class="filename">C:\WinNT\System32\Drivers\etc</tt>.
+ </p></li></ol></div><p>
+Windows 200x / XP can register it's host name with a Dynamic DNS server. You can
+force register with a Dynamic DNS server in Windows 200x / XP using:
+<b class="command">ipconfig /registerdns</b>
+</p><p>
+With Active Directory (ADS), a correctly functioning DNS server is absolutely
+essential. In the absence of a working DNS server that has been correctly configured,
+MS Windows clients and servers will be totally unable to locate each other,
+consequently network services will be severely impaired.
+</p><p>
+The use of Dynamic DNS is highly recommended with Active Directory, in which case
+the use of BIND9 is preferred for it's ability to adequately support the SRV (service)
+records that are needed for Active Directory.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904058"></a>DNS and Active Directory</h3></div></div><div></div></div><p>
+Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic
+DNS server in place of the Microsoft DNS server. While this might be desirable to some, the
+MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible
+to use BIND version 8 or 9, but it will almost certainly be necessary to create service records
+so that MS Active Directory clients can resolve host names to locate essential network services.
+The following are some of the default service records that Active Directory requires:
+</p><div class="itemizedlist"><ul type="disc"><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
+ This provides the address of the Windows NT PDC for the Domain.
+ </p></li><li><p>_ldap._tcp.pdc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
+ Resolves the addresses of Global Catalog servers in the domain.
+ </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>site</em></span>.sites.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
+ Provides list of domain controllers based on sites.
+ </p></li><li><p>_ldap._tcp.writable.ms-dcs.<span class="emphasis"><em>Domain</em></span></p><p>
+ Enumerates list of domain controllers that have the writable
+ copies of the Active Directory data store.
+ </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>GUID</em></span>.domains.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
+ Entry used by MS Windows clients to locate machines using the
+ Global Unique Identifier.
+ </p></li><li><p>_ldap._tcp.<span class="emphasis"><em>Site</em></span>.gc.ms-dcs.<span class="emphasis"><em>DomainTree</em></span></p><p>
+ Used by MS Windows clients to locate site configuration dependent
+ Global Catalog server.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2904194"></a>How Browsing Functions</h2></div></div><div></div></div><p>
+MS Windows machines register their NetBIOS names
+(ie: the machine name for each service type in operation) on start
+up. The exact method by which this name registration
+takes place is determined by whether or not the MS Windows client/server
+has been given a WINS server address, whether or not LMHOSTS lookup
+is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
+</p><p>
+In the case where there is no WINS server, all name registrations as
+well as name lookups are done by UDP broadcast. This isolates name
+resolution to the local subnet, unless LMHOSTS is used to list all
+names and IP addresses. In such situations Samba provides a means by
+which the Samba server name may be forcibly injected into the browse
+list of a remote MS Windows network (using the
+<b class="command">remote announce</b> parameter).
+</p><p>
+Where a WINS server is used, the MS Windows client will use UDP
+unicast to register with the WINS server. Such packets can be routed
+and thus WINS allows name resolution to function across routed networks.
+</p><p>
+During the startup process an election will take place to create a
+local master browser if one does not already exist. On each NetBIOS network
+one machine will be elected to function as the domain master browser. This
+domain browsing has nothing to do with MS security domain control.
+Instead, the domain master browser serves the role of contacting each local
+master browser (found by asking WINS or from LMHOSTS) and exchanging browse
+list contents. This way every master browser will eventually obtain a complete
+list of all machines that are on the network. Every 11-15 minutes an election
+is held to determine which machine will be the master browser. By the nature of
+the election criteria used, the machine with the highest uptime, or the
+most senior protocol version, or other criteria, will win the election
+as domain master browser.
+</p><p>
+Clients wishing to browse the network make use of this list, but also depend
+on the availability of correct name resolution to the respective IP
+address/addresses.
+</p><p>
+Any configuration that breaks name resolution and/or browsing intrinsics
+will annoy users because they will have to put up with protracted
+inability to use the network services.
+</p><p>
+Samba supports a feature that allows forced synchronisation
+of browse lists across routed networks using the <b class="command">remote
+browse sync</b> parameter in the <tt class="filename">smb.conf</tt> file.
+This causes Samba to contact the local master browser on a remote network and
+to request browse list synchronisation. This effectively bridges
+two networks that are separated by routers. The two remote
+networks may use either broadcast based name resolution or WINS
+based name resolution, but it should be noted that the <b class="command">remote
+browse sync</b> parameter provides browse list synchronisation - and
+that is distinct from name to address resolution, in other
+words, for cross subnet browsing to function correctly it is
+essential that a name to address resolution mechanism be provided.
+This mechanism could be via DNS, <tt class="filename">/etc/hosts</tt>,
+and so on.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904320"></a>Setting up WORKGROUP Browsing</h3></div></div><div></div></div><p>
+To set up cross subnet browsing on a network containing machines
+in up to be in a WORKGROUP, not an NT Domain you need to set up one
+Samba server to be the Domain Master Browser (note that this is *NOT*
+the same as a Primary Domain Controller, although in an NT Domain the
+same machine plays both roles). The role of a Domain master browser is
+to collate the browse lists from local master browsers on all the
+subnets that have a machine participating in the workgroup. Without
+one machine configured as a domain master browser each subnet would
+be an isolated workgroup, unable to see any machines on any other
+subnet. It is the presence of a domain master browser that makes
+cross subnet browsing possible for a workgroup.
+</p><p>
+In an WORKGROUP environment the domain master browser must be a
+Samba server, and there must only be one domain master browser per
+workgroup name. To set up a Samba server as a domain master browser,
+set the following option in the <i class="parameter"><tt>[global]</tt></i> section
+of the <tt class="filename">smb.conf</tt> file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = yes
+</pre><p>
+</p><p>
+The domain master browser should also preferrably be the local master
+browser for its own subnet. In order to achieve this set the following
+options in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt> file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = yes
+ local master = yes
+ preferred master = yes
+ os level = 65
+</pre><p>
+</p><p>
+The domain master browser may be the same machine as the WINS
+server, if you require.
+</p><p>
+Next, you should ensure that each of the subnets contains a
+machine that can act as a local master browser for the
+workgroup. Any MS Windows NT/2K/XP/2003 machine should be
+able to do this, as will Windows 9x machines (although these
+tend to get rebooted more often, so it's not such a good idea
+to use these). To make a Samba server a local master browser
+set the following options in the <i class="parameter"><tt>[global]</tt></i> section of the
+<tt class="filename">smb.conf</tt> file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = no
+ local master = yes
+ preferred master = yes
+ os level = 65
+</pre><p>
+</p><p>
+Do not do this for more than one Samba server on each subnet,
+or they will war with each other over which is to be the local
+master browser.
+</p><p>
+The <i class="parameter"><tt>local master</tt></i> parameter allows Samba to act as a
+local master browser. The <i class="parameter"><tt>preferred master</tt></i> causes nmbd
+to force a browser election on startup and the <i class="parameter"><tt>os level</tt></i>
+parameter sets Samba high enough so that it should win any browser elections.
+</p><p>
+If you have an NT machine on the subnet that you wish to
+be the local master browser then you can disable Samba from
+becoming a local master browser by setting the following
+options in the <i class="parameter"><tt>[global]</tt></i> section of the
+<tt class="filename">smb.conf</tt> file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = no
+ local master = no
+ preferred master = no
+ os level = 0
+</pre><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904541"></a>Setting up DOMAIN Browsing</h3></div></div><div></div></div><p>
+If you are adding Samba servers to a Windows NT Domain then
+you must not set up a Samba server as a domain master browser.
+By default, a Windows NT Primary Domain Controller for a domain
+is also the Domain master browser for that domain, and many
+things will break if a Samba server registers the Domain master
+browser NetBIOS name (<i class="replaceable"><tt>DOMAIN</tt></i><1B>)
+with WINS instead of the PDC.
+</p><p>
+For subnets other than the one containing the Windows NT PDC
+you may set up Samba servers as local master browsers as
+described. To make a Samba server a local master browser set
+the following options in the <b class="command">[global]</b> section
+of the <tt class="filename">smb.conf</tt> file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = no
+ local master = yes
+ preferred master = yes
+ os level = 65
+</pre><p>
+</p><p>
+If you wish to have a Samba server fight the election with machines
+on the same subnet you may set the <i class="parameter"><tt>os level</tt></i> parameter
+to lower levels. By doing this you can tune the order of machines that
+will become local master browsers if they are running. For
+more details on this see the section <a href="NetworkBrowsing.html#browse-force-master" title="Forcing Samba to be the master">
+Forcing Samba to be the master browser</a>
+below.
+</p><p>
+If you have Windows NT machines that are members of the domain
+on all subnets, and you are sure they will always be running then
+you can disable Samba from taking part in browser elections and
+ever becoming a local master browser by setting following options
+in the <i class="parameter"><tt>[global]</tt></i> section of the <tt class="filename">smb.conf</tt>
+file :
+</p><p>
+</p><pre class="programlisting">
+ domain master = no
+ local master = no
+ preferred master = no
+ os level = 0
+</pre><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="browse-force-master"></a>Forcing Samba to be the master</h3></div></div><div></div></div><p>
+Who becomes the <i class="parameter"><tt>master browser</tt></i> is determined by an election
+process using broadcasts. Each election packet contains a number of parameters
+which determine what precedence (bias) a host should have in the
+election. By default Samba uses a very low precedence and thus loses
+elections to just about anyone else.
+</p><p>
+If you want Samba to win elections then just set the <i class="parameter"><tt>os level</tt></i> global
+option in <tt class="filename">smb.conf</tt> to a higher number. It defaults to 0. Using 34
+would make it win all elections over every other system (except other
+samba systems!)
+</p><p>
+A <i class="parameter"><tt>os level</tt></i> of 2 would make it beat WfWg and Win95, but not MS Windows
+NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.
+</p><p>The maximum os level is 255</p><p>
+If you want Samba to force an election on startup, then set the
+<i class="parameter"><tt>preferred master</tt></i> global option in <tt class="filename">smb.conf</tt> to <tt class="constant">yes</tt>. Samba will
+then have a slight advantage over other potential master browsers
+that are not preferred master browsers. Use this parameter with
+care, as if you have two hosts (whether they are Windows 95 or NT or
+Samba) on the same local subnet both set with <i class="parameter"><tt>preferred master</tt></i> to
+<tt class="constant">yes</tt>, then periodically and continually they will force an election
+in order to become the local master browser.
+</p><p>
+If you want Samba to be a <i class="parameter"><tt>domain master browser</tt></i>, then it is
+recommended that you also set <i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, because
+Samba will not become a domain master browser for the whole of your
+LAN or WAN if it is not also a local master browser on its own
+broadcast isolated subnet.
+</p><p>
+It is possible to configure two Samba servers to attempt to become
+the domain master browser for a domain. The first server that comes
+up will be the domain master browser. All other Samba servers will
+attempt to become the domain master browser every 5 minutes. They
+will find that another Samba server is already the domain master
+browser and will fail. This provides automatic redundancy, should
+the current domain master browser fail.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904811"></a>Making Samba the domain master</h3></div></div><div></div></div><p>
+The domain master is responsible for collating the browse lists of
+multiple subnets so that browsing can occur between subnets. You can
+make Samba act as the domain master by setting <i class="parameter"><tt>domain master = yes</tt></i>
+in <tt class="filename">smb.conf</tt>. By default it will not be a domain master.
+</p><p>
+Note that you should <span class="emphasis"><em>not</em></span> set Samba to be the domain master for a
+workgroup that has the same name as an NT Domain.
+</p><p>
+When Samba is the domain master and the master browser, it will listen
+for master announcements (made roughly every twelve minutes) from local
+master browsers on other subnets and then contact them to synchronise
+browse lists.
+</p><p>
+If you want Samba to be the domain master then I suggest you also set
+the <i class="parameter"><tt>os level</tt></i> high enough to make sure it wins elections, and set
+<i class="parameter"><tt>preferred master</tt></i> to <tt class="constant">yes</tt>, to get Samba to force an election on
+startup.
+</p><p>
+Note that all your servers (including Samba) and clients should be
+using a WINS server to resolve NetBIOS names. If your clients are only
+using broadcasting to resolve NetBIOS names, then two things will occur:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ your local master browsers will be unable to find a domain master
+ browser, as it will only be looking on the local subnet.
+ </p></li><li><p>
+ if a client happens to get hold of a domain-wide browse list, and
+ a user attempts to access a host in that list, it will be unable to
+ resolve the NetBIOS name of that host.
+ </p></li></ol></div><p>
+If, however, both Samba and your clients are using a WINS server, then:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ your local master browsers will contact the WINS server and, as long as
+ Samba has registered that it is a domain master browser with the WINS
+ server, your local master browser will receive Samba's IP address
+ as its domain master browser.
+ </p></li><li><p>
+ when a client receives a domain-wide browse list, and a user attempts
+ to access a host in that list, it will contact the WINS server to
+ resolve the NetBIOS name of that host. as long as that host has
+ registered its NetBIOS name with the same WINS server, the user will
+ be able to see that host.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904967"></a>Note about broadcast addresses</h3></div></div><div></div></div><p>
+If your network uses a "0" based broadcast address (for example if it
+ends in a 0) then you will strike problems. Windows for Workgroups
+does not seem to support a 0's broadcast and you will probably find
+that browsing and name lookups won't work.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904984"></a>Multiple interfaces</h3></div></div><div></div></div><p>
+Samba now supports machines with multiple network interfaces. If you
+have multiple interfaces then you will need to use the <b class="command">interfaces</b>
+option in <tt class="filename">smb.conf</tt> to configure them.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905013"></a>Use of the Remote Announce parameter</h3></div></div><div></div></div><p>
+The <i class="parameter"><tt>remote announce</tt></i> parameter of
+<tt class="filename">smb.conf</tt> can be used to forcibly ensure
+that all the NetBIOS names on a network get announced to a remote network.
+The syntax of the <i class="parameter"><tt>remote announce</tt></i> parameter is:
+</p><pre class="programlisting">
+ remote announce = a.b.c.d [e.f.g.h] ...
+</pre><p>
+<span class="emphasis"><em>or</em></span>
+</p><pre class="programlisting">
+ remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
+</pre><p>
+
+where:
+</p><div class="variablelist"><dl><dt><span class="term"><i class="replaceable"><tt>a.b.c.d</tt></i> and
+<i class="replaceable"><tt>e.f.g.h</tt></i></span></dt><dd><p>is either the LMB (Local Master Browser) IP address
+or the broadcast address of the remote network.
+ie: the LMB is at 192.168.1.10, or the address
+could be given as 192.168.1.255 where the netmask
+is assumed to be 24 bits (255.255.255.0).
+When the remote announcement is made to the broadcast
+address of the remote network, every host will receive
+our announcements. This is noisy and therefore
+undesirable but may be necessary if we do NOT know
+the IP address of the remote LMB.</p></dd><dt><span class="term"><i class="replaceable"><tt>WORKGROUP</tt></i></span></dt><dd><p>is optional and can be either our own workgroup
+or that of the remote network. If you use the
+workgroup name of the remote network then our
+NetBIOS machine names will end up looking like
+they belong to that workgroup, this may cause
+name resolution problems and should be avoided.
+</p></dd></dl></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905122"></a>Use of the Remote Browse Sync parameter</h3></div></div><div></div></div><p>
+The <i class="parameter"><tt>remote browse sync</tt></i> parameter of
+<tt class="filename">smb.conf</tt> is used to announce to
+another LMB that it must synchronise its NetBIOS name list with our
+Samba LMB. It works ONLY if the Samba server that has this option is
+simultaneously the LMB on its network segment.
+</p><p>
+The syntax of the <i class="parameter"><tt>remote browse sync</tt></i> parameter is:
+
+</p><pre class="programlisting">
+remote browse sync = <i class="replaceable"><tt>a.b.c.d</tt></i>
+</pre><p>
+
+where <i class="replaceable"><tt>a.b.c.d</tt></i> is either the IP address of the
+remote LMB or else is the network broadcast address of the remote segment.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905183"></a>WINS - The Windows Internetworking Name Server</h2></div></div><div></div></div><p>
+Use of WINS (either Samba WINS <span class="emphasis"><em>or</em></span> MS Windows NT Server WINS) is highly
+recommended. Every NetBIOS machine registers its name together with a
+name_type value for each of several types of service it has available.
+eg: It registers its name directly as a unique (the type 0x03) name.
+It also registers its name if it is running the LanManager compatible
+server service (used to make shares and printers available to other users)
+by registering the server (the type 0x20) name.
+</p><p>
+All NetBIOS names are up to 15 characters in length. The name_type variable
+is added to the end of the name - thus creating a 16 character name. Any
+name that is shorter than 15 characters is padded with spaces to the 15th
+character. ie: All NetBIOS names are 16 characters long (including the
+name_type information).
+</p><p>
+WINS can store these 16 character names as they get registered. A client
+that wants to log onto the network can ask the WINS server for a list
+of all names that have registered the NetLogon service name_type. This saves
+broadcast traffic and greatly expedites logon processing. Since broadcast
+name resolution can not be used across network segments this type of
+information can only be provided via WINS <span class="emphasis"><em>or</em></span> via statically configured
+<tt class="filename">lmhosts</tt> files that must reside on all clients in the
+absence of WINS.
+</p><p>
+WINS also serves the purpose of forcing browse list synchronisation by all
+LMB's. LMB's must synchronise their browse list with the DMB (domain master
+browser) and WINS helps the LMB to identify it's DMB. By definition this
+will work only within a single workgroup. Note that the domain master browser
+has NOTHING to do with what is referred to as an MS Windows NT Domain. The
+later is a reference to a security environment while the DMB refers to the
+master controller for browse list information only.
+</p><p>
+Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
+has been configured to use the WINS server/s. Any client that has not been
+configured to use the WINS server will continue to use only broadcast based
+name registration so that WINS may NEVER get to know about it. In any case,
+machines that have not registered with a WINS server will fail name to address
+lookup attempts by other clients and will therefore cause workstation access
+errors.
+</p><p>
+To configure Samba as a WINS server just add
+<i class="parameter"><tt>wins support = yes</tt></i> to the <tt class="filename">smb.conf</tt>
+file [globals] section.
+</p><p>
+To configure Samba to register with a WINS server just add
+<i class="parameter"><tt>wins server = a.b.c.d</tt></i> to your <tt class="filename">smb.conf</tt> file <i class="parameter"><tt>[globals]</tt></i> section.
+</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
+Never use both <i class="parameter"><tt>wins support = yes</tt></i> together
+with <i class="parameter"><tt>wins server = a.b.c.d</tt></i>
+particularly not using it's own IP address.
+Specifying both will cause <span class="application">nmbd</span> to refuse to start!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905341"></a>Setting up a WINS server</h3></div></div><div></div></div><p>
+Either a Samba machine or a Windows NT Server machine may be set up
+as a WINS server. To set a Samba machine to be a WINS server you must
+add the following option to the <tt class="filename">smb.conf</tt> file on the selected machine :
+in the <i class="parameter"><tt>[globals]</tt></i> section add the line
+</p><p>
+</p><pre class="programlisting">
+ wins support = yes
+</pre><p>
+</p><p>
+Versions of Samba prior to 1.9.17 had this parameter default to
+yes. If you have any older versions of Samba on your network it is
+strongly suggested you upgrade to a recent version, or at the very
+least set the parameter to 'no' on all these machines.
+</p><p>
+Machines with <i class="parameter"><tt>wins support = yes</tt></i> will keep a list of
+all NetBIOS names registered with them, acting as a DNS for NetBIOS names.
+</p><p>
+You should set up only ONE WINS server. Do NOT set the
+<i class="parameter"><tt>wins support = yes</tt></i> option on more than one Samba
+server.
+</p><p>
+To set up a Windows NT Server as a WINS server you need to set up
+the WINS service - see your NT documentation for details. Note that
+Windows NT WINS Servers can replicate to each other, allowing more
+than one to be set up in a complex subnet environment. As Microsoft
+refuses to document these replication protocols, Samba cannot currently
+participate in these replications. It is possible in the future that
+a Samba->Samba WINS replication protocol may be defined, in which
+case more than one Samba machine could be set up as a WINS server
+but currently only one Samba server should have the
+<i class="parameter"><tt>wins support = yes</tt></i> parameter set.
+</p><p>
+After the WINS server has been configured you must ensure that all
+machines participating on the network are configured with the address
+of this WINS server. If your WINS server is a Samba machine, fill in
+the Samba machine IP address in the <span class="guilabel">Primary WINS Server</span> field of
+the <span class="guilabel">Control Panel->Network->Protocols->TCP->WINS Server</span> dialogs
+in Windows 95 or Windows NT. To tell a Samba server the IP address
+of the WINS server add the following line to the <i class="parameter"><tt>[global]</tt></i> section of
+all <tt class="filename">smb.conf</tt> files :
+</p><p>
+</p><pre class="programlisting">
+ wins server = <name or IP address>
+</pre><p>
+</p><p>
+where <name or IP address> is either the DNS name of the WINS server
+machine or its IP address.
+</p><p>
+Note that this line MUST NOT BE SET in the <tt class="filename">smb.conf</tt> file of the Samba
+server acting as the WINS server itself. If you set both the
+<i class="parameter"><tt>wins support = yes</tt></i> option and the
+<i class="parameter"><tt>wins server = <name></tt></i> option then
+nmbd will fail to start.
+</p><p>
+There are two possible scenarios for setting up cross subnet browsing.
+The first details setting up cross subnet browsing on a network containing
+Windows 95, Samba and Windows NT machines that are not configured as
+part of a Windows NT Domain. The second details setting up cross subnet
+browsing on networks that contain NT Domains.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905540"></a>WINS Replication</h3></div></div><div></div></div><p>
+Samba-3 permits WINS replication through the use of the <tt class="filename">wrepld</tt> utility.
+This tool is not currently capable of being used as it is still in active development.
+As soon as this tool becomes moderately functional we will prepare man pages and enhance this
+section of the documentation to provide usage and technical details.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905565"></a>Static WINS Entries</h3></div></div><div></div></div><p>
+Adding static entries to your Samba-3 WINS server is actually fairly easy.
+All you have to do is add a line to <tt class="filename">wins.dat</tt>, typically
+located in <tt class="filename">/usr/local/samba/var/locks</tt>.
+</p><p>
+Entries in <tt class="filename">wins.dat</tt> take the form of
+
+</p><pre class="programlisting">
+"NAME#TYPE" TTL ADDRESS+ FLAGS
+</pre><p>
+
+where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
+time-to-live as an absolute time in seconds, ADDRESS+ is one or more
+addresses corresponding to the registration and FLAGS are the NetBIOS
+flags for the registration.
+</p><p>
+A typical dynamic entry looks like:
+</p><pre class="programlisting">
+"MADMAN#03" 1055298378 192.168.1.2 66R
+</pre><p>
+
+To make it static, all that has to be done is set the TTL to 0:
+
+</p><pre class="programlisting">
+"MADMAN#03" 0 192.168.1.2 66R
+</pre><p>
+</p><p>
+Though this method works with early Samba-3 versions, there's a
+possibility that it may change in future versions if WINS replication
+is added.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905650"></a>Helpful Hints</h2></div></div><div></div></div><p>
+The following hints should be carefully considered as they are stumbling points
+for many new network administrators.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905663"></a>Windows Networking Protocols</h3></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Do NOT use more than one (1) protocol on MS Windows machines
+</p></div><p>
+A very common cause of browsing problems results from installing more than
+one protocol on an MS Windows machine.
+</p><p>
+Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
+every 15 minutes. A set of election criteria is used to determine the order
+of precedence for winning this election process. A machine running Samba or
+Windows NT will be biased so that the most suitable machine will predictably
+win and thus retain it's role.
+</p><p>
+The election process is "fought out" so to speak over every NetBIOS network
+interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
+installed and has NetBIOS enabled over both protocols the election will be
+decided over both protocols. As often happens, if the Windows 9x machine is
+the only one with both protocols then the LMB may be won on the NetBIOS
+interface over the IPX protocol. Samba will then lose the LMB role as Windows
+9x will insist it knows who the LMB is. Samba will then cease to function
+as an LMB and thus browse list operation on all TCP/IP only machines will
+fail.
+</p><p><span class="emphasis"><em>
+Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
+The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
+referred to as the WinNT family, but it should be recognised that 2000 and
+XP/2003 introduce new protocol extensions that cause them to behave
+differently from MS Windows NT4. Generally, where a server does NOT support
+the newer or extended protocol, these will fall back to the NT4 protocols.
+</em></span></p><p>
+The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905730"></a>Name Resolution Order</h3></div></div><div></div></div><p>
+Resolution of NetBIOS names to IP addresses can take place using a number
+of methods. The only ones that can provide NetBIOS name_type information
+are:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>WINS: the best tool!</td></tr><tr><td>LMHOSTS: is static and hard to maintain.</td></tr><tr><td>Broadcast: uses UDP and can not resolve names across remote segments.</td></tr></table><p>
+Alternative means of name resolution includes:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><tt class="filename">/etc/hosts</tt>: is static, hard to maintain, and lacks name_type info</td></tr><tr><td>DNS: is a good choice but lacks essential name_type info.</td></tr></table><p>
+Many sites want to restrict DNS lookups and want to avoid broadcast name
+resolution traffic. The <i class="parameter"><tt>name resolve order</tt></i> parameter is
+of great help here. The syntax of the <i class="parameter"><tt>name resolve order</tt></i>
+parameter is:
+</p><pre class="programlisting">
+name resolve order = wins lmhosts bcast host
+</pre><p>
+<span class="emphasis"><em>or</em></span>
+</p><pre class="programlisting">
+name resolve order = wins lmhosts (eliminates bcast and host)
+</pre><p>
+The default is:
+</p><pre class="programlisting">
+name resolve order = host lmhost wins bcast
+</pre><p>
+where "host" refers the the native methods used by the Unix system
+to implement the gethostbyname() function call. This is normally
+controlled by <tt class="filename">/etc/host.conf</tt>, <tt class="filename">/etc/nsswitch.conf</tt> and <tt class="filename">/etc/resolv.conf</tt>.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2905867"></a>Technical Overview of browsing</h2></div></div><div></div></div><p>
+SMB networking provides a mechanism by which clients can access a list
+of machines in a network, a so-called <i class="parameter"><tt>browse list</tt></i>. This list
+contains machines that are ready to offer file and/or print services
+to other machines within the network. Thus it does not include
+machines which aren't currently able to do server tasks. The browse
+list is heavily used by all SMB clients. Configuration of SMB
+browsing has been problematic for some Samba users, hence this
+document.
+</p><p>
+MS Windows 2000 and later, as with Samba 3 and later, can be
+configured to not use NetBIOS over TCP/IP. When configured this way,
+it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
+configured and operative. Browsing will NOT work if name resolution
+from SMB machine names to IP addresses does not function correctly.
+</p><p>
+Where NetBIOS over TCP/IP is enabled use of a WINS server is highly
+recommended to aid the resolution of NetBIOS (SMB) names to IP addresses.
+WINS allows remote segment clients to obtain NetBIOS name_type information
+that can NOT be provided by any other means of name resolution.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2905914"></a>Browsing support in Samba</h3></div></div><div></div></div><p>
+Samba facilitates browsing. The browsing is supported by <span class="application">nmbd</span>
+and is also controlled by options in the <tt class="filename">smb.conf</tt> file.
+Samba can act as a local browse master for a workgroup and the ability
+to support domain logons and scripts is now available.
+</p><p>
+Samba can also act as a domain master browser for a workgroup. This
+means that it will collate lists from local browse masters into a
+wide area network server list. In order for browse clients to
+resolve the names they may find in this list, it is recommended that
+both Samba and your clients use a WINS server.
+</p><p>
+Note that you should NOT set Samba to be the domain master for a
+workgroup that has the same name as an NT Domain: on each wide area
+network, you must only ever have one domain master browser per workgroup,
+regardless of whether it is NT, Samba or any other type of domain master
+that is providing this service.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Nmbd can be configured as a WINS server, but it is not
+necessary to specifically use Samba as your WINS server. MS Windows
+NT4, Server or Advanced Server 2000 or 2003 can be configured as
+your WINS server. In a mixed NT/2000/2003 server and Samba environment on
+a Wide Area Network, it is recommended that you use the Microsoft
+WINS server capabilities. In a Samba-only environment, it is
+recommended that you use one and only one Samba server as your WINS server.
+</p></div><p>
+To get browsing to work you need to run nmbd as usual, but will need
+to use the <i class="parameter"><tt>workgroup</tt></i> option in <tt class="filename">smb.conf</tt>
+to control what workgroup Samba becomes a part of.
+</p><p>
+Samba also has a useful option for a Samba server to offer itself for
+browsing on another subnet. It is recommended that this option is only
+used for 'unusual' purposes: announcements over the internet, for
+example. See <i class="parameter"><tt>remote announce</tt></i> in the
+<tt class="filename">smb.conf</tt> man page.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906021"></a>Problem resolution</h3></div></div><div></div></div><p>
+If something doesn't work then hopefully the log.nmbd file will help
+you track down the problem. Try a debug level of 2 or 3 for finding
+problems. Also note that the current browse list usually gets stored
+in text form in a file called <tt class="filename">browse.dat</tt>.
+</p><p>
+Note that if it doesn't work for you, then you should still be able to
+type the server name as <tt class="filename">\\SERVER</tt> in filemanager then
+hit enter and filemanager should display the list of available shares.
+</p><p>
+Some people find browsing fails because they don't have the global
+<i class="parameter"><tt>guest account</tt></i> set to a valid account. Remember that the
+IPC$ connection that lists the shares is done as guest, and thus you must
+have a valid guest account.
+</p><p><span class="emphasis"><em>
+MS Windows 2000 and upwards (as with Samba) can be configured to disallow
+anonymous (ie: Guest account) access to the IPC$ share. In that case, the
+MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the
+name of the currently logged in user to query the IPC$ share. MS Windows
+9X clients are not able to do this and thus will NOT be able to browse
+server resources.
+</em></span></p><p>
+The other big problem people have is that their broadcast address,
+netmask or IP address is wrong (specified with the "interfaces" option
+in <tt class="filename">smb.conf</tt>)
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906100"></a>Browsing across subnets</h3></div></div><div></div></div><p>
+Since the release of Samba 1.9.17(alpha1), Samba has supported the
+replication of browse lists across subnet boundaries. This section
+describes how to set this feature up in different settings.
+</p><p>
+To see browse lists that span TCP/IP subnets (ie. networks separated
+by routers that don't pass broadcast traffic), you must set up at least
+one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
+NetBIOS name to IP address translation to be done by doing a direct
+query of the WINS server. This is done via a directed UDP packet on
+port 137 to the WINS server machine. The reason for a WINS server is
+that by default, all NetBIOS name to IP address translation is done
+by broadcasts from the querying machine. This means that machines
+on one subnet will not be able to resolve the names of machines on
+another subnet without using a WINS server.
+</p><p>
+Remember, for browsing across subnets to work correctly, all machines,
+be they Windows 95, Windows NT, or Samba servers must have the IP address
+of a WINS server given to them by a DHCP server, or by manual configuration
+(for Win95 and WinNT, this is in the TCP/IP Properties, under Network
+settings) for Samba this is in the <tt class="filename">smb.conf</tt> file.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2906150"></a>How does cross subnet browsing work ?</h4></div></div><div></div></div><p>
+Cross subnet browsing is a complicated dance, containing multiple
+moving parts. It has taken Microsoft several years to get the code
+that achieves this correct, and Samba lags behind in some areas.
+Samba is capable of cross subnet browsing when configured correctly.
+</p><p>
+Consider a network set up as follows :
+</p><p>
+
+</p><pre class="programlisting">
+ (DMB)
+ N1_A N1_B N1_C N1_D N1_E
+ | | | | |
+ -------------------------------------------------------
+ | subnet 1 |
+ +---+ +---+
+ |R1 | Router 1 Router 2 |R2 |
+ +---+ +---+
+ | |
+ | subnet 2 subnet 3 |
+ -------------------------- ------------------------------------
+ | | | | | | | |
+ N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D
+ (WINS)
+</pre><p>
+</p><p>
+Consisting of 3 subnets (1, 2, 3) connected by two routers
+(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines
+on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume
+for the moment that all these machines are configured to be in the
+same workgroup (for simplicity's sake). Machine N1_C on subnet 1
+is configured as Domain Master Browser (ie. it will collate the
+browse lists for the workgroup). Machine N2_D is configured as
+WINS server and all the other machines are configured to register
+their NetBIOS names with it.
+</p><p>
+As all these machines are booted up, elections for master browsers
+will take place on each of the three subnets. Assume that machine
+N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on
+subnet 3 - these machines are known as local master browsers for
+their particular subnet. N1_C has an advantage in winning as the
+local master browser on subnet 1 as it is set up as Domain Master
+Browser.
+</p><p>
+On each of the three networks, machines that are configured to
+offer sharing services will broadcast that they are offering
+these services. The local master browser on each subnet will
+receive these broadcasts and keep a record of the fact that
+the machine is offering a service. This list of records is
+the basis of the browse list. For this case, assume that
+all the machines are configured to offer services so all machines
+will be on the browse list.
+</p><p>
+For each network, the local master browser on that network is
+considered 'authoritative' for all the names it receives via
+local broadcast. This is because a machine seen by the local
+master browser via a local broadcast must be on the same
+network as the local master browser and thus is a 'trusted'
+and 'verifiable' resource. Machines on other networks that
+the local master browsers learn about when collating their
+browse lists have not been directly seen - these records are
+called 'non-authoritative'.
+</p><p>
+At this point the browse lists look as follows (these are
+the machines you would see in your network neighborhood if
+you looked in it on a particular network right now).
+</p><p>
+</p><div class="table"><a name="id2906267"></a><p class="title"><b>Table 10.1. Browse subnet example 1</b></p><table summary="Browse subnet example 1" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
+</p><p>
+Note that at this point all the subnets are separate, no
+machine is seen across any of the subnets.
+</p><p>
+Now examine subnet 2. As soon as N2_B has become the local
+master browser it looks for a Domain master browser to synchronize
+its browse list with. It does this by querying the WINS server
+(N2_D) for the IP address associated with the NetBIOS name
+WORKGROUP<1B>. This name was registered by the Domain master
+browser (N1_C) with the WINS server as soon as it was booted.
+</p><p>
+Once N2_B knows the address of the Domain master browser it
+tells it that is the local master browser for subnet 2 by
+sending a MasterAnnouncement packet as a UDP port 138 packet.
+It then synchronizes with it by doing a NetServerEnum2 call. This
+tells the Domain Master Browser to send it all the server
+names it knows about. Once the domain master browser receives
+the MasterAnnouncement packet it schedules a synchronization
+request to the sender of that packet. After both synchronizations
+are done the browse lists look like :
+</p><p>
+</p><div class="table"><a name="id2906382"></a><p class="title"><b>Table 10.2. Browse subnet example 2</b></p><table summary="Browse subnet example 2" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D</td></tr></tbody></table></div><p>
+
+Servers with a (*) after them are non-authoritative names.
+</p><p>
+At this point users looking in their network neighborhood on
+subnets 1 or 2 will see all the servers on both, users on
+subnet 3 will still only see the servers on their own subnet.
+</p><p>
+The same sequence of events that occured for N2_B now occurs
+for the local master browser on subnet 3 (N3_D). When it
+synchronizes browse lists with the domain master browser (N1_A)
+it gets both the server entries on subnet 1, and those on
+subnet 2. After N3_D has synchronized with N1_C and vica-versa
+the browse lists look like.
+</p><p>
+</p><div class="table"><a name="id2906481"></a><p class="title"><b>Table 10.3. Browse subnet example 3</b></p><table summary="Browse subnet example 3" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
+
+Servers with a (*) after them are non-authoritative names.
+</p><p>
+At this point users looking in their network neighborhood on
+subnets 1 or 3 will see all the servers on all subnets, users on
+subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
+</p><p>
+Finally, the local master browser for subnet 2 (N2_B) will sync again
+with the domain master browser (N1_C) and will receive the missing
+server entries. Finally - and as a steady state (if no machines
+are removed or shut off) the browse lists will look like :
+</p><p>
+</p><div class="table"><a name="id2906581"></a><p class="title"><b>Table 10.4. Browse subnet example 4</b></p><table summary="Browse subnet example 4" border="1"><colgroup><col><col><col></colgroup><thead><tr><th align="left">Subnet</th><th align="left">Browse Master</th><th align="left">List</th></tr></thead><tbody><tr><td align="left">Subnet1</td><td align="left">N1_C</td><td align="left">N1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet2</td><td align="left">N2_B</td><td align="left">N2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)</td></tr><tr><td align="left">Subnet3</td><td align="left">N3_D</td><td align="left">N3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)</td></tr></tbody></table></div><p>
+
+Servers with a (*) after them are non-authoritative names.
+</p><p>
+Synchronizations between the domain master browser and local
+master browsers will continue to occur, but this should be a
+steady state situation.
+</p><p>
+If either router R1 or R2 fails the following will occur:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Names of computers on each side of the inaccessible network fragments
+ will be maintained for as long as 36 minutes, in the network neighbourhood
+ lists.
+ </p></li><li><p>
+ Attempts to connect to these inaccessible computers will fail, but the
+ names will not be removed from the network neighbourhood lists.
+ </p></li><li><p>
+ If one of the fragments is cut off from the WINS server, it will only
+ be able to access servers on its local subnet, by using subnet-isolated
+ broadcast NetBIOS name resolution. The effects are similar to that of
+ losing access to a DNS server.
+ </p></li></ol></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2906720"></a>Common Errors</h2></div></div><div></div></div><p>
+Many questions are asked on the mailing lists regarding browsing. The majority of browsing
+problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
+particular note.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906735"></a>How can one flush the Samba NetBIOS name cache without restarting Samba?</h3></div></div><div></div></div><p>
+Samba's nmbd process controls all browse list handling. Under normal circumstances it is
+safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
+to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
+in the browse list. When nmbd is taken out of service another machine on the network will
+become the browse master. This new list may still have the rogue entry in it. If you really
+want to clear a rogue machine from the list then every machine on the network will need to be
+shut down and restarted at after all machines are down. Failing a complete restart, the only
+other thing you can do is wait until the entry times out and is then flushed from the list.
+This may take a long time on some networks (months).
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906764"></a>My client reports "This server is not configured to list shared resources"</h3></div></div><div></div></div><p>
+Your guest account is probably invalid for some reason. Samba uses the
+guest account for browsing in smbd. Check that your guest account is
+valid.
+</p><p>See also <i class="parameter"><tt>guest account</tt></i> in the <tt class="filename">smb.conf</tt> man page.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="optional.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="passdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Advanced Configuration </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 11. Account Information Databases</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 38. Samba and other CIFS clients</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="Portability.html" title="Chapter 37. Portability"><link rel="next" href="speed.html" title="Chapter 39. Samba Performance Tuning"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 38. Samba and other CIFS clients</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Other-Clients"></a>Chapter 38. Samba and other CIFS clients</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jim</span> <span class="surname">McDonough</span></h3><div class="affiliation"><span class="orgname">IBM<br></span><div class="address"><p><tt class="email"><<a href="mailto:jmcd@us.ibm.com">jmcd@us.ibm.com</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">5 Mar 2001</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
+ for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></div><p>This chapter contains client-specific information.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3015663"></a>Macintosh clients?</h2></div></div><div></div></div><p>
+Yes. <a href="http://www.thursby.com/" target="_top">Thursby</a> now has a CIFS Client / Server called <a href="http://www.thursby.com/products/dave.html" target="_top">DAVE</a>
+</p><p>
+They test it against Windows 95, Windows NT and samba for
+compatibility issues. At the time of writing, DAVE was at version
+1.0.1. The 1.0.0 to 1.0.1 update is available as a free download from
+the Thursby web site (the speed of finder copies has been greatly
+enhanced, and there are bug-fixes included).
+</p><p>
+Alternatives - There are two free implementations of AppleTalk for
+several kinds of UNIX machines, and several more commercial ones.
+These products allow you to run file services and print services
+natively to Macintosh users, with no additional support required on
+the Macintosh. The two free implementations are
+<a href="http://www.umich.edu/~rsug/netatalk/" target="_top">Netatalk</a>, and
+<a href="http://www.cs.mu.oz.au/appletalk/atalk.html" target="_top">CAP</a>.
+What Samba offers MS
+Windows users, these packages offer to Macs. For more info on these
+packages, Samba, and Linux (and other UNIX-based systems) see
+<a href="http://www.eats.com/linux_mac_win.html" target="_top">http://www.eats.com/linux_mac_win.html</a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017016"></a>OS2 Client</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017023"></a>How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</h3></div></div><div></div></div><p>A more complete answer to this question can be
+ found on <a href="http://carol.wins.uva.nl/~leeuw/samba/warp.html" target="_top">
+ http://carol.wins.uva.nl/~leeuw/samba/warp.html</a>.</p><p>Basically, you need three components:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The File and Print Client ('IBM Peer')</td></tr><tr><td>TCP/IP ('Internet support') </td></tr><tr><td>The "NetBIOS over TCP/IP" driver ('TCPBEUI')</td></tr></table><p>Installing the first two together with the base operating
+ system on a blank system is explained in the Warp manual. If Warp
+ has already been installed, but you now want to install the
+ networking support, use the "Selective Install for Networking"
+ object in the "System Setup" folder.</p><p>Adding the "NetBIOS over TCP/IP" driver is not described
+ in the manual and just barely in the online documentation. Start
+ MPTS.EXE, click on OK, click on "Configure LAPS" and click
+ on "IBM OS/2 NETBIOS OVER TCP/IP" in 'Protocols'. This line
+ is then moved to 'Current Configuration'. Select that line,
+ click on "Change number" and increase it from 0 to 1. Save this
+ configuration.</p><p>If the Samba server(s) is not on your local subnet, you
+ can optionally add IP names and addresses of these servers
+ to the "Names List", or specify a WINS server ('NetBIOS
+ Nameserver' in IBM and RFC terminology). For Warp Connect you
+ may need to download an update for 'IBM Peer' to bring it on
+ the same level as Warp 4. See the webpage mentioned above.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017102"></a>How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</h3></div></div><div></div></div><p>You can use the free Microsoft LAN Manager 2.2c Client
+ for OS/2 from
+ <a href="ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/" target="_top">
+ ftp://ftp.microsoft.com/BusSys/Clients/LANMAN.OS2/</a>.
+ See <a href="http://carol.wins.uva.nl/~leeuw/lanman.html" target="_top">
+ http://carol.wins.uva.nl/~leeuw/lanman.html</a> for
+ more information on how to install and use this client. In
+ a nutshell, edit the file \OS2VER in the root directory of
+ the OS/2 boot partition and add the lines:</p><pre class="programlisting">
+ 20=setup.exe
+ 20=netwksta.sys
+ 20=netvdd.sys
+ </pre><p>before you install the client. Also, don't use the
+ included NE2000 driver because it is buggy. Try the NE2000
+ or NS2000 driver from
+ <a href="ftp://ftp.cdrom.com/pub/os2/network/ndis/" target="_top">
+ ftp://ftp.cdrom.com/pub/os2/network/ndis/</a> instead.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017164"></a>How do I get printer driver download working
+ for OS/2 clients?</h3></div></div><div></div></div><p>First, create a share called <i class="parameter"><tt>[PRINTDRV]</tt></i> that is
+ world-readable. Copy your OS/2 driver files there. Note
+ that the .EA_ files must still be separate, so you will need
+ to use the original install files, and not copy an installed
+ driver from an OS/2 system.</p><p>Install the NT driver first for that printer. Then,
+ add to your <tt class="filename">smb.conf</tt> a parameter, <i class="parameter"><tt>os2 driver map =
+ <i class="replaceable"><tt>filename</tt></i></tt></i>. Then, in the file
+ specified by <i class="replaceable"><tt>filename</tt></i>, map the
+ name of the NT driver name to the OS/2 driver name as
+ follows:</p><p><i class="parameter"><tt><i class="replaceable"><tt>nt driver name</tt></i> = <i class="replaceable"><tt>os2 driver name</tt></i>.<i class="replaceable"><tt>device name</tt></i></tt></i>, e.g.:</p><p><i class="parameter"><tt>
+ HP LaserJet 5L = LASERJET.HP LaserJet 5L</tt></i></p><p>You can have multiple drivers mapped in this file.</p><p>If you only specify the OS/2 driver name, and not the
+ device name, the first attempt to download the driver will
+ actually download the files, but the OS/2 client will tell
+ you the driver is not available. On the second attempt, it
+ will work. This is fixed simply by adding the device name
+ to the mapping, after which it will work on the first attempt.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017260"></a>Windows for Workgroups</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017268"></a>Use latest TCP/IP stack from Microsoft</h3></div></div><div></div></div><p>Use the latest TCP/IP stack from Microsoft if you use Windows
+for Workgroups.
+</p><p>The early TCP/IP stacks had lots of bugs.</p><p>
+Microsoft has released an incremental upgrade to their TCP/IP 32-Bit
+VxD drivers. The latest release can be found on their ftp site at
+ftp.microsoft.com, located in <tt class="filename">/peropsys/windows/public/tcpip/wfwt32.exe</tt>.
+There is an update.txt file there that describes the problems that were
+fixed. New files include <tt class="filename">WINSOCK.DLL</tt>,
+<tt class="filename">TELNET.EXE</tt>,
+<tt class="filename">WSOCK.386</tt>,
+<tt class="filename">VNBT.386</tt>,
+<tt class="filename">WSTCP.386</tt>,
+<tt class="filename">TRACERT.EXE</tt>,
+<tt class="filename">NETSTAT.EXE</tt>, and
+<tt class="filename">NBTSTAT.EXE</tt>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017357"></a>Delete .pwl files after password change</h3></div></div><div></div></div><p>
+WfWg does a lousy job with passwords. I find that if I change my
+password on either the unix box or the PC the safest thing to do is to
+delete the .pwl files in the windows directory. The PC will complain about not finding the files, but will soon get over it, allowing you to enter the new password.
+</p><p>
+If you don't do this you may find that WfWg remembers and uses the old
+password, even if you told it a new one.
+</p><p>
+Often WfWg will totally ignore a password you give it in a dialog box.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017388"></a>Configure WfW password handling</h3></div></div><div></div></div><p>
+There is a program call admincfg.exe
+on the last disk (disk 8) of the WFW 3.11 disk set. To install it
+type <b class="userinput"><tt>EXPAND A:\ADMINCFG.EX_ C:\WINDOWS\ADMINCFG.EXE</tt></b>.
+Then add an icon
+for it via the <span class="application">Program Manager</span> <span class="guimenu">New</span> Menu.
+This program allows you to control how WFW handles passwords. ie disable Password Caching etc
+for use with <i class="parameter"><tt>security = user</tt></i>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017433"></a>Case handling of passwords</h3></div></div><div></div></div><p>Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <a href="smb.conf.5.html" target="_top">smb.conf(5)</a> information on <i class="parameter"><tt>password level</tt></i> to specify what characters samba should try to uppercase when checking.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017464"></a>Use TCP/IP as default protocol</h3></div></div><div></div></div><p>To support print queue reporting you may find
+that you have to use TCP/IP as the default protocol under
+WfWg. For some reason if you leave NetBEUI as the default
+it may break the print queue reporting on some systems.
+It is presumably a WfWg bug.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017481"></a>Speed improvement</h3></div></div><div></div></div><p>
+Note that some people have found that setting <i class="parameter"><tt>DefaultRcvWindow</tt></i> in
+the <i class="parameter"><tt>[MSTCP]</tt></i> section of the
+<tt class="filename">SYSTEM.INI</tt> file under WfWg to 3072 gives a
+big improvement. I don't know why.
+</p><p>
+My own experience with DefaultRcvWindow is that I get much better
+performance with a large value (16384 or larger). Other people have
+reported that anything over 3072 slows things down enormously. One
+person even reported a speed drop of a factor of 30 when he went from
+3072 to 8192. I don't know why.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017528"></a>Windows '95/'98</h2></div></div><div></div></div><p>
+When using Windows 95 OEM SR2 the following updates are recommended where Samba
+is being used. Please NOTE that the above change will affect you once these
+updates have been installed.
+</p><p>
+There are more updates than the ones mentioned here. You are referred to the
+Microsoft Web site for all currently available updates to your specific version
+of Windows 95.
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Kernel Update: KRNLUPD.EXE</td></tr><tr><td>Ping Fix: PINGUPD.EXE</td></tr><tr><td>RPC Update: RPCRTUPD.EXE</td></tr><tr><td>TCP/IP Update: VIPUPD.EXE</td></tr><tr><td>Redirector Update: VRDRUPD.EXE</td></tr></table><p>
+Also, if using <span class="application">MS Outlook</span> it is desirable to
+install the <b class="command">OLEUPD.EXE</b> fix. This
+fix may stop your machine from hanging for an extended period when exiting
+Outlook and you may also notice a significant speedup when accessing network
+neighborhood services.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3017601"></a>Speed improvement</h3></div></div><div></div></div><p>
+Configure the win95 TCPIP registry settings to give better
+performance. I use a program called <b class="command">MTUSPEED.exe</b> which I got off the
+net. There are various other utilities of this type freely available.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017625"></a>Windows 2000 Service Pack 2</h2></div></div><div></div></div><p>
+There are several annoyances with Windows 2000 SP2. One of which
+only appears when using a Samba server to host user profiles
+to Windows 2000 SP2 clients in a Windows domain. This assumes
+that Samba is a member of the domain, but the problem will
+likely occur if it is not.
+</p><p>
+In order to serve profiles successfully to Windows 2000 SP2
+clients (when not operating as a PDC), Samba must have
+<i class="parameter"><tt>nt acl support = no</tt></i>
+added to the file share which houses the roaming profiles.
+If this is not done, then the Windows 2000 SP2 client will
+complain about not being able to access the profile (Access
+Denied) and create multiple copies of it on disk (DOMAIN.user.001,
+DOMAIN.user.002, etc...). See the
+<a href="smb.conf.5.html" target="_top">smb.conf(5)</a> man page
+for more details on this option. Also note that the
+<i class="parameter"><tt>nt acl support</tt></i> parameter was formally a global parameter in
+releases prior to Samba 2.2.2.
+</p><p>
+The following is a minimal profile share:
+</p><pre class="programlisting">
+ [profile]
+ path = /export/profile
+ create mask = 0600
+ directory mask = 0700
+ nt acl support = no
+ read only = no
+</pre><p>
+The reason for this bug is that the Win2k SP2 client copies
+the security descriptor for the profile which contains
+the Samba server's SID, and not the domain SID. The client
+compares the SID for SAMBA\user and realizes it is
+different that the one assigned to DOMAIN\user. Hence the reason
+for the <span class="errorname">access denied</span> message.
+</p><p>
+By disabling the <i class="parameter"><tt>nt acl support</tt></i> parameter, Samba will send
+the Win2k client a response to the QuerySecurityDescriptor
+trans2 call which causes the client to set a default ACL
+for the profile. This default ACL includes
+</p><p><span class="emphasis"><em>DOMAIN\user "Full Control"</em></span>></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This bug does not occur when using winbind to
+create accounts on the Samba host for Domain users.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3017736"></a>Windows NT 3.1</h2></div></div><div></div></div><p>If you have problems communicating across routers with Windows
+NT 3.1 workstations, read <a href="http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q103765" target="_top">this Microsoft Knowledge Base article</a>.
+
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Portability.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="speed.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 37. Portability </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 39. Samba Performance Tuning</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 23. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 23. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 23. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></div><p>
+This chapter summarises the current state of knowledge derived from personal
+practice and knowledge from samba mailing list subscribers. Before reproduction
+of posted information effort has been made to validate the information provided.
+Where additional information was uncovered through this validation it is provided
+also.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984380"></a>Features and Benefits</h2></div></div><div></div></div><p>
+When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
+Group Policies for users and group. Then along came MS Windows NT4 and a few sites
+started to adopt this capability. How do we know that? By way of the number of "booboos"
+(or mistakes) administrators made and then requested help to resolve.
+</p><p>
+By the time that MS Windows 2000 and Active Directory was released, administrators
+got the message: Group Policies are a good thing! They can help reduce administrative
+costs and actually can help to create happier users. But adoption of the true
+potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
+and machines were picked up on rather slowly. This was very obvious from the samba
+mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
+how to replicate them in a Samba environment.
+</p><p>
+Judging by the traffic volume since mid 2002, GPOs have become a standard part of
+the deployment in many sites. This chapter reviews techniques and methods that can
+be used to exploit opportunities for automation of control over user desktops and
+network client workstations.
+</p><p>
+A tool new to Samba-3 may become an important part of the future Samba Administrators'
+arsenal. The <b class="command">editreg</b> tool is described in this document.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2984435"></a>Creating and Managing System Policies</h2></div></div><div></div></div><p>
+Under MS Windows platforms, particularly those following the release of MS Windows
+NT4 and MS Windows 95) it is possible to create a type of file that would be placed
+in the NETLOGON share of a domain controller. As the client logs onto the network
+this file is read and the contents initiate changes to the registry of the client
+machine. This file allows changes to be made to those parts of the registry that
+affect users, groups of users, or machines.
+</p><p>
+For MS Windows 9x/Me this file must be called <tt class="filename">Config.POL</tt> and may
+be generated using a tool called <tt class="filename">poledit.exe</tt>, better known as the
+Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
+disappeared again with the introduction of MS Windows Me (Millennium Edition). From
+comments from MS Windows network administrators it would appear that this tool became
+a part of the MS Windows Me Resource Kit.
+</p><p>
+MS Windows NT4 Server products include the <span class="emphasis"><em>System Policy Editor</em></span>
+under the <tt class="filename">Start -> Programs -> Administrative Tools</tt> menu item.
+For MS Windows NT4 and later clients this file must be called <tt class="filename">NTConfig.POL</tt>.
+</p><p>
+New with the introduction of MS Windows 2000 was the Microsoft Management Console
+or MMC. This tool is the new wave in the ever changing landscape of Microsoft
+methods for management of network access and security. Every new Microsoft product
+or technology seems to obsolete the old rules and to introduce newer and more
+complex tools and methods. To Microsoft's credit though, the MMC does appear to
+be a step forward, but improved functionality comes at a great price.
+</p><p>
+Before embarking on the configuration of network and system policies it is highly
+advisable to read the documentation available from Microsoft's web site regarding
+<a href="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" target="_top">
+Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</a> available from Microsoft.
+There are a large number of documents in addition to this old one that should also
+be read and understood. Try searching on the Microsoft web site for "Group Policies".
+</p><p>
+What follows is a very brief discussion with some helpful notes. The information provided
+here is incomplete - you are warned.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986217"></a>Windows 9x/Me Policies</h3></div></div><div></div></div><p>
+ You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
+ It can be found on the Original full product Win98 installation CD under
+ <tt class="filename">tools/reskit/netadmin/poledit</tt>. Install this using the
+ Add/Remove Programs facility and then click on the 'Have Disk' tab.
+ </p><p>
+ Use the Group Policy Editor to create a policy file that specifies the location of
+ user profiles and/or the <tt class="filename">My Documents</tt> etc. Then save these
+ settings in a file called <tt class="filename">Config.POL</tt> that needs to be placed in the
+ root of the <i class="parameter"><tt>[NETLOGON]</tt></i> share. If Win98 is configured to log onto
+ the Samba Domain, it will automatically read this file and update the Win9x/Me registry
+ of the machine as it logs on.
+ </p><p>
+ Further details are covered in the Win98 Resource Kit documentation.
+ </p><p>
+ If you do not take the right steps, then every so often Win9x/Me will check the
+ integrity of the registry and will restore it's settings from the back-up
+ copy of the registry it stores on each Win9x/Me machine. Hence, you will
+ occasionally notice things changing back to the original settings.
+ </p><p>
+ Install the group policy handler for Win9x to pick up group policies. Look on the
+ Win98 CD in <tt class="filename">\tools\reskit\netadmin\poledit</tt>.
+ Install group policies on a Win9x client by double-clicking
+ <tt class="filename">grouppol.inf</tt>. Log off and on again a couple of times and see
+ if Win98 picks up group policies. Unfortunately this needs to be done on every
+ Win9x/Me machine that uses group policies.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986312"></a>Windows NT4 Style Policy Files</h3></div></div><div></div></div><p>
+ To create or edit <tt class="filename">ntconfig.pol</tt> you must use the NT Server
+ Policy Editor, <b class="command">poledit.exe</b> which is included with NT4 Server
+ but <span class="emphasis"><em>not NT Workstation</em></span>. There is a Policy Editor on a NT4
+ Workstation but it is not suitable for creating <span class="emphasis"><em>Domain Policies</em></span>.
+ Further, although the Windows 95 Policy Editor can be installed on an NT4
+ Workstation/Server, it will not work with NT clients. However, the files from
+ the NT Server will run happily enough on an NT4 Workstation.
+ </p><p>
+ You need <tt class="filename">poledit.exe</tt>, <tt class="filename">common.adm</tt> and <tt class="filename">winnt.adm</tt>.
+ It is convenient to put the two *.adm files in the <tt class="filename">c:\winnt\inf</tt>
+ directory which is where the binary will look for them unless told otherwise. Note also that that
+ directory is normally 'hidden'.
+ </p><p>
+ The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <b class="command">servicepackname /x</b>,
+ i.e. that's <b class="command">Nt4sp6ai.exe /x</b> for service pack 6a. The policy editor,
+ <b class="command">poledit.exe</b> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986421"></a>Registry Spoiling</h4></div></div><div></div></div><p>
+ With NT4 style registry based policy changes, a large number of settings are not
+ automatically reversed as the user logs off. Since the settings that were in the
+ NTConfig.POL file were applied to the client machine registry and that apply to the
+ hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
+ as tattooing. It can have serious consequences down-stream and the administrator must
+ be extremely careful not to lock out the ability to manage the machine at a later date.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986445"></a>MS Windows 200x / XP Professional Policies</h3></div></div><div></div></div><p>
+ Windows NT4 System policies allows setting of registry parameters specific to
+ users, groups and computers (client workstations) that are members of the NT4
+ style domain. Such policy file will work with MS Windows 2000 / XP clients also.
+ </p><p>
+ New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
+ a superset of capabilities compared with NT4 style policies. Obviously, the tool used
+ to create them is different, and the mechanism for implementing them is much changed.
+ </p><p>
+ The older NT4 style registry based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
+ in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
+ configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+ users' desktop (including: the location of <tt class="filename">My Documents</tt> files (directory), as
+ well as intrinsics of where menu items will appear in the Start menu). An additional new
+ feature is the ability to make available particular software Windows applications to particular
+ users and/or groups.
+ </p><p>
+ Remember: NT4 policy files are named <tt class="filename">NTConfig.POL</tt> and are stored in the root
+ of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
+ and selects the domain name to which the logon will attempt to take place. During the logon
+ process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
+ server, modifies the local registry values according to the settings in this file.
+ </p><p>
+ Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
+ a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+ in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+ Directory domain controllers. The part that is stored in the Active Directory itself is called the
+ group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
+ known as the group policy template (GPT).
+ </p><p>
+ With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
+ MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
+ startup (machine specific part) and when the user logs onto the network the user specific part
+ is applied. In MS Windows 200x style policy management each machine and/or user may be subject
+ to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
+ the administrator to also set filters over the policy settings. No such equivalent capability
+ exists with NT4 style policy files.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2986546"></a>Administration of Win2K / XP Policies</h4></div></div><div></div></div><p>
+ Instead of using the tool called <span class="application">The System Policy Editor</span>, commonly called Poledit (from the
+ executable name <b class="command">poledit.exe</b>), <span class="acronym">GPOs</span> are created and managed using a
+ <span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
+ Go to the Windows 200x / XP menu <span class="guimenu">Start->Programs->Administrative Tools</span>
+ and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
+ </p></li><li><p>
+ Select the domain or organizational unit (OU) that you wish to manage, then right click
+ to open the context menu for that object, select the properties item.
+ </p></li><li><p>
+ Now left click on the <span class="guilabel">Group Policy</span> tab, then left click on the New tab. Type a name
+ for the new policy you will create.
+ </p></li><li><p>
+ Now left click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
+ </p></li></ol></div><p>
+ All policy configuration options are controlled through the use of policy administrative
+ templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
+ Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
+ The later introduces many new features as well as extended definition capabilities. It is
+ well beyond the scope of this documentation to explain how to program .adm files, for that
+ the administrator is referred to the Microsoft Windows Resource Kit for your particular
+ version of MS Windows.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
+ to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
+ use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+ </p></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986697"></a>Managing Account/User Policies</h2></div></div><div></div></div><p>
+Policies can define a specific user's settings or the settings for a group of users. The resulting
+policy file contains the registry settings for all users, groups, and computers that will be using
+the policy file. Separate policy files for each user, group, or computer are not not necessary.
+</p><p>
+If you create a policy that will be automatically downloaded from validating domain controllers,
+you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
+policy file and, by modifying the Windows NT-based workstation, directing the computer to update
+the policy from a manual path. You can do this by either manually changing the registry or by using
+the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
+but if a change is necessary to all machines, this change must be made individually to each workstation.
+</p><p>
+When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
+controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
+applied to the user's part of the registry.
+</p><p>
+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
+acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
+itself. The key benefit of using AS GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
+This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
+</p><p>
+In addition to user access controls that may be imposed or applied via system and/or group policies
+in a manner that works in conjunction with user profiles, the user management environment under
+MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
+Common restrictions that are frequently used includes:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Logon Hours</td></tr><tr><td>Password Aging</td></tr><tr><td>Permitted Logon from certain machines only</td></tr><tr><td>Account type (Local or Global)</td></tr><tr><td>User Rights</td></tr></table><p>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986798"></a>Samba Editreg Toolset</h3></div></div><div></div></div><p>
+ Describe in detail the benefits of <b class="command">editreg</b> and how to use it.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986819"></a>Windows NT4/200x</h3></div></div><div></div></div><p>
+ The tools that may be used to configure these types of controls from the MS Windows environment are:
+ The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
+ Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
+ "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2986839"></a>Samba PDC</h3></div></div><div></div></div><p>
+ With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
+ <b class="command">smbpasswd</b>, <b class="command">pdbedit</b>, <b class="command">net</b>, <b class="command">rpcclient</b>.
+ The administrator should read the
+ man pages for these tools and become familiar with their use.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2986883"></a>System Startup and Logon Processing Overview</h2></div></div><div></div></div><p>
+The following attempts to document the order of processing of system and user policies following a system
+reboot and as part of the user logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
+ Convention Provider (MUP) start
+ </p></li><li><p>
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
+ and applied. The list may include GPOs that:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Apply to the location of machines in a Directory</td></tr><tr><td>Apply only when settings have changed</td></tr><tr><td>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</td></tr></table><p>
+ No desktop user interface is presented until the above have been processed.
+ </p></li><li><p>
+ Execution of start-up scripts (hidden and synchronous by default).
+ </p></li><li><p>
+ A keyboard action to affect start of logon (Ctrl-Alt-Del).
+ </p></li><li><p>
+ User credentials are validated, User profile is loaded (depends on policy settings).
+ </p></li><li><p>
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
+
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Is user a domain member, thus subject to particular policies</td></tr><tr><td>Loopback enablement, and the state of the loopback policy (Merge or Replace)</td></tr><tr><td>Location of the Active Directory itself</td></tr><tr><td>Has the list of GPOs changed. No processing is needed if not changed.</td></tr></table><p>
+ </p></li><li><p>
+ User Policies are applied from Active Directory. Note: There are several types.
+ </p></li><li><p>
+ Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
+ Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
+ window.
+ </p></li><li><p>
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
+ Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
+ </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2987030"></a>Common Errors</h2></div></div><div></div></div><p>
+Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
+collection demonstrates only basic issues.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2987044"></a>Policy Does Not Work</h3></div></div><div></div></div><p>
+Question: We have created the <tt class="filename">config.pol</tt> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
+It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
+work any longer since we upgraded to Win XP Pro. Any hints?
+</p><p>
+<span class="emphasis"><em>ANSWER:</em></span> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
+platforms. You need to use the NT4 Group Policy Editor to create a file called <tt class="filename">NTConfig.POL</tt> so that
+it is in the correct format for your MS Windows XP Pro clients.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 22. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 24. Desktop Profile Management</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 37. Portability</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="Appendixes.html" title="Part VI. Appendixes"><link rel="previous" href="compiling.html" title="Chapter 36. How to compile SAMBA"><link rel="next" href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 37. Portability</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><th width="60%" align="center">Part VI. Appendixes</th><td width="20%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="Portability"></a>Chapter 37. Portability</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></div><p>Samba works on a wide range of platforms but the interface all the
+platforms provide is not always compatible. This chapter contains
+platform-specific information about compiling and using samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3013478"></a>HPUX</h2></div></div><div></div></div><p>
+HP's implementation of supplementary groups is, er, non-standard (for
+hysterical reasons). There are two group files, <tt class="filename">/etc/group</tt> and
+<tt class="filename">/etc/logingroup</tt>; the system maps UIDs to numbers using the former, but
+initgroups() reads the latter. Most system admins who know the ropes
+symlink <tt class="filename">/etc/group</tt> to <tt class="filename">/etc/logingroup</tt>
+(hard link doesn't work for reasons too stupid to go into here). initgroups() will complain if one of the
+groups you're in in <tt class="filename">/etc/logingroup</tt> has what it considers to be an invalid
+ID, which means outside the range <tt class="constant">[0..UID_MAX]</tt>, where <tt class="constant">UID_MAX</tt> is (I think)
+60000 currently on HP-UX. This precludes -2 and 65534, the usual <tt class="constant">nobody</tt>
+GIDs.
+</p><p>
+If you encounter this problem, make sure that the programs that are failing
+to initgroups() be run as users not in any groups with GIDs outside the
+allowed range.
+</p><p>This is documented in the HP manual pages under setgroups(2) and passwd(4).
+</p><p>
+On HPUX you must use gcc or the HP ANSI compiler. The free compiler
+that comes with HP-UX is not ANSI compliant and cannot compile
+Samba.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016009"></a>SCO Unix</h2></div></div><div></div></div><p>
+If you run an old version of SCO Unix then you may need to get important
+TCP/IP patches for Samba to work correctly. Without the patch, you may
+encounter corrupt data transfers using samba.
+</p><p>
+The patch you need is UOD385 Connection Drivers SLS. It is available from
+SCO (<a href="ftp://ftp.sco.com/" target="_top">ftp.sco.com</a>, directory SLS,
+files uod385a.Z and uod385a.ltr.Z).
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016039"></a>DNIX</h2></div></div><div></div></div><p>
+DNIX has a problem with seteuid() and setegid(). These routines are
+needed for Samba to work correctly, but they were left out of the DNIX
+C library for some reason.
+</p><p>
+For this reason Samba by default defines the macro NO_EID in the DNIX
+section of includes.h. This works around the problem in a limited way,
+but it is far from ideal, some things still won't work right.
+</p><p>
+To fix the problem properly you need to assemble the following two
+functions and then either add them to your C library or link them into
+Samba.
+</p><p>
+put this in the file <tt class="filename">setegid.s</tt>:
+</p><pre class="programlisting">
+ .globl _setegid
+_setegid:
+ moveq #47,d0
+ movl #100,a0
+ moveq #1,d1
+ movl 4(sp),a1
+ trap #9
+ bccs 1$
+ jmp cerror
+1$:
+ clrl d0
+ rts
+</pre><p>
+put this in the file <tt class="filename">seteuid.s</tt>:
+</p><pre class="programlisting">
+ .globl _seteuid
+_seteuid:
+ moveq #47,d0
+ movl #100,a0
+ moveq #0,d1
+ movl 4(sp),a1
+ trap #9
+ bccs 1$
+ jmp cerror
+1$:
+ clrl d0
+ rts
+</pre><p>
+after creating the above files you then assemble them using
+</p><pre class="screen">
+ <tt class="prompt">$ </tt><b class="userinput"><tt>as seteuid.s</tt></b>
+ <tt class="prompt">$ </tt><b class="userinput"><tt>as setegid.s</tt></b>
+</pre><p>
+that should produce the files <tt class="filename">seteuid.o</tt> and
+<tt class="filename">setegid.o</tt>
+</p><p>
+then you need to add these to the LIBSM line in the DNIX section of
+the Samba Makefile. Your LIBSM line will then look something like this:
+</p><pre class="programlisting">
+LIBSM = setegid.o seteuid.o -ln
+</pre><p>
+You should then remove the line:
+</p><pre class="programlisting">
+#define NO_EID
+</pre><p>from the DNIX section of <tt class="filename">includes.h</tt></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016210"></a>RedHat Linux Rembrandt-II</h2></div></div><div></div></div><p>
+By default RedHat Rembrandt-II during installation adds an
+entry to <tt class="filename">/etc/hosts</tt> as follows:
+</p><pre class="programlisting">
+ 127.0.0.1 loopback "hostname"."domainname"
+</pre><p>
+</p><p>
+This causes Samba to loop back onto the loopback interface.
+The result is that Samba fails to communicate correctly with
+the world and therefor may fail to correctly negotiate who
+is the master browse list holder and who is the master browser.
+</p><p>
+Corrective Action: Delete the entry after the word loopback
+ in the line starting 127.0.0.1
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016254"></a>AIX</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016261"></a>Sequential Read Ahead</h3></div></div><div></div></div><p>
+Disabling Sequential Read Ahead using <b class="userinput"><tt>vmtune -r 0</tt></b> improves
+Samba performance significantly.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3016287"></a>Solaris</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3016294"></a>Locking improvements</h3></div></div><div></div></div><p>Some people have been experiencing problems with F_SETLKW64/fcntl
+when running Samba on Solaris. The built in file locking mechanism was
+not scalable. Performance would degrade to the point where processes would
+get into loops of trying to lock a file. It would try a lock, then fail,
+then try again. The lock attempt was failing before the grant was
+occurring. So the visible manifestation of this would be a handful of
+processes stealing all of the CPU, and when they were trussed they would
+be stuck if F_SETLKW64 loops.
+</p><p>
+Sun released patches for Solaris 2.6, 8, and 9. The patch for Solaris 7
+has not been released yet.
+</p><p>
+The patch revision for 2.6 is 105181-34
+for 8 is 108528-19 and for 9 is 112233-04
+</p><p>
+After the install of these patches it is recommended to reconfigure
+and rebuild samba.
+</p><p>Thanks to Joe Meslovich for reporting</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="winbind-solaris9"></a>Winbind on Solaris 9</h3></div></div><div></div></div><p>
+Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior
+is fixed by Sun in patch 113476-05 which as of March 2003 is not in any
+roll-up packages.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="compiling.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendixes.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Other-Clients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 36. How to compile SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 38. Samba and other CIFS clients</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988251"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
+some administrators.
+</p><p>
+Roaming Profiles allow an administrator to make available a consistent user desktop
+as the user moves from one machine to another. This chapter provides much information
+regarding how to configure and manage Roaming Profiles.
+</p><p>
+While Roaming Profiles might sound like nirvana to some, they are a real and tangible
+problem to others. In particular, users of mobile computing tools, where often there may not
+be a sustained network connection, are often better served by purely Local Profiles.
+This chapter provides information to help the Samba administrator to deal with those
+situations also.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2988285"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
+</p></div><p>
+Before discussing how to configure roaming profiles, it is useful to see how
+Windows 9x / Me and Windows NT4/200x clients implement these features.
+</p><p>
+Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
+profiles location. However, the response does not have room for a separate
+profiles location field, only the user's home share. This means that Win9X/Me
+profiles are restricted to being stored in the user's home directory.
+</p><p>
+Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
+including a separate field for the location of the user's profiles.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988326"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
+This section documents how to configure Samba for MS Windows client profile support.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988340"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
+To support Windows NT4/200x clients, in the [global] section of smb.conf set the
+following (for example):
+</p><p>
+</p><pre class="programlisting">
+ logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
+</pre><p>
+
+ This is typically implemented like:
+
+</p><pre class="programlisting">
+ logon path = \\%L\Profiles\%u
+</pre><p>
+where %L translates to the name of the Samba server and %u translates to the user name
+</p><p>
+The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
+namely <tt class="filename">\\sambaserver\username\profile</tt>.
+The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
+a samba server for the profiles, you _must_ make the share specified in the logon path
+browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
+semantics of %L and %N, as well as %U and %u.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows NT/2K clients at times do not disconnect a connection to a server
+between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
+meta-service name as part of the profile share path.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988432"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
+ To support Windows 9x / Me clients, you must use the <i class="parameter"><tt>logon home</tt></i> parameter. Samba has
+now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
+on the <b class="command">logon home</b> parameter.
+</p><p>
+By using the logon home parameter, you are restricted to putting Win9x / Me
+profiles in the user's home directory. But wait! There is a trick you
+can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
+</p><pre class="programlisting">
+ logon home = \\%L\%U\.profiles
+</pre><p>
+then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
+of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
+</p><p>
+Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
+Windows 9x / Me. It removes any directory stuff off the end of the home directory area
+and only uses the server and share portion. That is, it looks like you
+specified <tt class="filename">\\%L\%U</tt> for <i class="parameter"><tt>logon home</tt></i>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988541"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
+You can support profiles for both Win9X and WinNT clients by setting both the
+<i class="parameter"><tt>logon home</tt></i> and <i class="parameter"><tt>logon path</tt></i> parameters. For example:
+</p><pre class="programlisting">
+ logon home = \\%L\%u\.profiles
+ logon path = \\%L\profiles\%u
+</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988580"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
+ A question often asked is “<span class="quote">How may I enforce use of local profiles?</span>” or
+ “<span class="quote">How do I disable Roaming Profiles?</span>”
+</p><p>
+There are three ways of doing this:
+</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
+ Affect the following settings and ALL clients
+ will be forced to use a local profile:
+ </p><pre class="programlisting">
+ logon home =
+ logon path =
+ </pre><p>
+ </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
+ By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
+
+ </p><pre class="programlisting">
+ Local Computer Policy\
+ Computer Configuration\
+ Administrative Templates\
+ System\
+ User Profiles\
+
+ Disable: Only Allow Local User Profiles
+ Disable: Prevent Roaming Profile Change from Propagating to the Server
+ </pre><p>
+ </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
+ From the start menu right click on the
+ My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
+ tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
+ </p></dd></dl></div><p>
+Consult the MS Windows registry guide for your particular MS Windows version for more
+information about which registry keys to change to enforce use of only local user
+profiles.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The specifics of how to convert a local profile to a roaming profile, or a roaming profile
+to a local one vary according to the version of MS Windows you are running. Consult the
+Microsoft MS Windows Resource Kit for your version of Windows for specific information.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2988731"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2988739"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
+When a user first logs in on Windows 9X, the file user.DAT is created,
+as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
+<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
+These directories and their contents will be merged with the local
+versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
+taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
+options <i class="parameter"><tt>preserve case = yes</tt></i>, <i class="parameter"><tt>short preserve case = yes</tt></i> and
+<i class="parameter"><tt>case sensitive = no</tt></i> in order to maintain capital letters in shortcuts
+in any of the profile folders.
+</p><p>
+The user.DAT file contains all the user's preferences. If you wish to
+enforce a set of preferences, rename their user.DAT file to user.MAN,
+and deny them write access to this file.
+</p><div class="orderedlist"><ol type="1"><li><p>
+ On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Passwords</span> and
+ select the <span class="guilabel">User Profiles</span> tab. Select the required level of
+ roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer
+ to reboot.
+ </p></li><li><p>
+ On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Network</span> ->
+ <span class="guimenuitem">Client for Microsoft Networks</span> -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
+ NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
+ Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
+ to reboot.
+ </p></li></ol></div><p>
+Under Windows 9x / Me Profiles are downloaded from the Primary Logon.
+If you have the Primary Logon as 'Client for Novell Networks', then
+the profiles and logon script will be downloaded from your Novell
+Server. If you have the Primary Logon as 'Windows Logon', then the
+profiles will be loaded from the local machine - a bit against the
+concept of roaming profiles, it would seem!
+</p><p>
+You will now find that the Microsoft Networks Login box contains
+[user, password, domain] instead of just [user, password]. Type in
+the samba server's domain name (or any other domain known to exist,
+but bear in mind that the user will be authenticated against this
+domain and profiles downloaded from it, if that domain logon server
+supports it), user name and user's password.
+</p><p>
+Once the user has been successfully validated, the Windows 9x / Me machine
+will inform you that <tt class="computeroutput">The user has not logged on before' and asks you
+ if you wish to save the user's preferences?</tt> Select <span class="guibutton">yes</span>.
+</p><p>
+Once the Windows 9x / Me client comes up with the desktop, you should be able
+to examine the contents of the directory specified in the <i class="parameter"><tt>logon path</tt></i>
+on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
+<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
+</p><p>
+These folders will be cached locally on the client, and updated when
+the user logs off (if you haven't made them read-only by then).
+You will find that if the user creates further folders or short-cuts,
+that the client will merge the profile contents downloaded with the
+contents of the profile directory already on the local client, taking
+the newest folders and short-cuts from each set.
+</p><p>
+If you have made the folders / files read-only on the samba server,
+then you will get errors from the Windows 9x / Me machine on logon and logout, as
+it attempts to merge the local and the remote profile. Basically, if
+you have any errors reported by the Windows 9x / Me machine, check the Unix file
+permissions and ownership rights on the profile directory contents,
+on the samba server.
+</p><p>
+If you have problems creating user profiles, you can reset the user's
+local desktop cache, as shown below. When this user then next logs in,
+they will be told that they are logging in "for the first time".
+</p><div class="orderedlist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Before deleting the contents of the
+ directory listed in the ProfilePath (this is likely to be
+ <tt class="filename">c:\windows\profiles\username)</tt>, ask them if they
+ have any important files stored on their desktop or in their start menu.
+ Delete the contents of the directory ProfilePath (making a backup if any
+ of the files are needed).
+ </p><p>
+ This will have the effect of removing the local (read-only hidden
+ system file) user.DAT in their profile directory, as well as the
+ local "desktop", "nethood", "start menu" and "programs" folders.
+ </p></div><ol type="1"><li><p>
+ instead of logging in under the [user, password, domain] dialog,
+ press <span class="guibutton">escape</span>.
+ </p></li><li><p>
+ run the <b class="command">regedit.exe</b> program, and look in:
+ </p><p>
+ <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
+ </p><p>
+ you will find an entry, for each user, of ProfilePath. Note the
+ contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
+ then delete the key ProfilePath for the required user.
+ </p><p>[Exit the registry editor].</p></li><li><p>
+ search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt>
+ directory, and delete it.
+ </p></li><li><p>
+ log off the windows 9x / Me client.
+ </p></li><li><p>
+ check the contents of the profile path (see <i class="parameter"><tt>logon path</tt></i> described
+ above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
+ making a backup if required.
+ </p></li></ol></div><p>
+If all else fails, increase samba's debug log levels to between 3 and 10,
+and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
+look for error messages.
+</p><p>
+If you have access to an Windows NT4/200x server, then first set up roaming profiles
+and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
+the example packet traces provided with Windows NT4/200x server, and see what the
+differences are with the equivalent samba trace.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989233"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
+When a user first logs in to a Windows NT Workstation, the profile
+NTuser.DAT is created. The profile location can be now specified
+through the <i class="parameter"><tt>logon path</tt></i> parameter.
+</p><p>
+There is a parameter that is now available for use with NT Profiles:
+<i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
+should be used in conjunction with the new "logon home" parameter.
+</p><p>
+The entry for the NT4 profile is a _directory_ not a file. The NT
+help on profiles mentions that a directory is also created with a .PDS
+extension. The user, while logging in, must have write permission to
+create the full profile path (and the folder with the .PDS extension
+for those situations where it might be created.)
+</p><p>
+In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
+It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
+<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
+<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
+its purpose is currently unknown.
+</p><p>
+You can use the <span class="application">System Control Panel</span> to copy a local profile onto
+a samba server (see NT Help on profiles: it is also capable of firing
+up the correct location in the <span class="application">System Control Panel</span> for you). The
+NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
+turns a profile into a mandatory one.
+</p><p>
+The case of the profile is significant. The file must be called
+<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989391"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
+You must first convert the profile from a local profile to a domain
+profile on the MS Windows workstation as follows:
+</p><div class="procedure"><ol type="1"><li><p>
+ Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
+ </p></li><li><p>
+ Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
+ </p></li><li><p>
+ Click on the <span class="guilabel">User Profiles</span> tab
+ </p></li><li><p>
+ Select the profile you wish to convert (click on it once)
+ </p></li><li><p>
+ Click on the button <span class="guibutton">Copy To</span>
+ </p></li><li><p>
+ In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
+ </p></li><li><p>
+ Click on the 'Look in" area that lists the machine name, when you click
+ here it will open up a selection box. Click on the domain to which the
+ profile must be accessible.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect
+ as: <i class="replaceable"><tt>MIDEARTH</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
+ To make the profile capable of being used by anyone select 'Everyone'
+ </p></li><li><p>
+ Click <span class="guibutton">OK</span>. The Selection box will close.
+ </p></li><li><p>
+ Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
+ nominated.
+ </p></li></ol></div><p>
+Done. You now have a profile that can be edited using the samba-3.0.0
+<b class="command">profiles</b> tool.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Under NT/2K the use of mandatory profiles forces the use of MS Exchange
+storage of mail data. That keeps desktop profiles usable.
+</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><div class="procedure"><ol type="1"><li><p>
+This is a security check new to Windows XP (or maybe only
+Windows XP service pack 1). It can be disabled via a group policy in
+Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
+Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
+Does the new version of samba have an Active Directory analogue? If so,
+then you may be able to set the policy through this.
+</p><p>
+If you cannot set group policies in samba, then you may be able to set
+the policy locally on each machine. If you want to try this, then do
+the following (N.B. I don't know for sure that this will work in the
+same way as a domain group policy):
+</p></li><li><p>
+On the XP workstation log in with an Administrator account.
+</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the "Console Root" window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
+ <span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
+ refers to the console settings rather than the policies you have
+ changed).</p></li><li><p>Reboot</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989902"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
+Sharing of desktop profiles between Windows versions is NOT recommended.
+Desktop profiles are an evolving phenomenon and profiles for later versions
+of MS Windows clients add features that may interfere with earlier versions
+of MS Windows clients. Probably the more salient reason to NOT mix profiles
+is that when logging off an earlier version of MS Windows the older format
+of profile contents may overwrite information that belongs to the newer
+version resulting in loss of profile information content when that user logs
+on again with the newer version of MS Windows.
+</p><p>
+If you then want to share the same Start Menu / Desktop with W9x/Me, you will
+need to specify a common location for the profiles. The smb.conf parameters
+that need to be common are <i class="parameter"><tt>logon path</tt></i> and
+<i class="parameter"><tt>logon home</tt></i>.
+</p><p>
+If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
+<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2989967"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
+There is nothing to stop you specifying any path that you like for the
+location of users' profiles. Therefore, you could specify that the
+profile be stored on a samba server, or any other SMB server, as long as
+that SMB server supports encrypted passwords.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2989984"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
+Unfortunately, the Resource Kit information is specific to the version of MS Windows
+NT4/200x. The correct resource kit is required for each platform.
+</p><p>
+Here is a quick guide:
+</p><div class="procedure"><ol type="1"><li><p>
+On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
+select the tab labelled <span class="guilabel">User Profiles</span>.
+</p></li><li><p>
+Select a user profile you want to migrate and click on it.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term "migrate" loosely. You can copy a profile to
+create a group profile. You can give the user 'Everyone' rights to the
+profile you copy this to. That is what you need to do, since your samba
+domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
+ <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
+ 'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
+Follow the above for every profile you need to migrate.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990153"></a>Side bar Notes</h4></div></div><div></div></div><p>
+You should obtain the SID of your NT4 domain. You can use smbpasswd to do
+this. Read the man page.</p><p>
+With Samba-3.0.0 alpha code you can import all you NT4 domain accounts
+using the net samsync method. This way you can retain your profile
+settings as well as all your users.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990175"></a>moveuser.exe</h4></div></div><div></div></div><p>
+The W2K professional resource kit has moveuser.exe. moveuser.exe changes
+the security of a profile from one user to another. This allows the account
+domain to change, and/or the user name to change.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990191"></a>Get SID</h4></div></div><div></div></div><p>
+You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
+Resource Kit.
+</p><p>
+Windows NT 4.0 stores the local profile information in the registry under
+the following key:
+<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
+</p><p>
+Under the ProfileList key, there will be subkeys named with the SIDs of the
+users who have logged on to this computer. (To find the profile information
+for the user whose locally cached profile you want to move, find the SID for
+the user with the GetSID.exe utility.) Inside of the appropriate user's
+subkey, you will see a string value named ProfileImagePath.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990232"></a>Mandatory profiles</h2></div></div><div></div></div><p>
+A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
+During the user's session it may be possible to change the desktop environment, but
+as the user logs out all changes made will be lost. If it is desired to NOT allow the
+user any ability to change the desktop environment then this must be done through
+policy settings. See previous chapter.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Under NO circumstances should the profile directory (or it's contents) be made read-only
+as this may render the profile un-usable.
+</p></div><p>
+For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
+also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
+file in the copied profile and rename it to NTUser.MAN.
+</p><p>
+For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
+affect a mandatory profile.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990290"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
+Most organisations are arranged into departments. There is a nice benefit in
+this fact since usually most users in a department will require the same desktop
+applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
+use of Group Profiles. A Group Profile is a profile that is created firstly using
+a template (example) user. Then using the profile migration tool (see above) the
+profile is assigned access rights for the user group that needs to be given access
+to the group profile.
+</p><p>
+The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
+to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
+the now modified profile.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Be careful with group profiles, if the user who is a member of a group also
+ has a personal profile, then the result will be a fusion (merge) of the two.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2990336"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
+MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
+a profile does not already exist. Armed with a knowledge of where the default profile
+is located on the Windows workstation, and knowing which registry keys affect the path
+from which the default profile is created, it is possible to modify the default profile
+to one that has been optimised for the site. This has significant administrative
+advantages.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990356"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
+To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
+Policy Editor</span> or change the registry directly.
+</p><p>
+To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then
+select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>, then click on the
+<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
+select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
+</p><p>
+To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
+<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
+"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2990454"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
+When a user logs on to a Windows 9x / Me machine, the local profile path,
+<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
+for an existing entry for that user:
+</p><p>
+If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
+version of the user profile. Windows 9x / Me also checks the user's home directory (or other
+specified directory if the location has been modified) on the server for the User Profile.
+If a profile exists in both locations, the newer of the two is used. If the User Profile exists
+on the server, but does not exist on the local machine, the profile on the server is downloaded
+and used. If the User Profile only exists on the local machine, that copy is used.
+</p><p>
+If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
+machine is used and is copied to a newly created folder for the logged on user. At log off, any
+changes that the user made are written to the user's local profile. If the user has a roaming
+profile, the changes are written to the user's profile on the server.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2990504"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
+On MS Windows NT4 the default user profile is obtained from the location
+<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
+<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
+three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
+</p><p>
+The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
+system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
+customisable per user depending on the profile settings chosen/created.
+</p><p>
+When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>All Users settings</td></tr><tr><td>Default User settings (contains the default NTUser.DAT file)</td></tr></table><p>
+When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
+the following steps are followed in respect of profile handling:
+</p><div class="procedure"><ol type="1"><li><p>
+ The users' account information which is obtained during the logon process contains
+ the location of the users' desktop profile. The profile path may be local to the
+ machine or it may be located on a network share. If there exists a profile at the location
+ of the path from the user account, then this profile is copied to the location
+ <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
+ settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
+ location.
+ </p></li><li><p>
+ If the user account has a profile path, but at it's location a profile does not exist,
+ then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
+ directory from reading the <tt class="filename">Default User</tt> profile.
+ </p></li><li><p>
+ If the NETLOGON share on the authenticating server (logon server) contains a policy file
+ (<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt>
+ which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
+ </p></li><li><p>
+ When the user logs out, if the profile is set to be a roaming profile it will be written
+ out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
+ re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
+ Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
+ next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
+ in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
+ </p></li></ol></div><p>
+MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
+will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
+also remain stored in the same way, unless the following registry key is created:
+</p><p>
+</p><pre class="programlisting">
+ HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
+ "DeleteRoamingCache"=dword:00000001
+</pre><p>
+
+In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
+deleted on logout.
+</p><p>
+Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
+may be redirected to a network share by modifying the following registry keys. These changes may be affected
+via use of the System Policy Editor (to do so may require that you create your owns template extension
+for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first
+creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
+</p><p>
+The Registry Hive key that affects the behaviour of folders that are part of the default user profile
+are controlled by entries on Windows NT4 is:
+</p><p>
+<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
+</p><p>
+The above hive key contains a list of automatically managed folders. The default entries are:
+</p><p>
+</p><div class="table"><a name="id2990854"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
+</p><p>
+The registry key that contains the location of the default profile settings is:
+</p><p>
+<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
+</p><p>
+The default entries are:
+
+</p><div class="table"><a name="id2990998"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991058"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ MS Windows XP Home Edition does use default per user profiles, but can not participate
+ in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
+ only from itself. While there are benefits in doing this the beauty of those MS Windows
+ clients that CAN participate in domain logon processes allows the administrator to create
+ a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
+ </p></div><p>
+When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
+<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change
+the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
+arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
+workstation.
+</p><p>
+When MS Windows 200x/XP participate in a domain security context, and if the default user
+profile is not found, then the client will search for a default profile in the NETLOGON share
+of the authenticating server. ie: In MS Windows parlance:
+<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this
+to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows
+login name of the user.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
+ should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
+ </p></div><p>
+If a default profile does not exist in this location then MS Windows 200x/XP will use the local
+default profile.
+</p><p>
+On logging out, the users' desktop profile will be stored to the location specified in the registry
+settings that pertain to the user. If no specific policies have been created, or passed to the client
+during the login process (as Samba does automatically), then the user's profile will be written to
+the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
+</p><p>
+Those wishing to modify the default behaviour can do so through three methods:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Modify the registry keys on the local machine manually and place the new default profile in the
+ NETLOGON share root - NOT recommended as it is maintenance intensive.
+ </p></li><li><p>
+ Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
+ in the root of the NETLOGON share along with the new default profile.
+ </p></li><li><p>
+ Create a GPO that enforces this through Active Directory, and place the new default profile
+ in the NETLOGON share.
+ </p></li></ul></div><p>
+The Registry Hive key that affects the behaviour of folders that are part of the default user profile
+are controlled by entries on Windows 200x/XP is:
+</p><p>
+<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
+</p><p>
+The above hive key contains a list of automatically managed folders. The default entries are:
+</p><p>
+</p><div class="table"><a name="id2991253"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p>
+</p><p>
+There is also an entry called "Default" that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
+the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
+</p><p>
+It makes a huge difference to the speed of handling roaming user profiles if all the folders are
+stored on a dedicated location on a network server. This means that it will NOT be necessary to
+write the Outlook PST file over the network for every login and logout.
+</p><p>
+To set this to a network location you could use the following examples:
+</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
+This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>
+You could also use:
+</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
+ in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
+in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
+user as seen by the Linux/Unix file system.
+</p><p>
+Please note that once you have created a default profile share, you MUST migrate a user's profile
+(default or custom) to it.
+</p><p>
+MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
+A roaming profile will be cached locally unless the following registry key is created:
+</p><p><tt class="filename">HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001</tt></p><p>
+In which case, the local cache copy will be deleted on logout.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2991562"></a>Common Errors</h2></div></div><div></div></div><p>
+The following are some typical errors/problems/questions that have been asked.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991575"></a>How does one set up roaming profiles for just one (or a few) user/s or group/s?</h3></div></div><div></div></div><p>
+With samba-2.2.x the choice you have is to enable or disable roaming
+profiles support. It is a global only setting. The default is to have
+roaming profiles and the default path will locate them in the user's home
+directory.
+</p><p>
+If disabled globally then no-one will have roaming profile ability.
+If enabled and you want it to apply only to certain machines, then on
+those machines on which roaming profile support is NOT wanted it is then
+necessary to disable roaming profile handling in the registry of each such
+machine.
+</p><p>
+With samba-3.0.0 (soon to be released) you can have a global profile
+setting in smb.conf _AND_ you can over-ride this by per-user settings
+using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
+</p><p>
+In any case, you can configure only one profile per user. That profile can
+be either:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>A profile unique to that user</td></tr><tr><td>A mandatory profile (one the user can not change)</td></tr><tr><td>A group profile (really should be mandatory ie:unchangable)</td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991638"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
+“<span class="quote">
+ I dont want Roaming profile to be implemented, I just want to give users
+ local profiles only.
+...
+ Please help me I am totally lost with this error from past two days I tried
+ everything and googled around quite a bit but of no help. Please help me.
+</span>”</p><p>
+Your choices are:
+
+
+</p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p>
+ I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
+ </p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p>
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>can use auto-delete on logout option</td></tr><tr><td>requires a registry key change on workstation</td></tr></table><p>
+
+ Your choices are:
+
+ </p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
+ - should be preserved on a central server
+ - workstations 'cache' (store) a local copy
+ - used in case the profile can not be downloaded
+ at next logon
+ </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>- loaded from a central place</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
+ - can be personal or group
+ - can NOT be changed (except by an administrator
+ </p></dd></dl></div><p>
+ </p></dd></dl></div><p>
+
+</p><p>
+A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
+Outlook PST files are most often part of the profile and can be many GB in
+size. On average (in a well controlled environment) roaming profile size of
+2MB is a good rule of thumb to use for planning purposes. In an
+undisciplined environment I have seen up to 2GB profiles. Users tend to
+complain when it take an hour to log onto a workstation but they harvest
+the fruits of folly (and ignorance).
+</p><p>
+The point of all the above is to show that roaming profiles and good
+controls of how they can be changed as well as good discipline make up for
+a problem free site.
+</p><p>
+Microsoft's answer to the PST problem is to store all email in an MS
+Exchange Server back-end. But this is another story ...!
+</p><p>
+So, having LOCAL profiles means:
+
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>If lots of users user each machine - lot's of local disk storage needed for local profiles</td></tr><tr><td>Every workstation the user logs into has it's own profile - can be very different from machine to machine</td></tr></table><p>
+
+On the other hand, having roaming profiles means:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>The network administrator can control EVERY aspect of user profiles</td></tr><tr><td>With the use of mandatory profiles - a drastic reduction in network management overheads</td></tr><tr><td>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</td></tr></table><p>
+
+</p><p>
+I have managed and installed MANY NT/2K networks and have NEVER found one
+where users who move from machine to machine are happy with local
+profiles. In the long run local profiles bite them.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2991859"></a>Changing the default profile</h3></div></div><div></div></div><p>“<span class="quote">
+When the client tries to logon to the PDC it looks for a profile to download
+where do I put this default profile.
+</span>”</p><p>
+Firstly, your samba server need to be configured as a domain controller.
+</p><pre class="programlisting">
+ server = user
+ os level = 32 (or more)
+ domain logons = Yes
+</pre><p>
+Plus you need to have a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
+It is a good idea to add a logon script to pre-set printer and
+drive connections. There is also a facility for automatically
+synchronizing the workstation time clock with that of the logon
+server (another good thing to do).
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+To invoke auto-deletion of roaming profile from the local
+workstation cache (disk storage) you need to use the <span class="application">Group Policy Editor</span>
+to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
+file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
+Oh, of course the windows clients need to be members of the domain.
+Workgroup machines do NOT do network logons - so they never see domain
+profiles.
+</p><p>
+Secondly, for roaming profiles you need:
+
+ logon path = \\%N\profiles\%U (with some such path)
+ logon drive = H: (Z: is the default)
+
+ Plus you need a PROFILES share that is world writable.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 32. SWAT - The Samba Web Administration Tool</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"><link rel="next" href="troubleshooting.html" title="Part V. Troubleshooting"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 32. SWAT - The Samba Web Administration Tool</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SWAT"></a>Chapter 32. SWAT - The Samba Web Administration Tool</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 21, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></div><p>
+There are many and varied opinions regarding the usefulness or otherwise of SWAT.
+No matter how hard one tries to produce the perfect configuration tool it remains
+an object of personal taste. SWAT is a tool that will allow web based configuration
+of samba. It has a wizard that may help to get samba configured quickly, it has context
+sensitive help on each smb.conf parameter, it provides for monitoring of current state
+of connection information, and it allows network wide MS Windows network password
+management.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003929"></a>Features and Benefits</h2></div></div><div></div></div><p>
+There are network administrators who believe that it is a good idea to write systems
+documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT
+does not store the configuration file in any intermediate form, rather, it stores only the
+parameter settings, so when SWAT writes the smb.conf file to disk it will write only
+those parameters that are at other than the default settings. The result is that all comments
+will be lost from the <tt class="filename">smb.conf</tt> file. Additionally, the parameters will be written back in
+internal ordering.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+So before using SWAT please be warned - SWAT will completely replace your smb.conf with
+a fully optimised file that has been stripped of all comments you might have placed there
+and only non-default settings will be written to the file.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3003963"></a>Enabling SWAT for use</h3></div></div><div></div></div><p>
+SWAT should be installed to run via the network super daemon. Depending on which system
+your Unix/Linux system has you will have either an <b class="command">inetd</b> or
+<b class="command">xinetd</b> based system.
+</p><p>
+The nature and location of the network super-daemon varies with the operating system
+implementation. The control file (or files) can be located in the file
+<tt class="filename">/etc/inetd.conf</tt> or in the directory <tt class="filename">/etc/[x]inet.d</tt>
+or similar.
+</p><p>
+The control entry for the older style file might be:
+</p><pre class="programlisting">
+ # swat is the Samba Web Administration Tool
+ swat stream tcp nowait.400 root /usr/sbin/swat swat
+</pre><p>
+A control file for the newer style xinetd could be:
+</p><p>
+</p><pre class="programlisting">
+ # default: off
+ # description: SWAT is the Samba Web Admin Tool. Use swat \
+ # to configure your Samba server. To use SWAT, \
+ # connect to port 901 with your favorite web browser.
+ service swat
+ {
+ port = 901
+ socket_type = stream
+ wait = no
+ only_from = localhost
+ user = root
+ server = /usr/sbin/swat
+ log_on_failure += USERID
+ disable = yes
+ }
+</pre><p>
+
+</p><p>
+Both the above examples assume that the <b class="command">swat</b> binary has been
+located in the <tt class="filename">/usr/sbin</tt> directory. In addition to the above
+SWAT will use a directory access point from which it will load it's help files
+as well as other control information. The default location for this on most Linux
+systems is in the directory <tt class="filename">/usr/share/samba/swat</tt>. The default
+location using samba defaults will be <tt class="filename">/usr/local/samba/swat</tt>.
+</p><p>
+Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user
+the only permission allowed is to view certain aspects of configuration as well as
+access to the password change facility. The buttons that will be exposed to the non-root
+user are: <span class="guibutton">HOME</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>,
+<span class="guibutton">PASSWORD</span>. The only page that allows
+change capability in this case is <span class="guibutton">PASSWORD</span>.
+</p><p>
+So long as you log onto SWAT as the user <span class="emphasis"><em>root</em></span> you should obtain
+full change and commit ability. The buttons that will be exposed includes:
+<span class="guibutton">HOME</span>, <span class="guibutton">GLOBALS</span>, <span class="guibutton">SHARES</span>, <span class="guibutton">PRINTERS</span>,
+<span class="guibutton">WIZARD</span>, <span class="guibutton">STATUS</span>, <span class="guibutton">VIEW</span>, <span class="guibutton">PASSWORD</span>.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006322"></a>Securing SWAT through SSL</h3></div></div><div></div></div><p>
+Lots of people have asked about how to setup SWAT with SSL to allow for secure remote
+administration of Samba. Here is a method that works, courtesy of Markus Krieger
+</p><p>
+Modifications to the swat setup are as following:
+</p><div class="procedure"><ol type="1"><li><p>
+ install OpenSSL
+ </p></li><li><p>
+ generate certificate and private key
+
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
+ /usr/share/doc/packages/stunnel/stunnel.cnf \
+ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</tt></b>
+ </pre></li><li><p>
+ remove swat-entry from [x]inetd
+ </p></li><li><p>
+ start stunnel
+
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
+ -l /usr/local/samba/bin/swat swat </tt></b>
+ </pre></li></ol></div><p>
+afterwords simply contact to swat by using the URL <a href="https://myhost:901" target="_top">https://myhost:901</a>, accept the certificate
+and the SSL connection is up.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006435"></a>The SWAT Home Page</h3></div></div><div></div></div><p>
+The SWAT title page provides access to the latest Samba documentation. The manual page for
+each samba component is accessible from this page as are the Samba-HOWTO-Collection (this
+document) as well as the O'Reilly book "Using Samba".
+</p><p>
+Administrators who wish to validate their samba configuration may obtain useful information
+from the man pages for the diagnostic utilities. These are available from the SWAT home page
+also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
+useful is <b class="command">ethereal</b>, available from <a href="http://www.ethereal.com" target="_top">
+http://www.ethereal.com</a>.
+</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+SWAT can be configured to run in <span class="emphasis"><em>demo</em></span> mode. This is NOT recommended
+as it runs SWAT without authentication and with full administrative ability. ie: Allows
+changes to smb.conf as well as general operation with root privileges. The option that
+creates this ability is the <tt class="option">-a</tt> flag to swat. <span class="emphasis"><em>Do not use this in any
+production environment.</em></span>
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006499"></a>Global Settings</h3></div></div><div></div></div><p>
+The Globals button will expose a page that allows configuration of the global parameters
+in smb.conf. There are three levels of exposure of the parameters:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ <span class="emphasis"><em>Basic</em></span> - exposes common configuration options.
+ </p></li><li><p>
+ <span class="emphasis"><em>Advanced</em></span> - exposes configuration options needed in more
+ complex environments.
+ </p></li><li><p>
+ <span class="emphasis"><em>Developer</em></span> - exposes configuration options that only the brave
+ will want to tamper with.
+ </p></li></ul></div><p>
+To switch to other than <span class="emphasis"><em>Basic</em></span> editing ability click on either the
+<span class="emphasis"><em>Advanced</em></span> or the <span class="emphasis"><em>Developer</em></span> dial, then click the
+<span class="guibutton">Commit Changes</span> button.
+</p><p>
+After making any changes to configuration parameters make sure that you click on the
+<span class="guibutton">Commit Changes</span> button before moving to another area otherwise
+your changes will be immediately lost.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+SWAT has context sensitive help. To find out what each parameter is for simply click the
+<span class="guibutton">Help</span> link to the left of the configuration parameter.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006604"></a>Share Settings</h3></div></div><div></div></div><p>
+To affect a currently configured share, simply click on the pull down button between the
+<span class="guibutton">Choose Share</span> and the <span class="guibutton">Delete Share</span> buttons,
+select the share you wish to operate on, then to edit the settings click on the
+<span class="guibutton">Choose Share</span> button, to delete the share simply press the
+<span class="guibutton">Delete Share</span> button.
+</p><p>
+To create a new share, next to the button labelled <span class="guibutton">Create Share</span> enter
+into the text field the name of the share to be created, then click on the
+<span class="guibutton">Create Share</span> button.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006669"></a>Printers Settings</h3></div></div><div></div></div><p>
+To affect a currently configured printer, simply click on the pull down button between the
+<span class="guibutton">Choose Printer</span> and the <span class="guibutton">Delete Printer</span> buttons,
+select the printer you wish to operate on, then to edit the settings click on the
+<span class="guibutton">Choose Printer</span> button, to delete the share simply press the
+<span class="guibutton">Delete Printer</span> button.
+</p><p>
+To create a new printer, next to the button labelled <span class="guibutton">Create Printer</span> enter
+into the text field the name of the share to be created, then click on the
+<span class="guibutton">Create Printer</span> button.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006733"></a>The SWAT Wizard</h3></div></div><div></div></div><p>
+The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
+to configure Samba with a minimum of effort.
+</p><p>
+The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
+This will also happen if you press the commit button. The two differ in the the rewrite button
+ignores any changes that may have been made, while the Commit button causes all changes to be
+affected.
+</p><p>
+The <span class="guibutton">Edit</span> button permits the editing (setting) of the minimal set of
+options that may be necessary to create a working Samba server.
+</p><p>
+Finally, there are a limited set of options that will determine what type of server Samba
+will be configured for, whether it will be a WINS server, participate as a WINS client, or
+operate with no WINS support. By clicking on one button you can elect to expose (or not) user
+home directories.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006781"></a>The Status Page</h3></div></div><div></div></div><p>
+The status page serves a limited purpose. Firstly, it allows control of the samba daemons.
+The key daemons that create the samba server environment are: <span class="application">smbd</span>, <span class="application">nmbd</span>, <span class="application">winbindd</span>.
+</p><p>
+The daemons may be controlled individually or as a total group. Additionally, you may set
+an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes
+will be continually spawned. The auto-refresh facility will allow you to track the changing
+conditions with minimal effort.
+</p><p>
+Lastly, the Status page may be used to terminate specific smbd client connections in order to
+free files that may be locked.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006833"></a>The View Page</h3></div></div><div></div></div><p>
+This page allows the administrator to view the optimised <tt class="filename">smb.conf</tt> file and, if you are
+particularly masochistic, will permit you also to see all possible global configuration
+parameters and their settings.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3006856"></a>The Password Change Page</h3></div></div><div></div></div><p>
+The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation
+and reactivation of MS Windows networking users on the local machine. Alternatively, you can use
+this tool to change a local password for a user account.
+</p><p>
+When logged in as a non-root account the user will have to provide the old password as well as
+the new password (twice). When logged in as <span class="emphasis"><em>root</em></span> only the new password is
+required.
+</p><p>
+One popular use for this tool is to change user passwords across a range of remote MS Windows
+servers.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="NT4Migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="troubleshooting.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 31. Migration from NT4 PDC to Samba-3 PDC </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part V. Troubleshooting</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 29. High Availability Options</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="Backup.html" title="Chapter 28. Samba Backup Techniques"><link rel="next" href="migration.html" title="Part IV. Migration and Updating"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 29. High Availability Options</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SambaHA"></a>Chapter 29. High Availability Options</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003099"></a>Note</h2></div></div><div></div></div><p>
+This chapter did not make it into this release.
+It is planned for the published release of this document.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Backup.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 28. Samba Backup Techniques </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part IV. Migration and Updating</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Server Types and Security Modes</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="type.html" title="Part II. Server Configuration Basics"><link rel="next" href="samba-pdc.html" title="Chapter 5. Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. Server Types and Security Modes</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ServerType"></a>Chapter 4. Server Types and Security Modes</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Tridgell</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:tridge@samba.org">tridge@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></div><p>
+This chapter provides information regarding the types of server that Samba may be
+configured to be. A Microsoft network administrator who wishes to migrate to or to
+use Samba will want to know what, within a Samba context, terms familiar to MS Windows
+administrator mean. This means that it is essential also to define how critical security
+modes function BEFORE we get into the details of how to configure the server itself.
+</p><p>
+The chapter provides an overview of the security modes of which Samba is capable
+and how these relate to MS Windows servers and clients.
+</p><p>
+Firstly we should recognise the question so often asked, "Why would I want to use Samba?"
+So, in those chapters where the answer may be important you will see a section that highlights
+features and benefits. These may be for or against Samba.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888767"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
+hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
+and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
+can turn that into a precious gem and some day it will make a princess very happy!
+</p><p>
+The moral of this tale: Two men, two very different perspectives regarding the same stone.
+Like it or not, Samba is like that stone. Treat it the right way and it can bring great
+pleasure, but if you are forced upon it and have no time for its secrets then it can be
+a source of discomfort.
+</p><p>
+Samba started out as a project that sought to provide interoperability for MS Windows 3.x
+clients with a Unix server. It has grown up a lot since its humble beginnings and now provides
+features and functionality fit for large scale deployment. It also has some warts. In sections
+like this one we will tell of both.
+</p><p>
+So now, what are the benefits of features mentioned in this chapter?
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Samba-3 can replace an MS Windows NT4 Domain Controller
+ </p></li><li><p>
+ Samba-3 offers excellent interoperability with MS Windows NT4
+ style domains as well as natively with Microsoft Active
+ Directory domains.
+ </p></li><li><p>
+ Samba-3 permits full NT4 style Interdomain Trusts
+ </p></li><li><p>
+ Samba has security modes that permit more flexible
+ authentication than is possible with MS Windows NT4 Domain Controllers.
+ </p></li><li><p>
+ Samba-3 permits use of multiple account database backends
+ </p></li><li><p>
+ The account (password) database backends can be distributed
+ and replicated using multiple methods. This gives Samba-3
+ greater flexibility than MS Windows NT4 and in many cases a
+ significantly higher utility than Active Directory domains
+ with MS Windows 200x.
+ </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888862"></a>Server Types</h2></div></div><div></div></div><p>Administrators of Microsoft networks often refer to three
+different type of servers:</p><div class="itemizedlist"><ul type="disc"><li><p>Domain Controller</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Primary Domain Controller</td></tr><tr><td>Backup Domain Controller</td></tr><tr><td>ADS Domain Controller</td></tr></table></li><li><p>Domain Member Server</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Active Directory Member Server</td></tr><tr><td>NT4 Style Domain Member Server</td></tr></table></li><li><p>Stand Alone Server</p></li></ul></div><p>
+The chapters covering Domain Control, Backup Domain Control and Domain Membership provide
+pertinent information regarding Samba-3 configuration for each of these server roles.
+The reader is strongly encouraged to become intimately familiar with the information
+presented.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888947"></a>Samba Security Modes</h2></div></div><div></div></div><p>
+In this section the function and purpose of Samba's <i class="parameter"><tt>security</tt></i>
+modes are described. An accurate understanding of how Samba implements each security
+mode as well as how to configure MS Windows clients for each mode will significantly
+reduce user complaints and administrator heartache.
+</p><p>
+In the SMB/CIFS networking world, there are only two types of security: <span class="emphasis"><em>USER Level</em></span>
+and <span class="emphasis"><em>SHARE Level</em></span>. We refer to these collectively as <span class="emphasis"><em>security levels</em></span>. In implementing these two <span class="emphasis"><em>security levels</em></span> Samba provides flexibilities
+that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5)
+ways that allow the security levels to be implemented. In actual fact, Samba implements
+<span class="emphasis"><em>SHARE Level</em></span> security only one way, but has four ways of implementing
+<span class="emphasis"><em>USER Level</em></span> security. Collectively, we call the Samba implementations
+<span class="emphasis"><em>Security Modes</em></span>. These are: <span class="emphasis"><em>SHARE</em></span>, <span class="emphasis"><em>USER</em></span>, <span class="emphasis"><em>DOMAIN</em></span>,
+<span class="emphasis"><em>ADS</em></span>, and <span class="emphasis"><em>SERVER</em></span>
+modes. They are documented in this chapter.
+</p><p>
+A SMB server tells the client at startup what <i class="parameter"><tt>security level</tt></i>
+it is running. There are two options: <span class="emphasis"><em>share level</em></span> and
+<span class="emphasis"><em>user level</em></span>. Which of these two the client receives affects
+the way the client then tries to authenticate itself. It does not directly affect
+(to any great extent) the way the Samba server does security. This may sound strange,
+but it fits in with the client/server approach of SMB. In SMB everything is initiated
+and controlled by the client, and the server can only tell the client what is
+available and whether an action is allowed.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889062"></a>User Level Security</h3></div></div><div></div></div><p>
+We will describe <i class="parameter"><tt>user level</tt></i> security first, as it's simpler.
+In <span class="emphasis"><em>user level</em></span> security, the client will send a
+<span class="emphasis"><em>session setup</em></span> command directly after the protocol negotiation.
+This contains a username and password. The server can either accept or reject that
+username/password combination. Note that at this stage the server has no idea what
+share the client will eventually try to connect to, so it can't base the
+<span class="emphasis"><em>accept/reject</em></span> on anything other than:
+</p><div class="orderedlist"><ol type="1"><li><p>The username/password</p></li><li><p>The name of the client machine</p></li></ol></div><p>
+If the server accepts the username/password then the client expects to be able to
+mount shares (using a <span class="emphasis"><em>tree connection</em></span>) without specifying a
+password. It expects that all access rights will be as the username/password
+specified in the <span class="emphasis"><em>session setup</em></span>.
+</p><p>
+It is also possible for a client to send multiple <span class="emphasis"><em>session setup</em></span>
+requests. When the server responds, it gives the client a <span class="emphasis"><em>uid</em></span> to use
+as an authentication tag for that username/password. The client can maintain multiple
+authentication contexts in this way (WinDD is an example of an application that does this).
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889156"></a>Example Configuration</h4></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>User Level Security</em></span> is:
+</p><pre class="programlisting">
+ security = user
+</pre><p>
+This is the default setting since samba-2.2.x.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889195"></a>Share Level Security</h3></div></div><div></div></div><p>
+Ok, now for share level security. In share level security, the client authenticates
+itself separately for each share. It will send a password along with each
+<span class="emphasis"><em>tree connection</em></span> (share mount). It does not explicitly send a
+username with this operation. The client expects a password to be associated
+with each share, independent of the user. This means that Samba has to work out what
+username the client probably wants to use. It is never explicitly sent the username.
+Some commercial SMB servers such as NT actually associate passwords directly with
+shares in share level security, but Samba always uses the unix authentication scheme
+where it is a username/password pair that is authenticated, not a share/password pair.
+</p><p>
+To gain understanding of the MS Windows networking parallels to this, one should think
+in terms of MS Windows 9x/Me where one can create a shared folder that provides read-only
+or full access, with or without a password.
+</p><p>
+Many clients send a <span class="emphasis"><em>session setup</em></span> even if the server is in share
+level security. They normally send a valid username but no password. Samba records
+this username in a list of <span class="emphasis"><em>possible usernames</em></span>. When the client
+then does a <span class="emphasis"><em>tree connection</em></span> it also adds to this list the name
+of the share they try to connect to (useful for home directories) and any users
+listed in the <i class="parameter"><tt>user =</tt></i> <tt class="filename">smb.conf</tt> line. The password is then checked
+in turn against these <span class="emphasis"><em>possible usernames</em></span>. If a match is found
+then the client is authenticated as that user.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889275"></a>Example Configuration</h4></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter that sets <span class="emphasis"><em>Share Level Security</em></span> is:
+</p><pre class="programlisting">
+ security = share
+</pre><p>
+Please note that there are reports that recent MS Windows clients do not like to work
+with share mode security servers. You are strongly discouraged from using share level security.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889317"></a>Domain Security Mode (User Level Security)</h3></div></div><div></div></div><p>
+When Samba is operating in <i class="parameter"><tt>security = domain</tt></i> mode,
+the Samba server has a domain security trust account (a machine account) and will cause
+all authentication requests to be passed through to the domain controllers.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889339"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
+Samba as a Domain Member Server
+</em></span></p><p>
+This method involves addition of the following parameters in the <tt class="filename">smb.conf</tt> file:
+</p><pre class="programlisting">
+ security = domain
+ workgroup = "name_of_NT_domain"
+</pre><p>
+In order for this method to work, the Samba server needs to join the MS Windows NT
+security domain. This is done as follows:
+</p><div class="procedure"><ol type="1"><li><p>On the MS Windows NT domain controller, using
+ the Server Manager, add a machine account for the Samba server.
+ </p></li><li><p>Next, on the Unix/Linux system execute:</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j DOMAIN_NAME -r PDC_NAME</tt></b> (samba-2.x)</p><p><tt class="prompt">root# </tt><b class="userinput"><tt>net join -U administrator%password</tt></b> (samba-3)</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just
+by executing:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -j <i class="replaceable"><tt>DOMAIN_NAME</tt></i> -r <i class="replaceable"><tt>PDC_NAME</tt></i> -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
+</pre><p>
+
+As of Samba-3 the same can be done by executing:
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net join -U Administrator%<i class="replaceable"><tt>password</tt></i></tt></b>
+</pre><p>
+It is not necessary with Samba-3 to specify the <i class="replaceable"><tt>DOMAIN_NAME</tt></i> or the <i class="replaceable"><tt>PDC_NAME</tt></i> as it
+figures this out from the <tt class="filename">smb.conf</tt> file settings.
+</p></div><p>
+Use of this mode of authentication does require there to be a standard Unix account
+for each user in order to assign a uid once the account has been authenticated by
+the remote Windows DC. This account can be blocked to prevent logons by clients other than
+MS Windows through things such as setting an invalid shell in the
+<tt class="filename">/etc/passwd</tt> entry.
+</p><p>
+An alternative to assigning UIDs to Windows users on a Samba member server is
+presented in the <a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">Winbind Overview</a> chapter
+in this HOWTO collection.
+</p><p>
+For more information of being a domain member, see the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain
+Member</a> section of this Howto.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889568"></a>ADS Security Mode (User Level Security)</h3></div></div><div></div></div><p>
+Both Samba 2.2 and 3.0 can join an Active Directory domain. This is
+possible even if the domain is run in native mode. Active Directory in
+native mode perfectly allows NT4-style domain members, contrary to
+popular belief. The only thing that Active Directory in native mode
+prohibits is Backup Domain Controllers running NT4.
+</p><p>
+If you are running Active Directory starting with Samba 3.0 you can
+however join as a native AD member. Why would you want to do that?
+Your security policy might prohibit the use of NT-compatible
+authentication protocols. All your machines are running Windows 2000
+and above and all use full Kerberos. In this case Samba as a NT4-style
+domain would still require NT-compatible authentication data. Samba in
+AD-member mode can accept Kerberos.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889598"></a>Example Configuration</h4></div></div><div></div></div><pre class="programlisting">
+ realm = your.kerberos.REALM
+ security = ADS
+</pre><p>
+ The following parameter may be required:
+</p><pre class="programlisting">
+ ads server = your.kerberos.server
+</pre><p>
+Please refer to the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a> and <a href="domain-member.html#ads-member" title="Samba ADS Domain Membership">Active Directory
+Membership</a> sections for more information regarding this configuration option.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889655"></a>Server Security (User Level Security)</h3></div></div><div></div></div><p>
+Server security mode is a left over from the time when Samba was not capable of acting
+as a domain member server. It is highly recommended NOT to use this feature. Server
+security mode has many draw backs. The draw backs include:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Potential Account Lockout on MS Windows NT4/200x password servers</td></tr><tr><td>Lack of assurance that the password server is the one specified</td></tr><tr><td>Does not work with Winbind, particularly needed when storing profiles remotely</td></tr><tr><td>This mode may open connections to the password server, and keep them open for extended periods.</td></tr><tr><td>Security on the Samba server breaks badly when the remote password server suddenly shuts down</td></tr><tr><td>With this mode there is NO security account in the domain that the password server belongs to for the Samba server.</td></tr></table><p>
+In server security mode the Samba server reports to the client that it is in user level
+security. The client then does a <span class="emphasis"><em>session setup</em></span> as described earlier.
+The Samba server takes the username/password that the client sends and attempts to login to the
+<i class="parameter"><tt>password server</tt></i> by sending exactly the same username/password that
+it got from the client. If that server is in user level security and accepts the password,
+then Samba accepts the clients connection. This allows the Samba server to use another SMB
+server as the <i class="parameter"><tt>password server</tt></i>.
+</p><p>
+You should also note that at the very start of all this, where the server tells the client
+what security level it is in, it also tells the client if it supports encryption. If it
+does then it supplies the client with a random cryptkey. The client will then send all
+passwords in encrypted form. Samba supports this type of encryption by default.
+</p><p>
+The parameter <i class="parameter"><tt>security = server</tt></i> means that Samba reports to clients that
+it is running in <span class="emphasis"><em>user mode</em></span> but actually passes off all authentication
+requests to another <span class="emphasis"><em>user mode</em></span> server. This requires an additional
+parameter <i class="parameter"><tt>password server</tt></i> that points to the real authentication server.
+That real authentication server can be another Samba server or can be a Windows NT server,
+the later natively capable of encrypted password support.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When Samba is running in <span class="emphasis"><em>server security mode</em></span> it is essential that
+the parameter <span class="emphasis"><em>password server</em></span> is set to the precise NetBIOS machine
+name of the target authentication server. Samba can NOT determine this from NetBIOS name
+lookups because the choice of the target authentication server is arbitrary and can not
+be determined from a domain name. In essence, a Samba server that is in
+<span class="emphasis"><em>server security mode</em></span> is operating in what used to be known as
+workgroup mode.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889811"></a>Example Configuration</h4></div></div><div></div></div><p><span class="emphasis"><em>
+Using MS Windows NT as an authentication server
+</em></span></p><p>
+This method involves the additions of the following parameters in the <tt class="filename">smb.conf</tt> file:
+</p><pre class="programlisting">
+ encrypt passwords = Yes
+ security = server
+ password server = "NetBIOS_name_of_a_DC"
+</pre><p>
+There are two ways of identifying whether or not a username and password pair was valid
+or not. One uses the reply information provided as part of the authentication messaging
+process, the other uses just an error code.
+</p><p>
+The down-side of this mode of configuration is the fact that for security reasons Samba
+will send the password server a bogus username and a bogus password and if the remote
+server fails to reject the username and password pair then an alternative mode of
+identification of validation is used. Where a site uses password lock out after a
+certain number of failed authentication attempts this will result in user lockouts.
+</p><p>
+Use of this mode of authentication does require there to be a standard Unix account
+for the user, though this account can be blocked to prevent logons by non-SMB/CIFS clients.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889880"></a>Seamless Windows Network Integration</h2></div></div><div></div></div><p>
+MS Windows clients may use encrypted passwords as part of a challenge/response
+authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple
+password based authentication. It should be realized that with the SMB protocol,
+the password is passed over the network either in plain text or encrypted, but
+not both in the same authentication request.
+</p><p>
+When encrypted passwords are used, a password that has been entered by the user
+is encrypted in two ways:
+</p><div class="itemizedlist"><ul type="disc"><li><p>An MD4 hash of the UNICODE of the password
+ string. This is known as the NT hash.
+ </p></li><li><p>The password is converted to upper case,
+ and then padded or truncated to 14 bytes. This string is
+ then appended with 5 bytes of NULL characters and split to
+ form two 56 bit DES keys to encrypt a "magic" 8 byte value.
+ The resulting 16 bytes form the LanMan hash.
+ </p></li></ul></div><p>
+MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x and version 4.0
+pre-service pack 3 will use either mode of password authentication. All
+versions of MS Windows that follow these versions no longer support plain
+text passwords by default.
+</p><p>
+MS Windows clients have a habit of dropping network mappings that have been idle
+for 10 minutes or longer. When the user attempts to use the mapped drive
+connection that has been dropped, the client re-establishes the connection using
+a cached copy of the password.
+</p><p>
+When Microsoft changed the default password mode, support was dropped for caching
+of the plain text password. This means that when the registry parameter is changed
+to re-enable use of plain text passwords it appears to work, but when a dropped
+service connection mapping attempts to revalidate it will fail if the remote
+authentication server does not support encrypted passwords. This means that it
+is definitely not a good idea to re-enable plain text password support in such clients.
+</p><p>
+The following parameters can be used to work around the issue of Windows 9x clients
+upper casing usernames and password before transmitting them to the SMB server
+when using clear text authentication.
+</p><pre class="programlisting">
+ <a href="smb.conf.5.html#PASSWORDLEVEL" target="_top">password level</a> = <i class="replaceable"><tt>integer</tt></i>
+ <a href="smb.conf.5.html#USERNAMELEVEL" target="_top">username level</a> = <i class="replaceable"><tt>integer</tt></i>
+</pre><p>
+By default Samba will lower case the username before attempting to lookup the user
+in the database of local system accounts. Because UNIX usernames conventionally
+only contain lower case character, the <i class="parameter"><tt>username level</tt></i> parameter
+is rarely needed.
+</p><p>
+However, passwords on UNIX systems often make use of mixed case characters.
+This means that in order for a user on a Windows 9x client to connect to a Samba
+server using clear text authentication, the <i class="parameter"><tt>password level</tt></i>
+must be set to the maximum number of upper case letter which <span class="emphasis"><em>could</em></span>
+appear is a password. Note that the server OS uses the traditional DES version
+of crypt(), a <i class="parameter"><tt>password level</tt></i> of 8 will result in case
+insensitive passwords as seen from Windows users. This will also result in longer
+login times as Samba has to compute the permutations of the password string and
+try them one by one until a match is located (or all combinations fail).
+</p><p>
+The best option to adopt is to enable support for encrypted passwords where ever
+Samba is used. Most attempts to apply the registry change to re-enable plain text
+passwords will eventually lead to user complaints and unhappiness.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890056"></a>Common Errors</h2></div></div><div></div></div><p>
+We all make mistakes. It is Ok to make mistakes, so long as they are made in the right places
+and at the right time. A mistake that causes lost productivity is seldom tolerated. A mistake
+made in a developmental test lab is expected.
+</p><p>
+Here we look at common mistakes and misapprehensions that have been the subject of discussions
+on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
+a Samba implementation. Some are the result of misunderstanding of the English language. The
+English language has many turns of phrase that are potentially vague and may be highly confusing
+to those for whom English is not their native tongue.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890084"></a>What makes Samba a SERVER?</h3></div></div><div></div></div><p>
+To some the nature of the Samba <span class="emphasis"><em>security</em></span> mode is very obvious, but entirely
+wrong all the same. It is assumed that <i class="parameter"><tt>security = server</tt></i> means that Samba
+will act as a server. Not so! See above - this setting means that Samba will <span class="emphasis"><em>try</em></span>
+to use another SMB server as its source of user authentication alone.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890117"></a>What makes Samba a Domain Controller?</h3></div></div><div></div></div><p>
+The <tt class="filename">smb.conf</tt> parameter <i class="parameter"><tt>security = domain</tt></i> does NOT really make Samba behave
+as a Domain Controller! This setting means we want Samba to be a domain member!
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890146"></a>What makes Samba a Domain Member?</h3></div></div><div></div></div><p>
+Guess! So many others do. But whatever you do, do NOT think that <i class="parameter"><tt>security = user</tt></i>
+makes Samba act as a domain member. Read the manufacturers manual before the warranty expires! See
+the <a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Member</a> section of this Howto for more information.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890179"></a>Constantly Losing Connections to Password Server</h3></div></div><div></div></div><p>
+Why does server_validate() simply give up rather than re-establishing its connection to the
+password server? Though I am not fluent in the SMB protocol, perhaps the cluster server
+process passes along to its client workstation the session key it receives from the password
+server, which means the password hashes submitted by the client would not work on a subsequent
+connection, whose session key would be different. So server_validate() must give up.
+</p><p>
+Indeed. That's why security = server is at best a nasty hack. Please use security = domain.
+<i class="parameter"><tt>security = server</tt></i> mode is also known as pass-through authentication.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="type.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-pdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part II. Server Configuration Basics </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Domain Control</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Stand-Alone Servers</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="domain-member.html" title="Chapter 7. Domain Membership"><link rel="next" href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Stand-Alone Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="StandAloneServer"></a>Chapter 8. Stand-Alone Servers</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></div><p>
+Stand-Alone servers are independent of Domain Controllers on the network.
+They are NOT domain members and function more like workgroup servers. In many
+cases a stand-alone server is configured with a minimum of security control
+with the intent that all data served will be readily accessible to all users.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902304"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Stand-Alone servers can be as secure or as insecure as needs dictate. They can
+have simple or complex configurations. Above all, despite the hoopla about
+Domain security they remain a very common installation.
+</p><p>
+If all that is needed is a server for read-only files, or for
+printers alone, it may not make sense to affect a complex installation.
+For example: A drafting office needs to store old drawings and reference
+standards. No-one can write files to the server as it is legislatively
+important that all documents remain unaltered. A share mode read-only stand-alone
+server is an ideal solution.
+</p><p>
+Another situation that warrants simplicity is an office that has many printers
+that are queued off a single central server. Everyone needs to be able to print
+to the printers, there is no need to affect any access controls and no files will
+be served from the print server. Again a share mode stand-alone server makes
+a great solution.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902501"></a>Background</h2></div></div><div></div></div><p>
+The term <span class="emphasis"><em>stand-alone server</em></span> means that the server
+will provide local authentication and access control for all resources
+that are available from it. In general this means that there will be a
+local user database. In more technical terms, it means that resources
+on the machine will be made available in either SHARE mode or in
+USER mode.
+</p><p>
+No special action is needed other than to create user accounts. Stand-alone
+servers do NOT provide network logon services. This means that machines that
+use this server do NOT perform a domain logon to it. Whatever logon facility
+the workstations are subject to is independent of this machine. It is however
+necessary to accommodate any network user so that the logon name they use will
+be translated (mapped) locally on the stand-alone server to a locally known
+user name. There are several ways this can be done.
+</p><p>
+Samba tends to blur the distinction a little in respect of what is
+a stand-alone server. This is because the authentication database may be
+local or on a remote server, even if from the Samba protocol perspective
+the Samba server is NOT a member of a domain security context.
+</p><p>
+Through the use of PAM (Pluggable Authentication Modules) and nsswitch
+(the name service switcher) the source of authentication may reside on
+another server. We would be inclined to call this the authentication server.
+This means that the Samba server may use the local Unix/Linux system password database
+(<tt class="filename">/etc/passwd</tt> or <tt class="filename">/etc/shadow</tt>), may use a
+local smbpasswd file, or may use
+an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
+for authentication.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902573"></a>Example Configuration</h2></div></div><div></div></div><p>
+The following examples are designed to inspire simplicity. It is too easy to
+attempt a high level of creativity and to introduce too much complexity in
+server and network design.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902588"></a>Reference Documentation Server</h3></div></div><div></div></div><p>
+Configuration of a read-only data server that EVERYONE can access is very simple.
+Here is the smb.conf file that will do this. Assume that all the reference documents
+are stored in the directory /export, that the documents are owned by a user other than
+nobody. No home directories are shared, that are no users in the <tt class="filename">/etc/passwd</tt>
+Unix system database. This is a very simple system to administer.
+</p><pre class="programlisting">
+ # Global parameters
+ [global]
+ workgroup = MYGROUP
+ netbios name = REFDOCS
+ security = SHARE
+ passdb backend = guest
+ wins server = 192.168.1.1
+
+ [data]
+ comment = Data
+ path = /export
+ guest only = Yes
+</pre><p>
+In the above example the machine name is set to REFDOCS, the workgroup is set to the name
+of the local workgroup so that the machine will appear in with systems users are familiar
+with. The only password backend required is the "guest" backend so as to allow default
+unprivileged account names to be used. Given that there is a WINS server on this network
+we do use it.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2902638"></a>Central Print Serving</h3></div></div><div></div></div><p>
+Configuration of a simple print server is very simple if you have all the right tools
+on your system.
+</p><div class="orderedlist"><p class="title"><b> Assumptions:</b></p><ol type="1"><li><p>
+ The print server must require no administration
+ </p></li><li><p>
+ The print spooling and processing system on our print server will be CUPS.
+ (Please refer to the <a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing</a> chapter for more information).
+ </p></li><li><p>
+ All printers that the print server will service will be network
+ printers. They will be correctly configured, by the administrator,
+ in the CUPS environment.
+ </p></li><li><p>
+ All workstations will be installed using postscript drivers. The printer
+ of choice is the Apple Color LaserWriter.
+ </p></li></ol></div><p>
+In this example our print server will spool all incoming print jobs to
+<tt class="filename">/var/spool/samba</tt> until the job is ready to be submitted by
+Samba to the CUPS print processor. Since all incoming connections will be as
+the anonymous (guest) user, two things will be required:
+</p><div class="itemizedlist"><p class="title"><b>Enabling Anonymous Printing</b></p><ul type="disc"><li><p>
+ The Unix/Linux system must have a <b class="command">guest</b> account.
+ The default for this is usually the account <b class="command">nobody</b>.
+ To find the correct name to use for your version of Samba do the
+ following:
+ </p><pre class="screen">
+<tt class="prompt">$ </tt><b class="userinput"><tt>testparm -s -v | grep "guest account"</tt></b>
+ </pre><p>
+ Then make sure that this account exists in your system password
+ database (<tt class="filename">/etc/passwd</tt>).
+ </p></li><li><p>
+ The directory into which Samba will spool the file must have write
+ access for the guest account. The following commands will ensure that
+ this directory is available for use:
+ </p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>mkdir /var/spool/samba</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chown nobody.nobody /var/spool/samba</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>chmod a+rwt /var/spool/samba</tt></b>
+ </pre><p>
+ </p></li></ul></div><p>
+</p><pre class="programlisting">
+ # Global parameters
+ [global]
+ workgroup = MYGROUP
+ netbios name = PTRSVR1
+ security = SHARE
+ passdb backend = guest
+ wins server = 192.168.1.1
+
+ [printers]
+ comment = All Printers
+ path = /var/spool/samba
+ printer admin = root
+ guest ok = Yes
+ printable = Yes
+ printing = cups
+ use client driver = Yes
+ browseable = No
+</pre><p>
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2902852"></a>Common Errors</h2></div></div><div></div></div><p>
+The greatest mistake so often made is to make a network configuration too complex.
+It pays to use the simplest solution that will meet the needs of the moment.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="domain-member.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ClientConfig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Domain Membership </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. MS Windows Network Configuration Guide</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 20. Stackable VFS modules</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0"><link rel="next" href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 20. Stackable VFS modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="VFS"></a>Chapter 20. Stackable VFS modules</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Tim</span> <span class="surname">Potter</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Simo</span> <span class="surname">Sorce</span></h3><span class="contrib">original vfs_skel README</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Alexander</span> <span class="surname">Bokovoy</span></h3><span class="contrib">original vfs_netatalk docs</span></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stefan</span> <span class="surname">Metzmacher</span></h3><span class="contrib">Update for multiple modules</span></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2978690">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978211"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Since Samba-3, there is support for stackable VFS(Virtual File System) modules.
+Samba passes each request to access the unix file system thru the loaded VFS modules.
+This chapter covers all the modules that come with the samba source and references to
+some external modules.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978229"></a>Discussion</h2></div></div><div></div></div><p>
+If not supplied with your platform distribution binary Samba package you may have problems
+to compile these modules, as shared libraries are compiled and linked in different ways
+on different systems. They currently have been tested against GNU/Linux and IRIX.
+</p><p>
+To use the VFS modules, create a share similar to the one below. The
+important parameter is the <b class="command">vfs objects</b> parameter where
+you can list one or more VFS modules by name. For example, to log all access
+to files and put deleted files in a recycle bin:
+
+</p><pre class="programlisting">
+[audit]
+ comment = Audited /data directory
+ path = /data
+ vfs objects = audit recycle
+ writeable = yes
+ browseable = yes
+</pre><p>
+</p><p>
+The modules are used in the order in which they are specified.
+</p><p>
+Samba will attempt to load modules from the <span class="emphasis"><em>lib</em></span>
+directory in the root directory of the samba installation (usually
+<tt class="filename">/usr/lib/samba/vfs</tt> or <tt class="filename">/usr/local/samba/lib/vfs
+</tt>).
+</p><p>
+Some modules can be used twice for the same share.
+This can be done using a configuration similar to the one below.
+
+</p><pre class="programlisting">
+[test]
+ comment = VFS TEST
+ path = /data
+ writeable = yes
+ browseable = yes
+ vfs objects = example:example1 example example:test
+ example1: parameter = 1
+ example: parameter = 5
+ test: parameter = 7
+</pre><p>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978320"></a>Included modules</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978327"></a>audit</h3></div></div><div></div></div><p>
+ A simple module to audit file access to the syslog
+ facility. The following operations are logged:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>share</td></tr><tr><td>connect/disconnect</td></tr><tr><td>directory opens/create/remove</td></tr><tr><td>file open/close/rename/unlink/chmod</td></tr></table><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978365"></a>extd_audit</h3></div></div><div></div></div><p>
+ This module is identical with the <span class="emphasis"><em>audit</em></span> module above except
+ that it sends audit logs to both syslog as well as the smbd log file/s. The
+ loglevel for this module is set in the smb.conf file.
+ </p><p>
+ The logging information that will be written to the smbd log file is controlled by
+ the <i class="parameter"><tt>log level</tt></i> parameter in <tt class="filename">smb.conf</tt>. The
+ following information will be recorded:
+ </p><div class="table"><a name="id2978406"></a><p class="title"><b>Table 20.1. Extended Auditing Log Information</b></p><table summary="Extended Auditing Log Information" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Log Level</th><th align="center">Log Details - File and Directory Operations</th></tr></thead><tbody><tr><td align="center">0</td><td align="left">Creation / Deletion</td></tr><tr><td align="center">1</td><td align="left">Create / Delete / Rename / Permission Changes</td></tr><tr><td align="center">2</td><td align="left">Create / Delete / Rename / Perm Change / Open / Close</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978489"></a>fake_perms</h3></div></div><div></div></div><p>
+ This module was created to allow Roaming Profile files and directories to be set (on the Samba server
+ under Unix) as read only. This module will if installed on the Profiles share will report to the client
+ that the Profile files and directories are writable. This satisfies the client even though the files
+ will never be overwritten as the client logs out or shuts down.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978508"></a>recycle</h3></div></div><div></div></div><p>
+ A recycle-bin like module. When used any unlink call
+ will be intercepted and files moved to the recycle
+ directory instead of being deleted.
+ </p><p>Supported options:
+ </p><div class="variablelist"><dl><dt><span class="term">recycle:repository</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:keeptree</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:versions</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:touch</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:maxsize</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:exclude_dir</span></dt><dd><p>FIXME</p></dd><dt><span class="term">recycle:noversions</span></dt><dd><p>FIXME</p></dd></dl></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978645"></a>netatalk</h3></div></div><div></div></div><p>
+ A netatalk module, that will ease co-existence of samba and
+ netatalk file sharing services.
+ </p><p>Advantages compared to the old netatalk module:
+ </p><table class="simplelist" border="0" summary="Simple list"><tr><td>it doesn't care about creating of .AppleDouble forks, just keeps them in sync</td></tr><tr><td>if a share in <tt class="filename">smb.conf</tt> doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</td></tr></table><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978690"></a>VFS modules available elsewhere</h2></div></div><div></div></div><p>
+This section contains a listing of various other VFS modules that
+have been posted but don't currently reside in the Samba CVS
+tree for one reason or another (e.g. it is easy for the maintainer
+to have his or her own CVS tree).
+</p><p>
+No statements about the stability or functionality of any module
+should be implied due to its presence here.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978712"></a>DatabaseFS</h3></div></div><div></div></div><p>
+ URL: <a href="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" target="_top">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</a>
+ </p><p>By <a href="mailto:elorimer@css.tayloru.edu" target="_top">Eric Lorimer</a>.</p><p>
+ I have created a VFS module which implements a fairly complete read-only
+ filesystem. It presents information from a database as a filesystem in
+ a modular and generic way to allow different databases to be used
+ (originally designed for organizing MP3s under directories such as
+ "Artists," "Song Keywords," etc... I have since applied it to a student
+ roster database very easily). The directory structure is stored in the
+ database itself and the module makes no assumptions about the database
+ structure beyond the table it requires to run.
+ </p><p>
+ Any feedback would be appreciated: comments, suggestions, patches,
+ etc... If nothing else, hopefully it might prove useful for someone
+ else who wishes to create a virtual filesystem.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2978768"></a>vscan</h3></div></div><div></div></div><p>URL: <a href="http://www.openantivirus.org/" target="_top">http://www.openantivirus.org/</a></p><p>
+ samba-vscan is a proof-of-concept module for Samba, which
+ uses the VFS (virtual file system) features of Samba 2.2.x/3.0
+ alphaX. Of course, Samba has to be compiled with VFS support.
+ samba-vscan supports various virus scanners and is maintained
+ by Rainer Link.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2978797"></a>Common Errors</h2></div></div><div></div></div><p>
+There must be some gotchas we should record here! Jelmer???
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="CUPS-printing.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="winbind.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 19. CUPS Printing Support in Samba 3.0 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 21. Integrated Logon Support using Winbind</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>SAMBA Project Documentation</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><meta name="description" content="
+This book is a collection of HOWTOs added to Samba documentation over the years.
+Samba is always under development, and so is its' documentation. This release of the
+documentation represents a major revision or layout as well as contents.
+The most recent version of this document can be found at
+http://www.samba.org/
+on the "Documentation" page. Please send updates to
+Jelmer Vernooij,
+John H. Terpstra or
+Gerald (Jerry) Carter.
+
+The Samba-Team would like to express sincere thanks to the many people who have with
+or without their knowledge contributed to this update. The size and scope of this
+project would not have been possible without significant community contribution. A not
+insignificant number of ideas for inclusion (if not content itself) has been obtained
+from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
+application knowledge that is most to be desired by many Samba users and administrators.
+"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="next" href="introduction.html" title="Part I. General Installation"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SAMBA Project Documentation</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr></table><hr></div><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="Samba-HOWTO-Collection"></a>SAMBA Project Documentation</h1></div><div><div class="authorgroup"><h4 class="editedby">Edited by</h4><h3 class="editor"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><h3 class="editor"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><h3 class="editor"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3></div></div><div><div class="legalnotice"><p>
+This documentation is distributed under the GNU General Public License (GPL)
+version 2. A copy of the license is included with the Samba source
+distribution. A copy can be found on-line at <a href="http://www.fsf.org/licenses/gpl.txt" target="_top">http://www.fsf.org/licenses/gpl.txt</a>
+</p><p><b>Attributions. </b>
+ </p><div class="variablelist"><dl><dt><span class="term"><a href="IntroSMB.html" title="Chapter 1. Introduction to Samba">Introduction to Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>David Lechnyr <<a href="mailto:david@lechnyr.com" target="_top">david@lechnyr.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="install.html" title="Chapter 2. How to Install and Test SAMBA">How to Install and Test SAMBA</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Karl Auer</p></li></ul></div></dd><dt><span class="term"><a href="FastStart.html" title="Chapter 3. Fast Start for the Impatient">Fast Start for the Impatient</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ServerType.html" title="Chapter 4. Server Types and Security Modes">Server Types and Security Modes</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="samba-bdc.html" title="Chapter 6. Backup Domain Control">Backup Domain Control</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Volker Lendecke <<a href="mailto:Volker.Lendecke@SerNet.DE" target="_top">Volker.Lendecke@SerNet.DE</a>></p></li></ul></div></dd><dt><span class="term"><a href="domain-member.html" title="Chapter 7. Domain Membership">Domain Membership</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="StandAloneServer.html" title="Chapter 8. Stand-Alone Servers">Stand-Alone Servers</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ClientConfig.html" title="Chapter 9. MS Windows Network Configuration Guide">MS Windows Network Configuration Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide">Samba / MS Windows Network Browsing Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="passdb.html" title="Chapter 11. Account Information Databases">Account Information Databases</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Olivier (lem) Lemaire <<a href="mailto:olem@IDEALX.org" target="_top">olem@IDEALX.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="groupmapping.html" title="Chapter 12. Mapping MS Windows and Unix Groups">Mapping MS Windows and Unix Groups</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jean François Micouleau</p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls">File, Directory and Share Access Controls</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="locking.html" title="Chapter 14. File and Record Locking">File and Record Locking</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jeremy Allison <<a href="mailto:jra@samba.org" target="_top">jra@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Eric Roseme <<a href="mailto:eric.roseme@hp.com" target="_top">eric.roseme@hp.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="securing-samba.html" title="Chapter 15. Securing Samba">Securing Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="InterdomainTrusts.html" title="Chapter 16. Interdomain Trust Relationships">Interdomain Trust Relationships</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Rafal Szczesniak <<a href="mailto:mimir@samba.org" target="_top">mimir@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="msdfs.html" title="Chapter 17. Hosting a Microsoft Distributed File System tree on Samba">Hosting a Microsoft Distributed File System tree on Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Shirish Kalele <<a href="mailto:samba@samba.org" target="_top">samba@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="printing.html" title="Chapter 18. Classical Printing Support">Classical Printing Support</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="CUPS-printing.html" title="Chapter 19. CUPS Printing Support in Samba 3.0">CUPS Printing Support in Samba 3.0</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Kurt Pfeifle <<a href="mailto:kpfeifle@danka.de" target="_top">kpfeifle@danka.de</a>></p></li><li><p>Ciprian Vizitiu <<a href="mailto:CVizitiu@gbif.org" target="_top">CVizitiu@gbif.org</a>> (drawings) </p></li></ul></div></dd><dt><span class="term"><a href="VFS.html" title="Chapter 20. Stackable VFS modules">Stackable VFS modules</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Tim Potter</p></li><li><p>Simo Sorce (original vfs_skel README) </p></li><li><p>Alexander Bokovoy (original vfs_netatalk docs) </p></li><li><p>Stefan Metzmacher (Update for multiple modules) </p></li></ul></div></dd><dt><span class="term"><a href="winbind.html" title="Chapter 21. Integrated Logon Support using Winbind">Integrated Logon Support using Winbind</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Tim Potter <<a href="mailto:tpot@linuxcare.com.au" target="_top">tpot@linuxcare.com.au</a>></p></li><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Naag Mummaneni <<a href="mailto:getnag@rediffmail.com" target="_top">getnag@rediffmail.com</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="AdvancedNetworkManagement.html" title="Chapter 22. Advanced Network Management">Advanced Network Management</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="PolicyMgmt.html" title="Chapter 23. System and Account Policies">System and Account Policies</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management">Desktop Profile Management</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="pam.html" title="Chapter 25. PAM based Distributed Authentication">PAM based Distributed Authentication</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li><li><p>Stephen Langasek <<a href="mailto:vorlon@netexpress.net" target="_top">vorlon@netexpress.net</a>></p></li></ul></div></dd><dt><span class="term"><a href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating MS Windows networks with Samba</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode/Charsets</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>TAKAHASHI Motonobu <<a href="mailto:monyo@home.monyo.com" target="_top">monyo@home.monyo.com</a>></p></li></ul></div></dd><dt><span class="term"><a href="Backup.html" title="Chapter 28. Samba Backup Techniques">Samba Backup Techniques</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="SambaHA.html" title="Chapter 29. High Availability Options">High Availability Options</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0">Upgrading from Samba-2.x to Samba-3.0.0</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC">Migration from NT4 PDC to Samba-3 PDC</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool">SWAT - The Samba Web Administration Tool</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="diagnosis.html" title="Chapter 33. The Samba checklist">The Samba checklist</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Andrew Tridgell <<a href="mailto:tridge@samba.org" target="_top">tridge@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="problems.html" title="Chapter 34. Analysing and solving samba problems">Analysing and solving samba problems</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Gerald Carter <<a href="mailto:jerry@samba.org" target="_top">jerry@samba.org</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>David Bannon <<a href="mailto:dbannon@samba.org" target="_top">dbannon@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="bugreport.html" title="Chapter 35. Reporting Bugs">Reporting Bugs</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p> Someone; Tridge or Karl Auer perhaps?</p></li></ul></div></dd><dt><span class="term"><a href="compiling.html" title="Chapter 36. How to compile SAMBA">How to compile SAMBA</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p> Someone; Jerry perhaps?</p></li></ul></div></dd><dt><span class="term"><a href="Portability.html" title="Chapter 37. Portability">Portability</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="Other-Clients.html" title="Chapter 38. Samba and other CIFS clients">Samba and other CIFS clients</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jim McDonough <<a href="mailto:jmcd@us.ibm.com" target="_top">jmcd@us.ibm.com</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="speed.html" title="Chapter 39. Samba Performance Tuning">Samba Performance Tuning</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Paul Cochrane <<a href="mailto:paulc@dth.scot.nhs.uk" target="_top">paulc@dth.scot.nhs.uk</a>></p></li><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="DNSDHCP.html" title="Chapter 40. DNS and DHCP Configuration Guide">DNS and DHCP Configuration Guide</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>John Terpstra <<a href="mailto:jht@samba.org" target="_top">jht@samba.org</a>></p></li></ul></div></dd><dt><span class="term"><a href="Further-Resources.html" title="Chapter 41. Further Resources">Further Resources</a></span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Jelmer Vernooij <<a href="mailto:jelmer@samba.org" target="_top">jelmer@samba.org</a>></p></li><li><p>David Lechnyr <<a href="mailto:david@lechnyr.com" target="_top">david@lechnyr.com</a>></p></li></ul></div></dd></dl></div><p>
+
+ </p></div></div><div><p class="pubdate">Monday April 21, 2003</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>
+This book is a collection of HOWTOs added to Samba documentation over the years.
+Samba is always under development, and so is its' documentation. This release of the
+documentation represents a major revision or layout as well as contents.
+The most recent version of this document can be found at
+<a href="http://www.samba.org/" target="_top">http://www.samba.org/</a>
+on the "Documentation" page. Please send updates to
+<a href="mailto:jelmer@samba.org" target="_top">Jelmer Vernooij</a>,
+<a href="mailto:jht@samba.org" target="_top">John H. Terpstra</a> or
+<a href="mailto:jerry@samba.org" target="_top">Gerald (Jerry) Carter</a>.
+</p><p>
+The Samba-Team would like to express sincere thanks to the many people who have with
+or without their knowledge contributed to this update. The size and scope of this
+project would not have been possible without significant community contribution. A not
+insignificant number of ideas for inclusion (if not content itself) has been obtained
+from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
+application knowledge that is most to be desired by many Samba users and administrators.
+</p></div></div></div><div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>I. <a href="introduction.html">General Installation</a></dt><dd><dl><dt>1. <a href="IntroSMB.html">Introduction to Samba</a></dt><dd><dl><dt><a href="IntroSMB.html#id2885613">Background</a></dt><dt><a href="IntroSMB.html#id2885824">Terminology</a></dt><dt><a href="IntroSMB.html#id2885978">Related Projects</a></dt><dt><a href="IntroSMB.html#id2886047">SMB Methodology</a></dt><dt><a href="IntroSMB.html#id2886135">Epilogue</a></dt><dt><a href="IntroSMB.html#id2886209">Miscellaneous</a></dt></dl></dd><dt>2. <a href="install.html">How to Install and Test SAMBA</a></dt><dd><dl><dt><a href="install.html#id2886868">Obtaining and installing samba</a></dt><dt><a href="install.html#id2886909">Configuring samba (smb.conf)</a></dt><dd><dl><dt><a href="install.html#id2886946">Example Configuration</a></dt><dt><a href="install.html#id2887096">SWAT</a></dt></dl></dd><dt><a href="install.html#id2887140">Try listing the shares available on your
+ server</a></dt><dt><a href="install.html#id2887191">Try connecting with the unix client</a></dt><dt><a href="install.html#id2887292">Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</a></dt><dt><a href="install.html#id2887355">What If Things Don't Work?</a></dt><dt><a href="install.html#id2887388">Common Errors</a></dt><dd><dl><dt><a href="install.html#id2887401">Why are so many smbd processes eating memory?</a></dt><dt><a href="install.html#id2887617">I'm getting "open_oplock_ipc: Failed to get local UDP socket for address 100007f. Error was Cannot assign requested" in the logs</a></dt></dl></dd></dl></dd><dt>3. <a href="FastStart.html">Fast Start for the Impatient</a></dt><dd><dl><dt><a href="FastStart.html#id2886744">Note</a></dt></dl></dd></dl></dd><dt>II. <a href="type.html">Server Configuration Basics</a></dt><dd><dl><dt>4. <a href="ServerType.html">Server Types and Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2888767">Features and Benefits</a></dt><dt><a href="ServerType.html#id2888862">Server Types</a></dt><dt><a href="ServerType.html#id2888947">Samba Security Modes</a></dt><dd><dl><dt><a href="ServerType.html#id2889062">User Level Security</a></dt><dt><a href="ServerType.html#id2889195">Share Level Security</a></dt><dt><a href="ServerType.html#id2889317">Domain Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889568">ADS Security Mode (User Level Security)</a></dt><dt><a href="ServerType.html#id2889655">Server Security (User Level Security)</a></dt></dl></dd><dt><a href="ServerType.html#id2889880">Seamless Windows Network Integration</a></dt><dt><a href="ServerType.html#id2890056">Common Errors</a></dt><dd><dl><dt><a href="ServerType.html#id2890084">What makes Samba a SERVER?</a></dt><dt><a href="ServerType.html#id2890117">What makes Samba a Domain Controller?</a></dt><dt><a href="ServerType.html#id2890146">What makes Samba a Domain Member?</a></dt><dt><a href="ServerType.html#id2890179">Constantly Losing Connections to Password Server</a></dt></dl></dd></dl></dd><dt>5. <a href="samba-pdc.html">Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2891986">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2892290">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2892306">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2892517">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2892837">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2893136">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2893157">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893173">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2893499">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2893607">Common Problems and Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2893614">I cannot include a '$' in a machine name</a></dt><dt><a href="samba-pdc.html#id2893653">I get told "You already have a connection to the Domain...."
+or "Cannot join domain, the credentials supplied conflict with an
+existing set.." when creating a machine trust account.</a></dt><dt><a href="samba-pdc.html#id2893703">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2893773">The machine trust account for this computer either does not
+exist or is not accessible.</a></dt><dt><a href="samba-pdc.html#id2893836">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+I get a message about my account being disabled.</a></dt><dt><a href="samba-pdc.html#id2893863">Until a few minutes after Samba has started, clients get the error "Domain Controller Unavailable"</a></dt></dl></dd></dl></dd><dt>6. <a href="samba-bdc.html">Backup Domain Control</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896028">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896201">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896230">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896450">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896471">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896497">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896542">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896645">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896706">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896719">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896750">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896783">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896828">Can I do this all with LDAP?</a></dt></dl></dd></dl></dd><dt>7. <a href="domain-member.html">Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2897897">Features and Benefits</a></dt><dt><a href="domain-member.html#id2898012">MS Windows Workstation/Server Machine Trust Accounts</a></dt><dd><dl><dt><a href="domain-member.html#id2898188">Manual Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898440">Using NT4 Server Manager to Add Machine Accounts to the Domain</a></dt><dt><a href="domain-member.html#id2898636">"On-the-Fly" Creation of Machine Trust Accounts</a></dt><dt><a href="domain-member.html#id2898699">Making an MS Windows Workstation or Server a Domain Member</a></dt></dl></dd><dt><a href="domain-member.html#domain-member-server">Domain Member Server</a></dt><dd><dl><dt><a href="domain-member.html#id2898901">Joining an NT4 type Domain with Samba-3</a></dt><dt><a href="domain-member.html#id2899283">Why is this better than security = server?</a></dt></dl></dd><dt><a href="domain-member.html#ads-member">Samba ADS Domain Membership</a></dt><dd><dl><dt><a href="domain-member.html#id2899424">Setup your smb.conf</a></dt><dt><a href="domain-member.html#id2899508">Setup your /etc/krb5.conf</a></dt><dt><a href="domain-member.html#ads-create-machine-account">Create the computer account</a></dt><dt><a href="domain-member.html#ads-test-server">Test your server setup</a></dt><dt><a href="domain-member.html#ads-test-smbclient">Testing with smbclient</a></dt><dt><a href="domain-member.html#id2899872">Notes</a></dt></dl></dd><dt><a href="domain-member.html#id2899892">Common Errors</a></dt><dd><dl><dt><a href="domain-member.html#id2899919">Can Not Add Machine Back to Domain</a></dt><dt><a href="domain-member.html#id2899951">Adding Machine to Domain Fails</a></dt></dl></dd></dl></dd><dt>8. <a href="StandAloneServer.html">Stand-Alone Servers</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902304">Features and Benefits</a></dt><dt><a href="StandAloneServer.html#id2902501">Background</a></dt><dt><a href="StandAloneServer.html#id2902573">Example Configuration</a></dt><dd><dl><dt><a href="StandAloneServer.html#id2902588">Reference Documentation Server</a></dt><dt><a href="StandAloneServer.html#id2902638">Central Print Serving</a></dt></dl></dd><dt><a href="StandAloneServer.html#id2902852">Common Errors</a></dt></dl></dd><dt>9. <a href="ClientConfig.html">MS Windows Network Configuration Guide</a></dt><dd><dl><dt><a href="ClientConfig.html#id2901966">Note</a></dt></dl></dd></dl></dd><dt>III. <a href="optional.html">Advanced Configuration</a></dt><dd><dl><dt>10. <a href="NetworkBrowsing.html">Samba / MS Windows Network Browsing Guide</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903558">Features and Benefits</a></dt><dt><a href="NetworkBrowsing.html#id2903637">What is Browsing?</a></dt><dt><a href="NetworkBrowsing.html#id2903747">Discussion</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2903764">NetBIOS over TCP/IP</a></dt><dt><a href="NetworkBrowsing.html#id2903926">TCP/IP - without NetBIOS</a></dt><dt><a href="NetworkBrowsing.html#id2904058">DNS and Active Directory</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2904194">How Browsing Functions</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2904320">Setting up WORKGROUP Browsing</a></dt><dt><a href="NetworkBrowsing.html#id2904541">Setting up DOMAIN Browsing</a></dt><dt><a href="NetworkBrowsing.html#browse-force-master">Forcing Samba to be the master</a></dt><dt><a href="NetworkBrowsing.html#id2904811">Making Samba the domain master</a></dt><dt><a href="NetworkBrowsing.html#id2904967">Note about broadcast addresses</a></dt><dt><a href="NetworkBrowsing.html#id2904984">Multiple interfaces</a></dt><dt><a href="NetworkBrowsing.html#id2905013">Use of the Remote Announce parameter</a></dt><dt><a href="NetworkBrowsing.html#id2905122">Use of the Remote Browse Sync parameter</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905183">WINS - The Windows Internetworking Name Server</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905341">Setting up a WINS server</a></dt><dt><a href="NetworkBrowsing.html#id2905540">WINS Replication</a></dt><dt><a href="NetworkBrowsing.html#id2905565">Static WINS Entries</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905650">Helpful Hints</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905663">Windows Networking Protocols</a></dt><dt><a href="NetworkBrowsing.html#id2905730">Name Resolution Order</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2905867">Technical Overview of browsing</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2905914">Browsing support in Samba</a></dt><dt><a href="NetworkBrowsing.html#id2906021">Problem resolution</a></dt><dt><a href="NetworkBrowsing.html#id2906100">Browsing across subnets</a></dt></dl></dd><dt><a href="NetworkBrowsing.html#id2906720">Common Errors</a></dt><dd><dl><dt><a href="NetworkBrowsing.html#id2906735">How can one flush the Samba NetBIOS name cache without restarting Samba?</a></dt><dt><a href="NetworkBrowsing.html#id2906764">My client reports "This server is not configured to list shared resources"</a></dt></dl></dd></dl></dd><dt>11. <a href="passdb.html">Account Information Databases</a></dt><dd><dl><dt><a href="passdb.html#id2910308">Features and Benefits</a></dt><dt><a href="passdb.html#id2910636">Technical Information</a></dt><dd><dl><dt><a href="passdb.html#id2910700">Important Notes About Security</a></dt><dt><a href="passdb.html#id2910954">Mapping User Identifiers between MS Windows and Unix</a></dt></dl></dd><dt><a href="passdb.html#id2911009">Account Management Tools</a></dt><dd><dl><dt><a href="passdb.html#id2911041">The smbpasswd Command</a></dt><dt><a href="passdb.html#id2911306">The pdbedit Command</a></dt></dl></dd><dt><a href="passdb.html#id2911458">Password Backends</a></dt><dd><dl><dt><a href="passdb.html#id2911494">Plain Text</a></dt><dt><a href="passdb.html#id2911534">smbpasswd - Encrypted Password Database</a></dt><dt><a href="passdb.html#id2911641">tdbsam</a></dt><dt><a href="passdb.html#id2911668">ldapsam</a></dt><dt><a href="passdb.html#id2913185">MySQL</a></dt><dt><a href="passdb.html#XMLpassdb">XML</a></dt></dl></dd><dt><a href="passdb.html#id2913989">Common Errors</a></dt><dd><dl><dt><a href="passdb.html#id2913997">Users can not logon - Users not in Samba SAM</a></dt><dt><a href="passdb.html#id2914012">Users are being added to the wrong backend database</a></dt><dt><a href="passdb.html#id2914072">auth methods does not work</a></dt></dl></dd></dl></dd><dt>12. <a href="groupmapping.html">Mapping MS Windows and Unix Groups</a></dt><dd><dl><dt><a href="groupmapping.html#id2921449">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921742">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921806">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921820">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921889">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921981">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921997">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2922057">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></dd><dt>13. <a href="AccessControls.html">File, Directory and Share Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920271">Features and Benefits</a></dt><dt><a href="AccessControls.html#id2920308">File System Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2920326">MS Windows NTFS Comparison with Unix File Systems</a></dt><dt><a href="AccessControls.html#id2920583">Managing Directories</a></dt><dt><a href="AccessControls.html#id2920678">File and Directory Access Control</a></dt></dl></dd><dt><a href="AccessControls.html#id2920894">Share Definition Access Controls</a></dt><dd><dl><dt><a href="AccessControls.html#id2922074">User and Group Based Controls</a></dt><dt><a href="AccessControls.html#id2922346">File and Directory Permissions Based Controls</a></dt><dt><a href="AccessControls.html#id2922591">Miscellaneous Controls</a></dt></dl></dd><dt><a href="AccessControls.html#id2922807">Access Controls on Shares</a></dt><dd><dl><dt><a href="AccessControls.html#id2922879">Share Permissions Management</a></dt></dl></dd><dt><a href="AccessControls.html#id2923178">MS Windows Access Control Lists and Unix Interoperability</a></dt><dd><dl><dt><a href="AccessControls.html#id2923186">Managing UNIX permissions Using NT Security Dialogs</a></dt><dt><a href="AccessControls.html#id2923224">Viewing File Security on a Samba Share</a></dt><dt><a href="AccessControls.html#id2923303">Viewing file ownership</a></dt><dt><a href="AccessControls.html#id2923425">Viewing File or Directory Permissions</a></dt><dt><a href="AccessControls.html#id2923653">Modifying file or directory permissions</a></dt><dt><a href="AccessControls.html#id2923805">Interaction with the standard Samba create mask
+ parameters</a></dt><dt><a href="AccessControls.html#id2924134">Interaction with the standard Samba file attribute
+ mapping</a></dt></dl></dd><dt><a href="AccessControls.html#id2924210">Common Errors</a></dt><dd><dl><dt><a href="AccessControls.html#id2924224">Users can not write to a public share</a></dt><dt><a href="AccessControls.html#id2924604">I have set force user and Samba still makes root the owner of all the files
+ I touch!</a></dt></dl></dd></dl></dd><dt>14. <a href="locking.html">File and Record Locking</a></dt><dd><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></dd><dt>15. <a href="securing-samba.html">Securing Samba</a></dt><dd><dl><dt><a href="securing-samba.html#id2931943">Introduction</a></dt><dt><a href="securing-samba.html#id2931976">Features and Benefits</a></dt><dt><a href="securing-samba.html#id2932050">Technical Discussion of Protective Measures and Issues</a></dt><dd><dl><dt><a href="securing-samba.html#id2932069">Using host based protection</a></dt><dt><a href="securing-samba.html#id2932140">User based protection</a></dt><dt><a href="securing-samba.html#id2932191">Using interface protection</a></dt><dt><a href="securing-samba.html#id2932244">Using a firewall</a></dt><dt><a href="securing-samba.html#id2932300">Using a IPC$ share deny</a></dt><dt><a href="securing-samba.html#id2932362">NTLMv2 Security</a></dt></dl></dd><dt><a href="securing-samba.html#id2932402">Upgrading Samba</a></dt><dt><a href="securing-samba.html#id2932426">Common Errors</a></dt><dd><dl><dt><a href="securing-samba.html#id2932444">Smbclient works on localhost, but the network is dead</a></dt><dt><a href="securing-samba.html#id2932469">Why can users access home directories of other users?</a></dt></dl></dd></dl></dd><dt>16. <a href="InterdomainTrusts.html">Interdomain Trust Relationships</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933376">Features and Benefits</a></dt><dt><a href="InterdomainTrusts.html#id2933404">Trust Relationship Background</a></dt><dt><a href="InterdomainTrusts.html#id2933488">Native MS Windows NT4 Trusts Configuration</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933501">NT4 as the Trusting Domain (ie. creating the trusted account)</a></dt><dt><a href="InterdomainTrusts.html#id2933586">NT4 as the Trusted Domain (ie. creating trusted account's password)</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933622">Configuring Samba NT-style Domain Trusts</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933649">Samba-3 as the Trusting Domain</a></dt><dt><a href="InterdomainTrusts.html#id2933790">Samba-3 as the Trusted Domain</a></dt></dl></dd><dt><a href="InterdomainTrusts.html#id2933922">Common Errors</a></dt><dd><dl><dt><a href="InterdomainTrusts.html#id2933937">Tell me about Trust Relationships using Samba</a></dt></dl></dd></dl></dd><dt>17. <a href="msdfs.html">Hosting a Microsoft Distributed File System tree on Samba</a></dt><dd><dl><dt><a href="msdfs.html#id2933279">Features and Benefits</a></dt><dt><a href="msdfs.html#id2934931">Common Errors</a></dt></dl></dd><dt>18. <a href="printing.html">Classical Printing Support</a></dt><dd><dl><dt><a href="printing.html#id2934522">Features and Benefits</a></dt><dt><a href="printing.html#id2934590">Technical Introduction</a></dt><dd><dl><dt><a href="printing.html#id2934627">What happens if you send a Job from a Client</a></dt><dt><a href="printing.html#id2934698">Printing Related Configuration Parameters</a></dt><dt><a href="printing.html#id2935615">Parameters Recommended for Use</a></dt><dt><a href="printing.html#id2935946">Parameters for Backwards Compatibility</a></dt><dt><a href="printing.html#id2936054">Parameters no longer in use</a></dt></dl></dd><dt><a href="printing.html#id2936147">A simple Configuration to Print with Samba-3</a></dt><dd><dl><dt><a href="printing.html#id2936216">Verification of "Settings in Use" with testparm</a></dt><dt><a href="printing.html#id2936305">A little Experiment to warn you</a></dt></dl></dd><dt><a href="printing.html#id2936612">Extended Sample Configuration to Print with Samba-3</a></dt><dt><a href="printing.html#id2936715">Detailed Explanation of the Example's Settings</a></dt><dd><dl><dt><a href="printing.html#id2936728">The [global] Section</a></dt><dt><a href="printing.html#id2937111">The [printers] Section</a></dt><dt><a href="printing.html#id2937440">Any [my_printer_name] Section</a></dt><dt><a href="printing.html#id2937660">Print Commands</a></dt><dt><a href="printing.html#id2937711">Default Print Commands for various Unix Print Subsystems</a></dt><dt><a href="printing.html#id2938236">Setting up your own Print Commands</a></dt></dl></dd><dt><a href="printing.html#id2938516">Innovations in Samba Printing since 2.2</a></dt><dd><dl><dt><a href="printing.html#id2938681">Client Drivers on Samba Server for Point'n'Print</a></dt><dt><a href="printing.html#id2938833">The [printer$] Section is removed from Samba-3</a></dt><dt><a href="printing.html#id2938945">Creating the [print$] Share</a></dt><dt><a href="printing.html#id2939016">Parameters in the [print$] Section</a></dt><dt><a href="printing.html#id2939247">Subdirectory Structure in [print$]</a></dt></dl></dd><dt><a href="printing.html#id2939408">Installing Drivers into [print$]</a></dt><dd><dl><dt><a href="printing.html#id2939503">Setting Drivers for existing Printers with a Client GUI</a></dt><dt><a href="printing.html#id2939686">Setting Drivers for existing Printers with
+rpcclient</a></dt></dl></dd><dt><a href="printing.html#id2941408">"The Proof of the Pudding lies in the Eating" (Client Driver Install
+Procedure)</a></dt><dd><dl><dt><a href="printing.html#id2941428">The first Client Driver Installation</a></dt><dt><a href="printing.html#id2941626">IMPORTANT! Setting Device Modes on new Printers</a></dt><dt><a href="printing.html#id2941915">Further Client Driver Install Procedures</a></dt><dt><a href="printing.html#id2942010">Always make first Client Connection as root or "printer admin"</a></dt></dl></dd><dt><a href="printing.html#id2942152">Other Gotchas</a></dt><dd><dl><dt><a href="printing.html#id2942185">Setting Default Print Options for the Client Drivers</a></dt><dt><a href="printing.html#id2942622">Supporting large Numbers of Printers</a></dt><dt><a href="printing.html#id2942924">Adding new Printers with the Windows NT APW</a></dt><dt><a href="printing.html#id2943168">Weird Error Message Cannot connect under a
+different Name</a></dt><dt><a href="printing.html#id2943267">Be careful when assembling Driver Files</a></dt><dt><a href="printing.html#id2943612">Samba and Printer Ports</a></dt><dt><a href="printing.html#id2943683">Avoiding the most common Misconfigurations of the Client Driver</a></dt></dl></dd><dt><a href="printing.html#id2943705">The Imprints Toolset</a></dt><dd><dl><dt><a href="printing.html#id2943751">What is Imprints?</a></dt><dt><a href="printing.html#id2943792">Creating Printer Driver Packages</a></dt><dt><a href="printing.html#id2943811">The Imprints Server</a></dt><dt><a href="printing.html#id2943835">The Installation Client</a></dt></dl></dd><dt><a href="printing.html#id2943987">Add Network Printers at Logon without User Interaction</a></dt><dt><a href="printing.html#id2944316">The addprinter command</a></dt><dt><a href="printing.html#id2944362">Migration of "Classical" printing to Samba-3</a></dt><dt><a href="printing.html#id2944531">Publishing Printer Information in Active Directory or LDAP</a></dt><dt><a href="printing.html#id2944545">Common Errors and Problems</a></dt><dd><dl><dt><a href="printing.html#id2944558">I give my root password but I don't get access</a></dt><dt><a href="printing.html#id2944591">My printjobs get spooled into the spooling directory, but then get lost</a></dt></dl></dd></dl></dd><dt>19. <a href="CUPS-printing.html">CUPS Printing Support in Samba 3.0</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953785">Introduction</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953792">Features and Benefits</a></dt><dt><a href="CUPS-printing.html#id2953845">Overview</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2953900">Basic Configuration of CUPS support</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2953979">Linking of smbd with libcups.so</a></dt><dt><a href="CUPS-printing.html#id2954122">Simple smb.conf Settings for CUPS</a></dt><dt><a href="CUPS-printing.html#id2954205">More complex smb.conf Settings for
+CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954322">Advanced Configuration</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954343">Central spooling vs. "Peer-to-Peer" printing</a></dt><dt><a href="CUPS-printing.html#id2954370">CUPS/Samba as a "spooling-only" Print Server; "raw" printing
+with Vendor Drivers on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954406">Driver Installation Methods on Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2954465">Explicitly enable "raw" printing for
+application/octet-stream!</a></dt><dt><a href="CUPS-printing.html#id2954626">Three familiar Methods for driver upload plus a new one</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2954719">Using CUPS/Samba in an advanced Way -- intelligent printing
+with PostScript Driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2954794">GDI on Windows -- PostScript on Unix</a></dt><dt><a href="CUPS-printing.html#id2954839">Windows Drivers, GDI and EMF</a></dt><dt><a href="CUPS-printing.html#id2954940">Unix Printfile Conversion and GUI Basics</a></dt><dt><a href="CUPS-printing.html#id2955028">PostScript and Ghostscript</a></dt><dt><a href="CUPS-printing.html#id2955125">Ghostscript -- the Software RIP for non-PostScript Printers</a></dt><dt><a href="CUPS-printing.html#id2955238">PostScript Printer Description (PPD) Specification</a></dt><dt><a href="CUPS-printing.html#id2955308">CUPS can use all Windows-formatted Vendor PPDs</a></dt><dt><a href="CUPS-printing.html#id2955397">CUPS also uses PPDs for non-PostScript Printers</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2955420">The CUPS Filtering Architecture</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2955560">MIME types and CUPS Filters</a></dt><dt><a href="CUPS-printing.html#id2955747">MIME type Conversion Rules</a></dt><dt><a href="CUPS-printing.html#id2955864">Filter Requirements</a></dt><dt><a href="CUPS-printing.html#id2956034">Prefilters</a></dt><dt><a href="CUPS-printing.html#id2956120">pstops</a></dt><dt><a href="CUPS-printing.html#id2956222">pstoraster</a></dt><dt><a href="CUPS-printing.html#id2956377">imagetops and imagetoraster</a></dt><dt><a href="CUPS-printing.html#id2956434">rasterto [printers specific]</a></dt><dt><a href="CUPS-printing.html#id2956519">CUPS Backends</a></dt><dt><a href="CUPS-printing.html#id2956831">cupsomatic/Foomatic -- how do they fit into the Picture?</a></dt><dt><a href="CUPS-printing.html#id2956944">The Complete Picture</a></dt><dt><a href="CUPS-printing.html#id2956960">mime.convs</a></dt><dt><a href="CUPS-printing.html#id2957012">"Raw" printing</a></dt><dt><a href="CUPS-printing.html#id2957066">"application/octet-stream" printing</a></dt><dt><a href="CUPS-printing.html#id2957282">PostScript Printer Descriptions (PPDs) for non-PS Printers</a></dt><dt><a href="CUPS-printing.html#id2957510">Difference between cupsomatic/foomatic-rip and
+native CUPS printing</a></dt><dt><a href="CUPS-printing.html#id2957666">Examples for filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2957897">Sources of CUPS drivers / PPDs</a></dt><dt><a href="CUPS-printing.html#id2958024">Printing with Interface Scripts</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958100">Network printing (purely Windows)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958116">From Windows Clients to an NT Print Server</a></dt><dt><a href="CUPS-printing.html#id2958155">Driver Execution on the Client</a></dt><dt><a href="CUPS-printing.html#id2958227">Driver Execution on the Server</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958289">Network Printing (Windows clients -- UNIX/Samba Print
+Servers)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958310">From Windows Clients to a CUPS/Samba Print Server</a></dt><dt><a href="CUPS-printing.html#id2958474">Samba receiving Jobfiles and passing them to CUPS</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958550">Network PostScript RIP: CUPS Filters on Server -- clients use
+PostScript Driver with CUPS-PPDs</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958605">PPDs for non-PS Printers on UNIX</a></dt><dt><a href="CUPS-printing.html#id2958646">PPDs for non-PS Printers on Windows</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958712">Windows Terminal Servers (WTS) as CUPS Clients</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958729">Printer Drivers running in "Kernel Mode" cause many
+Problems</a></dt><dt><a href="CUPS-printing.html#id2958763">Workarounds impose Heavy Limitations</a></dt><dt><a href="CUPS-printing.html#id2958784">CUPS: a "Magical Stone"?</a></dt><dt><a href="CUPS-printing.html#id2958811">PostScript Drivers with no major problems -- even in Kernel
+Mode</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2958865"> Setting up CUPS for driver Download</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2958884">cupsaddsmb: the unknown Utility</a></dt><dt><a href="CUPS-printing.html#id2958976">Prepare your smb.conf for
+cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2959022">CUPS Package of "PostScript Driver for WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959220">Recognize the different Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959278">Acquiring the Adobe Driver Files</a></dt><dt><a href="CUPS-printing.html#id2959310">ESP Print Pro Package of "PostScript Driver for
+WinNT/2k/XP"</a></dt><dt><a href="CUPS-printing.html#id2959360">Caveats to be considered</a></dt><dt><a href="CUPS-printing.html#id2959582">What are the Benefits of using the "CUPS PostScript Driver for
+Windows NT/2k/XP" as compared to the Adobe Driver?</a></dt><dt><a href="CUPS-printing.html#id2959764">Run "cupsaddsmb" (quiet Mode)</a></dt><dt><a href="CUPS-printing.html#id2959865">Run "cupsaddsmb" with verbose Output</a></dt><dt><a href="CUPS-printing.html#id2960092">Understanding cupsaddsmb</a></dt><dt><a href="CUPS-printing.html#id2960186">How to recognize if cupsaddsm completed successfully</a></dt><dt><a href="CUPS-printing.html#id2960273">cupsaddsmb with a Samba PDC</a></dt><dt><a href="CUPS-printing.html#id2960308">cupsaddsmb Flowchart</a></dt><dt><a href="CUPS-printing.html#id2960361">Installing the PostScript Driver on a Client</a></dt><dt><a href="CUPS-printing.html#id2960474">Avoiding critical PostScript Driver Settings on the
+Client</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2960608">Installing PostScript Driver Files manually (using
+rpcclient)</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2960723">A Check of the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960836">Understanding the rpcclient man Page</a></dt><dt><a href="CUPS-printing.html#id2960925">Producing an Example by querying a Windows Box</a></dt><dt><a href="CUPS-printing.html#id2961015">What is required for adddriver and setdriver to succeed</a></dt><dt><a href="CUPS-printing.html#id2961177">Manual Commandline Driver Installation in 15 little Steps</a></dt><dt><a href="CUPS-printing.html#id2961830">Troubleshooting revisited</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2961930">The printing *.tdb Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962033">Trivial DataBase Files</a></dt><dt><a href="CUPS-printing.html#id2962103">Binary Format</a></dt><dt><a href="CUPS-printing.html#id2962165">Losing *.tdb Files</a></dt><dt><a href="CUPS-printing.html#id2962224">Using tdbbackup</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2962290">CUPS Print Drivers from Linuxprinting.org</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2962398">foomatic-rip and Foomatic explained</a></dt><dt><a href="CUPS-printing.html#id2963027">foomatic-rip and Foomatic-PPD Download and Installation</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963488">Page Accounting with CUPS</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2963519">Setting up Quotas</a></dt><dt><a href="CUPS-printing.html#id2963551">Correct and incorrect Accounting</a></dt><dt><a href="CUPS-printing.html#id2963592">Adobe and CUPS PostScript Drivers for Windows Clients</a></dt><dt><a href="CUPS-printing.html#id2963663">The page_log File Syntax</a></dt><dt><a href="CUPS-printing.html#id2963765">Possible Shortcomings</a></dt><dt><a href="CUPS-printing.html#id2963836">Future Developments</a></dt><dt><a href="CUPS-printing.html#id2963884">Other Accounting Tools</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2963899">Additional Material</a></dt><dt><a href="CUPS-printing.html#id2964092">Auto-Deletion or Preservation of CUPS Spool Files</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964138">CUPS Configuration Settings explained</a></dt><dt><a href="CUPS-printing.html#id2964221">Pre-conditions</a></dt><dt><a href="CUPS-printing.html#id2964281">Manual Configuration</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964299">When not to use Samba to print to
+CUPS</a></dt><dt><a href="CUPS-printing.html#id2964316">In Case of Trouble.....</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964352">Where to find Documentation</a></dt><dt><a href="CUPS-printing.html#id2964364">How to ask for Help</a></dt><dt><a href="CUPS-printing.html#id2964377">Where to find Help</a></dt></dl></dd><dt><a href="CUPS-printing.html#id2964391">Appendix</a></dt><dd><dl><dt><a href="CUPS-printing.html#id2964398">Printing from CUPS to Windows attached
+Printers</a></dt><dt><a href="CUPS-printing.html#id2964612">More CUPS filtering Chains</a></dt><dt><a href="CUPS-printing.html#id2964919">Trouble Shooting Guidelines to fix typical Samba printing
+Problems</a></dt><dt><a href="CUPS-printing.html#id2966041">An Overview of the CUPS Printing Processes</a></dt></dl></dd></dl></dd><dt>20. <a href="VFS.html">Stackable VFS modules</a></dt><dd><dl><dt><a href="VFS.html#id2978211">Features and Benefits</a></dt><dt><a href="VFS.html#id2978229">Discussion</a></dt><dt><a href="VFS.html#id2978320">Included modules</a></dt><dd><dl><dt><a href="VFS.html#id2978327">audit</a></dt><dt><a href="VFS.html#id2978365">extd_audit</a></dt><dt><a href="VFS.html#id2978489">fake_perms</a></dt><dt><a href="VFS.html#id2978508">recycle</a></dt><dt><a href="VFS.html#id2978645">netatalk</a></dt></dl></dd><dt><a href="VFS.html#id2978690">VFS modules available elsewhere</a></dt><dd><dl><dt><a href="VFS.html#id2978712">DatabaseFS</a></dt><dt><a href="VFS.html#id2978768">vscan</a></dt></dl></dd><dt><a href="VFS.html#id2978797">Common Errors</a></dt></dl></dd><dt>21. <a href="winbind.html">Integrated Logon Support using Winbind</a></dt><dd><dl><dt><a href="winbind.html#id2979695">Features and Benefits</a></dt><dt><a href="winbind.html#id2979724">Introduction</a></dt><dt><a href="winbind.html#id2979795">What Winbind Provides</a></dt><dd><dl><dt><a href="winbind.html#id2979856">Target Uses</a></dt></dl></dd><dt><a href="winbind.html#id2979886">How Winbind Works</a></dt><dd><dl><dt><a href="winbind.html#id2979914">Microsoft Remote Procedure Calls</a></dt><dt><a href="winbind.html#id2979949">Microsoft Active Directory Services</a></dt><dt><a href="winbind.html#id2979971">Name Service Switch</a></dt><dt><a href="winbind.html#id2980108">Pluggable Authentication Modules</a></dt><dt><a href="winbind.html#id2980179">User and Group ID Allocation</a></dt><dt><a href="winbind.html#id2980214">Result Caching</a></dt></dl></dd><dt><a href="winbind.html#id2980242">Installation and Configuration</a></dt><dd><dl><dt><a href="winbind.html#id2980271">Introduction</a></dt><dt><a href="winbind.html#id2980346">Requirements</a></dt><dt><a href="winbind.html#id2980438">Testing Things Out</a></dt></dl></dd><dt><a href="winbind.html#id2982058">Conclusion</a></dt><dt><a href="winbind.html#id2982077">Common Errors</a></dt></dl></dd><dt>22. <a href="AdvancedNetworkManagement.html">Advanced Network Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984570">Features and Benefits</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984759">Remote Server Administration</a></dt><dt><a href="AdvancedNetworkManagement.html#id2984858">Remote Desktop Management</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2984876">Remote Management from NoMachines.Com</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985087">Network Logon Script Magic</a></dt><dd><dl><dt><a href="AdvancedNetworkManagement.html#id2985283">Adding printers without user intervention</a></dt></dl></dd><dt><a href="AdvancedNetworkManagement.html#id2985316">Common Errors</a></dt></dl></dd><dt>23. <a href="PolicyMgmt.html">System and Account Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2984380">Features and Benefits</a></dt><dt><a href="PolicyMgmt.html#id2984435">Creating and Managing System Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986217">Windows 9x/Me Policies</a></dt><dt><a href="PolicyMgmt.html#id2986312">Windows NT4 Style Policy Files</a></dt><dt><a href="PolicyMgmt.html#id2986445">MS Windows 200x / XP Professional Policies</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986697">Managing Account/User Policies</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2986798">Samba Editreg Toolset</a></dt><dt><a href="PolicyMgmt.html#id2986819">Windows NT4/200x</a></dt><dt><a href="PolicyMgmt.html#id2986839">Samba PDC</a></dt></dl></dd><dt><a href="PolicyMgmt.html#id2986883">System Startup and Logon Processing Overview</a></dt><dt><a href="PolicyMgmt.html#id2987030">Common Errors</a></dt><dd><dl><dt><a href="PolicyMgmt.html#id2987044">Policy Does Not Work</a></dt></dl></dd></dl></dd><dt>24. <a href="ProfileMgmt.html">Desktop Profile Management</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988251">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2988285">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2988326">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2988731">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2989902">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2989967">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2990232">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2990290">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2990336">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2990356">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2990504">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2991058">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2991562">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2991575">How does one set up roaming profiles for just one (or a few) user/s or group/s?</a></dt><dt><a href="ProfileMgmt.html#id2991638">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2991859">Changing the default profile</a></dt></dl></dd></dl></dd><dt>25. <a href="pam.html">PAM based Distributed Authentication</a></dt><dd><dl><dt><a href="pam.html#id2995804">Features and Benefits</a></dt><dt><a href="pam.html#id2996071">Technical Discussion</a></dt><dd><dl><dt><a href="pam.html#id2996089">PAM Configuration Syntax</a></dt><dt><a href="pam.html#id2996760">Example System Configurations</a></dt><dt><a href="pam.html#id2997062">smb.conf PAM Configuration</a></dt><dt><a href="pam.html#id2997119">Remote CIFS Authentication using winbindd.so</a></dt><dt><a href="pam.html#id2997203">Password Synchronization using pam_smbpass.so</a></dt></dl></dd><dt><a href="pam.html#id2997570">Common Errors</a></dt><dd><dl><dt><a href="pam.html#id2997583">pam_winbind problem</a></dt></dl></dd></dl></dd><dt>26. <a href="integrate-ms-networks.html">Integrating MS Windows networks with Samba</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2999705">Features and Benefits</a></dt><dt><a href="integrate-ms-networks.html#id2999730">Background Information</a></dt><dt><a href="integrate-ms-networks.html#id2999775">Name Resolution in a pure Unix/Linux world</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id2999831">/etc/hosts</a></dt><dt><a href="integrate-ms-networks.html#id2999956">/etc/resolv.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000000">/etc/host.conf</a></dt><dt><a href="integrate-ms-networks.html#id3000042">/etc/nsswitch.conf</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000130">Name resolution as used within MS Windows networking</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000278">The NetBIOS Name Cache</a></dt><dt><a href="integrate-ms-networks.html#id3000323">The LMHOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000567">HOSTS file</a></dt><dt><a href="integrate-ms-networks.html#id3000600">DNS Lookup</a></dt><dt><a href="integrate-ms-networks.html#id3000624">WINS Lookup</a></dt></dl></dd><dt><a href="integrate-ms-networks.html#id3000695">Common Errors</a></dt><dd><dl><dt><a href="integrate-ms-networks.html#id3000711">My Boomerang Won't Come Back</a></dt><dt><a href="integrate-ms-networks.html#id3000742">Very Slow Network Connections</a></dt><dt><a href="integrate-ms-networks.html#id3000794">Samba server name change problem</a></dt></dl></dd></dl></dd><dt>27. <a href="unicode.html">Unicode/Charsets</a></dt><dd><dl><dt><a href="unicode.html#id3001913">Features and Benefits</a></dt><dt><a href="unicode.html#id3002114">What are charsets and unicode?</a></dt><dt><a href="unicode.html#id3002184">Samba and charsets</a></dt><dt><a href="unicode.html#id3002284">Conversion from old names</a></dt><dt><a href="unicode.html#id3002329">Japanese charsets</a></dt></dl></dd><dt>28. <a href="Backup.html">Samba Backup Techniques</a></dt><dd><dl><dt><a href="Backup.html#id3001533">Note</a></dt><dt><a href="Backup.html#id3001557">Features and Benefits</a></dt></dl></dd><dt>29. <a href="SambaHA.html">High Availability Options</a></dt><dd><dl><dt><a href="SambaHA.html#id3003099">Note</a></dt></dl></dd></dl></dd><dt>IV. <a href="migration.html">Migration and Updating</a></dt><dd><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></dd><dt>V. <a href="troubleshooting.html">Troubleshooting</a></dt><dd><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. <a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></dd><dt>VI. <a href="Appendixes.html">Appendixes</a></dt><dd><dl><dt>36. <a href="compiling.html">How to compile SAMBA</a></dt><dd><dl><dt><a href="compiling.html#id3012145">Access Samba source code via CVS</a></dt><dd><dl><dt><a href="compiling.html#id3012152">Introduction</a></dt><dt><a href="compiling.html#id3012182">CVS Access to samba.org</a></dt></dl></dd><dt><a href="compiling.html#id3013701">Accessing the samba sources via rsync and ftp</a></dt><dt><a href="compiling.html#id3013750">Verifying Samba's PGP signature</a></dt><dt><a href="compiling.html#id3013886">Building the Binaries</a></dt><dd><dl><dt><a href="compiling.html#id3014023">Compiling samba with Active Directory support</a></dt></dl></dd><dt><a href="compiling.html#id3014188">Starting the smbd and nmbd</a></dt><dd><dl><dt><a href="compiling.html#id3014280">Starting from inetd.conf</a></dt><dt><a href="compiling.html#id3014484">Alternative: starting it as a daemon</a></dt></dl></dd><dt><a href="compiling.html#id3014579">Common Errors</a></dt></dl></dd><dt>37. <a href="Portability.html">Portability</a></dt><dd><dl><dt><a href="Portability.html#id3013478">HPUX</a></dt><dt><a href="Portability.html#id3016009">SCO Unix</a></dt><dt><a href="Portability.html#id3016039">DNIX</a></dt><dt><a href="Portability.html#id3016210">RedHat Linux Rembrandt-II</a></dt><dt><a href="Portability.html#id3016254">AIX</a></dt><dd><dl><dt><a href="Portability.html#id3016261">Sequential Read Ahead</a></dt></dl></dd><dt><a href="Portability.html#id3016287">Solaris</a></dt><dd><dl><dt><a href="Portability.html#id3016294">Locking improvements</a></dt><dt><a href="Portability.html#winbind-solaris9">Winbind on Solaris 9</a></dt></dl></dd></dl></dd><dt>38. <a href="Other-Clients.html">Samba and other CIFS clients</a></dt><dd><dl><dt><a href="Other-Clients.html#id3015663">Macintosh clients?</a></dt><dt><a href="Other-Clients.html#id3017016">OS2 Client</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017023">How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</a></dt><dt><a href="Other-Clients.html#id3017102">How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</a></dt><dt><a href="Other-Clients.html#id3017164">How do I get printer driver download working
+ for OS/2 clients?</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017260">Windows for Workgroups</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017268">Use latest TCP/IP stack from Microsoft</a></dt><dt><a href="Other-Clients.html#id3017357">Delete .pwl files after password change</a></dt><dt><a href="Other-Clients.html#id3017388">Configure WfW password handling</a></dt><dt><a href="Other-Clients.html#id3017433">Case handling of passwords</a></dt><dt><a href="Other-Clients.html#id3017464">Use TCP/IP as default protocol</a></dt><dt><a href="Other-Clients.html#id3017481">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017528">Windows '95/'98</a></dt><dd><dl><dt><a href="Other-Clients.html#id3017601">Speed improvement</a></dt></dl></dd><dt><a href="Other-Clients.html#id3017625">Windows 2000 Service Pack 2</a></dt><dt><a href="Other-Clients.html#id3017736">Windows NT 3.1</a></dt></dl></dd><dt>39. <a href="speed.html">Samba Performance Tuning</a></dt><dd><dl><dt><a href="speed.html#id3018768">Comparisons</a></dt><dt><a href="speed.html#id3018812">Socket options</a></dt><dt><a href="speed.html#id3018887">Read size</a></dt><dt><a href="speed.html#id3018931">Max xmit</a></dt><dt><a href="speed.html#id3018984">Log level</a></dt><dt><a href="speed.html#id3019007">Read raw</a></dt><dt><a href="speed.html#id3019064">Write raw</a></dt><dt><a href="speed.html#id3019106">Slow Logins</a></dt><dt><a href="speed.html#id3019127">Client tuning</a></dt><dt><a href="speed.html#id3019154">Samba performance problem due changing kernel</a></dt><dt><a href="speed.html#id3019185">Corrupt tdb Files</a></dt></dl></dd><dt>40. <a href="DNSDHCP.html">DNS and DHCP Configuration Guide</a></dt><dd><dl><dt><a href="DNSDHCP.html#id3018605">Note</a></dt></dl></dd><dt>41. <a href="Further-Resources.html">Further Resources</a></dt><dd><dl><dt><a href="Further-Resources.html#id3018765">Websites</a></dt><dt><a href="Further-Resources.html#id3020416">Related updates from Microsoft</a></dt><dt><a href="Further-Resources.html#id3020431">Books</a></dt></dl></dd></dl></dd><dt><a href="ix01.html">Index</a></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>19.1. <a href="CUPS-printing.html#id2954904">Windows Printing to a local Printer</a></dt><dt>19.2. <a href="CUPS-printing.html#id2955075">Printing to a Postscript Printer</a></dt><dt>19.3. <a href="CUPS-printing.html#id2955155">Ghostscript as a RIP for non-postscript printers</a></dt><dt>19.4. <a href="CUPS-printing.html#id2956084">Prefiltering in CUPS to form Postscript</a></dt><dt>19.5. <a href="CUPS-printing.html#id2956149">Adding Device-specific Print Options</a></dt><dt>19.6. <a href="CUPS-printing.html#id2956251">Postscript to intermediate Raster format</a></dt><dt>19.7. <a href="CUPS-printing.html#id2956304">CUPS-raster production using Ghostscript</a></dt><dt>19.8. <a href="CUPS-printing.html#id2956398">Image format to CUPS-raster format conversion</a></dt><dt>19.9. <a href="CUPS-printing.html#id2956484">Raster to Printer Specific formats</a></dt><dt>19.10. <a href="CUPS-printing.html#id2957561">cupsomatic/foomatic processing versus Native CUPS</a></dt><dt>19.11. <a href="CUPS-printing.html#id2958191">Print Driver execution on the Client</a></dt><dt>19.12. <a href="CUPS-printing.html#id2958249">Print Driver execution on the Server</a></dt><dt>19.13. <a href="CUPS-printing.html#id2958439">Printing via CUPS/samba server</a></dt><dt>19.14. <a href="CUPS-printing.html#id2960326">cupsaddsmb flowchart</a></dt><dt>19.15. <a href="CUPS-printing.html#id2966052">CUPS Printing Overview</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>7.1. <a href="domain-member.html#id2898912">Assumptions</a></dt><dt>10.1. <a href="NetworkBrowsing.html#id2906267">Browse subnet example 1</a></dt><dt>10.2. <a href="NetworkBrowsing.html#id2906382">Browse subnet example 2</a></dt><dt>10.3. <a href="NetworkBrowsing.html#id2906481">Browse subnet example 3</a></dt><dt>10.4. <a href="NetworkBrowsing.html#id2906581">Browse subnet example 4</a></dt><dt>11.1. <a href="passdb.html#id2912659">Attributes in the sambaSamAccount objectclass (LDAP)</a></dt><dt>11.2. <a href="passdb.html#id2913346">Basic smb.conf options for MySQL passdb backend</a></dt><dt>11.3. <a href="passdb.html#id2913471">MySQL field names for MySQL passdb backend</a></dt><dt>13.1. <a href="AccessControls.html#id2920603">Managing directories with unix and windows</a></dt><dt>13.2. <a href="AccessControls.html#id2922134">User and Group Based Controls</a></dt><dt>13.3. <a href="AccessControls.html#id2922367">File and Directory Permission Based Controls</a></dt><dt>13.4. <a href="AccessControls.html#id2922614">Other Controls</a></dt><dt>20.1. <a href="VFS.html#id2978406">Extended Auditing Log Information</a></dt><dt>24.1. <a href="ProfileMgmt.html#id2990854">User Shell Folder registry keys default values</a></dt><dt>24.2. <a href="ProfileMgmt.html#id2990998">Defaults of profile settings registry keys</a></dt><dt>24.3. <a href="ProfileMgmt.html#id2991253">Defaults of default user profile paths registry keys</a></dt><dt>25.1. <a href="pam.html#id2997236">Options recognized by pam_smbpass</a></dt><dt>31.1. <a href="NT4Migration.html#id3004398">The 3 Major Site Types</a></dt><dt>31.2. <a href="NT4Migration.html#id3004535">Nature of the Conversion Choices</a></dt></dl></div><div class="list-of-examples"><p><b>List of Examples</b></p><dl><dt>12.1. <a href="groupmapping.html#id2921843">smbgrpadd.sh</a></dt><dt>13.1. <a href="AccessControls.html#id2920816">Example File</a></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Part I. General Installation</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Index</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="Further-Resources.html" title="Chapter 41. Further Resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Index</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="index"><div class="titlepage"><div><div><h2 class="title"><a name="id3018533"></a>Index</h2></div></div><div></div></div><div class="index"></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Further-Resources.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 41. Further Resources </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. File and Record Locking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"><link rel="next" href="securing-samba.html" title="Chapter 15. Securing Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. File and Record Locking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="locking"></a>Chapter 14. File and Record Locking</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jra@samba.org">jra@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Eric</span> <span class="surname">Roseme</span></h3><div class="affiliation"><span class="orgname">HP Oplocks Usage Recommendations Whitepaper<br></span><div class="address"><p><tt class="email"><<a href="mailto:eric.roseme@hp.com">eric.roseme@hp.com</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="locking.html#id2928216">Features and Benefits</a></dt><dt><a href="locking.html#id2928272">Discussion</a></dt><dd><dl><dt><a href="locking.html#id2928403">Opportunistic Locking Overview</a></dt></dl></dd><dt><a href="locking.html#id2929049">Samba Opportunistic Locking Control</a></dt><dd><dl><dt><a href="locking.html#id2929159">Example Configuration</a></dt></dl></dd><dt><a href="locking.html#id2929419">MS Windows Opportunistic Locking and Caching Controls</a></dt><dd><dl><dt><a href="locking.html#id2929649">Workstation Service Entries</a></dt><dt><a href="locking.html#id2929676">Server Service Entries</a></dt></dl></dd><dt><a href="locking.html#id2929755">Persistent Data Corruption</a></dt><dt><a href="locking.html#id2929785">Common Errors</a></dt><dd><dl><dt><a href="locking.html#id2929859">locking.tdb error messages</a></dt></dl></dd><dt><a href="locking.html#id2929890">Additional Reading</a></dt></dl></div><p>
+One area which causes trouble for many network administrators is locking.
+The extent of the problem is readily evident from searches over the internet.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928216"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Samba provides all the same locking semantics that MS Windows clients expect
+and that MS Windows NT4 / 200x servers provide also.
+</p><p>
+The term <span class="emphasis"><em>locking</em></span> has exceptionally broad meaning and covers
+a range of functions that are all categorized under this one term.
+</p><p>
+Opportunistic locking is a desirable feature when it can enhance the
+perceived performance of applications on a networked client. However, the
+opportunistic locking protocol is not robust, and therefore can
+encounter problems when invoked beyond a simplistic configuration, or
+on extended, slow, or faulty networks. In these cases, operating
+system management of opportunistic locking and/or recovering from
+repetitive errors can offset the perceived performance advantage that
+it is intended to provide.
+</p><p>
+The MS Windows network administrator needs to be aware that file and record
+locking semantics (behaviour) can be controlled either in Samba or by way of registry
+settings on the MS Windows client.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Sometimes it is necessary to disable locking control settings BOTH on the Samba
+server as well as on each MS Windows client!
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2928272"></a>Discussion</h2></div></div><div></div></div><p>
+There are two types of locking which need to be performed by a SMB server.
+The first is <span class="emphasis"><em>record locking</em></span> which allows a client to lock
+a range of bytes in a open file. The second is the <span class="emphasis"><em>deny modes</em></span>
+that are specified when a file is open.
+</p><p>
+Record locking semantics under Unix is very different from record locking under
+Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix
+system call to implement proper record locking between different Samba clients.
+This can not be fully correct due to several reasons. The simplest is the fact
+that a Windows client is allowed to lock a byte range up to 2^32 or 2^64,
+depending on the client OS. The unix locking only supports byte ranges up to 2^31.
+So it is not possible to correctly satisfy a lock request above 2^31. There are
+many more differences, too many to be listed here.
+</p><p>
+Samba 2.2 and above implements record locking completely independent of the
+underlying unix system. If a byte range lock that the client requests happens
+to fall into the range 0-2^31, Samba hands this request down to the Unix system.
+All other locks can not be seen by unix anyway.
+</p><p>
+Strictly a SMB server should check for locks before every read and write call on
+a file. Unfortunately with the way fcntl() works this can be slow and may overstress
+the <b class="command">rpc.lockd</b>. It is also almost always unnecessary as clients are supposed to
+independently make locking calls before reads and writes anyway if locking is
+important to them. By default Samba only makes locking calls when explicitly asked
+to by a client, but if you set <i class="parameter"><tt>strict locking = yes</tt></i> then it
+will make lock checking calls on every read and write.
+</p><p>
+You can also disable by range locking completely using <i class="parameter"><tt>locking = no</tt></i>.
+This is useful for those shares that don't support locking or don't need it
+(such as cdroms). In this case Samba fakes the return codes of locking calls to
+tell clients that everything is OK.
+</p><p>
+The second class of locking is the <i class="parameter"><tt>deny modes</tt></i>. These
+are set by an application when it opens a file to determine what types of
+access should be allowed simultaneously with its open. A client may ask for
+<tt class="constant">DENY_NONE</tt>, <tt class="constant">DENY_READ</tt>,
+<tt class="constant">DENY_WRITE</tt> or <tt class="constant">DENY_ALL</tt>. There are also special compatibility
+modes called <tt class="constant">DENY_FCB</tt> and <tt class="constant">DENY_DOS</tt>.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2928403"></a>Opportunistic Locking Overview</h3></div></div><div></div></div><p>
+Opportunistic locking (Oplocks) is invoked by the Windows file system
+(as opposed to an API) via registry entries (on the server AND client)
+for the purpose of enhancing network performance when accessing a file
+residing on a server. Performance is enhanced by caching the file
+locally on the client which allows:
+</p><div class="variablelist"><dl><dt><span class="term">Read-ahead:</span></dt><dd><p>
+ The client reads the local copy of the file, eliminating network latency
+ </p></dd><dt><span class="term">Write caching:</span></dt><dd><p>
+ The client writes to the local copy of the file, eliminating network latency
+ </p></dd><dt><span class="term">Lock caching:</span></dt><dd><p>
+ The client caches application locks locally, eliminating network latency
+ </p></dd></dl></div><p>
+The performance enhancement of oplocks is due to the opportunity of
+exclusive access to the file - even if it is opened with deny-none -
+because Windows monitors the file's status for concurrent access from
+other processes.
+</p><div class="variablelist"><p class="title"><b>Windows defines 4 kinds of Oplocks:</b></p><dl><dt><span class="term">Level1 Oplock:</span></dt><dd><p>
+ The redirector sees that the file was opened with deny
+ none (allowing concurrent access), verifies that no
+ other process is accessing the file, checks that
+ oplocks are enabled, then grants deny-all/read-write/exclusive
+ access to the file. The client now performs
+ operations on the cached local file.
+ </p><p>
+ If a second process attempts to open the file, the open
+ is deferred while the redirector "breaks" the original
+ oplock. The oplock break signals the caching client to
+ write the local file back to the server, flush the
+ local locks, and discard read-ahead data. The break is
+ then complete, the deferred open is granted, and the
+ multiple processes can enjoy concurrent file access as
+ dictated by mandatory or byte-range locking options.
+ However, if the original opening process opened the
+ file with a share mode other than deny-none, then the
+ second process is granted limited or no access, despite
+ the oplock break.
+ </p></dd><dt><span class="term">Level2 Oplock:</span></dt><dd><p>
+ Performs like a level1 oplock, except caching is only
+ operative for reads. All other operations are performed
+ on the server disk copy of the file.
+ </p></dd><dt><span class="term">Filter Oplock:</span></dt><dd><p>
+ Does not allow write or delete file access
+ </p></dd><dt><span class="term">Batch Oplock:</span></dt><dd><p>
+ Manipulates file openings and closings - allows caching
+ of file attributes
+ </p></dd></dl></div><p>
+An important detail is that oplocks are invoked by the file system, not
+an application API. Therefore, an application can close an oplocked
+file, but the file system does not relinquish the oplock. When the
+oplock break is issued, the file system then simply closes the file in
+preparation for the subsequent open by the second process.
+</p><p>
+<span class="emphasis"><em>Opportunistic Locking</em></span> is actually an improper name for this feature.
+The true benefit of this feature is client-side data caching, and
+oplocks is merely a notification mechanism for writing data back to the
+networked storage disk. The limitation of opportunistic locking is the
+reliability of the mechanism to process an oplock break (notification)
+between the server and the caching client. If this exchange is faulty
+(usually due to timing out for any number of reasons) then the
+client-side caching benefit is negated.
+</p><p>
+The actual decision that a user or administrator should consider is
+whether it is sensible to share amongst multiple users data that will
+be cached locally on a client. In many cases the answer is no.
+Deciding when to cache or not cache data is the real question, and thus
+"opportunistic locking" should be treated as a toggle for client-side
+caching. Turn it "ON" when client-side caching is desirable and
+reliable. Turn it "OFF" when client-side caching is redundant,
+unreliable, or counter-productive.
+</p><p>
+Opportunistic locking is by default set to "on" by Samba on all
+configured shares, so careful attention should be given to each case to
+determine if the potential benefit is worth the potential for delays.
+The following recommendations will help to characterize the environment
+where opportunistic locking may be effectively configured.
+</p><p>
+Windows Opportunistic Locking is a lightweight performance-enhancing
+feature. It is not a robust and reliable protocol. Every
+implementation of Opportunistic Locking should be evaluated as a
+tradeoff between perceived performance and reliability. Reliability
+decreases as each successive rule above is not enforced. Consider a
+share with oplocks enabled, over a wide area network, to a client on a
+South Pacific atoll, on a high-availability server, serving a
+mission-critical multi-user corporate database, during a tropical
+storm. This configuration will likely encounter problems with oplocks.
+</p><p>
+Oplocks can be beneficial to perceived client performance when treated
+as a configuration toggle for client-side data caching. If the data
+caching is likely to be interrupted, then oplock usage should be
+reviewed. Samba enables opportunistic locking by default on all
+shares. Careful attention should be given to the client usage of
+shared data on the server, the server network reliability, and the
+opportunistic locking configuration of each share.
+n mission critical high availability environments, data integrity is
+often a priority. Complex and expensive configurations are implemented
+to ensure that if a client loses connectivity with a file server, a
+failover replacement will be available immediately to provide
+continuous data availability.
+</p><p>
+Windows client failover behavior is more at risk of application
+interruption than other platforms because it is dependant upon an
+established TCP transport connection. If the connection is interrupted
+- as in a file server failover - a new session must be established.
+It is rare for Windows client applications to be coded to recover
+correctly from a transport connection loss, therefore most applications
+will experience some sort of interruption - at worst, abort and
+require restarting.
+</p><p>
+If a client session has been caching writes and reads locally due to
+opportunistic locking, it is likely that the data will be lost when the
+application restarts, or recovers from the TCP interrupt. When the TCP
+connection drops, the client state is lost. When the file server
+recovers, an oplock break is not sent to the client. In this case, the
+work from the prior session is lost. Observing this scenario with
+oplocks disabled, and the client was writing data to the file server
+real-time, then the failover will provide the data on disk as it
+existed at the time of the disconnect.
+</p><p>
+In mission critical high availability environments, careful attention
+should be given to opportunistic locking. Ideally, comprehensive
+testing should be done with all affected applications with oplocks
+enabled and disabled.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928695"></a>Exclusively Accessed Shares</h4></div></div><div></div></div><p>
+Opportunistic locking is most effective when it is confined to shares
+that are exclusively accessed by a single user, or by only one user at
+a time. Because the true value of opportunistic locking is the local
+client caching of data, any operation that interrupts the caching
+mechanism will cause a delay.
+</p><p>
+Home directories are the most obvious examples of where the performance
+benefit of opportunistic locking can be safely realized.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928719"></a>Multiple-Accessed Shares or Files</h4></div></div><div></div></div><p>
+As each additional user accesses a file in a share with opportunistic
+locking enabled, the potential for delays and resulting perceived poor
+performance increases. When multiple users are accessing a file on a
+share that has oplocks enabled, the management impact of sending and
+receiving oplock breaks, and the resulting latency while other clients
+wait for the caching client to flush data, offset the performance gains
+of the caching user.
+</p><p>
+As each additional client attempts to access a file with oplocks set,
+the potential performance improvement is negated and eventually results
+in a performance bottleneck.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928748"></a>Unix or NFS Client Accessed Files</h4></div></div><div></div></div><p>
+Local Unix and NFS clients access files without a mandatory
+file locking mechanism. Thus, these client platforms are incapable of
+initiating an oplock break request from the server to a Windows client
+that has a file cached. Local Unix or NFS file access can therefore
+write to a file that has been cached by a Windows client, which
+exposes the file to likely data corruption.
+</p><p>
+If files are shared between Windows clients, and either local Unix
+or NFS users, then turn opportunistic locking off.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928775"></a>Slow and/or Unreliable Networks</h4></div></div><div></div></div><p>
+The biggest potential performance improvement for opportunistic locking
+occurs when the client-side caching of reads and writes delivers the
+most differential over sending those reads and writes over the wire.
+This is most likely to occur when the network is extremely slow,
+congested, or distributed (as in a WAN). However, network latency also
+has a very high impact on the reliability of the oplock break
+mechanism, and thus increases the likelihood of encountering oplock
+problems that more than offset the potential perceived performance
+gain. Of course, if an oplock break never has to be sent, then this is
+the most advantageous scenario to utilize opportunistic locking.
+</p><p>
+If the network is slow, unreliable, or a WAN, then do not configure
+opportunistic locking if there is any chance of multiple users
+regularly opening the same file.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928808"></a>Multi-User Databases</h4></div></div><div></div></div><p>
+Multi-user databases clearly pose a risk due to their very nature -
+they are typically heavily accessed by numerous users at random
+intervals. Placing a multi-user database on a share with opportunistic
+locking enabled will likely result in a locking management bottleneck
+on the Samba server. Whether the database application is developed
+in-house or a commercially available product, ensure that the share
+has opportunistic locking disabled.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928829"></a>PDM Data Shares</h4></div></div><div></div></div><p>
+Process Data Management (PDM) applications such as IMAN, Enovia, and
+Clearcase, are increasing in usage with Windows client platforms, and
+therefore SMB data stores. PDM applications manage multi-user
+environments for critical data security and access. The typical PDM
+environment is usually associated with sophisticated client design
+applications that will load data locally as demanded. In addition, the
+PDM application will usually monitor the data-state of each client.
+In this case, client-side data caching is best left to the local
+application and PDM server to negotiate and maintain. It is
+appropriate to eliminate the client OS from any caching tasks, and the
+server from any oplock management, by disabling opportunistic locking on
+the share.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928870"></a>Beware of Force User</h4></div></div><div></div></div><p>
+Samba includes an <tt class="filename">smb.conf</tt> parameter called <i class="parameter"><tt>force user</tt></i> that changes
+the user accessing a share from the incoming user to whatever user is
+defined by the smb.conf variable. If opportunistic locking is enabled
+on a share, the change in user access causes an oplock break to be sent
+to the client, even if the user has not explicitly loaded a file. In
+cases where the network is slow or unreliable, an oplock break can
+become lost without the user even accessing a file. This can cause
+apparent performance degradation as the client continually reconnects
+to overcome the lost oplock break.
+</p><p>
+Avoid the combination of the following:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ <i class="parameter"><tt>force user</tt></i> in the <tt class="filename">smb.conf</tt> share configuration.
+ </p></li><li><p>
+ Slow or unreliable networks
+ </p></li><li><p>
+ Opportunistic Locking Enabled
+ </p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928948"></a>Advanced Samba Opportunistic Locking Parameters</h4></div></div><div></div></div><p>
+Samba provides opportunistic locking parameters that allow the
+administrator to adjust various properties of the oplock mechanism to
+account for timing and usage levels. These parameters provide good
+versatility for implementing oplocks in environments where they would
+likely cause problems. The parameters are:
+<i class="parameter"><tt>oplock break wait time</tt></i>,
+<i class="parameter"><tt>oplock contention limit</tt></i>.
+</p><p>
+For most users, administrators, and environments, if these parameters
+are required, then the better option is to simply turn oplocks off.
+The samba SWAT help text for both parameters reads "DO NOT CHANGE THIS
+PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE."
+This is good advice.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2928991"></a>Mission Critical High Availability</h4></div></div><div></div></div><p>
+In mission critical high availability environments, data integrity is
+often a priority. Complex and expensive configurations are implemented
+to ensure that if a client loses connectivity with a file server, a
+failover replacement will be available immediately to provide
+continuous data availability.
+</p><p>
+Windows client failover behavior is more at risk of application
+interruption than other platforms because it is dependant upon an
+established TCP transport connection. If the connection is interrupted
+- as in a file server failover - a new session must be established.
+It is rare for Windows client applications to be coded to recover
+correctly from a transport connection loss, therefore most applications
+will experience some sort of interruption - at worst, abort and
+require restarting.
+</p><p>
+If a client session has been caching writes and reads locally due to
+opportunistic locking, it is likely that the data will be lost when the
+application restarts, or recovers from the TCP interrupt. When the TCP
+connection drops, the client state is lost. When the file server
+recovers, an oplock break is not sent to the client. In this case, the
+work from the prior session is lost. Observing this scenario with
+oplocks disabled, and the client was writing data to the file server
+real-time, then the failover will provide the data on disk as it
+existed at the time of the disconnect.
+</p><p>
+In mission critical high availability environments, careful attention
+should be given to opportunistic locking. Ideally, comprehensive
+testing should be done with all affected applications with oplocks
+enabled and disabled.
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929049"></a>Samba Opportunistic Locking Control</h2></div></div><div></div></div><p>
+Opportunistic Locking is a unique Windows file locking feature. It is
+not really file locking, but is included in most discussions of Windows
+file locking, so is considered a defacto locking feature.
+Opportunistic Locking is actually part of the Windows client file
+caching mechanism. It is not a particularly robust or reliable feature
+when implemented on the variety of customized networks that exist in
+enterprise computing.
+</p><p>
+Like Windows, Samba implements Opportunistic Locking as a server-side
+component of the client caching mechanism. Because of the lightweight
+nature of the Windows feature design, effective configuration of
+Opportunistic Locking requires a good understanding of its limitations,
+and then applying that understanding when configuring data access for
+each particular customized network and client usage state.
+</p><p>
+Opportunistic locking essentially means that the client is allowed to download and cache
+a file on their hard drive while making changes; if a second client wants to access the
+file, the first client receives a break and must synchronise the file back to the server.
+This can give significant performance gains in some cases; some programs insist on
+synchronising the contents of the entire file back to the server for a single change.
+</p><p>
+Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic locking.
+</p><p>
+Level2 Oplocks provides opportunistic locking for a file that will be treated as
+<span class="emphasis"><em>read only</em></span>. Typically this is used on files that are read-only or
+on files that the client has no initial intention to write to at time of opening the file.
+</p><p>
+Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with
+Samba's oplocked files, although this has provided better integration of MS Windows network
+file locking with the under lying OS, SGI IRIX and Linux are the only two OS's that are
+oplock aware at this time.
+</p><p>
+Unless your system supports kernel oplocks, you should disable oplocks if you are
+accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
+always be disabled if you are sharing a database file (e.g., Microsoft Access) between
+multiple clients, as any break the first client receives will affect synchronisation of
+the entire file (not just the single record), which will result in a noticeable performance
+impairment and, more likely, problems accessing the database in the first place. Notably,
+Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
+disable oplocks and tune your system from that point.
+</p><p>
+If client-side caching is desirable and reliable on your network, you will benefit from
+turning on oplocks. If your network is slow and/or unreliable, or you are sharing your
+files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people
+will be accessing the same files frequently, you probably will not benefit from the overhead
+of your client sending oplock breaks and will instead want to disable oplocks for the share.
+</p><p>
+Another factor to consider is the perceived performance of file access. If oplocks provide no
+measurable speed benefit on your network, it might not be worth the hassle of dealing with them.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929159"></a>Example Configuration</h3></div></div><div></div></div><p>
+In the following we examine two distinct aspects of Samba locking controls.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929172"></a>Disabling Oplocks</h4></div></div><div></div></div><p>
+You can disable oplocks on a per-share basis with the following:
+</p><p>
+</p><pre class="programlisting">
+[acctdata]
+ oplocks = False
+ level2 oplocks = False
+</pre><p>
+</p><p>
+The default oplock type is Level1. Level2 Oplocks are enabled on a per-share basis
+in the <tt class="filename">smb.conf</tt> file.
+</p><p>
+Alternately, you could disable oplocks on a per-file basis within the share:
+</p><p>
+</p><pre class="programlisting">
+ veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
+</pre><p>
+</p><p>
+If you are experiencing problems with oplocks as apparent from Samba's log entries,
+you may want to play it safe and disable oplocks and level2 oplocks.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2929235"></a>Disabling Kernel OpLocks</h4></div></div><div></div></div><p>
+Kernel OpLocks is an <tt class="filename">smb.conf</tt> parameter that notifies Samba (if
+the UNIX kernel has the capability to send a Windows client an oplock
+break) when a UNIX process is attempting to open the file that is
+cached. This parameter addresses sharing files between UNIX and
+Windows with Oplocks enabled on the Samba server: the UNIX process
+can open the file that is Oplocked (cached) by the Windows client and
+the smbd process will not send an oplock break, which exposes the file
+to the risk of data corruption. If the UNIX kernel has the ability to
+send an oplock break, then the kernel oplocks parameter enables Samba
+to send the oplock break. Kernel oplocks are enabled on a per-server
+basis in the <tt class="filename">smb.conf</tt> file.
+</p><p>
+</p><pre class="programlisting">
+[global]
+kernel oplocks = yes
+</pre><p>
+The default is "no".
+</p><p>
+Veto OpLocks is an <tt class="filename">smb.conf</tt> parameter that identifies specific files for
+which Oplocks are disabled. When a Windows client opens a file that
+has been configured for veto oplocks, the client will not be granted
+the oplock, and all operations will be executed on the original file on
+disk instead of a client-cached file copy. By explicitly identifying
+files that are shared with UNIX processes, and disabling oplocks for
+those files, the server-wide Oplock configuration can be enabled to
+allow Windows clients to utilize the performance benefit of file
+caching without the risk of data corruption. Veto Oplocks can be
+enabled on a per-share basis, or globally for the entire server, in the
+<tt class="filename">smb.conf</tt> file:
+</p><p>
+</p><pre class="programlisting"><font color="red"><title>Example Veto OpLock Settings</title></font>
+[global]
+ veto oplock files = /filename.htm/*.txt/
+
+[share_name]
+ veto oplock files = /*.exe/filename.ext/
+</pre><p>
+</p><p>
+<span class="emphasis"><em>Oplock break wait time</em></span> is an <tt class="filename">smb.conf</tt> parameter that adjusts the time
+interval for Samba to reply to an oplock break request. Samba
+recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
+UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break Wait Time can only be
+configured globally in the <tt class="filename">smb.conf</tt> file:
+</p><p>
+</p><pre class="programlisting">
+[global]
+ oplock break wait time = 0 (default)
+</pre><p>
+</p><p>
+<span class="emphasis"><em>Oplock break contention limit</em></span> is an <tt class="filename">smb.conf</tt> parameter that limits the
+response of the Samba server to grant an oplock if the configured
+number of contending clients reaches the limit specified by the
+parameter. Samba recommends "DO NOT CHANGE THIS PARAMETER UNLESS YOU
+HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE." Oplock Break
+Contention Limit can be enable on a per-share basis, or globally for
+the entire server, in the <tt class="filename">smb.conf</tt> file:
+</p><p>
+</p><pre class="programlisting">
+[global]
+ oplock break contention limit = 2 (default)
+
+[share_name]
+ oplock break contention limit = 2 (default)
+</pre><p>
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929419"></a>MS Windows Opportunistic Locking and Caching Controls</h2></div></div><div></div></div><p>
+There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP
+workstation computer that can affect any application attempting to access shared database files
+across a network. This is a result of a default setting configured in the Windows 2000/XP
+operating system known as <span class="emphasis"><em>Opportunistic Locking</em></span>. When a workstation
+attempts to access shared data files located on another Windows 2000/XP computer,
+the Windows 2000/XP operating system will attempt to increase performance by locking the
+files and caching information locally. When this occurs, the application is unable to
+properly function, which results in an <span class="errorname">Access Denied</span>
+ error message being displayed during network operations.
+</p><p>
+All Windows operating systems in the NT family that act as database servers for data files
+(meaning that data files are stored there and accessed by other Windows PCs) may need to
+have opportunistic locking disabled in order to minimize the risk of data file corruption.
+This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP.
+</p><p>
+If you are using a Windows NT family workstation in place of a server, you must also
+disable opportunistic locking (oplocks) on that workstation. For example, if you use a
+PC with the Windows NT Workstation operating system instead of Windows NT Server, and you
+have data files located on it that are accessed from other Windows PCs, you may need to
+disable oplocks on that system.
+</p><p>
+The major difference is the location in the Windows registry where the values for disabling
+oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location
+may be used.
+</p><p>
+You can verify (or change or add, if necessary) this Registry value using the Windows
+Registry Editor. When you change this registry value, you will have to reboot the PC
+to ensure that the new setting goes into effect.
+</p><p>
+The location of the client registry entry for opportunistic locking has changed in
+Windows 2000 from the earlier location in Microsoft Windows NT.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks
+in earlier versions of Windows.
+</p></div><p>
+You can also deny the granting of opportunistic locks by changing the following registry entries:
+</p><p>
+</p><pre class="programlisting">
+ HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\MRXSmb\Parameters\
+
+ OplocksDisabled REG_DWORD 0 or 1
+ Default: 0 (not disabled)
+</pre><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The OplocksDisabled registry value configures Windows clients to either request or not
+request opportunistic locks on a remote file. To disable oplocks, the value of
+ OplocksDisabled must be set to 1.
+</p></div><p>
+</p><pre class="programlisting">
+ HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanServer\Parameters
+
+ EnableOplocks REG_DWORD 0 or 1
+ Default: 1 (Enabled by Default)
+
+ EnableOpLockForceClose REG_DWORD 0 or 1
+ Default: 0 (Disabled by Default)
+</pre><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The EnableOplocks value configures Windows-based servers (including Workstations sharing
+files) to allow or deny opportunistic locks on local files.
+</p></div><p>
+To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1.
+</p><p>
+An illustration of how level II oplocks work:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Station 1 opens the file, requesting oplock.
+ </p></li><li><p>
+ Since no other station has the file open, the server grants station 1 exclusive oplock.
+ </p></li><li><p>
+ Station 2 opens the file, requesting oplock.
+ </p></li><li><p>
+ Since station 1 has not yet written to the file, the server asks station 1 to Break
+ to Level II Oplock.
+ </p></li><li><p>
+ Station 1 complies by flushing locally buffered lock information to the server.
+ </p></li><li><p>
+ Station 1 informs the server that it has Broken to Level II Oplock (alternatively,
+ station 1 could have closed the file).
+ </p></li><li><p>
+ The server responds to station 2's open request, granting it level II oplock.
+ Other stations can likewise open the file and obtain level II oplock.
+ </p></li><li><p>
+ Station 2 (or any station that has the file open) sends a write request SMB.
+ The server returns the write response.
+ </p></li><li><p>
+ The server asks all stations that have the file open to Break to None, meaning no
+ station holds any oplock on the file. Because the workstations can have no cached
+ writes or locks at this point, they need not respond to the break-to-none advisory;
+ all they need do is invalidate locally cashed read-ahead data.
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929649"></a>Workstation Service Entries</h3></div></div><div></div></div><pre class="programlisting">
+ \HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanWorkstation\Parameters
+
+ UseOpportunisticLocking REG_DWORD 0 or 1
+ Default: 1 (true)
+</pre><p>
+Indicates whether the redirector should use opportunistic-locking (oplock) performance
+enhancement. This parameter should be disabled only to isolate problems.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929676"></a>Server Service Entries</h3></div></div><div></div></div><pre class="programlisting">
+ \HKEY_LOCAL_MACHINE\System\
+ CurrentControlSet\Services\LanmanServer\Parameters
+
+ EnableOplocks REG_DWORD 0 or 1
+ Default: 1 (true)
+</pre><p>
+Specifies whether the server allows clients to use oplocks on files. Oplocks are a
+significant performance enhancement, but have the potential to cause lost cached
+data on some networks, particularly wide-area networks.
+</p><pre class="programlisting">
+ MinLinkThroughput REG_DWORD 0 to infinite bytes per second
+ Default: 0
+</pre><p>
+Specifies the minimum link throughput allowed by the server before it disables
+raw and opportunistic locks for this connection.
+</p><pre class="programlisting">
+ MaxLinkDelay REG_DWORD 0 to 100,000 seconds
+ Default: 60
+</pre><p>
+Specifies the maximum time allowed for a link delay. If delays exceed this number,
+the server disables raw I/O and opportunistic locking for this connection.
+</p><pre class="programlisting">
+ OplockBreakWait REG_DWORD 10 to 180 seconds
+ Default: 35
+</pre><p>
+Specifies the time that the server waits for a client to respond to an oplock break
+request. Smaller values can allow detection of crashed clients more quickly but can
+potentially cause loss of cached data.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929755"></a>Persistent Data Corruption</h2></div></div><div></div></div><p>
+If you have applied all of the settings discussed in this paper but data corruption problems
+and other symptoms persist, here are some additional things to check out:
+</p><p>
+We have credible reports from developers that faulty network hardware, such as a single
+faulty network card, can cause symptoms similar to read caching and data corruption.
+If you see persistent data corruption even after repeated reindexing, you may have to
+rebuild the data files in question. This involves creating a new data file with the
+same definition as the file to be rebuilt and transferring the data from the old file
+to the new one. There are several known methods for doing this that can be found in
+our Knowledge Base.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929785"></a>Common Errors</h2></div></div><div></div></div><p>
+In some sites locking problems surface as soon as a server is installed, in other sites
+locking problems may not surface for a long time. Almost without exception, when a locking
+problem does surface it will cause embarrassment and potential data corruption.
+</p><p>
+Over the past few years there have been a number of complaints on the samba mailing lists
+that have claimed that samba caused data corruption. Three causes have been identified
+so far:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Incorrect configuration of opportunistic locking (incompatible with the application
+ being used. This is a VERY common problem even where MS Windows NT4 or MS Windows 200x
+ based servers were in use. It is imperative that the software application vendors'
+ instructions for configuration of file locking should be followed. If in doubt,
+ disable oplocks on both the server and the client. Disabling of all forms of file
+ caching on the MS Windows client may be necessary also.
+ </p></li><li><p>
+ Defective network cards, cables, or HUBs / Switched. This is generally a more
+ prevalent factor with low cost networking hardware, though occasionally there
+ have been problems with incompatibilities in more up market hardware also.
+ </p></li><li><p>
+ There have been some random reports of samba log files being written over data
+ files. This has been reported by very few sites (about 5 in the past 3 years)
+ and all attempts to reproduce the problem have failed. The Samba-Team has been
+ unable to catch this happening and thus has NOT been able to isolate any particular
+ cause. Considering the millions of systems that use samba, for the sites that have
+ been affected by this as well as for the Samba-Team this is a frustrating and
+ a vexing challenge. If you see this type of thing happening please create a bug
+ report on https://bugzilla.samba.org without delay. Make sure that you give as much
+ information as you possibly can to help isolate the cause and to allow reproduction
+ of the problem (an essential step in problem isolation and correction).
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2929859"></a>locking.tdb error messages</h3></div></div><div></div></div><p>
+ </p><pre class="screen">
+ > We are seeing lots of errors in the samba logs like:
+ >
+ > tdb(/usr/local/samba_2.2.7/var/locks/locking.tdb): rec_read bad magic
+ > 0x4d6f4b61 at offset=36116
+ >
+ > What do these mean?
+ </pre><p>
+ </p><p>
+ Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2929890"></a>Additional Reading</h2></div></div><div></div></div><p>
+You may want to check for an updated version of this white paper on our Web site from
+time to time. Many of our white papers are updated as information changes. For those papers,
+the Last Edited date is always at the top of the paper.
+</p><p>
+Section of the Microsoft MSDN Library on opportunistic locking:
+</p><p>
+Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development >
+Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems
+> About File Systems > Opportunistic Locks, Microsoft Corporation.
+<a href="http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp" target="_top">http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp</a>
+</p><p>
+Microsoft Knowledge Base Article Q224992 "Maintaining Transactional Integrity with OPLOCKS",
+Microsoft Corporation, April 1999, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992</a>.
+</p><p>
+Microsoft Knowledge Base Article Q296264 "Configuring Opportunistic Locking in Windows 2000",
+Microsoft Corporation, April 2001, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264</a>.
+</p><p>
+Microsoft Knowledge Base Article Q129202 "PC Ext: Explanation of Opportunistic Locking on Windows NT",
+ Microsoft Corporation, April 1995, <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202" target="_top">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202</a>.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AccessControls.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="securing-samba.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. File, Directory and Share Access Controls </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. Securing Samba</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part IV. Migration and Updating</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SambaHA.html" title="Chapter 29. High Availability Options"><link rel="next" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part IV. Migration and Updating</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="migration"></a>Migration and Updating</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>30. <a href="upgrading-to-3.0.html">Upgrading from Samba-2.x to Samba-3.0.0</a></dt><dd><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></dd><dt>31. <a href="NT4Migration.html">Migration from NT4 PDC to Samba-3 PDC</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001339">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id3001368">Objectives</a></dt><dt><a href="NT4Migration.html#id3004043">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id3004381">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id3004462">Planning for Success</a></dt><dt><a href="NT4Migration.html#id3004704">Samba Implementation Choices</a></dt></dl></dd></dl></dd><dt>32. <a href="SWAT.html">SWAT - The Samba Web Administration Tool</a></dt><dd><dl><dt><a href="SWAT.html#id3003929">Features and Benefits</a></dt><dd><dl><dt><a href="SWAT.html#id3003963">Enabling SWAT for use</a></dt><dt><a href="SWAT.html#id3006322">Securing SWAT through SSL</a></dt><dt><a href="SWAT.html#id3006435">The SWAT Home Page</a></dt><dt><a href="SWAT.html#id3006499">Global Settings</a></dt><dt><a href="SWAT.html#id3006604">Share Settings</a></dt><dt><a href="SWAT.html#id3006669">Printers Settings</a></dt><dt><a href="SWAT.html#id3006733">The SWAT Wizard</a></dt><dt><a href="SWAT.html#id3006781">The Status Page</a></dt><dt><a href="SWAT.html#id3006833">The View Page</a></dt><dt><a href="SWAT.html#id3006856">The Password Change Page</a></dt></dl></dd></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SambaHA.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="upgrading-to-3.0.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 29. High Availability Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>tdbbackup</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="tdbbackup.8"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>tdbbackup — tool for backing up and for validating the integrity of samba .tdb files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><tt class="command">tdbbackup</tt> [-s suffix] [-v] [-h]</p></div></div><div class="refsect1" lang="en"><h2>DESCRIPTION</h2><p>This tool is part of the <a href="Samba.1.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(1)</span></a> suite.</p><p><b class="command">tdbbackup</b> is a tool that may be used to backup samba .tdb
+ files. This tool may also be used to verify the integrity of the .tdb files prior
+ to samba startup, in which case, if it find file damage and it finds a prior backup
+ it will restore the backup file.
+ </p></div><div class="refsect1" lang="en"><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-h</span></dt><dd><p>
+ Get help information.
+ </p></dd><dt><span class="term">-s suffix</span></dt><dd><p>
+ The <b class="command">-s</b> option allows the adminisistrator to specify a file
+ backup extension. This way it is possible to keep a history of tdb backup
+ files by using a new suffix for each backup.
+ </p></dd><dt><span class="term">-v</span></dt><dd><p>
+ The <b class="command">-v</b> will check the database for damages (currupt data)
+ which if detected causes the backup to be restored.
+ </p></dd></dl></div></div><div class="refsect1" lang="en"><h2>COMMANDS</h2><p><span class="emphasis"><em>GENERAL INFORMATION</em></span></p><p>
+ The <b class="command">tdbbackup</b> utility should be run as soon as samba has shut down.
+ Do NOT run this command on a live database. Typical usage for the command will be:
+ </p><p>tdbbackup [-s suffix] *.tdb</p><p>
+ Before restarting samba the following command may be run to validate .tdb files:
+ </p><p>tdbbackup -v [-s suffix] *.tdb</p><p>
+ Samba .tdb files are stored in various locations, be sure to run backup all
+ .tdb file on the system. Imporatant files includes:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <b class="command">secrets.tdb</b> - usual location is in the /usr/local/samba/private
+ directory, or on some systems in /etc/samba.
+ </p></li><li><p>
+ <b class="command">passdb.tdb</b> - usual location is in the /usr/local/samba/private
+ directory, or on some systems in /etc/samba.
+ </p></li><li><p>
+ <b class="command">*.tdb</b> located in the /usr/local/samba/var directory or on some
+ systems in the /var/cache or /var/lib/samba directories.
+ </p></li></ul></div></div><div class="refsect1" lang="en"><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><h2>AUTHOR</h2><p>
+ The original Samba software and related utilities were created by Andrew Tridgell.
+ Samba is now developed by the Samba Team as an Open Source project similar to the way
+ the Linux kernel is developed.
+ </p><p>The tdbbackup man page was written by John H Terpstra.</p></div></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Part V. Troubleshooting</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="index.html" title="SAMBA Project Documentation"><link rel="previous" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"><link rel="next" href="diagnosis.html" title="Chapter 33. The Samba checklist"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Part V. Troubleshooting</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr></table><hr></div><div class="part" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="troubleshooting"></a>Troubleshooting</h1></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt>33. <a href="diagnosis.html">The Samba checklist</a></dt><dd><dl><dt><a href="diagnosis.html#id3006072">Introduction</a></dt><dt><a href="diagnosis.html#id3007931">Assumptions</a></dt><dt><a href="diagnosis.html#id3008108">The tests</a></dt><dt><a href="diagnosis.html#id3009283">Still having troubles?</a></dt></dl></dd><dt>34. <a href="problems.html">Analysing and solving samba problems</a></dt><dd><dl><dt><a href="problems.html#id3010907">Diagnostics tools</a></dt><dt><a href="problems.html#id3011048">Installing 'Network Monitor' on an NT Workstation or a Windows 9x box</a></dt><dt><a href="problems.html#id3011333">Useful URLs</a></dt><dt><a href="problems.html#id3011378">Getting help from the mailing lists</a></dt><dt><a href="problems.html#id3011530">How to get off the mailing lists</a></dt></dl></dd><dt>35. <a href="bugreport.html">Reporting Bugs</a></dt><dd><dl><dt><a href="bugreport.html#id3012269">Introduction</a></dt><dt><a href="bugreport.html#id3012491">General info</a></dt><dt><a href="bugreport.html#id3012528">Debug levels</a></dt><dt><a href="bugreport.html#id3012670">Internal errors</a></dt><dt><a href="bugreport.html#id3012778">Attaching to a running process</a></dt><dt><a href="bugreport.html#id3012825">Patches</a></dt></dl></dd></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="SWAT.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="diagnosis.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 32. SWAT - The Samba Web Administration Tool </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 33. The Samba checklist</td></tr></table></div></body></html>
--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="migration.html" title="Part IV. Migration and Updating"><link rel="next" href="NT4Migration.html" title="Chapter 31. Migration from NT4 PDC to Samba-3 PDC"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="upgrading-to-3.0"></a>Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">25 October 2002</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="upgrading-to-3.0.html#id3001684">Charsets</a></dt><dt><a href="upgrading-to-3.0.html#id3001709">Obsolete configuration options</a></dt><dt><a href="upgrading-to-3.0.html#id3003319">Password Backend</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001684"></a>Charsets</h2></div></div><div></div></div><p>You might experience problems with special characters
+when communicating with old DOS clients. Codepage
+support has changed in samba 3.0. Read the chapter
+<a href="unicode.html" title="Chapter 27. Unicode/Charsets">Unicode support</a> for details.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3001709"></a>Obsolete configuration options</h2></div></div><div></div></div><p>
+In 3.0, the following configuration options have been removed.
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td>printer driver (replaced by new driver procedures) </td></tr><tr><td>printer driver file (replaced by new driver procedures)</td></tr><tr><td>printer driver location (replaced by new driver procedures)</td></tr><tr><td>use rhosts</td></tr><tr><td>postscript</td></tr><tr><td>client code page (replaced by dos charset)</td></tr><tr><td>vfs path</td></tr><tr><td>vfs options</td></tr></table></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3003319"></a>Password Backend</h2></div></div><div></div></div><p>
+Effective with the release of samba-3 it is now imperative that the password backend
+be correctly defined in smb.conf.
+</p><p>
+Those migrating from samba-2.x with plaintext password support need the following:
+<span class="emphasis"><em>passdb backend = guest</em></span>.
+</p><p>
+Those migrating from samba-2.x with encrypted password support should add to smb.conf
+<span class="emphasis"><em>passdb backend = smbpasswd, guest</em></span>.
+</p><p>
+LDAP using Samba-2.x systems can continue to operate with the following entry
+<span class="emphasis"><em>passdb backend = ldapsam_compat, guest</em></span>.
+</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="NT4Migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part IV. Migration and Updating </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 31. Migration from NT4 PDC to Samba-3 PDC</td></tr></table></div></body></html>
--- /dev/null
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "SAMBA" 7 "" "" ""
+.SH NAME
+Samba \- A Windows SMB/CIFS fileserver for UNIX
+.SH "SYNOPSIS"
+
+.nf
+\fBSamba\fR
+.fi
+
+.SH "DESCRIPTION"
+
+.PP
+The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems\&. This protocol is sometimes also referred to as the Common Internet File System (CIFS)\&. For a more thorough description, see http://www\&.ubiqx\&.org/cifs/\&. Samba also implements the NetBIOS protocol in nmbd\&.
+
+.TP
+\fBsmbd\fR(8)
+The \fBsmbd\fR daemon provides the file and print services to SMB clients, such as Windows 95/98, Windows NT, Windows for Workgroups or LanManager\&. The configuration file for this daemon is described in \fBsmb.conf\fR(5)
+
+
+.TP
+\fBnmbd\fR(8)
+The \fBnmbd\fR daemon provides NetBIOS nameservice and browsing support\&. The configuration file for this daemon is described in \fBsmb.conf\fR(5)
+
+
+.TP
+\fBsmbclient\fR(1)
+The \fBsmbclient\fR program implements a simple ftp-like client\&. This is useful for accessing SMB shares on other compatible servers (such as Windows NT), and can also be used to allow a UNIX box to print to a printer attached to any SMB server (such as a PC running Windows NT)\&.
+
+
+.TP
+\fBtestparm\fR(1)
+The \fBtestparm\fR utility is a simple syntax checker for Samba's \fBsmb.conf\fR(5) configuration file\&.
+
+
+.TP
+\fBtestprns\fR(1)
+The \fBtestprns\fR utility supports testing printer names defined in your \fIprintcap\fR file used by Samba\&.
+
+
+.TP
+\fBsmbstatus\fR(1)
+The \fBsmbstatus\fR tool provides access to information about the current connections to \fBsmbd\fR\&.
+
+
+.TP
+\fBnmblookup\fR(1)
+The \fBnmblookup\fR tools allows NetBIOS name queries to be made from a UNIX host\&.
+
+
+.TP
+\fBsmbgroupedit\fR(8)
+The \fBsmbgroupedit\fR tool allows for mapping unix groups to NT Builtin, Domain, or Local groups\&. Also it allows setting priviledges for that group, such as saAddUser, etc\&.
+
+
+.TP
+\fBsmbpasswd\fR(8)
+The \fBsmbpasswd\fR command is a tool for changing LanMan and Windows NT password hashes on Samba and Windows NT servers\&.
+
+
+.TP
+\fBsmbcacls\fR(1)
+The \fBsmbcacls\fR command is a tool to set ACL's on remote CIFS servers\&.
+
+
+.TP
+\fBsmbsh\fR(1)
+The \fBsmbsh\fR command is a program that allows you to run a unix shell with with an overloaded VFS\&.
+
+
+.TP
+\fBsmbtree\fR(1)
+The \fBsmbtree\fR command is a text-based network neighborhood tool\&.
+
+
+.TP
+\fBsmbtar\fR(1)
+The \fBsmbtar\fR can make backups of data on CIFS/SMB servers\&.
+
+
+.TP
+\fBsmbspool\fR(8)
+\fBsmbspool\fR is a helper utility for printing on printers connected to CIFS servers\&.
+
+
+.TP
+\fBsmbcontrol\fR(1)
+\fBsmbcontrol\fR is a utility that can change the behaviour of running samba daemons\&.
+
+
+.TP
+\fBrpcclient\fR(1)
+\fBrpcclient\fR is a utility that can be used to execute RPC commands on remote CIFS servers\&.
+
+
+.TP
+\fBpdbedit\fR(8)
+The \fBpdbedit\fR command can be used to maintain the local user database on a samba server\&.
+
+
+.TP
+\fBfindsmb\fR(1)
+The \fBfindsmb\fR command can be used to find SMB servers on the local network\&.
+
+
+.TP
+\fBnet\fR(8)
+The \fBnet\fR command is supposed to work similar to the DOS/Windows NET\&.EXE command\&.
+
+
+.TP
+\fBswat\fR(8)
+\fBswat\fR is a web-based interface to configuring \fIsmb\&.conf\fR\&.
+
+
+.TP
+\fBwinbindd\fR(8)
+\fBwinbindd\fR is a daemon that is used for integrating authentication and the user database into unix\&.
+
+
+.TP
+\fBwbinfo\fR(1)
+\fBwbinfo\fR is a utility that retrieves and stores information related to winbind\&.
+
+
+.TP
+\fBeditreg\fR(1)
+\fBeditreg\fR is a command-line utility that can edit windows registry files\&.
+
+
+.TP
+\fBprofiles\fR(1)
+\fBprofiles\fR is a command-line utility that can be used to replace all occurences of a certain SID with another SID\&.
+
+
+.TP
+\fBvfstest\fR(1)
+\fBvfstest\fR is a utility that can be used to test vfs modules\&.
+
+
+.TP
+\fBntlm_auth\fR(1)
+\fBntlm_auth\fR is a helper-utility for external programs wanting to do NTLM-authentication\&.
+
+
+.TP
+\fBsmbmount\fR(8), \fBsmbumount\fR(8), \fBsmbmount\fR(8)
+\fBsmbmount\fR,\fBsmbmnt\fR and \fBsmbmnt\fR are commands that can be used to mount CIFS/SMB shares on Linux\&.
+
+
+.TP
+\fBsmbcquotas\fR(1)
+\fBsmbcquotas\fR is a tool that can set remote QUOTA's on server with NTFS 5\&.
+
+
+.SH "COMPONENTS"
+
+.PP
+The Samba suite is made up of several components\&. Each component is described in a separate manual page\&. It is strongly recommended that you read the documentation that comes with Samba and the manual pages of those components that you use\&. If the manual pages and documents aren't clear enough then please visithttp://devel\&.samba\&.org for information on how to file a bug report or submit a patch\&.
+
+.PP
+If you require help, visit the Samba webpage athttp://www\&.samba\&.org/ and explore the many option available to you\&.
+
+.SH "AVAILABILITY"
+
+.PP
+The Samba software suite is licensed under the GNU Public License(GPL)\&. A copy of that license should have come with the package in the file COPYING\&. You are encouraged to distribute copies of the Samba suite, but please obey the terms of this license\&.
+
+.PP
+The latest version of the Samba suite can be obtained via anonymous ftp from samba\&.org in the directory pub/samba/\&. It is also available on several mirror sites worldwide\&.
+
+.PP
+You may also find useful information about Samba on the newsgroup comp\&.protocol\&.smb and the Samba mailing list\&. Details on how to join the mailing list are given in the README file that comes with Samba\&.
+
+.PP
+If you have access to a WWW viewer (such as Mozilla or Konqueror) then you will also find lots of useful information, including back issues of the Samba mailing list, athttp://lists\&.samba\&.org\&.
+
+.SH "VERSION"
+
+.PP
+This man page is correct for version 3\&.0 of the Samba suite\&.
+
+.SH "CONTRIBUTIONS"
+
+.PP
+If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list athttp://lists\&.samba\&.org\&.
+
+.PP
+If you have patches to submit, visithttp://devel\&.samba\&.org/ for information on how to do it properly\&. We prefer patches in \fBdiff -u\fR format\&.
+
+.SH "CONTRIBUTORS"
+
+.PP
+Contributors to the project are now too numerous to mention here but all deserve the thanks of all Samba users\&. To see a full list, look at the\fIchange-log\fR in the source package for the pre-CVS changes and at http://cvs\&.samba\&.org/ for the contributors to Samba post-CVS\&. CVS is the Open Source source code control system used by the Samba Team to develop Samba\&. The project would have been unmanageable without it\&.
+
+.SH "AUTHOR"
+
+.PP
+The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
+
+.PP
+The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.
+
--- /dev/null
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "TDBBACKUP" 8 "" "" ""
+.SH NAME
+tdbbackup \- tool for backing up and for validating the integrity of samba .tdb files
+.SH "SYNOPSIS"
+
+.nf
+\fBtdbbackup\fR [-s suffix] [-v] [-h]
+.fi
+
+.SH "DESCRIPTION"
+
+.PP
+This tool is part of the \fBSamba\fR(1) suite\&.
+
+.PP
+\fBtdbbackup\fR is a tool that may be used to backup samba \&.tdb files\&. This tool may also be used to verify the integrity of the \&.tdb files prior to samba startup, in which case, if it find file damage and it finds a prior backup it will restore the backup file\&.
+
+.SH "OPTIONS"
+
+.TP
+-h
+Get help information\&.
+
+
+.TP
+-s suffix
+The \fB-s\fR option allows the adminisistrator to specify a file backup extension\&. This way it is possible to keep a history of tdb backup files by using a new suffix for each backup\&.
+
+
+.TP
+-v
+The \fB-v\fR will check the database for damages (currupt data) which if detected causes the backup to be restored\&.
+
+
+.SH "COMMANDS"
+
+.PP
+\fBGENERAL INFORMATION\fR
+
+.PP
+The \fBtdbbackup\fR utility should be run as soon as samba has shut down\&. Do NOT run this command on a live database\&. Typical usage for the command will be:
+
+.PP
+tdbbackup [-s suffix] *\&.tdb
+
+.PP
+Before restarting samba the following command may be run to validate \&.tdb files:
+
+.PP
+tdbbackup -v [-s suffix] *\&.tdb
+
+.PP
+Samba \&.tdb files are stored in various locations, be sure to run backup all \&.tdb file on the system\&. Imporatant files includes:
+
+.TP 3
+\(bu
+\fBsecrets.tdb\fR - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
+
+.TP
+\(bu
+\fBpassdb.tdb\fR - usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
+
+.TP
+\(bu
+\fB*.tdb\fR located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories\&.
+
+.LP
+
+.SH "VERSION"
+
+.PP
+This man page is correct for version 3\&.0 of the Samba suite\&.
+
+.SH "AUTHOR"
+
+.PP
+The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
+
+.PP
+The tdbbackup man page was written by John H Terpstra\&.
+
--- /dev/null
+\e$B!|\e(B samba \e$BF|K\8lBP1~$K$D$$$F\e(B
+
+1. \e$BL\E*\e(B
+
+ \e$BF|K\8lBP1~$O!"\e(B
+
+ (1) MS-Windows \e$B>e$G!"4A;z%U%!%$%kL>$r$I$&$7$F$b07$&I,MW$N$"$k%"%W%j%1!<%7%g%s$,$A$c\e(B
+ \e$B$s$HF0:n$9$k!#Nc$($P!"\e(BMS-WORD 5 \e$B$J$I$O!"%$%s%9%H!<%k;~$K4A;z$N%U%!%$%kL>$r>!<j\e(B
+ \e$B$K$D$1$F$7$^$$$^$9!#$3$&$$$C$?>l9g$K$A$c$s$HBP1~$G$-$k$h$&$K$9$k!#\e(B
+
+ (2) UNIX \e$B$O!":G6a$G$O$[$H$s$I$N$b$N$,\e(B 8 bits \e$B$N%U%!%$%kL>$r%5%]!<%H$7$F$$$^$9$,!"\e(B
+ \e$BCf$K$O!"$3$l$r%5%]!<%H$7$F$$$J$$$b$N$b$"$j$^$9!#$3$N$h$&$J>l9g$G$b!"\e(B(1)\e$B$NL\E*\e(B
+ \e$B$,K~B-$G$-$k$h$&$K$9$k!#\e(B
+
+ \e$B$rL\E*$H$7$F$$$^$9!#$=$N$?$a!"F|K\8lBP1~$O!"I,MW:G>.8B$7$+9T$J$C$F$*$j$^$;$s!#\e(B
+
+ \e$BF|K\8lBP1~$7$?\e(B samba \e$B$rMxMQ$9$k$?$a$K$O!"%3%s%Q%$%k$9$k;~$K!"I,$:!"\e(BKANJI \e$B$NDj5A$rDI\e(B
+ \e$B2C$7$F$/$@$5$$!#$3$N%*%W%7%g%s$r;XDj$7$F$$$J$$>l9g$O!"F|K\8l$N%U%!%$%kL>$r@5$7$/07\e(B
+ \e$B$&$3$H$O$G$-$^$;$s!#!J%3%s%Q%$%k$K$D$$$F$O!"2<5-\e(B 3. \e$B$r;2>H$7$F2<$5$$!K\e(B
+
+2. \e$BMxMQJ}K!\e(B
+
+(1) \e$BDI2C$7$?%Q%i%a!<%?\e(B
+
+ smb.conf \e$B%U%!%$%k$N\e(B global \e$B%;%/%7%g%s$K0J2<$N%Q%i%a!<%?$r@_Dj$G$-$k$h$&$K$7$^$7$?!#\e(B
+
+ [global]
+ ....
+ coding system = <\e$B%3!<%I7O\e(B>
+
+ \e$B$3$3$G;XDj$5$l$?%3!<%I7O$,\e(B UNIX \e$B>e$N%U%!%$%k%7%9%F%`$N%U%!%$%kL>$N%3!<%I$K$J$j$^$9!#\e(B
+ \e$B@_Dj$G$-$k$b$N$O!"<!$N$h$&$K$J$C$F$$$^$9!#\e(B
+
+ sjis: SHIFT JIS (MS \e$B4A;z%3!<%I\e(B)
+ euc: EUC \e$B%3!<%I\e(B
+ hex: 7 bits \e$B$N\e(B ASCII \e$B%3!<%I0J30$N%3!<%I$r0J2<$N7A<0$GI=$9J}<0$G$9!#Nc$($P!"\e(B
+ '\e$B%*%U%#%9\e(B' \e$B$H$$$&L>A0$O!"\e(B':83:49:83:74:83:42:83:58' \e$B$N$h$&$K!"\e(B':' \e$B$N8e$K#27e\e(B
+ \e$B$N\e(B16\e$B?J?t$rB3$1$k7A<0$K$J$j$^$9!#\e(B
+ \e$B$3$3$G!"\e(B':' \e$B$rB>$NJ8;z$KJQ99$7$?$$>l9g$O!"\e(Bhex \e$B$N8e$m$K$=$NJ8;z$r;XDj$7$^$9!#\e(B
+ \e$BNc$($P!"\e(B@\e$B$rJQ$o$j$K;H$$$?$$>l9g$O!"\e(B'hex@'\e$B$N$h$&$K;XDj$7$^$9!#\e(B
+ cap: 7 bits \e$B$N\e(B ASCII \e$B%3!<%I0J30$N%3!<%I$r0J2<$N7A<0$GI=$9J}<0$H$$$&E@$G$O\e(B
+ hex\e$B$HF1MM$G$9$,!"\e(BCAP (The Columbia AppleTalk Package)\e$B$H8_49@-$r;}$DJQ49\e(B
+ \e$BJ}<0$H$J$C$F$$$^$9!#\e(Bhex\e$B$H$N0c$$$O\e(B0x80\e$B0J>e$N%3!<%I$N$_\e(B':80'\e$B$N$h$&$KJQ49\e(B
+ \e$B$5$l!"$=$NB>$O\e(BASCII\e$B%3!<%I$G8=$5$l$^$9!#\e(B
+ \e$BNc$($P!"\e(B'\e$B%*%U%#%9\e(B'\e$B$H$$$&L>A0$O!"\e(B':83I:83t:83B:83X'\e$B$H$J$j$^$9!#\e(B
+
+ JIS \e$B%3!<%I$K$D$$$F$O!"0J2<$NI=$r;2>H$7$F2<$5$$!#\e(B
+ \e$B(#(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(((!(!(!(!(!(!(!(!(!($\e(B
+ \e$B(";XDj\e(B \e$B("4A;z3+;O("4A;z=*N;("%+%J3+;O("%+%J=*N;("1Q?t3+;O("Hw9M\e(B \e$B("\e(B
+ \e$B('(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(+(!(!(!(!(!(!(!(!(!()\e(B
+ \e$B("\e(Bjis7 \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(J \e$B("\e(Bjis 7\e$BC10LId9f\e(B \e$B("\e(B
+ \e$B("\e(Bjunet \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B\E(I \e$B("\e(B\E(J \e$B("\e(B\E(J \e$B("\e(B7bits \e$B%3!<%I\e(B \e$B("\e(B
+ \e$B("\e(Bjis8 \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(J \e$B("\e(Bjis 8\e$BC10LId9f\e(B \e$B("\e(B
+ \e$B("\e(Bj7bb \e$B("\e(B\E$B \e$B("\e(B\E(B \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj7bj \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(J \e$B("\e(Bjis7\e$B$HF1$8\e(B \e$B("\e(B
+ \e$B("\e(Bj7bh \e$B("\e(B\E$B \e$B("\e(B\E(H \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj7@b \e$B("\e(B\E$@ \e$B("\e(B\E(B \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj7@j \e$B("\e(B\E$@ \e$B("\e(B\E(J \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(J \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj7@h \e$B("\e(B\E$@ \e$B("\e(B\E(H \e$B("\e(B0x0e \e$B("\e(B0x0f \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj8bb \e$B("\e(B\E$B \e$B("\e(B\E(B \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj8bj \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(J \e$B("\e(Bjis8\e$B$HF1$8\e(B \e$B("\e(B
+ \e$B("\e(Bj8bh \e$B("\e(B\E$B \e$B("\e(B\E(H \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj8@b \e$B("\e(B\E@@ \e$B("\e(B\E(B \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj8@j \e$B("\e(B\E$@ \e$B("\e(B\E(J \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(J \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bj8@h \e$B("\e(B\E$@ \e$B("\e(B\E(H \e$B("\e(B-- \e$B("\e(B-- \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bjubb \e$B("\e(B\E$B \e$B("\e(B\E(B \e$B("\e(B\E(I \e$B("\e(B\E(B \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bjubj \e$B("\e(B\E$B \e$B("\e(B\E(J \e$B("\e(B\E(I \e$B("\e(B\E(J \e$B("\e(B\E(J \e$B("\e(Bjunet\e$B$HF1$8\e(B \e$B("\e(B
+ \e$B("\e(Bjubh \e$B("\e(B\E$B \e$B("\e(B\E(H \e$B("\e(B\E(I \e$B("\e(B\E(H \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bju@b \e$B("\e(B\E$@ \e$B("\e(B\E(B \e$B("\e(B\E(I \e$B("\e(B\E(B \e$B("\e(B\E(B \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bju@j \e$B("\e(B\E$@ \e$B("\e(B\E(J \e$B("\e(B\E(I \e$B("\e(B\E(J \e$B("\e(B\E(J \e$B("\e(B \e$B("\e(B
+ \e$B("\e(Bju@h \e$B("\e(B\E$@ \e$B("\e(B\E(H \e$B("\e(B\E(I \e$B("\e(B\E(H \e$B("\e(B\E(H \e$B("\e(B \e$B("\e(B
+ \e$B(&(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(*(!(!(!(!(!(!(!(!(!(%\e(B
+
+ \e$B$$$:$l$N>l9g$b!"$9$G$KB8:_$7$F$$$kL>A0$KBP$7$F$O!"4A;z$N3+;O=*N;%7!<%1%s%9$O!"0J2<\e(B
+ \e$B$N$b$N$rG'<1$7$^$9!#\e(B
+ \e$B4A;z$N;O$^$j\e(B: \E$B \e$B$+\e(B \E$@
+ \e$B4A;z$N=*$j\e(B: \E(J \e$B$+\e(B \E(B \e$B$+\e(B \E(H
+
+(2) smbclient \e$B$N%*%W%7%g%s\e(B
+
+ \e$B%/%i%$%"%s%H%W%m%0%i%`$G$b!"4A;z$d2>L>$r4^$s$@%U%!%$%k$r07$($k$h$&$K!"<!$N%*%W%7%g%s\e(B
+ \e$B$rDI2C$7$^$7$?!#\e(B
+
+ -t <\e$B%?!<%_%J%k%3!<%I7O\e(B>
+
+ \e$B$3$3$G!"\e(B<\e$B%?!<%_%J%k%3!<%I7O\e(B>\e$B$K;XDj$G$-$k$b$N$O!">e$N\e(B<\e$B%3!<%I7O\e(B>\e$B$HF1$8$b$N$G$9!#\e(B
+
+(3) \e$B%G%U%)%k%H\e(B
+
+ \e$B%G%U%)%k%H$N%3!<%I7O$O!"%3%s%Q%$%k;~$K7h$^$j$^$9!#\e(B
+
+3. \e$B%3%s%Q%$%k;~$N@_Dj\e(B
+
+ Makefile \e$B$K@_Dj$9$k9`L\$r0J2<$K<($7$^$9!#\e(B
+
+(1) KANJI \e$B%U%i%0\e(B
+
+ \e$B%3%s%Q%$%k%*%W%7%g%s$K\e(B -DKANJI=\"\e$B%3!<%I7O\e(B\" \e$B$r;XDj$7$^$9!#$3$N%3!<%I7O$O\e(B 2. \e$B$G;X\e(B
+ \e$BDj$9$k$b$N$HF1$8$G$9!#Nc$($P!"\e(B-DKANJI=\"euc\" \e$B$r\e(BFLAGSM \e$B$K@_Dj$9$k$H\e(B UNIX \e$B>e$N%U%!\e(B
+ \e$B%$%kL>$O!"\e(BEUC \e$B%3!<%I$K$J$j$^$9!#$3$3$G;XDj$7$?%3!<%I7O$O!"%5!<%P5Z$S%/%i%$%"%s%H\e(B
+ \e$B%W%m%0%i%`$N%G%U%)%k%H$KCM$J$j$^$9!#\e(B
+
+ \e$B>0!"%*%W%7%g%sCf$N\e(B \ \e$B$d\e(B " \e$B$bK:$l$:$K;XDj$7$F2<$5$$!#\e(B
+
+3. \e$B@)8B;v9`\e(B
+
+(1) \e$B4A;z%3!<%I\e(B
+ smbd \e$B$rF0:n$5$;$k%[%9%H$N\e(B UNIX \e$B$,%5%]!<%H$7$F$$$J$$4A;z%3!<%I$O!"MxMQ$G$-$J$$$3$H$,\e(B
+ \e$B$"$j$^$9!#JQ$JF0:n$r$9$k$h$&$J$i\e(B hex \e$B$N;XDj$r$9$k$N$,NI$$$G$7$g$&!#\e(B
+
+(2) smbclient \e$B%3%^%s%I\e(B
+ \e$B%7%U%H%3!<%I$J$I$N4X78$G!"4A;z$d2>L>$r4^$s$@%U%!%$%kL>$N\e(B ls \e$B$NI=<($,Mp$l$k$3$H$,$"$j\e(B
+ \e$B$^$9!#\e(B
+
+(3) \e$B%o%$%k%I%+!<%I$K$D$$$F\e(B
+ \e$B$A$c$s$H$7$?%9%Z%C%/$,$h$/$o$+$i$J$+$C$?$N$G$9$,!"0l1~!"\e(BDOS/V \e$B$NF0:n$HF1$8F0:n$r9T$J\e(B
+ \e$B$&$h$&$K$J$C$F$$$^$9!#\e(B
+
+(4) \e$B%m%s%0%U%!%$%kL>$K$D$$$F\e(B
+ Windows NT/95 \e$B$G$O!"%m%s%0%U%!%$%kL>$,07$($^$9!#%m%s%0%U%!%$%kL>$r\e(B 8.3 \e$B%U%)!<%^%C%H\e(B
+ \e$B$G07$&$?$a$K!"\e(Bmangling \e$B$7$F$$$^$9$,!"$3$NJ}K!$O!"\e(BNT \e$B$d\e(B 95 \e$B$,9T$J$C$F$$$k\e(B mangling \e$B$H\e(B
+ \e$B$O0[$J$j$^$9$N$GCm0U$7$F2<$5$$!#\e(B
+
+4. \e$B>c32Ey$N%l%]!<%H$K$D$$$F\e(B
+
+ \e$BF|K\8l$N%U%!%$%kL>$K4X$7$F!"J8;z2=$1Ey$N>c32$,$"$l$P!";d$K%l%]!<%H$7$FD:$1$l$P9,$$$G\e(B
+
\e$B$9!#$?$@$7!"%*%j%8%J%k$+$i$NLdBjE@$d<ALd$K$D$$$F$O!"%*%j%8%J%k$N:n<T$XD>@\Ld$$9g$o$;$k
\e(B
+\e$B$+!"$b$7$/$O%a!<%j%s%0%j%9%H$J$I$X%l%]!<%H$9$k$h$&$K$7$F2<$5$$!#\e(B
+
+\e$B%l%]!<%H$5$l$k>l9g!"MxMQ$5$l$F$$$k4D6-\e(B(UNIX \e$B5Z$S\e(B PC \e$BB&$N\e(BOS\e$B$J$I\e(B)\e$B$H$G$-$^$7$?$i@_Dj%U%!\e(B
+\e$B%$%k$d%m%0$J$I$rE:IU$7$FD:$1$k$H9,$$$G$9!#\e(B
+
+5. \e$B$=$NB>\e(B
+
+ \e$B%3!<%IJQ49$O0J2<$NJ}!9$,:n$i$l$?%W%m%0%i%`$rMxMQ$7$F$$$^$9!#\e(B
+
+ hex \e$B7A<0\e(B \e$BBgLZ!wBgDM!&C^GH\e(B <ohki@gssm.otsuka.tsukuba.ac.jp>\e$B;a\e(B
+ cap \e$B7A<0\e(B \e$BI%ED\e(B \e$BF;O:\e(B (michiro@po.iijnet.or.jp)(michiro@dms.toppan.co.jp)\e$B;a\e(B
+
+ \e$B$=$NB>!"$?$/$5$s$NJ}!9$+$i$$$m$$$m$H8f65<($$$?$@$-$"$j$,$H$&$4$6$$$^$7$?!#:#8e$H$b$h\e(B
+\e$B$m$7$/$*4j$$CW$7$^$9!#\e(B
+
+1994\e$BG/\e(B10\e$B7n\e(B28\e$BF|\e(B \e$BBh#1HG\e(B
+1995\e$BG/\e(B 8\e$B7n\e(B16\e$BF|\e(B \e$BBh#2HG\e(B
+1995\e$BG/\e(B11\e$B7n\e(B24\e$BF|\e(B \e$BBh#3HG\e(B
+1996\e$BG/\e(B 5\e$B7n\e(B13\e$BF|\e(B \e$BBh#4HG\e(B
+
+\e$BF#ED\e(B \e$B?r\e(B fujita@ainix.isac.co.jp
+
--- /dev/null
+#!/usr/bin/perl
+##
+## Example script to export ldap entries into an smbpasswd file format
+## using the Mozilla PerLDAP module.
+##
+## writen by jerry@samba.org
+##
+## ported to Net::LDAP by dkrovich@slackworks.com
+
+use Net::LDAP;
+
+######################################################
+## Set these values to whatever you need for your site
+##
+
+$DN="dc=samba,dc=my-domain,dc=com";
+$ROOTDN="cn=Manager,dc=my-domain,dc=com";
+$rootpw = "secret";
+$LDAPSERVER="localhost";
+
+##
+## end local site variables
+######################################################
+
+$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
+
+print "##\n";
+print "## Autogenerated smbpasswd file via ldapsearch\n";
+print "## from $LDAPSERVER ($DN)\n";
+print "##\n";
+
+## scheck for the existence of the posixAccount first
+$result = $ldap->search ( base => "$DN",
+ scope => "sub",
+ filter => "(objectclass=sambaAccount)"
+ );
+
+
+
+## loop over the entries we found
+while ( $entry = $result->shift_entry() ) {
+
+ @uid = $entry->get_value("uid");
+ @uidNumber = $entry->get_value("uidNumber");
+ @lm_pw = $entry->get_value("lmpassword");
+ @nt_pw = $entry->get_value("ntpassword");
+ @acct = $entry->get_value("acctFlags");
+ @pwdLastSet = $entry->get_value("pwdLastSet");
+
+ if (($#uid+1) && ($#uidNumber+1)) {
+
+ $lm_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#lm_pw+1));
+ $nt_pw[0] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" if (! ($#nt_pw+1));
+ $acct[0] = "[DU ]" if (! ($#acct+1));
+ $pwdLastSet[0] = "FFFFFFFF" if (! ($#pwdLastSet+1));
+
+ print "$uid[0]:$uidNumber[0]:$lm_pw[0]:$nt_pw[0]:$acct[0]:LCT-$pwdLastSet[0]\n";
+ }
+
+}
+
+$ldap->unbind();
+exit 0;
+
--- /dev/null
+#!/usr/bin/perl
+##
+## Example script of how you could import a smbpasswd file into an LDAP
+## directory using the Mozilla PerLDAP module.
+##
+## writen by jerry@samba.org
+##
+## ported to Net::LDAP by dkrovich@slackworks.com
+
+use Net::LDAP;
+
+#################################################
+## set these to a value appropriate for your site
+##
+
+$DN="ou=people,dc=plainjoe,dc=org";
+$ROOTDN="cn=Manager,dc=plainjoe,dc=org";
+# If you use perl special character in your
+# rootpw, escape them:
+# $rootpw = "secr\@t" instead of $rootpw = "secr@t"
+$rootpw = "n0pass";
+$LDAPSERVER="scooby";
+
+##
+## end local site variables
+#################################################
+
+$ldap = Net::LDAP->new($LDAPSERVER) or die "Unable to connect to LDAP server $LDAPSERVER";
+
+## Bind as $ROOTDN so you can do updates
+$mesg = $ldap->bind($ROOTDN, password => $rootpw);
+$mesg->error() if $mesg->code();
+
+while ( $string = <STDIN> ) {
+ chomp ($string);
+
+ ## Get the account info from the smbpasswd file
+ @smbentry = split (/:/, $string);
+
+ ## Check for the existence of a system account
+ @getpwinfo = getpwnam($smbentry[0]);
+ if (! @getpwinfo ) {
+ print STDERR "**$smbentry[0] does not have a system account... \n";
+ next;
+ }
+ ## Calculate RID = uid*2 +1000
+ $rid=@getpwinfo[2]*2+1000;
+
+ ## check and see if account info already exists in LDAP.
+ $result = $ldap->search ( base => "$DN",
+ scope => "sub",
+ filter => "(uid=$smbentry[0])"
+ );
+
+ ## If no LDAP entry exists, create one.
+ if ( $result->count == 0 ) {
+ $new_entry = Net::LDAP::Entry->new();
+ $new_entry->add( dn => "uid=$smbentry[0],$DN",
+ uid => $smbentry[0],
+ rid => $rid,
+ lmPassword => $smbentry[2],
+ ntPassword => $smbentry[3],
+ acctFlags => $smbentry[4],
+ cn => $smbentry[0],
+ pwdLastSet => hex(substr($smbentry[5],4)),
+ objectclass => 'sambaAccount' );
+
+ $result = $ldap->add( $new_entry );
+ $result->error() if $result->code();
+ print "Adding [uid=" . $smbentry[0] . "," . $DN . "]\n";
+
+ ## Otherwise, supplement/update the existing entry.
+ }
+ elsif ($result->count == 1)
+ {
+ # Put the search results into an entry object
+ $entry = $result->entry(0);
+
+ print "Updating [" . $entry->dn . "]\n";
+
+ ## Add the objectclass: sambaAccount attribute if it's not there
+ @values = $entry->get_value( "objectclass" );
+ $flag = 1;
+ foreach $item (@values) {
+ print "$item\n";
+ if ( "$item" eq "sambaAccount" ) {
+ $flag = 0;
+ }
+ }
+ if ( $flag ) {
+ ## Adding sambaAccount objectclass requires adding at least rid:
+ ## uid attribute already exists we know since we searched on it
+ $entry->add(objectclass => "sambaAccount",
+ rid => $rid );
+ }
+
+ ## Set the other attribute values
+ $entry->replace(rid => $rid,
+ lmPassword => $smbentry[2],
+ ntPassword => $smbentry[3],
+ acctFlags => $smbentry[4],
+ pwdLastSet => hex(substr($smbentry[5],4)));
+
+ ## Apply changes to the LDAP server
+ $updatemesg = $entry->update($ldap);
+ $updatemesg->error() if $updatemesg->code();
+
+ ## If we get here, the LDAP search returned more than one value
+ ## which shouldn't happen under normal circumstances.
+ } else {
+ print STDERR "LDAP search returned more than one entry for $smbentry[0]... skipping!\n";
+ next;
+ }
+}
+
+$ldap->unbind();
+exit 0;
+
+
--- /dev/null
+CC = @CC@
+CFLAGS = @CFLAGS@
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LDSHFLAGS = @LDSHFLAGS@
+INSTALLCMD = @INSTALL@
+SAMBA_SOURCE = @SAMBA_SOURCE@
+SHLIBEXT = @SHLIBEXT@
+OBJEXT = @OBJEXT@
+FLAGS = $(CFLAGS) -Iinclude -I$(SAMBA_SOURCE)/include -I$(SAMBA_SOURCE)/ubiqx -I$(SAMBA_SOURCE)/smbwrapper -I. $(CPPFLAGS) -I$(SAMBA_SOURCE)
+
+
+prefix = @prefix@
+libdir = @libdir@
+
+VFS_LIBDIR = $(libdir)/vfs
+
+# Auto target
+default: $(patsubst %.c,%.$(SHLIBEXT),$(wildcard *.c))
+
+# Pattern rules
+
+%.$(SHLIBEXT): %.$(OBJEXT)
+ @echo "Linking $@"
+ @$(CC) $(LDSHFLAGS) $(LDFLAGS) -o $@ $<
+
+%.$(OBJEXT): %.c
+ @echo "Compiling $<"
+ @$(CC) $(FLAGS) -c $<
+
+
+install: default
+ $(INSTALLCMD) -d $(VFS_LIBDIR)
+ $(INSTALLCMD) -m 755 *.$(SHLIBEXT) $(VFS_LIBDIR)
+
+# Misc targets
+clean:
+ rm -rf .libs
+ rm -f core *~ *% *.bak *.o *.$(SHLIBEXT)
+
+distclean: clean
+ rm config.* Makefile
+
--- /dev/null
+#!/bin/sh
+
+# Run this script to build samba from CVS.
+
+## insert all possible names (only works with
+## autoconf 2.x
+#TESTAUTOHEADER="autoheader autoheader-2.53"
+TESTAUTOCONF="autoconf autoconf-2.53"
+
+#AUTOHEADERFOUND="0"
+AUTOCONFFOUND="0"
+
+
+##
+## Look for autoheader
+##
+#for i in $TESTAUTOHEADER; do
+# if which $i > /dev/null 2>&1; then
+# if [ `$i --version | head -n 1 | cut -d. -f 2` -ge 53 ]; then
+# AUTOHEADER=$i
+# AUTOHEADERFOUND="1"
+# break
+# fi
+# fi
+#done
+
+##
+## Look for autoconf
+##
+
+for i in $TESTAUTOCONF; do
+ if which $i > /dev/null 2>&1; then
+ if [ `$i --version | head -n 1 | cut -d. -f 2` -ge 53 ]; then
+ AUTOCONF=$i
+ AUTOCONFFOUND="1"
+ break
+ fi
+ fi
+done
+
+
+##
+## do we have it?
+##
+if [ "$AUTOCONFFOUND" = "0" -o "$AUTOHEADERFOUND" = "0" ]; then
+ echo "$0: need autoconf 2.53 or later to build samba from CVS" >&2
+ exit 1
+fi
+
+
+
+#echo "$0: running $AUTOHEADER"
+#$AUTOHEADER || exit 1
+
+echo "$0: running $AUTOCONF"
+$AUTOCONF || exit 1
+
+echo "Now run ./configure and then make."
+exit 0
+
--- /dev/null
+dnl -*- mode: m4-mode -*-
+dnl Process this file with autoconf to produce a configure script.
+
+dnl We must use autotools 2.53 or above
+AC_PREREQ(2.53)
+AC_INIT(Makefile.in)
+
+#dnl Uncomment this if you want to use your own define's too
+#AC_CONFIG_HEADER(module_config.h)
+#dnl To make sure that didn't get #define PACKAGE_* in modules_config.h
+#echo "" > confdefs.h
+
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_INSTALL
+
+#################################################
+# Directory handling stuff to support both the
+# legacy SAMBA directories and FHS compliant
+# ones...
+AC_PREFIX_DEFAULT(/usr/local/samba)
+
+AC_ARG_WITH(fhs,
+[ --with-fhs Use FHS-compliant paths (default=no)],
+ libdir="\${prefix}/lib/samba",
+ libdir="\${prefix}/lib")
+
+AC_SUBST(libdir)
+
+SAMBA_SOURCE="../../source"
+####################################################
+# set the location location of the samba source tree
+AC_ARG_WITH(samba-source,
+[ --with-samba-source=DIR Where is the samba source tree (../../source)],
+[ case "$withval" in
+ yes|no)
+ #
+ # Just in case anybody calls it without argument
+ #
+ AC_MSG_WARN([--with-samba-source called without argument - will use default])
+ ;;
+ * )
+ SAMBA_SOURCE="$withval"
+ ;;
+ esac])
+
+AC_SUBST(SAMBA_SOURCE)
+
+dnl Unique-to-Samba variables we'll be playing with.
+AC_SUBST(CC)
+AC_SUBST(SHELL)
+AC_SUBST(LDSHFLAGS)
+AC_SUBST(SONAMEFLAG)
+AC_SUBST(SHLD)
+AC_SUBST(HOST_OS)
+AC_SUBST(PICFLAG)
+AC_SUBST(PICSUFFIX)
+AC_SUBST(POBAD_CC)
+AC_SUBST(SHLIBEXT)
+AC_SUBST(INSTALLCLIENTCMD_SH)
+AC_SUBST(INSTALLCLIENTCMD_A)
+AC_SUBST(SHLIB_PROGS)
+AC_SUBST(EXTRA_BIN_PROGS)
+AC_SUBST(EXTRA_SBIN_PROGS)
+AC_SUBST(EXTRA_ALL_TARGETS)
+
+AC_ARG_ENABLE(debug,
+[ --enable-debug Turn on compiler debugging information (default=no)],
+ [if eval "test x$enable_debug = xyes"; then
+ CFLAGS="${CFLAGS} -g"
+ fi])
+
+AC_ARG_ENABLE(developer, [ --enable-developer Turn on developer warnings and debugging (default=no)],
+ [if eval "test x$enable_developer = xyes"; then
+ developer=yes
+ CFLAGS="${CFLAGS} -g -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -DDEBUG_PASSWORD -DDEVELOPER"
+ fi])
+
+# compile with optimization and without debugging by default, but
+# allow people to set their own preference.
+if test "x$CFLAGS" = x
+then
+ CFLAGS="-O ${CFLAGS}"
+fi
+
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for working krb5-config)
+ if test -x "$KRB5_CONFIG"; then
+ CFLAGS="$CFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ CPPFLAGS="$CPPFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ FOUND_KRB5=yes
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+ fi
+
+ if test x$FOUND_KRB5 = x"no"; then
+ #################################################
+ # check for location of Kerberos 5 install
+ AC_MSG_CHECKING(for kerberos 5 install path)
+ AC_ARG_WITH(krb5,
+ [ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)],
+ [ case "$withval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ AC_MSG_RESULT(yes)
+ CFLAGS="$CFLAGS -I$withval/include"
+ CPPFLAGS="$CPPFLAGS -I$withval/include"
+ FOUND_KRB5=yes
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+ fi
+
+if test x$FOUND_KRB5 = x"no"; then
+#################################################
+# see if this box has the SuSE location for the heimdal kerberos implementation
+AC_MSG_CHECKING(for /usr/include/heimdal)
+if test -d /usr/include/heimdal; then
+ if test -f /usr/lib/heimdal/lib/libkrb5.a; then
+ CFLAGS="$CFLAGS -I/usr/include/heimdal"
+ CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
+ AC_MSG_RESULT(yes)
+ else
+ CFLAGS="$CFLAGS -I/usr/include/heimdal"
+ CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
+ AC_MSG_RESULT(yes)
+
+ fi
+else
+ AC_MSG_RESULT(no)
+fi
+fi
+
+
+if test x$FOUND_KRB5 = x"no"; then
+#################################################
+# see if this box has the RedHat location for kerberos
+AC_MSG_CHECKING(for /usr/kerberos)
+if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
+ LDFLAGS="$LDFLAGS -L/usr/kerberos/lib"
+ CFLAGS="$CFLAGS -I/usr/kerberos/include"
+ CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+fi
+
+ # now check for krb5.h. Some systems have the libraries without the headers!
+ # note that this check is done here to allow for different kerberos
+ # include paths
+ AC_CHECK_HEADERS(krb5.h)
+
+ # now check for gssapi headers. This is also done here to allow for
+ # different kerberos include paths
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+
+#dnl Check if we use GNU ld
+#LD=ld
+#AC_PROG_LD_GNU
+
+#dnl look for executable suffix
+#AC_EXEEXT
+
+builddir=`pwd`
+AC_SUBST(builddir)
+
+# Assume non-shared by default and override below
+BLDSHARED="false"
+
+# these are the defaults, good for lots of systems
+HOST_OS="$host_os"
+LDSHFLAGS="-shared"
+SONAMEFLAG="#"
+SHLD="\${CC}"
+PICFLAG=""
+PICSUFFIX="po"
+POBAD_CC="#"
+SHLIBEXT="so"
+
+if test "$enable_shared" = "yes"; then
+ # this bit needs to be modified for each OS that is suported by
+ # smbwrapper. You need to specify how to created a shared library and
+ # how to compile C code to produce PIC object files
+
+ AC_MSG_CHECKING([ability to build shared libraries])
+
+ # and these are for particular systems
+ case "$host_os" in
+ *linux*)
+ BLDSHARED="true"
+ LDSHFLAGS="-shared"
+ DYNEXP="-Wl,--export-dynamic"
+ PICFLAG="-fPIC"
+ SONAMEFLAG="-Wl,-soname="
+ ;;
+ *solaris*)
+ BLDSHARED="true"
+ LDSHFLAGS="-G"
+ SONAMEFLAG="-h "
+ if test "${GCC}" = "yes"; then
+ PICFLAG="-fPIC"
+ if test "${ac_cv_prog_gnu_ld}" = "yes"; then
+ DYNEXP="-Wl,-E"
+ fi
+ else
+ PICFLAG="-KPIC"
+ ## ${CFLAGS} added for building 64-bit shared
+ ## libs using Sun's Compiler
+ LDSHFLAGS="-G \${CFLAGS}"
+ POBAD_CC=""
+ PICSUFFIX="po.o"
+ fi
+ ;;
+ *sunos*)
+ BLDSHARED="true"
+ LDSHFLAGS="-G"
+ SONAMEFLAG="-Wl,-h,"
+ PICFLAG="-KPIC" # Is this correct for SunOS
+ ;;
+ *netbsd* | *freebsd*) BLDSHARED="true"
+ LDSHFLAGS="-shared"
+ DYNEXP="-Wl,--export-dynamic"
+ SONAMEFLAG="-Wl,-soname,"
+ PICFLAG="-fPIC -DPIC"
+ ;;
+ *openbsd*) BLDSHARED="true"
+ LDSHFLAGS="-shared"
+ DYNEXP="-Wl,-Bdynamic"
+ SONAMEFLAG="-Wl,-soname,"
+ PICFLAG="-fPIC"
+ ;;
+ *irix*)
+ case "$host_os" in
+ *irix6*)
+ ;;
+ esac
+ ATTEMPT_WRAP32_BUILD=yes
+ BLDSHARED="true"
+ LDSHFLAGS="-set_version sgi1.0 -shared"
+ SONAMEFLAG="-soname "
+ SHLD="\${LD}"
+ if test "${GCC}" = "yes"; then
+ PICFLAG="-fPIC"
+ else
+ PICFLAG="-KPIC"
+ fi
+ ;;
+ *aix*)
+ BLDSHARED="true"
+ LDSHFLAGS="-Wl,-bexpall,-bM:SRE,-bnoentry,-berok"
+ DYNEXP="-Wl,-brtl,-bexpall"
+ PICFLAG="-O2"
+ if test "${GCC}" != "yes"; then
+ ## for funky AIX compiler using strncpy()
+ CFLAGS="$CFLAGS -D_LINUX_SOURCE_COMPAT -qmaxmem=32000"
+ fi
+ ;;
+ *hpux*)
+ SHLIBEXT="sl"
+ # Use special PIC flags for the native HP-UX compiler.
+ if test $ac_cv_prog_cc_Ae = yes; then
+ BLDSHARED="true"
+ SHLD="/usr/bin/ld"
+ LDSHFLAGS="-B symbolic -b -z"
+ SONAMEFLAG="+h "
+ PICFLAG="+z"
+ fi
+ DYNEXP="-Wl,-E"
+ ;;
+ *qnx*)
+ ;;
+ *osf*)
+ BLDSHARED="true"
+ LDSHFLAGS="-shared"
+ SONAMEFLAG="-Wl,-soname,"
+ PICFLAG="-fPIC"
+ ;;
+ *sco*)
+ ;;
+ *unixware*)
+ BLDSHARED="true"
+ LDSHFLAGS="-shared"
+ SONAMEFLAG="-Wl,-soname,"
+ PICFLAG="-KPIC"
+ ;;
+ *next2*)
+ ;;
+ *dgux*) AC_CHECK_PROG( ROFF, groff, [groff -etpsR -Tascii -man])
+ ;;
+ *sysv4*)
+ case "$host" in
+ *-univel-*)
+ LDSHFLAGS="-G"
+ DYNEXP="-Bexport"
+ ;;
+ *mips-sni-sysv4*)
+ ;;
+ esac
+ ;;
+
+ *sysv5*)
+ LDSHFLAGS="-G"
+ ;;
+ *vos*)
+ BLDSHARED="false"
+ LDSHFLAGS=""
+ ;;
+ *)
+ ;;
+ esac
+ AC_SUBST(DYNEXP)
+ AC_MSG_RESULT($BLDSHARED)
+ AC_MSG_CHECKING([linker flags for shared libraries])
+ AC_MSG_RESULT([$LDSHFLAGS])
+ AC_MSG_CHECKING([compiler flags for position-independent code])
+ AC_MSG_RESULT([$PICFLAGS])
+fi
+
+#######################################################
+# test whether building a shared library actually works
+if test $BLDSHARED = true; then
+AC_CACHE_CHECK([whether building shared libraries actually works],
+ [ac_cv_shlib_works],[
+ ac_cv_shlib_works=no
+ # try building a trivial shared library
+ if test "$PICSUFFIX" = "po"; then
+ $CC $CPPFLAGS $CFLAGS $PICFLAG -c -o shlib.po ${srcdir-.}/tests/shlib.c &&
+ $CC $CPPFLAGS $CFLAGS `eval echo $LDSHFLAGS` -o "shlib.$SHLIBEXT" shlib.po &&
+ ac_cv_shlib_works=yes
+ else
+ $CC $CPPFLAGS $CFLAGS $PICFLAG -c -o shlib.$PICSUFFIX ${srcdir-.}/tests/shlib.c &&
+ mv shlib.$PICSUFFIX shlib.po &&
+ $CC $CPPFLAGS $CFLAGS `eval echo $LDSHFLAGS` -o "shlib.$SHLIBEXT" shlib.po &&
+ ac_cv_shlib_works=yes
+ fi
+ rm -f "shlib.$SHLIBEXT" shlib.po
+])
+if test $ac_cv_shlib_works = no; then
+ BLDSHARED=false
+fi
+fi
+
+
+
+
+AC_OUTPUT(Makefile)
--- /dev/null
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+ case $1 in
+ -c) instcmd="$cpprog"
+ shift
+ continue;;
+
+ -d) dir_arg=true
+ shift
+ continue;;
+
+ -m) chmodcmd="$chmodprog $2"
+ shift
+ shift
+ continue;;
+
+ -o) chowncmd="$chownprog $2"
+ shift
+ shift
+ continue;;
+
+ -g) chgrpcmd="$chgrpprog $2"
+ shift
+ shift
+ continue;;
+
+ -s) stripcmd="$stripprog"
+ shift
+ continue;;
+
+ -t=*) transformarg=`echo $1 | sed 's/-t=//'`
+ shift
+ continue;;
+
+ -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+ shift
+ continue;;
+
+ *) if [ x"$src" = x ]
+ then
+ src=$1
+ else
+ # this colon is to work around a 386BSD /bin/sh bug
+ :
+ dst=$1
+ fi
+ shift
+ continue;;
+ esac
+done
+
+if [ x"$src" = x ]
+then
+ echo "install: no input file specified"
+ exit 1
+else
+ true
+fi
+
+if [ x"$dir_arg" != x ]; then
+ dst=$src
+ src=""
+
+ if [ -d $dst ]; then
+ instcmd=:
+ else
+ instcmd=mkdir
+ fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad
+# if $src (and thus $dsttmp) contains '*'.
+
+ if [ -f $src -o -d $src ]
+ then
+ true
+ else
+ echo "install: $src does not exist"
+ exit 1
+ fi
+
+ if [ x"$dst" = x ]
+ then
+ echo "install: no destination specified"
+ exit 1
+ else
+ true
+ fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+ if [ -d $dst ]
+ then
+ dst="$dst"/`basename $src`
+ else
+ true
+ fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+# this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+ pathcomp="${pathcomp}${1}"
+ shift
+
+ if [ ! -d "${pathcomp}" ] ;
+ then
+ $mkdirprog "${pathcomp}"
+ else
+ true
+ fi
+
+ pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+ $doit $instcmd $dst &&
+
+ if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+ if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+ if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+ if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+ if [ x"$transformarg" = x ]
+ then
+ dstfile=`basename $dst`
+ else
+ dstfile=`basename $dst $transformbasename |
+ sed $transformarg`$transformbasename
+ fi
+
+# don't allow the sed command to completely eliminate the filename
+
+ if [ x"$dstfile" = x ]
+ then
+ dstfile=`basename $dst`
+ else
+ true
+ fi
+
+# Make a temp file name in the proper directory.
+
+ dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+ $doit $instcmd $src $dsttmp &&
+
+ trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing. If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+ if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+ if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+ if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+ if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+ $doit $rmcmd -f $dstdir/$dstfile &&
+ $doit $mvcmd $dsttmp $dstdir/$dstfile
+
+fi &&
+
+
+exit 0
--- /dev/null
+/*
+ * Skeleton VFS module. Implements passthrough operation of all VFS
+ * calls to disk functions.
+ *
+ * Copyright (C) Tim Potter, 1999-2000
+ * Copyright (C) Alexander Bokovoy, 2002
+ * Copyright (C) Stefan (metze) Metzmacher, 2003
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+
+#include "includes.h"
+
+/* PLEASE,PLEASE READ THE VFS MODULES CHAPTER OF THE
+ SAMBA DEVELOPERS GUIDE!!!!!!
+ */
+
+/* If you take this file as template for your module
+ * please make sure that you remove all vfswrap_* functions and
+ * implement your own function!!
+ *
+ * for functions you didn't want to provide implement dummy functions
+ * witch return ERROR and errno = ENOSYS; !
+ *
+ * --metze
+ */
+
+static int skel_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user)
+{
+ return 0;
+}
+
+static void skel_disconnect(vfs_handle_struct *handle, connection_struct *conn)
+{
+ return;
+}
+
+static SMB_BIG_UINT skel_disk_free(vfs_handle_struct *handle, connection_struct *conn, const char *path,
+ BOOL small_query, SMB_BIG_UINT *bsize,
+ SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize)
+{
+ return vfswrap_disk_free(NULL, conn, path, small_query, bsize,
+ dfree, dsize);
+}
+
+static int skel_get_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
+{
+ return vfswrap_get_quota(NULL, conn, qtype, id, dq);
+}
+
+static int skel_set_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
+{
+ return vfswrap_set_quota(NULL, conn, qtype, id, dq);
+}
+
+static DIR *skel_opendir(vfs_handle_struct *handle, connection_struct *conn, const char *fname)
+{
+ return vfswrap_opendir(NULL, conn, fname);
+}
+
+static struct dirent *skel_readdir(vfs_handle_struct *handle, connection_struct *conn, DIR *dirp)
+{
+ return vfswrap_readdir(NULL, conn, dirp);
+}
+
+static int skel_mkdir(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
+{
+ return vfswrap_mkdir(NULL, conn, path, mode);
+}
+
+static int skel_rmdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return vfswrap_rmdir(NULL, conn, path);
+}
+
+static int skel_closedir(vfs_handle_struct *handle, connection_struct *conn, DIR *dir)
+{
+ return vfswrap_closedir(NULL, conn, dir);
+}
+
+static int skel_open(vfs_handle_struct *handle, connection_struct *conn, const char *fname, int flags, mode_t mode)
+{
+ return vfswrap_open(NULL, conn, fname, flags, mode);
+}
+
+static int skel_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return vfswrap_close(NULL, fsp, fd);
+}
+
+static ssize_t skel_read(vfs_handle_struct *handle, files_struct *fsp, int fd, void *data, size_t n)
+{
+ return vfswrap_read(NULL, fsp, fd, data, n);
+}
+
+static ssize_t skel_write(vfs_handle_struct *handle, files_struct *fsp, int fd, const void *data, size_t n)
+{
+ return vfswrap_write(NULL, fsp, fd, data, n);
+}
+
+static SMB_OFF_T skel_lseek(vfs_handle_struct *handle, files_struct *fsp, int filedes, SMB_OFF_T offset, int whence)
+{
+ return vfswrap_lseek(NULL, fsp, filedes, offset, whence);
+}
+
+static int skel_rename(vfs_handle_struct *handle, connection_struct *conn, const char *old, const char *new)
+{
+ return vfswrap_rename(NULL, conn, old, new);
+}
+
+static int skel_fsync(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return vfswrap_fsync(NULL, fsp, fd);
+}
+
+static int skel_stat(vfs_handle_struct *handle, connection_struct *conn, const char *fname, SMB_STRUCT_STAT *sbuf)
+{
+ return vfswrap_stat(NULL, conn, fname, sbuf);
+}
+
+static int skel_fstat(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_STRUCT_STAT *sbuf)
+{
+ return vfswrap_fstat(NULL, fsp, fd, sbuf);
+}
+
+static int skel_lstat(vfs_handle_struct *handle, connection_struct *conn, const char *path, SMB_STRUCT_STAT *sbuf)
+{
+ return vfswrap_lstat(NULL, conn, path, sbuf);
+}
+
+static int skel_unlink(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return vfswrap_unlink(NULL, conn, path);
+}
+
+static int skel_chmod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
+{
+ return vfswrap_chmod(NULL, conn, path, mode);
+}
+
+static int skel_fchmod(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
+{
+ return vfswrap_fchmod(NULL, fsp, fd, mode);
+}
+
+static int skel_chown(vfs_handle_struct *handle, connection_struct *conn, const char *path, uid_t uid, gid_t gid)
+{
+ return vfswrap_chown(NULL, conn, path, uid, gid);
+}
+
+static int skel_fchown(vfs_handle_struct *handle, files_struct *fsp, int fd, uid_t uid, gid_t gid)
+{
+ return vfswrap_fchown(NULL, fsp, fd, uid, gid);
+}
+
+static int skel_chdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return vfswrap_chdir(NULL, conn, path);
+}
+
+static char *skel_getwd(vfs_handle_struct *handle, connection_struct *conn, char *buf)
+{
+ return vfswrap_getwd(NULL, conn, buf);
+}
+
+static int skel_utime(vfs_handle_struct *handle, connection_struct *conn, const char *path, struct utimbuf *times)
+{
+ return vfswrap_utime(NULL, conn, path, times);
+}
+
+static int skel_ftruncate(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_OFF_T offset)
+{
+ return vfswrap_ftruncate(NULL, fsp, fd, offset);
+}
+
+static BOOL skel_lock(vfs_handle_struct *handle, files_struct *fsp, int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
+{
+ return vfswrap_lock(NULL, fsp, fd, op, offset, count, type);
+}
+
+static BOOL skel_symlink(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
+{
+ return vfswrap_symlink(NULL, conn, oldpath, newpath);
+}
+
+static BOOL skel_readlink(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *buf, size_t bufsiz)
+{
+ return vfswrap_readlink(NULL, conn, path, buf, bufsiz);
+}
+
+static int skel_link(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
+{
+ return vfswrap_link(NULL, conn, oldpath, newpath);
+}
+
+static int skel_mknod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode, SMB_DEV_T dev)
+{
+ return vfswrap_mknod(NULL, conn, path, mode, dev);
+}
+
+static char *skel_realpath(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *resolved_path)
+{
+ return vfswrap_realpath(NULL, conn, path, resolved_path);
+}
+
+static size_t skel_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info, struct security_descriptor_info **ppdesc)
+{
+ errno = ENOSYS;
+ return 0;
+}
+
+static size_t skel_get_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info, struct security_descriptor_info **ppdesc)
+{
+ errno = ENOSYS;
+ return 0;
+}
+
+static BOOL skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info_sent, struct security_descriptor_info *psd)
+{
+ errno = ENOSYS;
+ return False;
+}
+
+static BOOL skel_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info_sent, struct security_descriptor_info *psd)
+{
+ errno = ENOSYS;
+ return False;
+}
+
+static int skel_chmod_acl(vfs_handle_struct *handle, connection_struct *conn, const char *name, mode_t mode)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_get_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_get_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_get_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static void *skel_sys_acl_get_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d)
+{
+ errno = ENOSYS;
+ return NULL;
+}
+
+static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle, connection_struct *conn, const char *path_p, SMB_ACL_TYPE_T type)
+{
+ errno = ENOSYS;
+ return NULL;
+}
+
+static SMB_ACL_T skel_sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ errno = ENOSYS;
+ return NULL;
+}
+
+static int skel_sys_acl_clear_perms(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_add_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static char *skel_sys_acl_to_text(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, ssize_t *plen)
+{
+ errno = ENOSYS;
+ return NULL;
+}
+
+static SMB_ACL_T skel_sys_acl_init(vfs_handle_struct *handle, connection_struct *conn, int count)
+{
+ errno = ENOSYS;
+ return NULL;
+}
+
+static int skel_sys_acl_create_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_set_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_set_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, void *qual)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_set_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_valid(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl )
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_set_file(vfs_handle_struct *handle, connection_struct *conn, const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_ACL_T theacl)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_delete_def_file(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_get_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_free_text(vfs_handle_struct *handle, connection_struct *conn, char *text)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_free_acl(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T posix_acl)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_sys_acl_free_qualifier(vfs_handle_struct *handle, connection_struct *conn, void *qualifier, SMB_ACL_TAG_T tagtype)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_getxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_lgetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t
+size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_fgetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, void *value, size_t size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_listxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_llistxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static ssize_t skel_flistxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, char *list, size_t size)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_removexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_lremovexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_fremovexattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_setxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_lsetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+static int skel_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, const void *value, size_t size, int flags)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+/* VFS operations structure */
+
+static vfs_op_tuple skel_op_tuples[] = {
+
+ /* Disk operations */
+
+ {SMB_VFS_OP(skel_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_disk_free), SMB_VFS_OP_DISK_FREE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_get_quota), SMB_VFS_OP_GET_QUOTA, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_set_quota), SMB_VFS_OP_SET_QUOTA, SMB_VFS_LAYER_OPAQUE},
+
+ /* Directory operations */
+
+ {SMB_VFS_OP(skel_opendir), SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_readdir), SMB_VFS_OP_READDIR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_mkdir), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_rmdir), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_closedir), SMB_VFS_OP_CLOSEDIR, SMB_VFS_LAYER_OPAQUE},
+
+ /* File operations */
+
+ {SMB_VFS_OP(skel_open), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_close), SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_read), SMB_VFS_OP_READ, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_write), SMB_VFS_OP_WRITE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lseek), SMB_VFS_OP_LSEEK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fsync), SMB_VFS_OP_FSYNC, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_chmod), SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fchmod), SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_chown), SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fchown), SMB_VFS_OP_FCHOWN, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_chdir), SMB_VFS_OP_CHDIR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_getwd), SMB_VFS_OP_GETWD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_utime), SMB_VFS_OP_UTIME, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_ftruncate), SMB_VFS_OP_FTRUNCATE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lock), SMB_VFS_OP_LOCK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_symlink), SMB_VFS_OP_SYMLINK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_readlink), SMB_VFS_OP_READLINK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_link), SMB_VFS_OP_LINK, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_mknod), SMB_VFS_OP_MKNOD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_realpath), SMB_VFS_OP_REALPATH, SMB_VFS_LAYER_OPAQUE},
+
+ /* NT File ACL operations */
+
+ {SMB_VFS_OP(skel_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_set_nt_acl), SMB_VFS_OP_SET_NT_ACL, SMB_VFS_LAYER_OPAQUE},
+
+ /* POSIX ACL operations */
+
+ {SMB_VFS_OP(skel_chmod_acl), SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fchmod_acl), SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_OPAQUE},
+
+ {SMB_VFS_OP(skel_sys_acl_get_entry), SMB_VFS_OP_SYS_ACL_GET_ENTRY, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_tag_type), SMB_VFS_OP_SYS_ACL_GET_TAG_TYPE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_permset), SMB_VFS_OP_SYS_ACL_GET_PERMSET, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_qualifier), SMB_VFS_OP_SYS_ACL_GET_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_file), SMB_VFS_OP_SYS_ACL_GET_FILE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_fd), SMB_VFS_OP_SYS_ACL_GET_FD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_clear_perms), SMB_VFS_OP_SYS_ACL_CLEAR_PERMS, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_add_perm), SMB_VFS_OP_SYS_ACL_ADD_PERM, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_to_text), SMB_VFS_OP_SYS_ACL_TO_TEXT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_init), SMB_VFS_OP_SYS_ACL_INIT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_create_entry), SMB_VFS_OP_SYS_ACL_CREATE_ENTRY, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_set_tag_type), SMB_VFS_OP_SYS_ACL_SET_TAG_TYPE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_set_qualifier), SMB_VFS_OP_SYS_ACL_SET_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_set_permset), SMB_VFS_OP_SYS_ACL_SET_PERMSET, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_valid), SMB_VFS_OP_SYS_ACL_VALID, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_set_file), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_set_fd), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_delete_def_file), SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_get_perm), SMB_VFS_OP_SYS_ACL_GET_PERM, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_free_text), SMB_VFS_OP_SYS_ACL_FREE_TEXT, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_free_acl), SMB_VFS_OP_SYS_ACL_FREE_ACL, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_sys_acl_free_qualifier), SMB_VFS_OP_SYS_ACL_FREE_QUALIFIER, SMB_VFS_LAYER_OPAQUE},
+
+ /* EA operations. */
+ {SMB_VFS_OP(skel_getxattr), SMB_VFS_OP_GETXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lgetxattr), SMB_VFS_OP_LGETXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fgetxattr), SMB_VFS_OP_FGETXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_listxattr), SMB_VFS_OP_LISTXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_llistxattr), SMB_VFS_OP_LLISTXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_flistxattr), SMB_VFS_OP_FLISTXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_removexattr), SMB_VFS_OP_REMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lremovexattr), SMB_VFS_OP_LREMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fremovexattr), SMB_VFS_OP_FREMOVEXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_setxattr), SMB_VFS_OP_SETXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_lsetxattr), SMB_VFS_OP_LSETXATTR, SMB_VFS_LAYER_OPAQUE},
+ {SMB_VFS_OP(skel_fsetxattr), SMB_VFS_OP_FSETXATTR, SMB_VFS_LAYER_OPAQUE},
+
+ {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+NTSTATUS init_module(void)
+{
+ return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "skel_opaque", skel_op_tuples);
+}
--- /dev/null
+/*
+ * Skeleton VFS module. Implements passthrough operation of all VFS
+ * calls to disk functions.
+ *
+ * Copyright (C) Tim Potter, 1999-2000
+ * Copyright (C) Alexander Bokovoy, 2002
+ * Copyright (C) Stefan (metze) Metzmacher, 2003
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+
+#include "includes.h"
+
+/* PLEASE,PLEASE READ THE VFS MODULES CHAPTER OF THE
+ SAMBA DEVELOPERS GUIDE!!!!!!
+ */
+
+/* If you take this file as template for your module
+ * please make sure that you remove all functions you didn't
+ * want to implement!!
+ *
+ * This passthrough operations are useless in reall vfs modules!
+ *
+ * --metze
+ */
+
+static int skel_connect(vfs_handle_struct *handle, connection_struct *conn, const char *service, const char *user)
+{
+ return SMB_VFS_NEXT_CONNECT(handle, conn, service, user);
+}
+
+static void skel_disconnect(vfs_handle_struct *handle, connection_struct *conn)
+{
+ SMB_VFS_NEXT_DISCONNECT(handle, conn);
+}
+
+static SMB_BIG_UINT skel_disk_free(vfs_handle_struct *handle, connection_struct *conn, const char *path,
+ BOOL small_query, SMB_BIG_UINT *bsize,
+ SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize)
+{
+ return SMB_VFS_NEXT_DISK_FREE(handle, conn, path, small_query, bsize,
+ dfree, dsize);
+}
+
+static int skel_get_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
+{
+ return SMB_VFS_NEXT_GET_QUOTA(handle, conn, qtype, id, dq);
+}
+
+static int skel_set_quota(vfs_handle_struct *handle, connection_struct *conn, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq)
+{
+ return SMB_VFS_NEXT_SET_QUOTA(handle, conn, qtype, id, dq);
+}
+
+static DIR *skel_opendir(vfs_handle_struct *handle, connection_struct *conn, const char *fname)
+{
+ return SMB_VFS_NEXT_OPENDIR(handle, conn, fname);
+}
+
+static struct dirent *skel_readdir(vfs_handle_struct *handle, connection_struct *conn, DIR *dirp)
+{
+ return SMB_VFS_NEXT_READDIR(handle, conn, dirp);
+}
+
+static int skel_mkdir(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
+{
+ return SMB_VFS_NEXT_MKDIR(handle, conn, path, mode);
+}
+
+static int skel_rmdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return SMB_VFS_NEXT_RMDIR(handle, conn, path);
+}
+
+static int skel_closedir(vfs_handle_struct *handle, connection_struct *conn, DIR *dir)
+{
+ return SMB_VFS_NEXT_CLOSEDIR(handle, conn, dir);
+}
+
+static int skel_open(vfs_handle_struct *handle, connection_struct *conn, const char *fname, int flags, mode_t mode)
+{
+ return SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode);
+}
+
+static int skel_close(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return SMB_VFS_NEXT_CLOSE(handle, fsp, fd);
+}
+
+static ssize_t skel_read(vfs_handle_struct *handle, files_struct *fsp, int fd, void *data, size_t n)
+{
+ return SMB_VFS_NEXT_READ(handle, fsp, fd, data, n);
+}
+
+static ssize_t skel_write(vfs_handle_struct *handle, files_struct *fsp, int fd, const void *data, size_t n)
+{
+ return SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n);
+}
+
+static SMB_OFF_T skel_lseek(vfs_handle_struct *handle, files_struct *fsp, int filedes, SMB_OFF_T offset, int whence)
+{
+ return SMB_VFS_NEXT_LSEEK(handle, fsp, filedes, offset, whence);
+}
+
+static int skel_rename(vfs_handle_struct *handle, connection_struct *conn, const char *old, const char *new)
+{
+ return SMB_VFS_NEXT_RENAME(handle, conn, old, new);
+}
+
+static int skel_fsync(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return SMB_VFS_NEXT_FSYNC(handle, fsp, fd);
+}
+
+static int skel_stat(vfs_handle_struct *handle, connection_struct *conn, const char *fname, SMB_STRUCT_STAT *sbuf)
+{
+ return SMB_VFS_NEXT_STAT(handle, conn, fname, sbuf);
+}
+
+static int skel_fstat(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_STRUCT_STAT *sbuf)
+{
+ return SMB_VFS_NEXT_FSTAT(handle, fsp, fd, sbuf);
+}
+
+static int skel_lstat(vfs_handle_struct *handle, connection_struct *conn, const char *path, SMB_STRUCT_STAT *sbuf)
+{
+ return SMB_VFS_NEXT_LSTAT(handle, conn, path, sbuf);
+}
+
+static int skel_unlink(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return SMB_VFS_NEXT_UNLINK(handle, conn, path);
+}
+
+static int skel_chmod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode)
+{
+ return SMB_VFS_NEXT_CHMOD(handle, conn, path, mode);
+}
+
+static int skel_fchmod(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
+{
+ return SMB_VFS_NEXT_FCHMOD(handle, fsp, fd, mode);
+}
+
+static int skel_chown(vfs_handle_struct *handle, connection_struct *conn, const char *path, uid_t uid, gid_t gid)
+{
+ return SMB_VFS_NEXT_CHOWN(handle, conn, path, uid, gid);
+}
+
+static int skel_fchown(vfs_handle_struct *handle, files_struct *fsp, int fd, uid_t uid, gid_t gid)
+{
+ return SMB_VFS_NEXT_FCHOWN(handle, fsp, fd, uid, gid);
+}
+
+static int skel_chdir(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return SMB_VFS_NEXT_CHDIR(handle, conn, path);
+}
+
+static char *skel_getwd(vfs_handle_struct *handle, connection_struct *conn, char *buf)
+{
+ return SMB_VFS_NEXT_GETWD(handle, conn, buf);
+}
+
+static int skel_utime(vfs_handle_struct *handle, connection_struct *conn, const char *path, struct utimbuf *times)
+{
+ return SMB_VFS_NEXT_UTIME(handle, conn, path, times);
+}
+
+static int skel_ftruncate(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_OFF_T offset)
+{
+ return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, fd, offset);
+}
+
+static BOOL skel_lock(vfs_handle_struct *handle, files_struct *fsp, int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
+{
+ return SMB_VFS_NEXT_LOCK(handle, fsp, fd, op, offset, count, type);
+}
+
+static BOOL skel_symlink(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
+{
+ return SMB_VFS_NEXT_SYMLINK(handle, conn, oldpath, newpath);
+}
+
+static BOOL skel_readlink(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *buf, size_t bufsiz)
+{
+ return SMB_VFS_NEXT_READLINK(handle, conn, path, buf, bufsiz);
+}
+
+static int skel_link(vfs_handle_struct *handle, connection_struct *conn, const char *oldpath, const char *newpath)
+{
+ return SMB_VFS_NEXT_LINK(handle, conn, oldpath, newpath);
+}
+
+static int skel_mknod(vfs_handle_struct *handle, connection_struct *conn, const char *path, mode_t mode, SMB_DEV_T dev)
+{
+ return SMB_VFS_NEXT_MKNOD(handle, conn, path, mode, dev);
+}
+
+static char *skel_realpath(vfs_handle_struct *handle, connection_struct *conn, const char *path, char *resolved_path)
+{
+ return SMB_VFS_NEXT_REALPATH(handle, conn, path, resolved_path);
+}
+
+static size_t skel_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info, struct security_descriptor_info **ppdesc)
+{
+ return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, fd, security_info, ppdesc);
+}
+
+static size_t skel_get_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info, struct security_descriptor_info **ppdesc)
+{
+ return SMB_VFS_NEXT_GET_NT_ACL(handle, fsp, name, security_info, ppdesc);
+}
+
+static BOOL skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, uint32 security_info_sent, struct security_descriptor_info *psd)
+{
+ return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, fd, security_info_sent, psd);
+}
+
+static BOOL skel_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp, const char *name, uint32 security_info_sent, struct security_descriptor_info *psd)
+{
+ return SMB_VFS_NEXT_SET_NT_ACL(handle, fsp, name, security_info_sent, psd);
+}
+
+static int skel_chmod_acl(vfs_handle_struct *handle, connection_struct *conn, const char *name, mode_t mode)
+{
+ /* If the underlying VFS doesn't have ACL support... */
+ if (!handle->vfs_next.ops.chmod_acl) {
+ errno = ENOSYS;
+ return -1;
+ }
+ return SMB_VFS_NEXT_CHMOD_ACL(handle, conn, name, mode);
+}
+
+static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, int fd, mode_t mode)
+{
+ /* If the underlying VFS doesn't have ACL support... */
+ if (!handle->vfs_next.ops.fchmod_acl) {
+ errno = ENOSYS;
+ return -1;
+ }
+ return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, fd, mode);
+}
+
+static int skel_sys_acl_get_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_ENTRY(handle, conn, theacl, entry_id, entry_p);
+}
+
+static int skel_sys_acl_get_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_TAG_TYPE(handle, conn, entry_d, tag_type_p);
+}
+
+static int skel_sys_acl_get_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_PERMSET(handle, conn, entry_d, permset_p);
+}
+
+static void *skel_sys_acl_get_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry_d)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_QUALIFIER(handle, conn, entry_d);
+}
+
+static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle, connection_struct *conn, const char *path_p, SMB_ACL_TYPE_T type)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_FILE(handle, conn, path_p, type);
+}
+
+static SMB_ACL_T skel_sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp, int fd)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, fd);
+}
+
+static int skel_sys_acl_clear_perms(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset)
+{
+ return SMB_VFS_NEXT_SYS_ACL_CLEAR_PERMS(handle, conn, permset);
+}
+
+static int skel_sys_acl_add_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+ return SMB_VFS_NEXT_SYS_ACL_ADD_PERM(handle, conn, permset, perm);
+}
+
+static char *skel_sys_acl_to_text(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl, ssize_t *plen)
+{
+ return SMB_VFS_NEXT_SYS_ACL_TO_TEXT(handle, conn, theacl, plen);
+}
+
+static SMB_ACL_T skel_sys_acl_init(vfs_handle_struct *handle, connection_struct *conn, int count)
+{
+ return SMB_VFS_NEXT_SYS_ACL_INIT(handle, conn, count);
+}
+
+static int skel_sys_acl_create_entry(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T *pacl, SMB_ACL_ENTRY_T *pentry)
+{
+ return SMB_VFS_NEXT_SYS_ACL_CREATE_ENTRY(handle, conn, pacl, pentry);
+}
+
+static int skel_sys_acl_set_tag_type(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T tagtype)
+{
+ return SMB_VFS_NEXT_SYS_ACL_SET_TAG_TYPE(handle, conn, entry, tagtype);
+}
+
+static int skel_sys_acl_set_qualifier(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, void *qual)
+{
+ return SMB_VFS_NEXT_SYS_ACL_SET_QUALIFIER(handle, conn, entry, qual);
+}
+
+static int skel_sys_acl_set_permset(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_ENTRY_T entry, SMB_ACL_PERMSET_T permset)
+{
+ return SMB_VFS_NEXT_SYS_ACL_SET_PERMSET(handle, conn, entry, permset);
+}
+
+static int skel_sys_acl_valid(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T theacl )
+{
+ return SMB_VFS_NEXT_SYS_ACL_VALID(handle, conn, theacl);
+}
+
+static int skel_sys_acl_set_file(vfs_handle_struct *handle, connection_struct *conn, const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
+{
+ return SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, conn, name, acltype, theacl);
+}
+
+static int skel_sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp, int fd, SMB_ACL_T theacl)
+{
+ return SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, fd, theacl);
+}
+
+static int skel_sys_acl_delete_def_file(vfs_handle_struct *handle, connection_struct *conn, const char *path)
+{
+ return SMB_VFS_NEXT_SYS_ACL_DELETE_DEF_FILE(handle, conn, path);
+}
+
+static int skel_sys_acl_get_perm(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
+{
+ return SMB_VFS_NEXT_SYS_ACL_GET_PERM(handle, conn, permset, perm);
+}
+
+static int skel_sys_acl_free_text(vfs_handle_struct *handle, connection_struct *conn, char *text)
+{
+ return SMB_VFS_NEXT_SYS_ACL_FREE_TEXT(handle, conn, text);
+}
+
+static int skel_sys_acl_free_acl(vfs_handle_struct *handle, connection_struct *conn, SMB_ACL_T posix_acl)
+{
+ return SMB_VFS_NEXT_SYS_ACL_FREE_ACL(handle, conn, posix_acl);
+}
+
+static int skel_sys_acl_free_qualifier(vfs_handle_struct *handle, connection_struct *conn, void *qualifier, SMB_ACL_TAG_T tagtype)
+{
+ return SMB_VFS_NEXT_SYS_ACL_FREE_QUALIFIER(handle, conn, qualifier, tagtype);
+}
+
+static ssize_t skel_getxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t size)
+{
+ return SMB_VFS_NEXT_GETXATTR(handle, conn, path, name, value, size);
+}
+
+static ssize_t skel_lgetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, void *value, size_t
+size)
+{
+ return SMB_VFS_NEXT_LGETXATTR(handle, conn, path, name, value, size);
+}
+
+static ssize_t skel_fgetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, void *value, size_t size)
+{
+ return SMB_VFS_NEXT_FGETXATTR(handle, fsp, fd, name, value, size);
+}
+
+static ssize_t skel_listxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
+{
+ return SMB_VFS_NEXT_LISTXATTR(handle, conn, path, list, size);
+}
+
+static ssize_t skel_llistxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, char *list, size_t size)
+{
+ return SMB_VFS_NEXT_LLISTXATTR(handle, conn, path, list, size);
+}
+
+static ssize_t skel_flistxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, char *list, size_t size)
+{
+ return SMB_VFS_NEXT_FLISTXATTR(handle, fsp, fd, list, size);
+}
+
+static int skel_removexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
+{
+ return SMB_VFS_NEXT_REMOVEXATTR(handle, conn, path, name);
+}
+
+static int skel_lremovexattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name)
+{
+ return SMB_VFS_NEXT_LREMOVEXATTR(handle, conn, path, name);
+}
+
+static int skel_fremovexattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name)
+{
+ return SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, fd, name);
+}
+
+static int skel_setxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
+{
+ return SMB_VFS_NEXT_SETXATTR(handle, conn, path, name, value, size, flags);
+}
+
+static int skel_lsetxattr(vfs_handle_struct *handle, struct connection_struct *conn,const char *path, const char *name, const void *value, size_t size, int flags)
+{
+ return SMB_VFS_NEXT_LSETXATTR(handle, conn, path, name, value, size, flags);
+}
+
+static int skel_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp,int fd, const char *name, const void *value, size_t size, int flags)
+{
+ return SMB_VFS_NEXT_FSETXATTR(handle, fsp, fd, name, value, size, flags);
+}
+
+/* VFS operations structure */
+
+static vfs_op_tuple skel_op_tuples[] = {
+
+ /* Disk operations */
+
+ {SMB_VFS_OP(skel_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_disk_free), SMB_VFS_OP_DISK_FREE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_get_quota), SMB_VFS_OP_GET_QUOTA, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_set_quota), SMB_VFS_OP_SET_QUOTA, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* Directory operations */
+
+ {SMB_VFS_OP(skel_opendir), SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_readdir), SMB_VFS_OP_READDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_mkdir), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_rmdir), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_closedir), SMB_VFS_OP_CLOSEDIR, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* File operations */
+
+ {SMB_VFS_OP(skel_open), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_close), SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_read), SMB_VFS_OP_READ, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_write), SMB_VFS_OP_WRITE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lseek), SMB_VFS_OP_LSEEK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_rename), SMB_VFS_OP_RENAME, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fsync), SMB_VFS_OP_FSYNC, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_stat), SMB_VFS_OP_STAT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fstat), SMB_VFS_OP_FSTAT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lstat), SMB_VFS_OP_LSTAT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_chmod), SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fchmod), SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_chown), SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fchown), SMB_VFS_OP_FCHOWN, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_chdir), SMB_VFS_OP_CHDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_getwd), SMB_VFS_OP_GETWD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_utime), SMB_VFS_OP_UTIME, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_ftruncate), SMB_VFS_OP_FTRUNCATE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lock), SMB_VFS_OP_LOCK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_symlink), SMB_VFS_OP_SYMLINK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_readlink), SMB_VFS_OP_READLINK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_link), SMB_VFS_OP_LINK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_mknod), SMB_VFS_OP_MKNOD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_realpath), SMB_VFS_OP_REALPATH, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* NT File ACL operations */
+
+ {SMB_VFS_OP(skel_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_set_nt_acl), SMB_VFS_OP_SET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* POSIX ACL operations */
+
+ {SMB_VFS_OP(skel_chmod_acl), SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fchmod_acl), SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_TRANSPARENT},
+
+ {SMB_VFS_OP(skel_sys_acl_get_entry), SMB_VFS_OP_SYS_ACL_GET_ENTRY, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_tag_type), SMB_VFS_OP_SYS_ACL_GET_TAG_TYPE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_permset), SMB_VFS_OP_SYS_ACL_GET_PERMSET, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_qualifier), SMB_VFS_OP_SYS_ACL_GET_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_file), SMB_VFS_OP_SYS_ACL_GET_FILE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_fd), SMB_VFS_OP_SYS_ACL_GET_FD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_clear_perms), SMB_VFS_OP_SYS_ACL_CLEAR_PERMS, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_add_perm), SMB_VFS_OP_SYS_ACL_ADD_PERM, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_to_text), SMB_VFS_OP_SYS_ACL_TO_TEXT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_init), SMB_VFS_OP_SYS_ACL_INIT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_create_entry), SMB_VFS_OP_SYS_ACL_CREATE_ENTRY, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_set_tag_type), SMB_VFS_OP_SYS_ACL_SET_TAG_TYPE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_set_qualifier), SMB_VFS_OP_SYS_ACL_SET_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_set_permset), SMB_VFS_OP_SYS_ACL_SET_PERMSET, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_valid), SMB_VFS_OP_SYS_ACL_VALID, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_set_file), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_set_fd), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_delete_def_file), SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_get_perm), SMB_VFS_OP_SYS_ACL_GET_PERM, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_free_text), SMB_VFS_OP_SYS_ACL_FREE_TEXT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_free_acl), SMB_VFS_OP_SYS_ACL_FREE_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_sys_acl_free_qualifier), SMB_VFS_OP_SYS_ACL_FREE_QUALIFIER, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* EA operations. */
+ {SMB_VFS_OP(skel_getxattr), SMB_VFS_OP_GETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lgetxattr), SMB_VFS_OP_LGETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fgetxattr), SMB_VFS_OP_FGETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_listxattr), SMB_VFS_OP_LISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_llistxattr), SMB_VFS_OP_LLISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_flistxattr), SMB_VFS_OP_FLISTXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_removexattr), SMB_VFS_OP_REMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lremovexattr), SMB_VFS_OP_LREMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fremovexattr), SMB_VFS_OP_FREMOVEXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_setxattr), SMB_VFS_OP_SETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_lsetxattr), SMB_VFS_OP_LSETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(skel_fsetxattr), SMB_VFS_OP_FSETXATTR, SMB_VFS_LAYER_TRANSPARENT},
+
+ {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+NTSTATUS init_module(void)
+{
+ return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "skel_transparent", skel_op_tuples);
+}
--- /dev/null
+<!ELEMENT samba:crypt (#PCDATA)* >
+<!ATTLIST samba:crypt type CDATA #REQUIRED >
+
+<!ELEMENT samba:password (samba:crypt*) >
+<!ATTLIST samba:password last_set CDATA #IMPLIED
+ must_change CDATA #IMPLIED
+ can_change CDATA #IMPLIED>
+
+<!ELEMENT samba:group (#PCDATA)* >
+<!ATTLIST samba:group sid CDATA #REQUIRED
+ gid CDATA #IMPLIED >
+
+<!ELEMENT samba:domain (#PCDATA)* >
+<!ELEMENT samba:fullname (#PCDATA)* >
+<!ELEMENT samba:nt_username (#PCDATA)* >
+<!ELEMENT samba:logon_script (#PCDATA)* >
+<!ELEMENT samba:profile_path (#PCDATA)* >
+<!ELEMENT samba:logon_time (#PCDATA)* >
+<!ELEMENT samba:logoff_time (#PCDATA)* >
+<!ELEMENT samba:kickoff_time (#PCDATA)* >
+<!ELEMENT samba:logon_divs (#PCDATA)* >
+<!ELEMENT samba:hours_len (#PCDATA)* >
+<!ELEMENT samba:unknown_3 (#PCDATA)* >
+<!ELEMENT samba:unknown_5 (#PCDATA)* >
+<!ELEMENT samba:unknown_6 (#PCDATA)* >
+<!ELEMENT samba:homedir (#PCDATA)* >
+<!ELEMENT samba:unknown_str (#PCDATA)* >
+<!ELEMENT samba:dir_drive (#PCDATA)* >
+<!ELEMENT samba:munged_dial (#PCDATA)* >
+<!ELEMENT samba:acct_desc (#PCDATA)* >
+<!ELEMENT samba:acct_ctrl (#PCDATA)* >
+<!ELEMENT samba:workstations (#PCDATA)* >
+
+<!ELEMENT samba:user ( samba:group?, samba:domain?, samba:nt_username?, samba:fullname?, samba:homedir?, samba:dir_drive?, samba:logon_script?, samba:profile_path?, samba:password?, samba:acct_ctrl?,samba:unknown_3?, samba:logon_divs?, samba:hours_len?, samba:logon_time?, samba:logoff_time?, samba:kickoff_time?, samba:unknown_5?, samba:unknown_6?, samba:unknown_str?, samba:munged_dial?, samba:acct_desc?, samba:workstations? ) >
+
+<!ATTLIST samba:user sid CDATA #REQUIRED
+ uid CDATA #IMPLIED
+ name CDATA #REQUIRED>
+
+<!ELEMENT samba:users (samba:user*) >
+
+<!ELEMENT samba (samba:users?) >
+
+<!ATTLIST samba
+ xmlns CDATA #FIXED 'http://samba.org/~jelmer/sambapdb.dtd'>
+
--- /dev/null
+--- samba_3_0/source/Makefile.in.orig 2003-07-15 12:26:55.000000000 -0400
++++ samba_3_0/source/Makefile.in 2003-07-15 12:26:57.000000000 -0400
+@@ -32,7 +32,6 @@
+ ACLLIBS=@ACLLIBS@
+ PASSDBLIBS=@PASSDBLIBS@
+ IDMAP_LIBS=@IDMAP_LIBS@
+-ADSLIBS=@ADSLIBS@
+ KRB5LIBS=@KRB5_LIBS@
+ LDAPLIBS=@LDAP_LIBS@
+
+@@ -735,12 +734,12 @@
+
+ bin/smbd@EXEEXT@: $(SMBD_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(SMBD_OBJ) $(ADSLIBS) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
++ @$(CC) $(FLAGS) -o $@ $(SMBD_OBJ) $(KRB5LIBS) $(LDAPLIBS) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
+ $(AUTHLIBS) $(ACLLIBS) $(PASSDBLIBS) $(LIBS) @POPTLIBS@
+
+ bin/nmbd@EXEEXT@: $(NMBD_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(NMBD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(ADSLIBS)
++ @$(CC) $(FLAGS) -o $@ $(NMBD_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/wrepld@EXEEXT@: $(WREPL_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+@@ -749,19 +748,19 @@
+ bin/swat@EXEEXT@: $(SWAT_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+ @$(CC) $(FLAGS) -o $@ $(SWAT_OBJ) $(LDFLAGS) $(DYNEXP) $(PRINTLIBS) \
+- $(AUTHLIBS) $(LIBS) $(PASSDBLIBS) @POPTLIBS@ $(KRB5LIBS)
++ $(AUTHLIBS) $(LIBS) $(PASSDBLIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/rpcclient@EXEEXT@: $(RPCCLIENT_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(PASSDBLIBS) $(RPCCLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(ADSLIBS)
++ @$(CC) $(FLAGS) -o $@ $(PASSDBLIBS) $(RPCCLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/smbclient@EXEEXT@: $(CLIENT_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(CLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(ADSLIBS)
++ @$(CC) $(FLAGS) -o $@ $(CLIENT_OBJ) $(LDFLAGS) $(DYNEXP) $(TERMLDFLAGS) $(TERMLIBS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/net@EXEEXT@: $(NET_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(ADSLIBS) $(PASSDBLIBS)
++ @$(CC) $(FLAGS) -o $@ $(NET_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS) $(PASSDBLIBS)
+
+ bin/profiles@EXEEXT@: $(PROFILES_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+@@ -809,7 +808,7 @@
+
+ bin/smbpasswd@EXEEXT@: $(SMBPASSWD_OBJ) bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS)
++ @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+@@ -881,7 +880,7 @@
+
+ bin/smbw_sample@EXEEXT@: $(SMBW_OBJ) utils/smbw_sample.o bin/.dummy
+ @echo Linking $@
+- @$(CC) $(FLAGS) -o $@ $(SMBW_OBJ) utils/smbw_sample.o $(LDFLAGS) $(LIBS) $(KRB5LIBS)
++ @$(CC) $(FLAGS) -o $@ $(SMBW_OBJ) utils/smbw_sample.o $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+
+ bin/smbsh@EXEEXT@: $(SMBSH_OBJ) bin/.dummy
+ @echo Linking $@
+@@ -890,12 +889,14 @@
+ bin/smbwrapper.@SHLIBEXT@: $(PICOBJS) bin/.dummy
+ @echo Linking shared library $@
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(PICOBJS) $(LIBS) \
+- @SONAMEFLAG@`basename $@` $(KRB5LIBS)
++ $(KRB5LIBS) $(LDAPLIBS) \
++ @SONAMEFLAG@`basename $@`
+
+ bin/libsmbclient.@SHLIBEXT@: $(LIBSMBCLIENT_PICOBJS)
+ @echo Linking libsmbclient shared library $@
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(LIBSMBCLIENT_PICOBJS) $(LDFLAGS) $(LIBS) \
+- $(KRB5LIBS) @SONAMEFLAG@`basename $@`.$(LIBSMBCLIENT_MAJOR)
++ $(KRB5LIBS) $(LDAPLIBS) \
++ @SONAMEFLAG@`basename $@`.$(LIBSMBCLIENT_MAJOR)
+
+ bin/libsmbclient.a: $(LIBSMBCLIENT_PICOBJS)
+ @echo Linking libsmbclient non-shared library $@
+@@ -905,7 +906,8 @@
+ bin/libbigballofmud.@SHLIBEXT@: $(LIBBIGBALLOFMUD_PICOBJS)
+ @echo Linking bigballofmud shared library $@
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(LIBBIGBALLOFMUD_PICOBJS) $(LIBS) \
+- @SONAMEFLAG@`basename $@`.$(LIBBIGBALLOFMUD_MAJOR) $(PASSDBLIBS) $(IDMAP_LIBS) $(ADSLIBS)
++ $(PASSDBLIBS) $(IDMAP_LIBS) $(KRB5LIBS) $(LDAPLIBS) \
++ @SONAMEFLAG@`basename $@`.$(LIBBIGBALLOFMUD_MAJOR)
+ ln -snf libbigballofmud.so bin/libbigballofmud.so.0
+
+ # It would be nice to build a static bigballofmud too, but when I try
+diff -uNr samba-3.0.0beta2.orig/source/aclocal.m4 samba-3.0.0beta2/source/aclocal.m4
+--- samba-3.0.0beta2.orig/source/aclocal.m4 2003-07-01 15:44:25.000000000 -0500
++++ samba-3.0.0beta2/source/aclocal.m4 2003-07-05 16:22:30.000000000 -0500
+@@ -111,6 +111,113 @@
+ esac
+ ])
+
++# AC_CHECK_LIB_EXT(LIBRARY, [EXT_LIBS], [FUNCTION],
++# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND],
++# [ADD-ACTION-IF-FOUND],[OTHER-LIBRARIES])
++# ------------------------------------------------------
++#
++# Use a cache variable name containing both the library and function name,
++# because the test really is for library $1 defining function $3, not
++# just for library $1. Separate tests with the same $1 and different $3s
++# may have different results.
++#
++# Note that using directly AS_VAR_PUSHDEF([ac_Lib], [ac_cv_lib_$1_$3])
++# is asking for troubles, since AC_CHECK_LIB($lib, fun) would give
++# ac_cv_lib_$lib_fun, which is definitely not what was meant. Hence
++# the AS_LITERAL_IF indirection.
++#
++# FIXME: This macro is extremely suspicious. It DEFINEs unconditionnally,
++# whatever the FUNCTION, in addition to not being a *S macro. Note
++# that the cache does depend upon the function we are looking for.
++#
++# It is on purpose we used `ac_check_lib_ext_save_LIBS' and not just
++# `ac_save_LIBS': there are many macros which don't want to see `LIBS'
++# changed but still want to use AC_CHECK_LIB_EXT, so they save `LIBS'.
++# And ``ac_save_LIBS' is too tempting a name, so let's leave them some
++# freedom.
++AC_DEFUN([AC_CHECK_LIB_EXT],
++[
++AH_CHECK_LIB_EXT([$1])
++ac_check_lib_ext_save_LIBS=$LIBS
++LIBS="-l$1 $$2 $7 $LIBS"
++AS_LITERAL_IF([$1],
++ [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1])],
++ [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1''])])dnl
++
++m4_ifval([$3],
++ [
++ AH_CHECK_FUNC_EXT([$3])
++ AS_LITERAL_IF([$1],
++ [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1_$3])],
++ [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1''_$3])])dnl
++ AC_CACHE_CHECK([for $3 in -l$1], ac_Lib_func,
++ [AC_TRY_LINK_FUNC($3,
++ [AS_VAR_SET(ac_Lib_func, yes);
++ AS_VAR_SET(ac_Lib_ext, yes)],
++ [AS_VAR_SET(ac_Lib_func, no);
++ AS_VAR_SET(ac_Lib_ext, no)])
++ ])
++ AS_IF([test AS_VAR_GET(ac_Lib_func) = yes],
++ [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_$3))])dnl
++ AS_VAR_POPDEF([ac_Lib_func])dnl
++ ],[
++ AC_CACHE_CHECK([for -l$1], ac_Lib_ext,
++ [AC_TRY_LINK_FUNC([main],
++ [AS_VAR_SET(ac_Lib_ext, yes)],
++ [AS_VAR_SET(ac_Lib_ext, no)])
++ ])
++ ])
++LIBS=$ac_check_lib_ext_save_LIBS
++
++AS_IF([test AS_VAR_GET(ac_Lib_ext) = yes],
++ [m4_default([$4],
++ [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_LIB$1))
++ case "$$2" in
++ *-l$1*)
++ ;;
++ *)
++ $2="$$2 -l$1"
++ ;;
++ esac])
++ [$6]
++ ],
++ [$5])dnl
++AS_VAR_POPDEF([ac_Lib_ext])dnl
++])# AC_CHECK_LIB_EXT
++
++# AH_CHECK_LIB_EXT(LIBNAME)
++# ---------------------
++m4_define([AH_CHECK_LIB_EXT],
++[AH_TEMPLATE(AS_TR_CPP(HAVE_LIB$1),
++ [Define to 1 if you have the `]$1[' library (-l]$1[).])])
++
++# AC_CHECK_FUNCS_EXT(FUNCTION, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
++# -----------------------------------------------------------------
++dnl check for a function in a $LIBS and $OTHER_LIBS libraries variable.
++dnl AC_CHECK_FUNC_EXT(func,OTHER_LIBS,IF-TRUE,IF-FALSE)
++AC_DEFUN([AC_CHECK_FUNC_EXT],
++[
++ AH_CHECK_FUNC_EXT($1)
++ ac_check_func_ext_save_LIBS=$LIBS
++ LIBS="$2 $LIBS"
++ AS_VAR_PUSHDEF([ac_var], [ac_cv_func_ext_$1])dnl
++ AC_CACHE_CHECK([for $1], ac_var,
++ [AC_LINK_IFELSE([AC_LANG_FUNC_LINK_TRY([$1])],
++ [AS_VAR_SET(ac_var, yes)],
++ [AS_VAR_SET(ac_var, no)])])
++ LIBS=$ac_check_func_ext_save_LIBS
++ AS_IF([test AS_VAR_GET(ac_var) = yes],
++ [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1])) $3],
++ [$4])dnl
++AS_VAR_POPDEF([ac_var])dnl
++])# AC_CHECK_FUNC
++
++# AH_CHECK_FUNC_EXT(FUNCNAME)
++# ---------------------
++m4_define([AH_CHECK_FUNC_EXT],
++[AH_TEMPLATE(AS_TR_CPP(HAVE_$1),
++ [Define to 1 if you have the `]$1[' function.])])
++
+ dnl Define an AC_DEFINE with ifndef guard.
+ dnl AC_N_DEFINE(VARIABLE [, VALUE])
+ define(AC_N_DEFINE,
+diff -uNr samba-3.0.0beta2.orig/source/configure.in samba-3.0.0beta2/source/configure.in
+--- samba-3.0.0beta2.orig/source/configure.in 2003-07-05 16:22:00.000000000 -0500
++++ samba-3.0.0beta2/source/configure.in 2003-07-05 16:23:53.000000000 -0500
+@@ -162,12 +162,10 @@
+ AC_SUBST(PRINTLIBS)
+ AC_SUBST(AUTHLIBS)
+ AC_SUBST(ACLLIBS)
+-AC_SUBST(ADSLIBS)
+ AC_SUBST(PASSDBLIBS)
+ AC_SUBST(IDMAP_LIBS)
+ AC_SUBST(KRB5_LIBS)
+ AC_SUBST(LDAP_LIBS)
+-AC_SUBST(LDAP_OBJ)
+ AC_SUBST(SHLIB_PROGS)
+ AC_SUBST(SMBWRAPPER)
+ AC_SUBST(EXTRA_BIN_PROGS)
+@@ -2105,14 +2103,107 @@
+ AC_MSG_RESULT(no)
+ )
+
++########################################################
++# Compile with LDAP support?
++
++with_ldap_support=auto
++AC_MSG_CHECKING([for LDAP support])
++
++AC_ARG_WITH(ldap,
++[ --with-ldap LDAP support (default yes)],
++[ case "$withval" in
++ yes|no)
++ with_ldap_support=$withval
++ ;;
++ esac ])
++
++AC_MSG_RESULT($with_ldap_support)
++
++SMBLDAP=""
++SMBLDAP_PROTO=""
++AC_SUBST(SMBLDAP)
++AC_SUBST(SMBLDAP_PROTO)
++if test x"$with_ldap_support" != x"no"; then
++
++ ##################################################################
++ # first test for ldap.h and lber.h
++ # (ldap.h is required for this test)
++ AC_CHECK_HEADERS(ldap.h lber.h)
++
++ if test x"$ac_cv_header_ldap_h" != x"yes"; then
++ if test x"$with_ldap_support" = x"yes"; then
++ AC_MSG_ERROR(ldap.h is needed for LDAP support)
++ else
++ AC_MSG_WARN(ldap.h is needed for LDAP support)
++ fi
++
++ with_ldap_support=no
++ fi
++fi
++
++if test x"$with_ldap_support" != x"no"; then
++ ac_save_LIBS=$LIBS
++
++ ##################################################################
++ # we might need the lber lib on some systems. To avoid link errors
++ # this test must be before the libldap test
++ AC_CHECK_LIB_EXT(lber, LDAP_LIBS, ber_scanf)
++
++ ########################################################
++ # now see if we can find the ldap libs in standard paths
++ AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
++
++ AC_CHECK_FUNC_EXT(ldap_domain2hostlist,$LDAP_LIBS)
++
++ ########################################################
++ # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
++ # Check found in pam_ldap 145.
++ AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
++
++ LIBS="$LIBS $LDAP_LIBS"
++ AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, smb_ldap_cv_ldap_set_rebind_proc, [
++ AC_TRY_COMPILE([
++ #include <lber.h>
++ #include <ldap.h>],
++ [ldap_set_rebind_proc(0, 0, 0);],
++ [smb_ldap_cv_ldap_set_rebind_proc=3],
++ [smb_ldap_cv_ldap_set_rebind_proc=2]
++ )
++ ])
++
++ AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $smb_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
++
++ AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)
++
++ if test x"$ac_cv_lib_ext_ldap_ldap_init" = x"yes" -a x"$ac_cv_func_ext_ldap_domain2hostlist" = x"yes"; then
++ AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
++ default_static_modules="$default_static_modules pdb_ldap idmap_ldap";
++ SMBLDAP="lib/smbldap.o"
++ with_ldap_support=yes
++ AC_MSG_CHECKING(whether LDAP support is used)
++ AC_MSG_RESULT(yes)
++ else
++ if test x"$with_ldap_support" = x"yes"; then
++ AC_MSG_ERROR(libldap is needed for LDAP support)
++ else
++ AC_MSG_WARN(libldap is needed for LDAP support)
++ fi
++
++ LDAP_LIBS=""
++ with_ldap_support=no
++ fi
++ LIBS=$ac_save_LIBS
++fi
++
++
+ #################################################
+ # active directory support
+
+ with_ads_support=auto
+-AC_MSG_CHECKING([whether to use Active Directory])
++AC_MSG_CHECKING([for Active Directory and krb5 support])
+
+ AC_ARG_WITH(ads,
+-[ --with-ads Active Directory support (default yes)],
++[ --with-ads Active Directory support (default auto)],
+ [ case "$withval" in
+ yes|no)
+ with_ads_support="$withval"
+@@ -2124,22 +2215,28 @@
+ FOUND_KRB5=no
+ KRB5_LIBS=""
+
++if test x"$with_ldap_support" != x"yes"; then
++ if test x"$with_ads_support" = x"yes"; then
++ AC_MSG_ERROR(Active Directory Support requires LDAP support)
++ elif test x"$with_ads_support" != x"no"; then
++ AC_MSG_WARN(Active Directory Support requires LDAP support)
++ fi
++ with_ads_support=no
++fi
++
+ if test x"$with_ads_support" != x"no"; then
+
+ # Do no harm to the values of CFLAGS and LIBS while testing for
+ # Kerberos support.
+
+- ac_save_CFLAGS="$CFLAGS"
+- ac_save_LIBS="$LIBS"
+-
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for working krb5-config)
+ if test -x "$KRB5_CONFIG"; then
+- LIBS="$LIBS `$KRB5_CONFIG --libs`"
+- CFLAGS="$CFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+- CPPFLAGS="$CPPFLAGS `$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
++ KRB5_LIBS="`CFLAGS='' $KRB5_CONFIG --libs gssapi`"
++ KRB5_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
++ KRB5_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ FOUND_KRB5=yes
+ AC_MSG_RESULT(yes)
+ else
+@@ -2154,18 +2251,23 @@
+ [ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)],
+ [ case "$withval" in
+ no)
+- AC_MSG_RESULT(no)
++ AC_MSG_RESULT(no krb5-path given)
++ ;;
++ yes)
++ AC_MSG_RESULT(/usr)
++ KRB5_LIBS="-lkrb5"
++ FOUND_KRB5=yes
+ ;;
+ *)
+- AC_MSG_RESULT(yes)
+- LIBS="$LIBS -lkrb5"
+- CFLAGS="$CFLAGS -I$withval/include"
+- CPPFLAGS="$CPPFLAGS -I$withval/include"
+- LDFLAGS="$LDFLAGS -L$withval/lib"
++ AC_MSG_RESULT($withval)
++ KRB5_LIBS="-lkrb5"
++ KRB5_CFLAGS="-I$withval/include"
++ KRB5_CPPFLAGS="-I$withval/include"
++ KRB5_LDFLAGS="-L$withval/lib"
+ FOUND_KRB5=yes
+ ;;
+ esac ],
+- AC_MSG_RESULT(no)
++ AC_MSG_RESULT(no krb5-path given)
+ )
+ fi
+
+@@ -2175,15 +2277,15 @@
+ AC_MSG_CHECKING(for /usr/include/heimdal)
+ if test -d /usr/include/heimdal; then
+ if test -f /usr/lib/heimdal/lib/libkrb5.a; then
+- LIBS="$LIBS -lkrb5"
+- CFLAGS="$CFLAGS -I/usr/include/heimdal"
+- CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
+- LDFLAGS="$LDFLAGS -L/usr/lib/heimdal/lib"
++ KRB5_LIBS="-lkrb5"
++ KRB5_CFLAGS="-I/usr/include/heimdal"
++ KRB5_CPPFLAGS="-I/usr/include/heimdal"
++ KRB5_LDFLAGS="-L/usr/lib/heimdal/lib"
+ AC_MSG_RESULT(yes)
+ else
+- LIBS="$LIBS -lkrb5"
+- CFLAGS="$CFLAGS -I/usr/include/heimdal"
+- CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal"
++ KRB5_LIBS="-lkrb5"
++ KRB5_CFLAGS="-I/usr/include/heimdal"
++ KRB5_CPPFLAGS="-I/usr/include/heimdal"
+ AC_MSG_RESULT(yes)
+ fi
+ else
+@@ -2196,16 +2298,26 @@
+ # see if this box has the RedHat location for kerberos
+ AC_MSG_CHECKING(for /usr/kerberos)
+ if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
+- LIBS="$LIBS -lkrb5"
+- LDFLAGS="$LDFLAGS -L/usr/kerberos/lib"
+- CFLAGS="$CFLAGS -I/usr/kerberos/include"
+- CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
++ KRB5_LIBS="-lkrb5"
++ KRB5_LDFLAGS="-L/usr/kerberos/lib"
++ KRB5_CFLAGS="-I/usr/kerberos/include"
++ KRB5_CPPFLAGS="-I/usr/kerberos/include"
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
++ ac_save_CFLAGS=$CFLAGS
++ ac_save_CPPFLAGS=$CPPFLAGS
++ ac_save_LDFLAGS=$LDFLAGS
++
++ CFLAGS="$CFLAGS $KRB5_CFLAGS"
++ CPPFLAGS="$CPPFLAGS $KRB5_CPPFLAGS"
++ LDFLAGS="$LDFLAGS $KRB5_LDFLAGS"
++
++ KRB5_LIBS="$KRB5_LDFLAGS $KRB5_LIBS"
++
+ # now check for krb5.h. Some systems have the libraries without the headers!
+ # note that this check is done here to allow for different kerberos
+ # include paths
+@@ -2225,24 +2337,17 @@
+ # Turn off AD support and restore CFLAGS and LIBS variables
+
+ with_ads_support="no"
+-
+- CFLAGS="$ac_save_CFLAGS"
+- LIBS="$ac_save_LIBS"
+-
+- else
+-
+- # Get rid of case where $with_ads_support=auto
+-
+- with_ads_support="yes"
+-
++
++ CFLAGS=$ac_save_CFLAGS
++ CPPFLAGS=$ac_save_CPPFLAGS
++ LDFLAGS=$ac_save_LDFLAGS
+ fi
+ fi
+
+ # Now we have determined whether we really want ADS support
+
+-if test x"$with_ads_support" = x"yes"; then
+-
+- AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
++if test x"$with_ads_support" != x"no"; then
++ ac_save_LIBS=$LIBS
+
+ # now check for gssapi headers. This is also done here to allow for
+ # different kerberos include paths
+@@ -2250,62 +2355,45 @@
+
+ ##################################################################
+ # we might need the k5crypto and com_err libraries on some systems
+- AC_CHECK_LIB(com_err, _et_list)
+- AC_CHECK_LIB(k5crypto, krb5_encrypt_data)
++ AC_CHECK_LIB_EXT(com_err, KRB5_LIBS, _et_list)
++ AC_CHECK_LIB_EXT(k5crypto, KRB5_LIBS, krb5_encrypt_data)
+
+ # Heimdal checks.
+- AC_CHECK_LIB(crypto, des_set_key)
+- AC_CHECK_LIB(asn1, copy_Authenticator)
+- AC_CHECK_LIB(roken, roken_getaddrinfo_hostspec)
++ AC_CHECK_LIB_EXT(crypto, KRB5_LIBS, des_set_key)
++ AC_CHECK_LIB_EXT(asn1, KRB5_LIBS, copy_Authenticator)
++ AC_CHECK_LIB_EXT(roken, KRB5_LIBS, roken_getaddrinfo_hostspec)
+
+ # Heimdal checks. On static Heimdal gssapi must be linked before krb5.
+- AC_CHECK_LIB(gssapi, gss_display_status, [LIBS="$LIBS -lgssapi -lkrb5";
+- AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
++ AC_CHECK_LIB_EXT(gssapi, KRB5_LIBS, gss_display_status, [KRB5_LIBS="$KRB5_LIBS -lgssapi -lkrb5";
++ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
++
++ ########################################################
++ # now see if we can find the krb5 libs in standard paths
++ # or as specified above
++ AC_CHECK_LIB_EXT(krb5, KRB5_LIBS, krb5_mk_req_extended)
++
++ ########################################################
++ # now see if we can find the gssapi libs in standard paths
++ AC_CHECK_LIB_EXT(gssapi_krb5, KRB5_LIBS,gss_display_status,[],[],
++ AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available]))
+
+- AC_CHECK_LIB(krb5, krb5_set_real_time,
+- [AC_DEFINE(HAVE_KRB5_SET_REAL_TIME,1,
+- [Whether krb5_set_real_time is available])])
+- AC_CHECK_LIB(krb5, krb5_set_default_in_tkt_etypes,
+- [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES,1,
+- [Whether krb5_set_default_in_tkt_etypes, is available])])
+- AC_CHECK_LIB(krb5, krb5_set_default_tgs_ktypes,
+- [AC_DEFINE(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES,1,
+- [Whether krb5_set_default_tgs_ktypes is available])])
+-
+- AC_CHECK_LIB(krb5, krb5_principal2salt,
+- [AC_DEFINE(HAVE_KRB5_PRINCIPAL2SALT,1,
+- [Whether krb5_principal2salt is available])])
+- AC_CHECK_LIB(krb5, krb5_use_enctype,
+- [AC_DEFINE(HAVE_KRB5_USE_ENCTYPE,1,
+- [Whether krb5_use_enctype is available])])
+- AC_CHECK_LIB(krb5, krb5_string_to_key,
+- [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY,1,
+- [Whether krb5_string_to_key is available])])
+- AC_CHECK_LIB(krb5, krb5_get_pw_salt,
+- [AC_DEFINE(HAVE_KRB5_GET_PW_SALT,1,
+- [Whether krb5_get_pw_salt is available])])
+- AC_CHECK_LIB(krb5, krb5_string_to_key_salt,
+- [AC_DEFINE(HAVE_KRB5_STRING_TO_KEY_SALT,1,
+- [Whether krb5_string_to_key_salt is available])])
+- AC_CHECK_LIB(krb5, krb5_auth_con_setkey,
+- [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETKEY,1,
+- [Whether krb5_auth_con_setkey is available])])
+- AC_CHECK_LIB(krb5, krb5_auth_con_setuseruserkey,
+- [AC_DEFINE(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY,1,
+- [Whether krb5_auth_con_setuseruserkey is available])])
+- AC_CHECK_LIB(krb5, krb5_locate_kdc,
+- [AC_DEFINE(HAVE_KRB5_LOCATE_KDC,1,
+- [Whether krb5_locate_kdc is available])])
+- AC_CHECK_LIB(krb5, krb5_get_permitted_enctypes,
+- [AC_DEFINE(HAVE_KRB5_GET_PERMITTED_ENCTYPES,1,
+- [Whether krb5_get_permitted_enctypes is available])])
+- AC_CHECK_LIB(krb5, krb5_get_default_in_tkt_etypes,
+- [AC_DEFINE(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES,1,
+- [Whether krb5_get_default_in_tkt_etypes is available])])
+- AC_CHECK_LIB(krb5, krb5_free_ktypes,
+- [AC_DEFINE(HAVE_KRB5_FREE_KTYPES,1,
+- [Whether krb5_free_ktypes is available])])
++ AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_set_default_in_tkt_etypes, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_set_default_tgs_ktypes, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_principal2salt, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_use_enctype, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_string_to_key, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_get_pw_salt, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_string_to_key_salt, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_auth_con_setkey, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_auth_con_setuseruserkey, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
++ AC_CHECK_FUNC_EXT(krb5_free_ktypes, $KRB5_LIBS)
+
++ LIBS="$LIBS $KRB5_LIBS"
++
+ AC_CACHE_CHECK([for addrtype in krb5_address],
+ samba_cv_HAVE_ADDRTYPE_IN_KRB5_ADDRESS,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+@@ -2365,87 +2453,21 @@
+ [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available])
+ fi
+
+- ########################################################
+- # now see if we can find the krb5 libs in standard paths
+- # or as specified above
+- AC_CHECK_LIB(krb5, krb5_mk_req_extended, [KRB5_LIBS="$LIBS -lkrb5";
+- KRB5_CFLAGS="$CFLAGS";
+- AC_DEFINE(HAVE_KRB5,1,[Whether KRB5 is available])])
+-
+- ########################################################
+- # now see if we can find the gssapi libs in standard paths
+- AC_CHECK_LIB(gssapi_krb5, gss_display_status,
+- [KRB5_LIBS="$KRB5_LIBS -lgssapi_krb5";
+- AC_DEFINE(HAVE_GSSAPI,1,[Whether GSSAPI is available])])
+-
+- CFLAGS="$ac_save_CFLAGS"
+- LIBS="$ac_save_LIBS"
+-fi
+-
+-########################################################
+-# Compile with LDAP support?
+-
+-LDAP_OBJ=""
+-with_ldap_support=yes
+-AC_MSG_CHECKING([whether to use LDAP])
+-
+-AC_ARG_WITH(ldap,
+-[ --with-ldap LDAP support (default yes)],
+-[ case "$withval" in
+- no)
+- with_ldap_support=no
+- ;;
+- esac ])
+-
+-AC_MSG_RESULT($with_ldap_support)
+-
+-SMBLDAP=""
+-if test x"$with_ldap_support" = x"yes"; then
+- ac_save_LIBS="$LIBS"
+- LIBS=""
+-
+- ##################################################################
+- # we might need the lber lib on some systems. To avoid link errors
+- # this test must be before the libldap test
+- AC_CHECK_LIB(lber, ber_scanf)
+-
+- ########################################################
+- # now see if we can find the ldap libs in standard paths
+- if test x$have_ldap != xyes; then
+- AC_CHECK_LIB(ldap, ldap_init, [
+- LIBS="$LIBS -lldap";
+- AC_CHECK_LIB(ldap, ldap_domain2hostlist, [
+- AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
+- AC_CHECK_HEADERS([ldap.h lber.h],
+- [default_static_modules="$default_static_modules pdb_ldap idmap_ldap";
+- SMBLDAP="lib/smbldap.o"])
+- ])
+- ])
+-
+- ########################################################
+- # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
+- # Check found in pam_ldap 145.
+- AC_CHECK_FUNCS(ldap_set_rebind_proc)
+- AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, pam_ldap_cv_ldap_set_rebind_proc, [
+- AC_TRY_COMPILE([
+- #include <lber.h>
+- #include <ldap.h>], [ldap_set_rebind_proc(0, 0, 0);], [pam_ldap_cv_ldap_set_rebind_proc=3], [pam_ldap_cv_ldap_set_rebind_proc=2]) ])
+- AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $pam_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
+- AC_CHECK_FUNCS(ldap_initialize)
+- fi
+-
+- AC_SUBST(SMBLDAP)
+- LDAP_LIBS="$LIBS";
+- LIBS="$ac_save_LIBS";
+-else
+- # Can't have ADS support without LDAP
++ if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" = x"yes"; then
++ AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
++ AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
++ AC_MSG_CHECKING(whether Active Directory and krb5 support is used)
++ AC_MSG_RESULT(yes)
++ else
+ if test x"$with_ads_support" = x"yes"; then
+- AC_MSG_ERROR(Active directory support requires LDAP)
++ AC_MSG_ERROR(libkrb5 is needed for Active Directory support)
++ else
++ AC_MSG_WARN(libkrb5 is needed for Active Directory support)
+ fi
+-fi
+-
+-if test x"$with_ads_support" = x"yes"; then
+- ADSLIBS="$LDAP_LIBS $KRB5_LIBS"
++ KRB5_LIBS=""
++ with_ads_support=no
++ fi
++ LIBS="$ac_save_LIBS"
+ fi
+
+ ########################################################
--- /dev/null
+diff -uNr samba-3.0.0beta2.orig/source/Makefile.in samba-3.0.0beta2/source/Makefile.in
+--- samba-3.0.0beta2.orig/source/Makefile.in 2003-07-05 16:24:34.000000000 -0500
++++ samba-3.0.0beta2/source/Makefile.in 2003-07-05 16:24:54.000000000 -0500
+@@ -579,8 +579,8 @@
+ PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
+ pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \
+ libsmb/smbencrypt.o libsmb/smbdes.o libsmb/nterr.o \
+- $(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
+- $(SECRETS_OBJ) $(UBIQX_OBJ)
++ $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(PASSDB_OBJ) \
++ $(GROUPDB_OBJ) $(SECRETS_OBJ) $(UBIQX_OBJ) $(SMBLDAP_OBJ)
+
+ PAM_SMBPASS_PICOOBJ = $(PAM_SMBPASS_OBJ_0:.o=.po)
+
+@@ -1076,7 +1076,8 @@
+
+ bin/pam_smbpass.@SHLIBEXT@: $(PAM_SMBPASS_PICOOBJ)
+ @echo "Linking shared library $@"
+- @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_PICOOBJ) -lpam $(DYNEXP) $(LIBS) -lc
++ @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_PICOOBJ) -lpam $(DYNEXP) \
++ $(PASSDBLIBS) $(LIBS) -lc
+
+ bin/libmsrpc.a: $(LIBMSRPC_PICOBJ)
+ @-$(AR) -rc $@ $(LIBMSRPC_PICOBJ)
--- /dev/null
+diff -uNr samba-3.0.0beta2.orig/source/client/client.c samba-3.0.0beta2/source/client/client.c
+--- samba-3.0.0beta2.orig/source/client/client.c 2003-07-01 22:36:24.000000000 -0500
++++ samba-3.0.0beta2/source/client/client.c 2003-07-06 15:17:36.000000000 -0500
+@@ -2731,6 +2731,7 @@
+ int opt;
+ pstring query_host;
+ BOOL message = False;
++ char* tar_args = NULL;
+ extern char tar_type;
+ pstring term_code;
+ static const char *new_name_resolve_order = NULL;
+@@ -2816,7 +2817,7 @@
+ max_protocol = interpret_protocol(poptGetOptArg(pc), max_protocol);
+ break;
+ case 'T':
+- if (!tar_parseargs(argc, argv, poptGetOptArg(pc), optind)) {
++ if (!(tar_args = poptGetOptArg(pc))) {
+ poptPrintUsage(pc, stderr, 0);
+ exit(1);
+ }
+@@ -2848,6 +2849,22 @@
+ pstrcpy(cmdline_auth_info.password,poptGetArg(pc));
+ }
+
++ /* The tar command may take a number of string options; pass
++ everything we have left to tar_parseargs(). */
++ if (tar_args) {
++ const char **argv2 = poptGetArgs(pc);
++ int argc2 = 0;
++
++ if (argv2) {
++ while (argv2[argc2]) argc2++;
++ }
++
++ if (!tar_parseargs(argc2, argv2, tar_args, 0)) {
++ poptPrintUsage(pc, stderr, 0);
++ exit(1);
++ }
++ }
++
+ init_names();
+
+ if(new_name_resolve_order)
--- /dev/null
+Summary: Samba SMB client and server
+Name: samba
+Version: PVERSION
+Release: PRELEASE
+License: GNU GPL version 2
+Group: Networking
+Source: http://download.samba.org/samba/ftp/samba-%{version}.tar.bz2
+Packager: Gerald Carter [Samba-Team] <jerry@samba.org>
+Requires: pam >= 0.72 kernel >= 2.2.1 glibc >= 2.1.2
+Prereq: chkconfig fileutils
+Provides: samba = %{version}
+Obsoletes: samba-common, samba-client, samba-swat
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Prefix: /usr
+
+%description
+Samba provides an SMB/CIFS server which can be used to provide
+network file and print services to SMB/CIFS clients, including
+various versions of MS Windows, OS/2, and other Linux machines.
+Samba also provides some SMB clients, which complement the
+built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP
+(NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS
+frame) protocol.
+
+Samba 3.0 also introduces UNICODE support and kerberos/ldap
+integration as a member server in a Windows 2000 domain.
+
+Please refer to the WHATSNEW.txt document for fixup information.
+docs directory for implementation details.
+
+%changelog
+* Mon Nov 18 2002 Gerald Carter <jerry@samba.org>
+ - removed change log entries since history
+ is being maintained in CVS
+
+%prep
+%setup
+
+%build
+## Build main Samba source
+cd source
+
+%ifarch ia64
+libtoolize --copy --force # get it to recognize IA-64
+autoheader
+autoconf
+EXTRA="-D_LARGEFILE64_SOURCE"
+%endif
+NUMCPU=`grep processor /proc/cpuinfo | wc -l`
+if [ ! -f "configure" ]; then
+ ./autogen.sh
+fi
+CFLAGS="$RPM_OPT_FLAGS $EXTRA" ./configure \
+ --prefix=%{prefix} \
+ --localstatedir=/var \
+ --with-configdir=/etc/samba \
+ --with-privatedir=/etc/samba \
+ --with-fhs \
+ --with-quotas \
+ --with-smbmount \
+ --with-pam \
+ --with-pam_smbpass \
+ --with-syslog \
+ --with-utmp \
+ --with-sambabook=%{prefix}/share/swat/using_samba \
+ --with-swatdir=%{prefix}/share/swat \
+ --with-libsmbclient
+make -j${NUMCPU} proto
+make -j${NUMCPU} all nsswitch/libnss_wins.so modules
+make -j${NUMCPU} debug2html
+make -j${NUMCPU} bin/smbspool
+
+# Remove some permission bits to avoid to many dependencies
+find examples docs -type f | xargs -r chmod -x
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc/samba
+mkdir -p $RPM_BUILD_ROOT/etc/{logrotate.d,pam.d,samba}
+mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
+mkdir -p $RPM_BUILD_ROOT%{prefix}/{bin,sbin}
+mkdir -p $RPM_BUILD_ROOT%{prefix}/share/swat/{images,help,include,using_samba}
+mkdir -p $RPM_BUILD_ROOT%{prefix}/share/swat/using_samba/{figs,gifs}
+mkdir -p $RPM_BUILD_ROOTMANDIR_MACRO
+mkdir -p $RPM_BUILD_ROOT/var/cache/samba
+mkdir -p $RPM_BUILD_ROOT/var/{log,run}/samba
+mkdir -p $RPM_BUILD_ROOT/var/spool/samba
+mkdir -p $RPM_BUILD_ROOT/lib/security
+mkdir -p $RPM_BUILD_ROOT%{prefix}/lib/samba/vfs
+mkdir -p $RPM_BUILD_ROOT%{prefix}/{lib,include}
+
+# Install standard binary files
+for i in nmblookup smbclient smbpasswd smbstatus testparm testprns \
+ rpcclient smbspool smbcacls smbcontrol wbinfo smbmnt net \
+ smbcacls pdbedit tdbbackup smbtree
+do
+ install -m755 source/bin/$i $RPM_BUILD_ROOT%{prefix}/bin
+done
+
+for i in mksmbpasswd.sh smbtar findsmb
+do
+ install -m755 source/script/$i $RPM_BUILD_ROOT%{prefix}/bin
+done
+
+# Install secure binary files
+for i in smbd nmbd swat smbmount smbumount debug2html winbindd
+do
+ install -m755 source/bin/$i $RPM_BUILD_ROOT%{prefix}/sbin
+done
+
+# we need a symlink for mount to recognise the smb and smbfs filesystem types
+ln -sf %{prefix}/sbin/smbmount $RPM_BUILD_ROOT/sbin/mount.smbfs
+ln -sf %{prefix}/sbin/smbmount $RPM_BUILD_ROOT/sbin/mount.smb
+
+# This allows us to get away without duplicating code that
+# sombody else can maintain for us.
+cd source
+make DESTDIR=$RPM_BUILD_ROOT \
+ BASEDIR=/usr \
+ CONFIGDIR=/etc/samba \
+ LIBDIR=%{prefix}/lib/samba \
+ VARDIR=/var \
+ SBINDIR=%{prefix}/sbin \
+ BINDIR=$%{prefix}/bin \
+ MANDIR=MANDIR_MACRO \
+ SWATDIR=%{prefix}/share/swat \
+ SAMBABOOK=%{prefix}/share/swat/using_samba \
+ installman installswat installdat installmodules
+cd ..
+
+# Install the nsswitch wins library
+install -m755 source/nsswitch/libnss_wins.so $RPM_BUILD_ROOT/lib
+( cd $RPM_BUILD_ROOT/lib; ln -sf libnss_wins.so libnss_wins.so.2; )
+
+# Install winbind shared libraries
+install -m755 source/nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/lib
+( cd $RPM_BUILD_ROOT/lib; ln -sf libnss_winbind.so libnss_winbind.so.2; )
+install -m755 source/nsswitch/pam_winbind.so $RPM_BUILD_ROOT/lib/security
+
+# Install pam_smbpass.so
+install -m755 source/bin/pam_smbpass.so $RPM_BUILD_ROOT/lib/security
+
+# libsmbclient
+install -m 755 source/bin/libsmbclient.so $RPM_BUILD_ROOT%{prefix}/lib/
+install -m 755 source/bin/libsmbclient.a $RPM_BUILD_ROOT%{prefix}/lib/
+install -m 644 source/include/libsmbclient.h $RPM_BUILD_ROOT%{prefix}/include/
+
+# Install SWAT helper files
+#for i in swat/help/*.html docs/htmldocs/*.html
+#do
+# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/help
+#done
+#for i in swat/images/*.gif
+#do
+# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/images
+#done
+#for i in swat/include/*.html
+#do
+# install -m644 $i $RPM_BUILD_ROOT%{prefix}/share/swat/include
+#done
+
+# Install the miscellany
+install -m755 swat/README $RPM_BUILD_ROOT%{prefix}/share/swat/README
+install -m755 packaging/RedHat/smbprint $RPM_BUILD_ROOT%{prefix}/bin
+install -m755 packaging/RedHat/smb.init $RPM_BUILD_ROOT/etc/rc.d/init.d/smb
+install -m755 packaging/RedHat/winbind.init $RPM_BUILD_ROOT/etc/rc.d/init.d/winbind
+install -m755 packaging/RedHat/smb.init $RPM_BUILD_ROOT%{prefix}/sbin/samba
+install -m644 packaging/RedHat/samba.log $RPM_BUILD_ROOT/etc/logrotate.d/samba
+install -m644 packaging/RedHat/smb.conf $RPM_BUILD_ROOT/etc/samba/smb.conf
+install -m644 packaging/RedHat/smbusers $RPM_BUILD_ROOT/etc/samba/smbusers
+install -m644 packaging/RedHat/samba.pamd $RPM_BUILD_ROOT/etc/pam.d/samba
+install -m644 packaging/RedHat/samba.pamd.stack $RPM_BUILD_ROOT/etc/samba/samba.stack
+install -m644 packaging/RedHat/samba.xinetd $RPM_BUILD_ROOT/etc/samba/samba.xinetd
+echo 127.0.0.1 localhost > $RPM_BUILD_ROOT/etc/samba/lmhosts
+
+# Remove "*.old" files
+find $RPM_BUILD_ROOT -name "*.old" -exec rm -f {} \;
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ "$1" -eq "1" ]; then
+ /sbin/chkconfig --add smb
+ /sbin/chkconfig --add winbind
+ /sbin/chkconfig smb off
+ /sbin/chkconfig winbind off
+fi
+
+echo "Looking for old /etc/smb.conf..."
+if [ -f /etc/smb.conf -a ! -f /etc/samba/smb.conf ]; then
+ echo "Moving old /etc/smb.conf to /etc/samba/smb.conf"
+ mv /etc/smb.conf /etc/samba/smb.conf
+fi
+
+echo "Looking for old /etc/smbusers..."
+if [ -f /etc/smbusers -a ! -f /etc/samba/smbusers ]; then
+ echo "Moving old /etc/smbusers to /etc/samba/smbusers"
+ mv /etc/smbusers /etc/samba/smbusers
+fi
+
+echo "Looking for old /etc/lmhosts..."
+if [ -f /etc/lmhosts -a ! -f /etc/samba/lmhosts ]; then
+ echo "Moving old /etc/lmhosts to /etc/samba/lmhosts"
+ mv /etc/lmhosts /etc/samba/lmhosts
+fi
+
+echo "Looking for old /etc/MACHINE.SID..."
+if [ -f /etc/MACHINE.SID -a ! -f /etc/samba/MACHINE.SID ]; then
+ echo "Moving old /etc/MACHINE.SID to /etc/samba/MACHINE.SID"
+ mv /etc/MACHINE.SID /etc/samba/MACHINE.SID
+fi
+
+echo "Looking for old /etc/smbpasswd..."
+if [ -f /etc/smbpasswd -a ! -f /etc/samba/smbpasswd ]; then
+ echo "Moving old /etc/smbpasswd to /etc/samba/smbpasswd"
+ mv /etc/smbpasswd /etc/samba/smbpasswd
+fi
+
+#
+# For 2.2.1 we move the tdb files from /var/lock/samba to /var/cache/samba
+# to preserve across reboots.
+#
+echo "Moving tdb files in /var/lock/samba/*.tdb to /var/cache/samba/*.tdb"
+for i in /var/lock/samba/*.tdb
+do
+if [ -f $i ]; then
+ newname=`echo $i | sed -e's|var\/lock\/samba|var\/cache\/samba|'`
+ echo "Moving $i to $newname"
+ mv $i $newname
+fi
+done
+
+# Remove the transient tdb files.
+if [ -e /var/cache/samba/brlock.tdb ]; then
+ rm -f /var/cache/samba/brlock.tdb
+fi
+
+if [ -e /var/cache/samba/unexpected.tdb ]; then
+ rm -f /var/cache/samba/unexpected.tdb
+fi
+
+if [ -e /var/cache/samba/connections.tdb ]; then
+ rm -f /var/cache/samba/connections.tdb
+fi
+
+if [ -e /var/cache/samba/locking.tdb ]; then
+ rm -f /var/cache/samba/locking.tdb
+fi
+
+if [ -e /var/cache/samba/messages.tdb ]; then
+ rm -f /var/cache/samba/messages.tdb
+fi
+
+if [ -d /var/lock/samba ]; then
+ rm -rf /var/lock/samba
+fi
+
+# Add swat entry to /etc/services if not already there.
+if !( grep ^[:space:]*swat /etc/services > /dev/null ) then
+ echo 'swat 901/tcp # Add swat service used via inetd' >> /etc/services
+fi
+
+# Add swat entry to /etc/inetd.conf if needed.
+if [ -f /etc/inetd.conf ]; then
+ if !( grep ^[:space:]*swat /etc/inetd.conf > /dev/null ) then
+ echo 'swat stream tcp nowait.400 root %{prefix}/sbin/swat swat' >> /etc/inetd.conf
+ killall -1 inetd || :
+ fi
+fi
+
+# Add swat entry to xinetd.d if needed.
+if [ -d $RPM_BUILD_ROOT/etc/xinetd.d -a ! -f /etc/xinetd.d/swat ]; then
+ mv /etc/samba/samba.xinetd /etc/xinetd.d/swat
+else
+ rm -f /etc/samba/samba.xinetd
+fi
+
+# Install the correct version of the samba pam file, depending on pam version.
+if [ -f /lib/security/pam_stack.so ]; then
+ echo "Installing stack version of /etc/pam.d/samba..."
+ mv /etc/samba/samba.stack /etc/pam.d/samba
+else
+ echo "Installing non-stack version of /etc/pam.d/samba..."
+ rm -f /etc/samba/samba.stack
+fi
+
+# Create winbind nss client symlink
+
+if [ -e /lib/libnss_winbind.so ]; then
+ ln -sf /lib/libnss_winbind.so /lib/libnss_winbind.so.2
+fi
+
+%preun
+if [ $1 = 0 ] ; then
+ /sbin/chkconfig --del smb
+
+ # We want to remove the browse.dat and wins.dat files so they can not interfer with a new version of samba!
+ if [ -e /var/cache/samba/browse.dat ]; then
+ rm -f /var/cache/samba/browse.dat
+ fi
+ if [ -e /var/cache/samba/wins.dat ]; then
+ rm -f /var/cache/samba/wins.dat
+ fi
+
+ # Remove the transient tdb files.
+ if [ -e /var/cache/samba/brlock.tdb ]; then
+ rm -f /var/cache/samba/brlock.tdb
+ fi
+
+ if [ -e /var/cache/samba/unexpected.tdb ]; then
+ rm -f /var/cache/samba/unexpected.tdb
+ fi
+
+ if [ -e /var/cache/samba/connections.tdb ]; then
+ rm -f /var/cache/samba/connections.tdb
+ fi
+
+ if [ -e /var/cache/samba/locking.tdb ]; then
+ rm -f /var/cache/samba/locking.tdb
+ fi
+
+ if [ -e /var/cache/samba/messages.tdb ]; then
+ rm -f /var/cache/samba/messages.tdb
+ fi
+
+ # Remove winbind nss client symlink
+
+ if [ -L /lib/libnss_winbind.so.2 ]; then
+ rm -f /lib/libnss_winbind.so.2
+ fi
+fi
+
+%postun
+# Only delete remnants of samba if this is the final deletion.
+if [ $1 = 0 ] ; then
+ if [ -x /etc/pam.d/samba ]; then
+ rm -f /etc/pam.d/samba
+ fi
+ if [ -e /var/log/samba ]; then
+ rm -rf /var/log/samba
+ fi
+ if [ -e /var/cache/samba ]; then
+ rm -rf /var/cache/samba
+ fi
+
+ # Remove swat entries from /etc/inetd.conf and /etc/services
+ cd /etc
+ tmpfile=/etc/tmp.$$
+ if [ -f /etc/inetd.conf ]; then
+ # preserve inetd.conf permissions.
+ cp -p /etc/inetd.conf $tmpfile
+ sed -e '/^[:space:]*swat.*$/d' /etc/inetd.conf > $tmpfile
+ mv $tmpfile inetd.conf
+ fi
+ # preserve services permissions.
+ cp -p /etc/services $tmpfile
+ sed -e '/^[:space:]*swat.*$/d' /etc/services > $tmpfile
+ mv $tmpfile /etc/services
+
+ # Remove swat entry from /etc/xinetd.d
+ if [ -f /etc/xinetd.d/swat ]; then
+ rm -r /etc/xinetd.d/swat
+ fi
+fi
+
+%files
+%defattr(-,root,root)
+%doc README COPYING Manifest Read-Manifest-Now
+%doc WHATSNEW.txt Roadmap
+%doc docs
+%doc swat/README
+%doc examples
+%{prefix}/sbin/smbd
+%{prefix}/sbin/nmbd
+%{prefix}/sbin/swat
+%{prefix}/bin/smbmnt
+%{prefix}/sbin/smbmount
+%{prefix}/sbin/smbumount
+%{prefix}/sbin/winbindd
+%{prefix}/sbin/samba
+%{prefix}/sbin/debug2html
+/sbin/mount.smbfs
+/sbin/mount.smb
+%{prefix}/bin/mksmbpasswd.sh
+%{prefix}/bin/smbclient
+%{prefix}/bin/smbspool
+%{prefix}/bin/rpcclient
+%{prefix}/bin/testparm
+%{prefix}/bin/testprns
+%{prefix}/bin/findsmb
+%{prefix}/bin/smbstatus
+%{prefix}/bin/nmblookup
+%{prefix}/bin/smbpasswd
+%{prefix}/bin/smbtar
+%{prefix}/bin/smbprint
+%{prefix}/bin/smbcontrol
+%{prefix}/bin/wbinfo
+%{prefix}/bin/net
+%{prefix}/bin/smbcacls
+%{prefix}/bin/pdbedit
+%{prefix}/bin/tdbbackup
+%{prefix}/bin/smbtree
+%attr(755,root,root) /lib/libnss_wins.s*
+%attr(755,root,root) %{prefix}/lib/samba/vfs/*.so
+#%attr(755,root,root) %{prefix}/lib/samba/pdb/*.so
+%attr(755,root,root) %{prefix}/lib/samba/*.dat
+%{prefix}/include/libsmbclient.h
+%{prefix}/lib/libsmbclient.a
+%{prefix}/lib/libsmbclient.so
+%{prefix}/share/swat/help/*
+%{prefix}/share/swat/images/*
+%{prefix}/share/swat/include/*.html
+%{prefix}/share/swat/lang/*/help/*
+%{prefix}/share/swat/lang/*/images/*
+%{prefix}/share/swat/lang/*/include/*.html
+%{prefix}/share/swat/using_samba/*
+%{prefix}/share/swat/README
+%config(noreplace) /etc/samba/lmhosts
+%config(noreplace) /etc/samba/smb.conf
+%config(noreplace) /etc/samba/smbusers
+/etc/samba/samba.stack
+/etc/samba/samba.xinetd
+/etc/rc.d/init.d/smb
+/etc/rc.d/init.d/winbind
+/etc/logrotate.d/samba
+%config(noreplace) /etc/pam.d/samba
+MANDIR_MACRO/man1/*
+MANDIR_MACRO/man5/*
+MANDIR_MACRO/man7/*
+MANDIR_MACRO/man8/*
+%attr(755,root,root) %dir /var/cache/samba
+%dir /var/log/samba
+%dir /var/run/samba
+%attr(1777,root,root) %dir /var/spool/samba
+%attr(-,root,root) /lib/libnss_winbind.so
+%attr(-,root,root) /lib/security/pam_winbind.so
+%attr(-,root,root) /lib/security/pam_smbpass.so
--- /dev/null
+inetd.conf
+pkginfo
+prototype
+samba.server
--- /dev/null
+Date: March 29, 2003
+
+Note: The current packaging files are NOT officially supported files.
+---------------------------------------------------------------------
+
+While the SPEC file shows who the original author was, these files imply no warranty of
+fitness what so ever. These files are NOT official SuSE files and are NOT supported by
+them. If you have ANY problems with the use of these files then please email jht@samba.org
+and NOT SuSE support.
+
+
+These files may be used to build Samba-3.0 packages for SuSE Linux 8.1 and/or for
+UnitedLinux 1.0 systems.
+
+Note2: You most likely will need to update to heimdal-0.5.1 or later if you intend to
+use any Kerberos functionality.
+
+- John T.
--- /dev/null
+--- source/param/loadparm.c Wed Oct 9 21:17:05 2002
++++ source/param/loadparm.c Mon Oct 14 16:33:08 2002
+@@ -386,6 +386,8 @@
+ BOOL bInheritPerms;
+ BOOL bInheritACLS;
+ BOOL bMSDfsRoot;
++ BOOL bMSDfsProxy;
++ char *bMSDfsLinkName;
+ BOOL bUseClientDriver;
+ BOOL bDefaultDevmode;
+ BOOL bNTAclSupport;
+@@ -508,6 +510,8 @@
+ False, /* bInheritPerms */
+ False, /* bInheritACLS */
+ False, /* bMSDfsRoot */
++ False, /* bMSDfsProxy */
++ NULL, /* bMSDfsLinkName */
+ False, /* bUseClientDriver */
+ False, /* bDefaultDevmode */
+ True, /* bNTAclSupport */
+@@ -1079,6 +1083,8 @@
+
+
+ {"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
++ {"msdfs proxy", P_BOOL, P_LOCAL, &sDefault.bMSDfsProxy, NULL, NULL, FLAG_SHARE},
++ {"msdfs link name", P_STRING, P_LOCAL, &sDefault.bMSDfsLinkName, NULL, NULL, FLAG_SHARE},
+ {"host msdfs", P_BOOL, P_GLOBAL, &Globals.bHostMSDfs, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+
+ {"Winbind options", P_SEP, P_SEPARATOR},
+@@ -1730,6 +1736,8 @@
+ FN_LOCAL_STRING(lp_veto_oplocks, szVetoOplockFiles)
+ FN_LOCAL_STRING(lp_driverlocation, szPrinterDriverLocation)
+ FN_LOCAL_BOOL(lp_msdfs_root, bMSDfsRoot)
++FN_LOCAL_BOOL(lp_msdfs_proxy, bMSDfsProxy)
++FN_LOCAL_STRING(lp_msdfs_link_name, bMSDfsLinkName)
+ FN_LOCAL_BOOL(lp_autoloaded, autoloaded)
+ FN_LOCAL_BOOL(lp_preexec_close, bPreexecClose)
+ FN_LOCAL_BOOL(lp_rootpreexec_close, bRootpreexecClose)
+--- source/msdfs/msdfs.c Tue Jul 2 08:34:24 2002
++++ source/msdfs/msdfs.c Mon Oct 14 16:49:57 2002
+@@ -600,12 +600,38 @@
+ int reply_size = 0;
+ char *pathnamep = pathname;
+
++ struct connection_struct conns;
++ struct connection_struct* conn = &conns;
++ int snum;
++ pstring conn_path;
++ struct dfs_path dpi;
++
++ struct junction_map junction2;
++ parse_dfs_path(pathname, &dpi);
++ pstrcpy(junction2.service_name, dpi.servicename);
++ snum = lp_servicenumber(junction2.service_name);
++ create_conn_struct(conn, snum, conn_path);
++
++
+ ZERO_STRUCT(junction);
+
+ /* get the junction entry */
+ if (!pathnamep)
+ return -1;
+
++ if (lp_msdfs_proxy(SNUM(conn))) {
++ DEBUG(10,("running in proxy mode\n"));
++ pstrcpy(pathnamep, "\\");
++ pstrcat(pathnamep, dpi.hostname);
++ pstrcat(pathnamep, "\\");
++ pstrcat(pathnamep, dpi.servicename);
++ pstrcat(pathnamep, "\\");
++ pstrcat(pathnamep, (char *) lp_msdfs_link_name(SNUM(conn)));
++ } else {
++ DEBUG(10,("running in normal mode\n"));
++ }
++
++
+ /* Trim pathname sent by client so it begins with only one backslash.
+ Two backslashes confuse some dfs clients
+ */
+@@ -631,6 +657,17 @@
+ }
+ }
+
++ if ( lp_msdfs_proxy(SNUM(conn)) ) {
++ DEBUG(10,("running in proxy mode\n"));
++ pstrcpy ( pathnamep, "\\" );
++ pstrcat ( pathnamep, dpi.hostname);
++ pstrcat ( pathnamep, "\\" );
++ pstrcat ( pathnamep, dpi.servicename);
++ } else {
++ DEBUG(10,("running in normal mode\n"));
++ }
++
++
+ /* create the referral depeding on version */
+ DEBUG(10,("max_referral_level :%d\n",max_referral_level));
+ if(max_referral_level<2 || max_referral_level>3)
--- /dev/null
+diff -Nur source/utils/net.c source/utils/net.c
+--- source/utils/net.c Fri Sep 27 09:42:34 2002
++++ source/utils/net.c Tue Oct 1 12:22:00 2002
+@@ -68,6 +68,7 @@
+ int opt_port = 0;
+ int opt_maxusers = -1;
+ char *opt_comment = "";
++char *opt_container = "cn=Users";
+ int opt_flags = -1;
+ int opt_jobid = 0;
+ int opt_timeout = 0;
+@@ -459,6 +460,7 @@
+ {"myname", 'n', POPT_ARG_STRING, &opt_requester_name},
+ {"conf", 's', POPT_ARG_STRING, &servicesf},
+ {"server", 'S', POPT_ARG_STRING, &opt_host},
++ {"container", 'c', POPT_ARG_STRING, &opt_container},
+ {"comment", 'C', POPT_ARG_STRING, &opt_comment},
+ {"maxusers", 'M', POPT_ARG_INT, &opt_maxusers},
+ {"flags", 'F', POPT_ARG_INT, &opt_flags},
+diff -Nur source/utils/net.h source/utils/net.h
+--- source/utils/net.h Tue Jun 25 04:29:09 2002
++++ source/utils/net.h Tue Oct 1 12:19:51 2002
+@@ -38,10 +38,8 @@
+
+ extern int opt_maxusers;
+ extern char *opt_comment;
++extern char *opt_container;
+ extern int opt_flags;
+-
+-extern char *opt_comment;
+-
+ extern char *opt_target_workgroup;
+ extern int opt_long_list_entries;
+ extern int opt_reboot;
+diff -Nur source/utils/net_ads.c source/utils/net_ads.c
+--- source/utils/net_ads.c Tue Sep 17 14:15:52 2002
++++ source/utils/net_ads.c Tue Oct 1 12:33:44 2002
+@@ -255,7 +255,7 @@
+ goto done;
+ }
+
+- status = ads_add_user_acct(ads, argv[0], opt_comment);
++ status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);
+
+ if (!ADS_ERR_OK(status)) {
+ d_printf("Could not add user %s: %s\n", argv[0],
+@@ -431,7 +431,7 @@
+ goto done;
+ }
+
+- status = ads_add_group_acct(ads, argv[0], opt_comment);
++ status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
+
+ if (ADS_ERR_OK(status)) {
+ d_printf("Group %s added\n", argv[0]);
+diff -Nur source/utils/net_help.c source/utils/net_help.c
+--- source/utils/net_help.c Tue Sep 24 20:10:30 2002
++++ source/utils/net_help.c Tue Oct 1 13:01:50 2002
+@@ -69,14 +69,14 @@
+ "\n\tDelete specified user\n");
+ d_printf("\nnet [<method>] user INFO <name> [misc. options] [targets]"\
+ "\n\tList the domain groups of the specified user\n");
+- d_printf("\nnet [<method>] user ADD <name> [password] "\
++ d_printf("\nnet [<method>] user ADD <name> [password] [-c container] "\
+ "[-F user flags] [misc. options]"\
+ " [targets]\n\tAdd specified user\n");
+
+ net_common_methods_usage(argc, argv);
+ net_common_flags_usage(argc, argv);
+- d_printf(
+- "\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
++ d_printf("\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
++ d_printf("\t-c or --container=<container>\tLDAP container, defaults to cn=Users (for add in ADS only)\n");
+ return -1;
+ }
+
+@@ -85,12 +85,12 @@
+ "\n\tList user groups\n\n");
+ d_printf("net [<method>] group DELETE <name> [misc. options] [targets]"\
+ "\n\tDelete specified group\n");
+- d_printf("\nnet [<method>] group ADD <name> [-C comment]"\
++ d_printf("\nnet [<method>] group ADD <name> [-C comment] [-c container]"\
+ " [misc. options] [targets]\n\tCreate specified group\n");
+ net_common_methods_usage(argc, argv);
+ net_common_flags_usage(argc, argv);
+- d_printf(
+- "\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
++ d_printf("\t-C or --comment=<comment>\tdescriptive comment (for add only)\n");
++ d_printf("\t-c or --container=<container>\tLDAP container, defaults to cn=Users (for add in ADS only)\n");
+ return -1;
+ }
+
+diff -Nur source/libads/ldap_user.c source/libads/ldap_user.c
+--- source/libads/ldap_user.c Wed Aug 7 12:33:22 2002
++++ source/libads/ldap_user.c Tue Oct 1 12:46:08 2002
+@@ -38,7 +38,7 @@
+ }
+
+ ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
+- const char *fullname)
++ const char *container, const char *fullname)
+ {
+ TALLOC_CTX *ctx;
+ ADS_MODLIST mods;
+@@ -57,7 +60,7 @@
+
+ if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm)))
+ goto done;
+- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,cn=Users,%s", name,
++ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container,
+ ads->config.bind_path)))
+ goto done;
+ if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT)))
+@@ -80,7 +83,7 @@
+ }
+
+ ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
+- const char *comment)
++ const char *container, const char *comment)
+ {
+ TALLOC_CTX *ctx;
+ ADS_MODLIST mods;
+@@ -93,7 +96,7 @@
+
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+
+- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,cn=Users,%s", group,
++ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container,
+ ads->config.bind_path)))
+ goto done;
+ if (!(mods = ads_init_mods(ctx)))
+@@ -102,7 +105,7 @@
+ ads_mod_str(ctx, &mods, "cn", group);
+ ads_mod_strlist(ctx, &mods, "objectClass",objectClass);
+ ads_mod_str(ctx, &mods, "name", group);
+- if (comment)
++ if (comment && *comment)
+ ads_mod_str(ctx, &mods, "description", comment);
+ ads_mod_str(ctx, &mods, "sAMAccountName", group);
+ status = ads_gen_add(ads, new_dn, mods);
--- /dev/null
+--- examples/pdb/Makefile Thu Sep 5 02:11:41 2002
++++ examples/pdb/Makefile Thu Sep 5 02:11:59 2002
+@@ -8,7 +8,7 @@
+ SAMBA_INCL = ../../source/include
+ UBIQX_SRC = ../../source/ubiqx
+ SMBWR_SRC = ../../source/smbwrapper
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -Wall -g
++CFLAGS = -I/usr/include/heimdal -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -Wall -g
+ PDB_OBJS = pdb_test.so
+
+ # Default target
--- /dev/null
+--- source/python/py_common.c 2002-12-22 03:07:40.000000000 +0100
++++ source/python/py_common.c 2002-11-29 11:50:22.000000000 +0100
+@@ -45,9 +45,6 @@
+
+ void py_samba_init(void)
+ {
+- extern pstring global_myname;
+- char *p;
+-
+ if (initialised)
+ return;
+
+@@ -59,11 +56,7 @@
+ /* Misc other stuff */
+
+ load_interfaces();
+-
+- fstrcpy(global_myname, myhostname());
+- p = strchr(global_myname, '.');
+- if (p)
+- *p = 0;
++ init_names();
+
+ initialised = True;
+ }
+--- source/python/py_smb.c 2002-11-27 03:54:20.000000000 +0100
++++ source/python/py_smb.c 2002-11-29 11:50:22.000000000 +0100
+@@ -61,7 +61,6 @@
+ static char *kwlist[] = { "called", "calling", NULL };
+ char *calling_name = NULL, *called_name;
+ struct nmb_name calling, called;
+- extern pstring global_myname;
+ BOOL result;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kw, "s|s", kwlist, &called_name,
+@@ -69,7 +68,7 @@
+ return NULL;
+
+ if (!calling_name)
+- calling_name = global_myname;
++ calling_name = global_myname();
+
+ make_nmb_name(&calling, calling_name, 0x00);
+ make_nmb_name(&called, called_name, 0x20);
--- /dev/null
+--- examples/VFS/samba-vscan-0.3.1/fprot/Makefile 2002-11-26 15:20:17.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/fprot/Makefile 2002-12-19 13:26:19.000000000 +0100
+@@ -14,7 +14,7 @@
+ SMBWR_SRC = ../../../../source/smbwrapper
+ SMBVS_INCL = ../include
+ SMBVS_GLB = ../global
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ VFS_OBJS = vscan-fprotd.so
+ SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-fprotd.c vscan-fprotd_core.c vscan-fprotd.h vscan-fprotd_core.h
+ OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-fprotd.lo vscan-fprotd_core.lo
+--- examples/VFS/samba-vscan-0.3.1/include/vscan-global.h 2002-11-25 16:48:10.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/include/vscan-global.h 2002-12-19 13:26:34.000000000 +0100
+@@ -93,7 +93,7 @@
+ */
+
+ #ifndef SAMBA_VERSION_MAJOR
+-# define SAMBA_VERSION_MAJOR 2
++# define SAMBA_VERSION_MAJOR 3
+ #endif
+
+ #ifndef SAMBA_VERSION_MINOR
+--- examples/VFS/samba-vscan-0.3.1/kaspersky/Makefile 2002-11-28 17:40:35.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/kaspersky/Makefile 2002-12-19 13:27:23.000000000 +0100
+@@ -23,9 +23,9 @@
+ VFS_OBJS = vscan-kavp.so
+
+ ifdef USE_DEBUG
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ else
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ endif
+
+ ifndef USE_KAVPSHAREDLIB
+--- examples/VFS/samba-vscan-0.3.1/mks/Makefile 2002-11-26 16:29:55.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/mks/Makefile 2002-12-19 13:27:53.000000000 +0100
+@@ -13,7 +13,7 @@
+ SMBWR_SRC = ../../../../source/smbwrapper
+ SMBVS_INCL = ../include
+ SMBVS_GLB = ../global
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ VFS_OBJS = vscan-mksd.so
+ SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-mksd.c vscan-mksd_core.c vscan-mksd.h vscan-mksd_core.h mks.h mks_c.c
+ OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-mksd.lo vscan-mksd_core.lo mks_c.lo
+--- examples/VFS/samba-vscan-0.3.1/openantivirus/Makefile 2002-11-27 19:24:03.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/openantivirus/Makefile 2002-12-19 13:28:10.000000000 +0100
+@@ -15,7 +15,7 @@
+ SMBWR_SRC = ../../../../source/smbwrapper
+ SMBVS_INCL = ../include
+ SMBVS_GLB = ../global
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ VFS_OBJS = vscan-oav.so
+ SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-oav.c vscan-oav_core.c vscan-oav.h vscan-oav_core.h
+ OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-oav.lo vscan-oav_core.lo
+--- examples/VFS/samba-vscan-0.3.1/sophos/Makefile 2002-11-27 19:24:03.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/sophos/Makefile 2002-12-19 13:29:20.000000000 +0100
+@@ -15,7 +15,7 @@
+ SMBWR_SRC = ../../../../source/smbwrapper
+ SMBVS_INCL = ../include
+ SMBVS_GLB = ../global
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ VFS_OBJS = vscan-sophos.so
+ SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-sophos.c vscan-sophos_core.c vscan-sophos.h vscan-sophos_core.h
+ OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-sophos.lo vscan-sophos_core.lo
+--- examples/VFS/samba-vscan-0.3.1/trend/Makefile 2002-11-27 19:24:03.000000000 +0100
++++ examples/VFS/samba-vscan-0.3.1/trend/Makefile 2002-12-19 13:29:31.000000000 +0100
+@@ -15,7 +15,7 @@
+ SMBWR_SRC = ../../../../source/smbwrapper
+ SMBVS_INCL = ../include
+ SMBVS_GLB = ../global
+-CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++CFLAGS = -I$(SAMBA_SRC) -I$(SAMBA_INCL) -I$(UBIQX_SRC) -I$(SMBWR_SRC) -I$(SMBVS_INCL) -Wall -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/heimdal
+ VFS_OBJS = vscan-trend.so
+ SOURCES = $(SMBVS_GLB)/vscan-functions.c $(SMBVS_GLB)/vscan-message.c $(SMBVS_GLB)/vscan-quarantine.c vscan-trend.c vscan-trend_core.c vscan-trend.h vscan-trend_core.h
+ OBJS = vscan-functions.lo vscan-message.lo vscan-quarantine.lo vscan-trend.lo vscan-trend_core.lo
--- /dev/null
+#
+# spec file for package samba (Version HEAD) CVS
+#
+# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# packaged by Guenther Deschner <gd@suse.de> - work is not finished yet !
+
+# neededforbuild acl acl-devel attr attr-devel autoconf automake heimdal-devel heimdal-lib libxml2 libxml2-devel mysql-devel mysql-shared openldap2 openldap2-client openldap2-devel openssl openssl-devel popt popt-devel python python-devel readline readline-devel
+# usedforbuild aaa_base aaa_version acl attr bash bind9-utils bison cpio cpp cyrus-sasl db devs diffutils e2fsprogs file filesystem fileutils fillup findutils flex gawk gdbm-devel glibc glibc-devel glibc-locale gpm grep groff gzip kbd less libgcc libstdc++ libxcrypt m4 make man mktemp modutils ncurses ncurses-devel net-tools netcfg pam pam-devel pam-modules patch permissions ps rcs readline sed sendmail sh-utils shadow strace syslogd sysvinit tar texinfo textutils timezone unzip util-linux vim zlib-devel acl-devel attr-devel autoconf automake binutils bzip2 cracklib gcc gdbm gettext heimdal-devel heimdal-lib libtool libxml2 libxml2-devel mysql-devel mysql-shared openldap2 openldap2-client openldap2-devel openssl openssl-devel perl popt popt-devel python python-devel readline-devel rpm zlib
+
+
+Vendor: SuSE Linux AG, GS Berlin, Germany
+Distribution: SuSE Linux 8.1 (i386)
+Name: samba
+Packager: gd@suse.de
+License: GPL
+Group: Productivity/Networking/Samba
+Url: http://www.samba.org
+Provides: samba smbfs
+Obsoletes: samba-classic samba-ldap
+Autoreqprov: on
+%define smbwrap 0
+%define mit_kerberos 0
+%define heimdal_kerberos 1
+%define devel 0
+%define head 0
+%define python 1
+%define netatalk 0
+%define newsam 0
+%define samba_ver 3.0.0
+Requires: samba-client = %{samba_ver}
+Version: 3.0.0
+Release: %(date +%%j)
+Summary: An SMB file server for Unix
+Source: %{name}-%{version}.tar.bz2
+Source10: %{name}-%{version}.files.tar.bz2
+Source50: http://prdownloads.sourceforge.net/openantivirus/samba-vscan-%{vscan_ver}.tar.bz2
+Patch1: %{name}-%{version}-pdb.diff
+Patch10: %{name}-%{version}-net_ads.diff
+Patch22: %{name}-%{version}-msdfs.diff
+Patch30: %{name}-%{version}-python.diff
+BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
+%define DOCDIR %{_defaultdocdir}/%{name}
+%define SWATDIR %{_datadir}/samba/swat
+%define vscan_ver 0.3.1
+%define vscan_modules fprot kaspersky mks openantivirus sophos trend
+Patch51: %{name}-%{version}-vscan.diff
+
+%package client
+Summary: Samba client utilities
+Autoreqprov: on
+Requires: cups-libs
+Obsoletes: smbclnt samba-classic-client samba-ldap-client
+Group: Productivity/Networking/Samba
+
+%package winbind
+Requires: samba-client samba
+Summary: Samba Winbind-package
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+%package utils
+Summary: Samba Testing Utilities
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+%package doc
+Summary: Samba Documentation
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+%package pdb
+Summary: Samba PDB-Modules
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+%package vfs
+Summary: Samba VFS-Modules
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+%if %{newsam} > 0
+%package sam
+Summary: Samba SAM-Modules
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+%endif
+
+%package vscan
+Summary: Samba VFS-Modules for Virusscanners
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+Version: 0.3.1
+
+%package python
+Summary: Samba Python-Modules
+Autoreqprov: on
+Group: Productivity/Networking/Samba
+
+
+
+
+%changelog
+* Sat Nov 3 2001 - gd@suse.de
+- start
+
+
+%prep
+[ $RPM_BUILD_ROOT = "/" ] && (echo "your buildroot is /" && exit 0) || rm -rf $RPM_BUILD_ROOT
+mkdir $RPM_BUILD_ROOT
+
+%setup -n %{name}-%{samba_ver}
+%setup -T -D -a 50
+cp -ar samba-vscan-%{vscan_ver} examples/VFS/
+
+# untar my configs
+%setup -T -D -a 10
+
+%if %{heimdal_kerberos} > 0
+%patch1
+%patch51
+%endif
+#%patch10
+#%patch22
+#%patch30
+
+find . -name CVS -print | xargs rm -rf
+find . -name ".cvsignore" -print | xargs rm -rf
+find . -name "'*.gd'" -print | xargs rm -rvf
+find . -name "'*.orig'" -print | xargs rm -rvf
+
+%build %{name}-%{samba_ver}
+%{?suse_update_config:%{suse_update_config -f}}
+cd source
+./autogen.sh
+libtoolize --force --copy
+autoconf
+export CFLAGS="$RPM_OPT_FLAGS -Wall -O -D_GNU_SOURCE -D_LARGEFILE64_SOURCE"
+%ifarch ppc64
+export CFLAGS="$CFLAGS -mminimal-toc"
+%endif
+CONF_OPTS_BASIC="\
+ --prefix=/usr \
+ --libdir=/etc/samba \
+ --localstatedir=/var/lib/samba \
+ --mandir=%{_mandir} \
+ --sbindir=/usr/sbin \
+ --with-privatedir=/etc/samba \
+ --with-piddir=/var/run/samba \
+ --with-codepagedir=/usr/share/samba/codepages \
+ --with-swatdir=/usr/share/samba/swat \
+ --with-smbmount \
+ --with-automount \
+ --enable-cups \
+ --with-msdfs \
+ --with-vfs \
+ --with-pam \
+ --with-pam_smbpass \
+ --with-utmp \
+ --with-winbind \
+ --with-tdbsam \
+ --with-ldapsam \
+%if %{smbwrap}
+ --with-smbwrapper \
+%endif
+ --with-quotas \
+ --with-acl-support \
+ --with-python=python2.2 \
+ --with-syslog \
+"
+CONF_OPTS_HEAD="\
+ --with-sam \
+"
+CONF_OPTS_HEIMDAL_KERBEROS="\
+ --with-krb5impl=heimdal \
+"
+CONF_OPTS_HEIMDAL_51_KERBEROS="\
+ --with-krb5impl=heimdal \
+ --with-krb5includes=/opt/heimdal-0.5.1/include \
+ --with-krb5libs=/opt/heimdal-0.5.1/lib \
+"
+CONF_OPTS_MIT_KERBEROS="\
+ --with-krb5impl=mit \
+ --with-krb5includes=/usr/kerberos/include \
+ --with-krb5libs=/usr/kerberos/lib \
+"
+CONF_OPTS_DEVEL="\
+ --enable-developer \
+ --enable-krb5developer \
+ --with-profiling-data \
+"
+CONF_OPTS="$CONF_OPTS_BASIC"
+%if %{head} > 0
+CONF_OPTS="$CONF_OPTS $CONF_OPTS_HEAD"
+%endif
+%if %{heimdal_kerberos} > 0
+CONF_OPTS="$CONF_OPTS $CONF_OPTS_HEIMDAL_KERBEROS"
+%endif
+%if %{mit_kerberos} > 0
+CONF_OPTS="$CONF_OPTS $CONF_OPTS_MIT_KERBEROS"
+%endif
+%if %{devel} > 0
+CONF_OPTS="$CONF_OPTS $CONF_OPTS_DEVEL"
+%endif
+
+./configure $CONF_OPTS
+
+### --with-ldapsam is now standard!
+### --with-sendfile-support ---default now
+# --with-nisplussam \
+# --with-nisplus_home \
+
+# with the new passdb-code we can finaly compile several passdb-backends
+# and make our choice at runtime.
+# HEAD and thus alpha21 no longer need this
+#make proto
+
+make \
+ LOCKDIR=/var/lib/samba \
+ LOGFILEBASE=/var/log/samba \
+ SBINDIR=/usr/sbin \
+ all \
+ torture \
+ nsswitch/libnss_wins.so \
+ debug2html \
+ libsmbclient \
+ bin/profiles \
+ everything
+
+# everything = nsswitch smbwrapper smbtorture debug2html smbfilter nsswitch/libnss_wins.so
+
+%if %{newsam} > 0
+make bin/samtest
+%endif
+make modules
+
+make -C tdb tdbdump tdbtest tdbtool tdbtorture
+# tdbbackup is now in main Makefile
+
+make talloctort
+
+# VFS,PDB and SAM
+EXAMPLEDIRS="pdb"
+for i in $EXAMPLEDIRS; do make -C ../examples/$i; done
+
+export USE_KAVPSHAREDLIB=0
+for module in %{vscan_modules}; do
+ make -C ../examples/VFS/%{name}-vscan-%{vscan_ver}/${module};
+done
+
+# tim potters python
+%if %{python} > 0
+make python_ext
+%endif
+
+
+
+%install
+
+mkdir -p \
+ $RPM_BUILD_ROOT/usr/{bin,sbin} \
+ $RPM_BUILD_ROOT/usr/share/{man,samba/{scripts,swat}} \
+ $RPM_BUILD_ROOT/usr/lib/samba/{vfs,pdb,sam,vscan} \
+ $RPM_BUILD_ROOT/usr/lib/python2.2/lib-dynload \
+ $RPM_BUILD_ROOT/usr/include \
+ $RPM_BUILD_ROOT/etc/{pam.d,init.d,samba} \
+ $RPM_BUILD_ROOT/var/adm \
+ $RPM_BUILD_ROOT/sbin \
+ $RPM_BUILD_ROOT/lib/security \
+ $RPM_BUILD_ROOT/%{DOCDIR} \
+ $RPM_BUILD_ROOT/%{DOCDIR}-vscan \
+ $RPM_BUILD_ROOT/var/spool/samba \
+ $RPM_BUILD_ROOT/var/log/samba \
+ $RPM_BUILD_ROOT/var/run/samba \
+ $RPM_BUILD_ROOT/var/lib/samba/{netlogon,drivers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC},profiles}
+
+cd source/
+make install \
+ LIBDIR=$RPM_BUILD_ROOT/etc/samba \
+ LOGFILEBASE=$RPM_BUILD_ROOT/var/log/samba \
+ CONFIGFILE=$RPM_BUILD_ROOT/etc/samba/smb.conf \
+ LMHOSTSFILE=$RPM_BUILD_ROOT/etc/samba/lmhosts \
+ SWATDIR=$RPM_BUILD_ROOT/usr/share/samba/swat \
+ SBINDIR=$RPM_BUILD_ROOT/usr/sbin \
+ LOCKDIR=$RPM_BUILD_ROOT/var/lock/samba \
+ CODEPAGEDIR=$RPM_BUILD_ROOT/usr/share/samba/codepages \
+ DRIVERFILE=$RPM_BUILD_ROOT/etc/samba/printers.def \
+ BINDIR=$RPM_BUILD_ROOT/usr/bin \
+ SMB_PASSWD_FILE=$RPM_BUILD_ROOT/etc/samba/smbpasswd \
+ TDB_PASSWD_FILE=$RPM_BUILD_ROOT/etc/samba/smbpasswd.tdb \
+ MANDIR=$RPM_BUILD_ROOT/usr/share/man
+cd ..
+
+# utility scripts
+%if %{head} > 0
+scripts="creategroup cvslog.pl scancvslog.pl"
+%else
+scripts="scancvslog.pl"
+%endif
+for i in $scripts; do
+ cp -a source/script/$i $RPM_BUILD_ROOT/usr/share/samba/scripts/
+done
+
+# move the man-pages (ugly lang thing, fixed in alpha16)
+#mv $RPM_BUILD_ROOT/usr/share/man/lang/* $RPM_BUILD_ROOT/usr/share/man/
+
+# configuration files
+install -m 644 smb.conf* $RPM_BUILD_ROOT/etc/samba/
+install -m 644 shares.conf $RPM_BUILD_ROOT/etc/samba/
+install -m 644 lmhosts $RPM_BUILD_ROOT/etc/samba/
+install -m 600 smbpasswd -o root -g root $RPM_BUILD_ROOT/etc/samba/
+
+# pam
+install -m 644 samba.pamd $RPM_BUILD_ROOT/etc/pam.d/samba
+
+# sambamount
+ln -sf /usr/bin/smbmount $RPM_BUILD_ROOT/sbin/mount.smbfs
+
+# start scripts
+install rc.smb $RPM_BUILD_ROOT/etc/init.d/smb
+ln -sf ../../etc/init.d/smb $RPM_BUILD_ROOT/usr/sbin/rcsmb
+install rc.smbfs $RPM_BUILD_ROOT/etc/init.d/smbfs
+ln -sf ../../etc/init.d/smbfs $RPM_BUILD_ROOT/usr/sbin/rcsmbfs
+install rc.winbind $RPM_BUILD_ROOT/etc/init.d/winbind
+ln -sf ../../etc/init.d/winbind $RPM_BUILD_ROOT/usr/sbin/rcwinbind
+install rc.wrepl $RPM_BUILD_ROOT/etc/init.d/wrepl
+ln -sf ../../etc/init.d/wrepl $RPM_BUILD_ROOT/usr/sbin/rcwrepl
+
+#### disabled for 8.0
+### rc.config fragment
+mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+cp rc.config.samba $RPM_BUILD_ROOT/var/adm/fillup-templates
+cp rc.config.winbind $RPM_BUILD_ROOT/var/adm/fillup-templates
+cp rc.config.wrepl $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+# libnss_wins.so
+cp source/nsswitch/libnss_wins.so $RPM_BUILD_ROOT/lib/libnss_wins.so
+ln -sf /lib/libnss_wins.so $RPM_BUILD_ROOT/lib/libnss_wins.so.2
+
+# winbind stuff
+cp -a source/nsswitch/pam_winbind.so $RPM_BUILD_ROOT/lib/security/
+cp -a source/nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/lib/
+cp -a source/bin/winbindd $RPM_BUILD_ROOT/usr/sbin/
+ln -sf /lib/libnss_winbind.so $RPM_BUILD_ROOT/lib/libnss_winbind.so.2
+
+# pam_smbpass
+cp -a source/bin/pam_smbpass.so $RPM_BUILD_ROOT/lib/security/
+
+# smbfilter
+cp -a source/bin/smbfilter $RPM_BUILD_ROOT/usr/bin/
+
+
+%{?suse_check}
+
+## install libsmbclient
+install -m0755 source/bin/{libsmbclient.so,libsmbclient.a} $RPM_BUILD_ROOT/%{_libdir}
+ln -s /usr/lib/libsmbclient.so $RPM_BUILD_ROOT/%{_libdir}/libsmbclient.so.0
+install -m0644 source/include/libsmbclient.h $RPM_BUILD_ROOT/%{_includedir}
+
+# install smbtorture and other test-programs
+install -m0755 source/bin/smbtorture $RPM_BUILD_ROOT/usr/bin/
+install -m0755 source/bin/talloctort $RPM_BUILD_ROOT/usr/bin/
+install -m0755 source/bin/{msgtest,masktest,locktest*} $RPM_BUILD_ROOT/usr/bin/
+install -m0755 source/bin/{vfstest,nsstest} $RPM_BUILD_ROOT/usr/bin/
+%if %{head} > 0
+%if %{newsam} > 0
+install -m0755 source/bin/samtest $RPM_BUILD_ROOT/usr/bin/
+%endif
+%endif
+
+# install tdb tools
+install -m0755 source/tdb/{tdbdump,tdbtest,tdbtool,tdbtorture} $RPM_BUILD_ROOT/usr/bin/
+
+
+# install VFS-modules
+%if %{head} > 0
+install -m0755 source/bin/developer.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+#install -m0755 examples/VFS/block/block.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+#install -m0755 examples/VFS/skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+%else
+#install -m0755 examples/VFS/block/block.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+#install -m0755 examples/VFS/skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+%endif
+install -m0755 source/bin/vfs_audit.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+install -m0755 source/bin/vfs_extd_audit.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+install -m0755 source/bin/vfs_recycle.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+%if %{netatalk}
+install -m0755 source/bin/vfs_netatalk.so $RPM_BUILD_ROOT/%{_libdir}/samba/vfs/
+%endif
+
+# install PDB-modules
+%if %{head} > 0
+install -m0755 source/bin/xml.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
+install -m0755 source/bin/mysql.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
+%else
+install -m0755 source/bin/pdb_xml.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
+install -m0755 source/bin/pdb_mysql.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
+%endif
+install -m0755 examples/pdb/pdb_test.so $RPM_BUILD_ROOT/%{_libdir}/samba/pdb/
+
+# install SAM-modules
+%if %{head} > 0
+%if %{newsam} > 0
+install -m0755 examples/sam/sam_skel.so $RPM_BUILD_ROOT/%{_libdir}/samba/sam/
+%endif
+%endif
+
+# install VSCAN-vfs-modules
+install -m0755 examples/VFS/%{name}-vscan-%{vscan_ver}/*/*.so $RPM_BUILD_ROOT/%{_libdir}/samba/vscan/
+
+# make examples clean
+VFS="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/VFS"
+VSCAN="$VFS/%{name}-vscan-%{vscan_ver}"
+PDB="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/pdb"
+%if %{head} > 0
+%if %{newsam} > 0
+SAM="$RPM_BUILD_DIR/%{name}-%{samba_ver}/examples/sam"
+%endif
+%endif
+dirs="$PDB $SAM"
+(for i in $dirs; do make -C $i clean; done)
+(for i in %{vscan_modules}; do make -C $VSCAN/$i clean; done)
+
+%if %{python} > 0
+# install python
+cp -a source/build/lib.*/samba $RPM_BUILD_ROOT/usr/lib/python2.2/lib-dynload/
+%endif
+
+# whats this ?
+install -m0755 source/bin/debug2html $RPM_BUILD_ROOT/usr/bin/
+
+%if %{smbwrap}
+# install smbwrapper
+install -m0755 source/bin/smbwrapper.so $RPM_BUILD_ROOT/%{_libdir}/samba/
+install -m0755 source/bin/smbsh $RPM_BUILD_ROOT/usr/bin/
+%endif
+
+# finally obsolete with alpha17 makefile
+# install unicode-codepages
+#install -m0755 source/codepages/{lowcase,upcase,valid}.dat $RPM_BUILD_ROOT/etc/samba/
+
+# cleanup docs
+rm -rf docs/*.[0-9]
+chmod 644 `find docs examples -type f`
+chmod 755 `find docs examples -type d`
+mv COPYING Manifest README Read-Manifest-Now Roadmap WHATSNEW.txt $RPM_BUILD_ROOT/%{DOCDIR}/
+cp source/msdfs/README $RPM_BUILD_ROOT/%{DOCDIR}/README.msdfs
+#cp source/nsswitch/README $RPM_BUILD_ROOT/%{DOCDIR}/README.nsswitch
+cp source/smbwrapper/README $RPM_BUILD_ROOT/%{DOCDIR}/README.smbwrapper
+cp -a docs/* $RPM_BUILD_ROOT/%{DOCDIR}
+cp -a examples/ $RPM_BUILD_ROOT/%{DOCDIR}
+# save space...
+rm -r \
+ $RPM_BUILD_ROOT/%{SWATDIR}/using_samba
+ln -s %{DOCDIR}/htmldocs/using_samba $RPM_BUILD_ROOT/%{SWATDIR}
+
+
+%post
+###### disabled for 8.1
+###echo "Updating etc/rc.config..."
+##if [ -x bin/fillup ] ; then
+## bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.samba
+## bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.winbind
+##else
+## echo "ERROR: fillup not found. This should not happen. Please compare"
+## echo "etc/rc.config and var/adm/fillup-templates/rc.config.samba and"
+## echo "var/adm/fillup-templates/rc.config.winbind and update by hand."
+##fi
+mkdir -p $RPM_BUILD_ROOT/var/adm/notify/messages
+cat << EOF > var/adm/notify/messages/samba-notify
+Achtung!
+
+This is %{name}-%{samba_ver}. Please do not run on production systems.
+
+You have been warned.
+EOF
+
+# Initialize runlevel links
+#
+%{fillup_and_insserv smb}
+#sbin/insserv /etc/init.d/smb
+
+%post client
+#sbin/insserv /etc/init.d/smbfs
+%{fillup_and_insserv -fpy smbfs}
+%{fillup_only -ans samba client}
+
+%postun
+%{insserv_cleanup}
+#sbin/insserv /etc/init.d/
+
+%postun client
+%{insserv_cleanup}
+#sbin/insserv /etc/init.d/
+
+%post winbind
+%{fillup_and_insserv winbind}
+#sbin/insserv /etc/init.d/winbind
+
+%postun winbind
+%{insserv_cleanup}
+#sbin/insserv /etc/init.d/
+
+%clean
+#make -C source realclean
+
+%files
+%config(noreplace) /etc/samba/smbpasswd
+%config /etc/pam.d/samba
+%config /etc/init.d/smb
+%config /etc/init.d/wrepl
+#/usr/bin/make_printerdef
+/usr/bin/addtosmbpass
+/usr/bin/convert_smbpasswd
+/usr/bin/ntlm_auth
+/usr/bin/profiles
+/usr/bin/smbfilter
+/usr/bin/smbpasswd
+/usr/bin/smbstatus
+/usr/bin/testparm
+/usr/bin/testprns
+#%doc %{_mandir}/man1/smbrun.1.gz
+%doc %{_mandir}/man1/smbsh.1.gz
+%doc %{_mandir}/man1/smbstatus.1.gz
+%doc %{_mandir}/man1/testparm.1.gz
+%doc %{_mandir}/man1/testprns.1.gz
+%doc %{_mandir}/man5/smbpasswd.5.gz
+%doc %{_mandir}/man7/samba.7.gz
+%doc %{_mandir}/man8/nmbd.8.gz
+%doc %{_mandir}/man8/smbd.8.gz
+%doc %{_mandir}/man8/smbpasswd.8.gz
+%doc %{_mandir}/man8/swat.8.gz
+/usr/sbin/nmbd
+/usr/sbin/smbd
+/usr/sbin/swat
+/usr/sbin/wrepld
+/usr/sbin/rcsmb
+/usr/sbin/rcwrepl
+#/var/adm/fillup-templates/rc.config.samba
+/var/log/samba
+/var/spool/samba
+/var/run/samba
+/var/lib/samba
+/usr/share/samba
+/lib/security/pam_smbpass.so
+
+%files client
+%config(noreplace) /etc/samba/smb.conf
+%config(noreplace) /etc/samba/lmhosts
+/etc/samba/lowcase.dat
+/etc/samba/upcase.dat
+/etc/samba/valid.dat
+%config /etc/init.d/smbfs
+/usr/sbin/rcsmbfs
+/sbin/mount.smbfs
+/usr/bin/findsmb
+/usr/bin/net
+/usr/bin/nmblookup
+/usr/bin/pdbedit
+/usr/bin/rpcclient
+/usr/bin/smbcacls
+/usr/bin/smbcontrol
+/usr/bin/smbclient
+/usr/bin/smbmnt
+/usr/bin/smbmount
+%if %{smbwrap}
+/usr/bin/smbsh
+%endif
+/usr/bin/smbumount
+/usr/bin/smbspool
+/usr/bin/smbtar
+/usr/bin/smbtree
+%doc %{_mandir}/man1/nmblookup.1.gz
+%doc %{_mandir}/man1/rpcclient.1.gz
+%doc %{_mandir}/man1/smbclient.1.gz
+%doc %{_mandir}/man1/smbcacls.1.gz
+%doc %{_mandir}/man1/smbcontrol.1.gz
+%doc %{_mandir}/man1/smbtar.1.gz
+%doc %{_mandir}/man5/lmhosts.5.gz
+%doc %{_mandir}/man5/smb.conf.5.gz
+%doc %{_mandir}/man8/net.8.gz
+%doc %{_mandir}/man8/pdbedit.8.gz
+%doc %{_mandir}/man8/smbmnt.8.gz
+%doc %{_mandir}/man8/smbmount.8.gz
+%doc %{_mandir}/man8/smbspool.8.gz
+%doc %{_mandir}/man8/smbumount.8.gz
+/usr/include/libsmbclient.h
+%if %{smbwrap}
+/usr/lib/samba/smbwrapper.so
+%endif
+/usr/lib/libsmbclient.a
+/usr/lib/libsmbclient.so
+/usr/lib/libsmbclient.so.0
+
+%files winbind
+%config(noreplace) /etc/samba/smb.conf.winbind
+%config /etc/init.d/winbind
+%doc %{_mandir}/man1/wbinfo.1.gz
+%doc %{_mandir}/man8/winbindd.8.gz
+/usr/bin/wbinfo
+%if %{head} > 0
+/usr/bin/ntlm_auth
+%endif
+/usr/sbin/winbindd
+/usr/sbin/rcwinbind
+#/var/adm/fillup-templates/rc.config.winbind
+/lib/security/pam_winbind.so
+/lib/libnss_winbind.so
+/lib/libnss_winbind.so.2
+/lib/libnss_wins.so
+/lib/libnss_wins.so.2
+
+%files utils
+/usr/bin/smbtorture
+/usr/bin/msgtest
+/usr/bin/masktest
+/usr/bin/locktest
+/usr/bin/locktest2
+/usr/bin/debug2html
+/usr/bin/talloctort
+/usr/bin/tdbbackup
+/usr/bin/tdbdump
+/usr/bin/tdbtest
+/usr/bin/tdbtool
+/usr/bin/tdbtorture
+/usr/bin/vfstest
+/usr/bin/nsstest
+%if %{head} > 0
+%if %{newsam} > 0
+/usr/bin/samtest
+%endif
+/usr/bin/profiles
+/usr/bin/editreg
+%endif
+%doc %{_mandir}/man1/vfstest.1.gz
+
+%files doc
+%docdir %{DOCDIR}
+%{DOCDIR}
+
+%files pdb
+/usr/lib/samba/pdb
+%doc examples/pdb/*
+
+%files vfs
+/usr/lib/samba/vfs
+%doc examples/VFS/README*
+%doc examples/VFS/Makefile*
+#doc examples/VFS/audit*
+#%doc examples/VFS/block*
+#doc examples/VFS/netatalk*
+#doc examples/VFS/recycle*
+%doc examples/VFS/skel*
+
+%if %{newsam} > 0
+%files sam
+/usr/lib/samba/sam
+%if %{head} > 0
+%doc examples/sam/*
+%endif
+%endif
+
+%files vscan
+/usr/lib/samba/vscan
+%doc %{name}-vscan-%{vscan_ver}/{AUTHORS,COPYING,ChangeLog,FAQ,NEWS,README,TODO}
+
+
+%files python
+%doc source/python/README
+%if %{python} > 0
+/usr/lib/python2.2/lib-dynload/samba
+%doc source/python/examples
+%doc source/python/gprinterdata
+%doc source/python/gtdbtool
+%doc source/python/gtkdictbrowser.py
+%if %{head} > 0
+%doc source/python/gtkdictbrowser.pyc
+%doc source/python/printerdata.pyc
+%endif
+%endif
+
+%description
+Samba is a suite of programs which work together to allow clients to
+access Unix filespace and printers via the SMB protocol (Server Message
+Block).
+In practice, this means that you can redirect disks and printers to
+Unix disks and printers from LAN Manager clients, Windows for
+Workgroups 3.11 clients, Windows'95 clients, Windows NT clients
+and OS/2 clients. There is
+also a Unix client program supplied as part of the suite which allows
+Unix users to use an ftp-like interface to access filespace and
+printers on any other SMB server.
+Samba includes the following programs (in summary):
+* smbd, the SMB server. This handles actual connections from clients.
+* nmbd, the Netbios name server, which helps clients locate servers.
+* smbclient, the Unix-hosted client program.
+* smbrun, a little 'glue' program to help the server run external
+programs.
+* testprns, a program to test server access to printers.
+* testparm, a program to test the Samba configuration file for correctness.
+* smb.conf, the Samba configuration file.
+* smbprint, a sample script to allow a Unix host to use smbclient
+to print to an SMB server.
+The suite is supplied with full source and is GPLed.
+This package expects its config file under /etc/smb.conf .
+
+Authors:
+--------
+ Andrew Tridgell <Andrew.Tridgell@anu.edu.au>
+ Karl Auer <Karl.Auer@anu.edu.au>
+ Jeremy Allison <jeremy@netcom.com>
+
+SuSE series: n
+
+
+%description client
+This package contains all programs, that are needed to act as a samba
+client. This includes also smbmount, of course.
+
+Authors:
+--------
+ Andrew Tridgell <Andrew.Tridgell@anu.edu.au>
+ Karl Auer <Karl.Auer@anu.edu.au>
+ Jeremy Allison <jeremy@netcom.com>
+
+SuSE series: n
+
+
+%description winbind
+This is the winbind-daemon and the wbinfo-tool.
+
+%description utils
+Some of the debug-tools for developpers.
+Contains:
+ - debug2html
+ - locktest
+ - locktest2
+ - masktest
+ - msgtest
+ - smbtorture
+ - talloctort
+ - several tdb-tools
+
+%description doc
+The Samba Documentation.
+
+%description vfs
+The Samba VFS-Modules.
+
+%description pdb
+The Samba PDB-Modules.
+
+%if %{newsam} > 0
+%description sam
+The Samba SAM-Modules.
+%endif
+
+%description vscan
+The Samba VFS-Modules for Virusscanners.
+
+%description python
+The Samba python-Modules.
--- /dev/null
+#!/bin/sh
+
+umask 022
+
+## Build options
+CONFIGUREOPT="--enable-debug --enable-developer --with-pam --with-libsmbclient=no --with-static-modules"
+export CONFIGUREOPT
+
+./autogen.sh
+
+case "$1" in
+ dmalloc)
+ env CFLAGS="-Wall" ./configure \
+ --enable-dmalloc \
+ $CONFIGUREOPT
+ ;;
+ insure)
+ env CFLAGS="-g" CC="insure" ./configure \
+ $CONFIGUREOPT
+ ;;
+ ccache)
+ env CFLAGS="-Wall" CC="ccache gcc" ./configure \
+ $CONFIGUREOPT
+ ;;
+ *)
+ env CFLAGS="-Wall" ./configure \
+ $CONFIGUREOPT
+ ;;
+esac
+
+## disable optimization
+sed 's/-O //g' Makefile | sed 's/-O2 //g' > Makefile.new; /bin/mv -f Makefile.new Makefile
+
+## build
+make proto
+make all modules
--- /dev/null
+/*
+ Unix SMB/CIFS mplementation.
+ LDAP protocol helper functions for SAMBA
+ Copyright (C) Gerald Carter 2001-2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#ifndef _SMBLDAP_H
+#define _SMBLDAP_H
+
+#ifdef HAVE_LDAP
+
+/* specify schema versions between 2.2. and 3.0 */
+
+#define SCHEMAVER_SAMBAACCOUNT 1
+#define SCHEMAVER_SAMBASAMACCOUNT 2
+
+/* objectclass names */
+
+#define LDAP_OBJ_SAMBASAMACCOUNT "sambaSamAccount"
+#define LDAP_OBJ_SAMBAACCOUNT "sambaAccount"
+#define LDAP_OBJ_GROUPMAP "sambaGroupMapping"
+#define LDAP_OBJ_DOMINFO "sambaDomain"
+#define LDAP_OBJ_IDPOOL "sambaUnixIdPool"
+#define LDAP_OBJ_IDMAP_ENTRY "sambaIdmapEntry"
+#define LDAP_OBJ_SID_ENTRY "sambaSidEntry"
+
+#define LDAP_OBJ_ACCOUNT "account"
+#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
+#define LDAP_OBJ_POSIXGROUP "posixGroup"
+#define LDAP_OBJ_OU "organizationalUnit"
+
+/* some generic attributes that get reused a lot */
+
+#define LDAP_ATTRIBUTE_SID "sambaSID"
+#define LDAP_ATTRIBUTE_UIDNUMBER "uidNumber"
+#define LDAP_ATTRIBUTE_GIDNUMBER "gidNumber"
+
+/* attribute map table indexes */
+
+#define LDAP_ATTR_LIST_END 0
+#define LDAP_ATTR_UID 1
+#define LDAP_ATTR_UIDNUMBER 2
+#define LDAP_ATTR_GIDNUMBER 3
+#define LDAP_ATTR_UNIX_HOME 4
+#define LDAP_ATTR_PWD_LAST_SET 5
+#define LDAP_ATTR_PWD_CAN_CHANGE 6
+#define LDAP_ATTR_PWD_MUST_CHANGE 7
+#define LDAP_ATTR_LOGON_TIME 8
+#define LDAP_ATTR_LOGOFF_TIME 9
+#define LDAP_ATTR_KICKOFF_TIME 10
+#define LDAP_ATTR_CN 11
+#define LDAP_ATTR_DISPLAY_NAME 12
+#define LDAP_ATTR_HOME_PATH 13
+#define LDAP_ATTR_LOGON_SCRIPT 14
+#define LDAP_ATTR_PROFILE_PATH 15
+#define LDAP_ATTR_DESC 16
+#define LDAP_ATTR_USER_WKS 17
+#define LDAP_ATTR_USER_SID 18
+#define LDAP_ATTR_USER_RID 18
+#define LDAP_ATTR_PRIMARY_GROUP_SID 19
+#define LDAP_ATTR_PRIMARY_GROUP_RID 20
+#define LDAP_ATTR_LMPW 21
+#define LDAP_ATTR_NTPW 22
+#define LDAP_ATTR_DOMAIN 23
+#define LDAP_ATTR_OBJCLASS 24
+#define LDAP_ATTR_ACB_INFO 25
+#define LDAP_ATTR_NEXT_USERRID 26
+#define LDAP_ATTR_NEXT_GROUPRID 27
+#define LDAP_ATTR_DOM_SID 28
+#define LDAP_ATTR_HOME_DRIVE 29
+#define LDAP_ATTR_GROUP_SID 30
+#define LDAP_ATTR_GROUP_TYPE 31
+#define LDAP_ATTR_SID 32
+#define LDAP_ATTR_ALGORITHMIC_RID_BASE 33
+#define LDAP_ATTR_NEXT_RID 34
+
+typedef struct _attrib_map_entry {
+ int attrib;
+ const char *name;
+} ATTRIB_MAP_ENTRY;
+
+
+/* structures */
+
+extern ATTRIB_MAP_ENTRY attrib_map_v22[];
+extern ATTRIB_MAP_ENTRY attrib_map_v30[];
+extern ATTRIB_MAP_ENTRY dominfo_attr_list[];
+extern ATTRIB_MAP_ENTRY groupmap_attr_list[];
+extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[];
+extern ATTRIB_MAP_ENTRY idpool_attr_list[];
+extern ATTRIB_MAP_ENTRY sidmap_attr_list[];
+
+/* Function declarations -- not included in proto.h so we don't
+ have to worry about LDAP structure types */
+
+const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key );
+char** get_attr_list( ATTRIB_MAP_ENTRY table[] );
+void free_attr_list( char **list );
+void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value);
+void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
+ LDAPMod ***mods,
+ const char *attribute, const char *newval);
+BOOL smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
+ const char *attribute, pstring value);
+
+/**
+ * Struct to keep the state for all the ldap stuff
+ *
+ */
+
+struct smbldap_state {
+ LDAP *ldap_struct;
+ time_t last_ping;
+ /* retrive-once info */
+ const char *uri;
+ char *bind_dn;
+ char *bind_secret;
+
+ unsigned int num_failures;
+};
+
+#endif /* HAVE_LDAP */
+
+struct smbldap_state;
+
+#endif /* _SMBLDAP_H */
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ SYS QUOTA code constants
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _SYSQUOTAS_H
+#define _SYSQUOTAS_H
+
+#ifdef HAVE_SYS_QUOTAS
+
+/* Sometimes we need this on linux for linux/quota.h */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_ASM_TYPES_H
+#include <asm/types.h>
+#endif
+
+/*
+ * This shouldn't be neccessary - it should be /usr/include/sys/quota.h
+ * Unfortunately, RH7.1 ships with a different quota system using struct mem_dqblk
+ * rather than the struct dqblk defined in /usr/include/sys/quota.h.
+ * This means we must include linux/quota.h to have a hope of working on
+ * RH7.1 systems. And it also means this breaks if the kernel is upgraded
+ * to a Linus 2.4.x (where x > the minor number shipped with RH7.1) until
+ * Linus synchronises with the AC patches. Sometimes I *hate* Linux :-). JRA.
+ */
+#ifdef HAVE_LINUX_QUOTA_H
+#include <linux/quota.h>
+#elif defined(HAVE_SYS_QUOTA_H)
+#include <sys/quota.h>
+#endif
+
+#if defined(HAVE_STRUCT_IF_DQBLK)
+# define SYS_DQBLK if_dqblk
+# define dqb_curblocks dqb_curspace/bsize
+#elif defined(HAVE_STRUCT_MEM_DQBLK)
+# define SYS_DQBLK mem_dqblk
+# define dqb_curblocks dqb_curspace/bsize
+#else /* STRUCT_DQBLK */
+# define SYS_DQBLK dqblk
+#endif
+
+#ifndef Q_SETQLIM
+#define Q_SETQLIM Q_SETQUOTA
+#endif
+
+/*********************************************
+ check for XFS QUOTA MANAGER
+ *********************************************/
+/* on linux */
+#ifdef HAVE_LINUX_XQM_H
+# include <linux/xqm.h>
+# define HAVE_XFS_QUOTA
+#else
+# ifdef HAVE_XFS_XQM_H
+# include <xfs/xqm.h>
+# define HAVE_XFS_QUOTA
+# else
+# ifdef HAVE_LINUX_DQBLK_XFS_H
+# include <linux/dqblk_xfs.h>
+# define HAVE_XFS_QUOTA
+# endif
+# endif
+#endif
+/* on IRIX */
+#ifdef Q_XGETQUOTA
+# ifndef HAVE_XFS_QUOTA
+# define HAVE_XFS_QUOTA
+# ifndef Q_XQUOTAON
+# define Q_XQUOTAON Q_QUOTAON
+# endif /* Q_XQUOTAON */
+# ifndef Q_XQUOTAOFF
+# define Q_XQUOTAOFF Q_QUOTAOFF
+# endif /* Q_XQUOTAOFF */
+# ifndef Q_XGETQSTAT
+# define Q_XGETQSTAT Q_GETQSTAT
+# endif /* Q_XGETQSTAT */
+# endif /* HAVE_XFS_QUOTA */
+#endif /* Q_XGETQUOTA */
+
+#ifdef HAVE_XFS_QUOTA
+/* Linux has BBSIZE in <linux/xfs_fs.h>
+ * or <xfs/xfs_fs.h>
+ * IRIX has BBSIZE in <sys/param.h>
+ */
+#ifdef HAVE_LINUX_XFS_FS_H
+#include <linux/xfs_fs.h>
+#elif defined(HAVE_XFS_XFS_FS_H)
+#include <xfs/xfs_fs.h>
+#endif /* *_XFS_FS_H */
+
+#ifndef BBSHIFT
+#define BBSHIFT 9
+#endif /* BBSHIFT */
+#ifndef BBSIZE
+#define BBSIZE (1<<BBSHIFT)
+#endif /* BBSIZE */
+
+#endif /* HAVE_XFS_QUOTA */
+
+#ifdef LINUX
+# ifndef QUOTABLOCK_SIZE
+# define QUOTABLOCK_SIZE 1024
+# endif
+/* end LINUX */
+#elif defined(IRIX6)
+# ifndef QUOTABLOCK_SIZE
+# define QUOTABLOCK_SIZE BBSIZE
+# endif
+/* end IRIX6 */
+#else /* HPUP,... */
+# ifndef QUOTABLOCK_SIZE
+# define QUOTABLOCK_SIZE DEV_BSIZE
+# endif
+#endif /* HPUP,... */
+
+#if !defined(QUOTAFILENAME) && defined(QFILENAME)
+#define QUOTAFILENAME QFILENAME
+#endif
+
+#ifdef INITQFNAMES
+#define USERQUOTAFILE_EXTENSION ".user"
+#else
+#define USERQUOTAFILE_EXTENSION ""
+#endif
+
+/* this check should be before the QCMD fake! */
+#if defined(QCMD)&&defined(GRPQUOTA)
+#define HAVE_GROUP_QUOTA
+#endif
+
+/* on some systems we have to fake this up ...*/
+#ifndef QCMD
+#define QCMD(cmd,type) (cmd)
+#endif /* QCMD */
+
+
+#ifdef HAVE_DQB_FSOFTLIMIT
+#define dqb_isoftlimit dqb_fsoftlimit
+#define dqb_ihardlimit dqb_fhardlimit
+#define dqb_curinodes dqb_curfiles
+#endif
+
+/* maybe we can add a configure test for HAVE_CADDR_T,
+ * but it's not needed
+ */
+#ifdef HAVE_CADDR_T
+#define CADDR_T caddr_t
+#else /* CADDR_T */
+#define CADDR_T void*
+#endif /* CADDR_T */
+
+#if defined(HAVE_MNTENT_H)&&defined(HAVE_SETMNTENT)&&defined(HAVE_GETMNTENT)&&defined(HAVE_ENDMNTENT)
+#include <mntent.h>
+#define HAVE_MNTENT 1
+/*#endif defined(HAVE_MNTENT_H)&&defined(HAVE_SETMNTENT)&&defined(HAVE_GETMNTENT)&&defined(HAVE_ENDMNTENT) */
+#elif defined(HAVE_DEVNM_H)&&defined(HAVE_DEVNM)
+#include <devnm.h>
+#endif /* defined(HAVE_DEVNM_H)&&defined(HAVE_DEVNM) */
+
+#endif /* HAVE_SYS_QUOTAS */
+
+
+#ifndef QUOTABLOCK_SIZE
+#define QUOTABLOCK_SIZE 1024
+#endif
+
+/**************************************************
+ Some stuff for the sys_quota api.
+ **************************************************/
+
+#define SMB_QUOTAS_NO_LIMIT ((SMB_BIG_UINT)(0))
+#define SMB_QUOTAS_NO_SPACE ((SMB_BIG_UINT)(1))
+
+typedef struct _SMB_DISK_QUOTA {
+ enum SMB_QUOTA_TYPE qtype;
+ SMB_BIG_UINT bsize;
+ SMB_BIG_UINT hardlimit; /* In bsize units. */
+ SMB_BIG_UINT softlimit; /* In bsize units. */
+ SMB_BIG_UINT curblocks; /* In bsize units. */
+ SMB_BIG_UINT ihardlimit; /* inode hard limit. */
+ SMB_BIG_UINT isoftlimit; /* inode soft limit. */
+ SMB_BIG_UINT curinodes; /* Current used inodes. */
+ uint32 qflags;
+} SMB_DISK_QUOTA;
+
+#endif /*_SYSQUOTAS_H */
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ VFS wrapper macros
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _VFS_MACROS_H
+#define _VFS_MACROS_H
+
+/*******************************************************************
+ Don't access conn->vfs.ops.* directly!!!
+ Use this macros!
+ (Fixes should go also into the vfs_opaque_* and vfs_next_* macros!)
+********************************************************************/
+
+/* Disk operations */
+#define SMB_VFS_CONNECT(conn, service, user) ((conn)->vfs.ops.connect((conn)->vfs.handles.connect, (conn), (service), (user)))
+#define SMB_VFS_DISCONNECT(conn) ((conn)->vfs.ops.disconnect((conn)->vfs.handles.disconnect, (conn)))
+#define SMB_VFS_DISK_FREE(conn, path, small_query, bsize, dfree ,dsize) ((conn)->vfs.ops.disk_free((conn)->vfs.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
+#define SMB_VFS_GET_QUOTA(conn, qtype, id, qt) ((conn)->vfs.ops.get_quota((conn)->vfs.handles.get_quota, (conn), (qtype), (id), (qt)))
+#define SMB_VFS_SET_QUOTA(conn, qtype, id, qt) ((conn)->vfs.ops.set_quota((conn)->vfs.handles.set_quota, (conn), (qtype), (id), (qt)))
+
+/* Directory operations */
+#define SMB_VFS_OPENDIR(conn, fname) ((conn)->vfs.ops.opendir((conn)->vfs.handles.opendir, (conn), (fname)))
+#define SMB_VFS_READDIR(conn, dirp) ((conn)->vfs.ops.readdir((conn)->vfs.handles.readdir, (conn), (dirp)))
+#define SMB_VFS_MKDIR(conn, path, mode) ((conn)->vfs.ops.mkdir((conn)->vfs.handles.mkdir,(conn), (path), (mode)))
+#define SMB_VFS_RMDIR(conn, path) ((conn)->vfs.ops.rmdir((conn)->vfs.handles.rmdir, (conn), (path)))
+#define SMB_VFS_CLOSEDIR(conn, dir) ((conn)->vfs.ops.closedir((conn)->vfs.handles.closedir, (conn), dir))
+
+/* File operations */
+#define SMB_VFS_OPEN(conn, fname, flags, mode) ((conn)->vfs.ops.open((conn)->vfs.handles.open, (conn), (fname), (flags), (mode)))
+#define SMB_VFS_CLOSE(fsp, fd) ((fsp)->conn->vfs.ops.close((fsp)->conn->vfs.handles.close, (fsp), (fd)))
+#define SMB_VFS_READ(fsp, fd, data, n) ((fsp)->conn->vfs.ops.read((fsp)->conn->vfs.handles.read, (fsp), (fd), (data), (n)))
+#define SMB_VFS_WRITE(fsp, fd, data, n) ((fsp)->conn->vfs.ops.write((fsp)->conn->vfs.handles.write, (fsp), (fd), (data), (n)))
+#define SMB_VFS_LSEEK(fsp, fd, offset, whence) ((fsp)->conn->vfs.ops.lseek((fsp)->conn->vfs.handles.lseek, (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_SENDFILE(tofd, fsp, fromfd, header, offset, count) ((fsp)->conn->vfs.ops.sendfile((fsp)->conn->vfs.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
+#define SMB_VFS_RENAME(conn, old, new) ((conn)->vfs.ops.rename((conn)->vfs.handles.rename, (conn), (old), (new)))
+#define SMB_VFS_FSYNC(fsp, fd) ((fsp)->conn->vfs.ops.fsync((fsp)->conn->vfs.handles.fsync, (fsp), (fd)))
+#define SMB_VFS_STAT(conn, fname, sbuf) ((conn)->vfs.ops.stat((conn)->vfs.handles.stat, (conn), (fname), (sbuf)))
+#define SMB_VFS_FSTAT(fsp, fd, sbuf) ((fsp)->conn->vfs.ops.fstat((fsp)->conn->vfs.handles.fstat, (fsp) ,(fd) ,(sbuf)))
+#define SMB_VFS_LSTAT(conn, path, sbuf) ((conn)->vfs.ops.lstat((conn)->vfs.handles.lstat, (conn), (path), (sbuf)))
+#define SMB_VFS_UNLINK(conn, path) ((conn)->vfs.ops.unlink((conn)->vfs.handles.unlink, (conn), (path)))
+#define SMB_VFS_CHMOD(conn, path, mode) ((conn)->vfs.ops.chmod((conn)->vfs.handles.chmod, (conn), (path), (mode)))
+#define SMB_VFS_FCHMOD(fsp, fd, mode) ((fsp)->conn->vfs.ops.fchmod((fsp)->conn->vfs.handles.fchmod, (fsp), (fd), (mode)))
+#define SMB_VFS_CHOWN(conn, path, uid, gid) ((conn)->vfs.ops.chown((conn)->vfs.handles.chown, (conn), (path), (uid), (gid)))
+#define SMB_VFS_FCHOWN(fsp, fd, uid, gid) ((fsp)->conn->vfs.ops.fchown((fsp)->conn->vfs.handles.fchown, (fsp), (fd), (uid), (gid)))
+#define SMB_VFS_CHDIR(conn, path) ((conn)->vfs.ops.chdir((conn)->vfs.handles.chdir, (conn), (path)))
+#define SMB_VFS_GETWD(conn, buf) ((conn)->vfs.ops.getwd((conn)->vfs.handles.getwd, (conn), (buf)))
+#define SMB_VFS_UTIME(conn, path, times) ((conn)->vfs.ops.utime((conn)->vfs.handles.utime, (conn), (path), (times)))
+#define SMB_VFS_FTRUNCATE(fsp, fd, offset) ((fsp)->conn->vfs.ops.ftruncate((fsp)->conn->vfs.handles.ftruncate, (fsp), (fd), (offset)))
+#define SMB_VFS_LOCK(fsp, fd, op, offset, count, type) ((fsp)->conn->vfs.ops.lock((fsp)->conn->vfs.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
+#define SMB_VFS_SYMLINK(conn, oldpath, newpath) ((conn)->vfs.ops.symlink((conn)->vfs.handles.symlink, (conn), (oldpath), (newpath)))
+#define SMB_VFS_READLINK(conn, path, buf, bufsiz) ((conn)->vfs.ops.readlink((conn)->vfs.handles.readlink, (conn), (path), (buf), (bufsiz)))
+#define SMB_VFS_LINK(conn, oldpath, newpath) ((conn)->vfs.ops.link((conn)->vfs.handles.link, (conn), (oldpath), (newpath)))
+#define SMB_VFS_MKNOD(conn, path, mode, dev) ((conn)->vfs.ops.mknod((conn)->vfs.handles.mknod, (conn), (path), (mode), (dev)))
+#define SMB_VFS_REALPATH(conn, path, resolved_path) ((conn)->vfs.ops.realpath((conn)->vfs.handles.realpath, (conn), (path), (resolved_path)))
+
+/* NT ACL operations. */
+#define SMB_VFS_FGET_NT_ACL(fsp, fd, security_info, ppdesc) ((fsp)->conn->vfs.ops.fget_nt_acl((fsp)->conn->vfs.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
+#define SMB_VFS_GET_NT_ACL(fsp, name, security_info, ppdesc) ((fsp)->conn->vfs.ops.get_nt_acl((fsp)->conn->vfs.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
+#define SMB_VFS_FSET_NT_ACL(fsp, fd, security_info_sent, psd) ((fsp)->conn->vfs.ops.fset_nt_acl((fsp)->conn->vfs.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
+#define SMB_VFS_SET_NT_ACL(fsp, name, security_info_sent, psd) ((fsp)->conn->vfs.ops.set_nt_acl((fsp)->conn->vfs.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
+
+/* POSIX ACL operations. */
+#define SMB_VFS_CHMOD_ACL(conn, name, mode) ((conn)->vfs.ops.chmod_acl((conn)->vfs.handles.chmod_acl, (conn), (name), (mode)))
+#define SMB_VFS_FCHMOD_ACL(fsp, fd, mode) ((fsp)->conn->vfs.ops.fchmod_acl((fsp)->conn->vfs.handles.chmod_acl, (fsp), (fd), (mode)))
+
+#define SMB_VFS_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs.ops.sys_acl_get_entry((conn)->vfs.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
+#define SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs.ops.sys_acl_get_tag_type((conn)->vfs.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
+#define SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry_d, permset_p) ((conn)->vfs.ops.sys_acl_get_permset((conn)->vfs.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
+#define SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry_d) ((conn)->vfs.ops.sys_acl_get_qualifier((conn)->vfs.handles.sys_acl_get_qualifier, (conn), (entry_d)))
+#define SMB_VFS_SYS_ACL_GET_FILE(conn, path_p, type) ((conn)->vfs.ops.sys_acl_get_file((conn)->vfs.handles.sys_acl_get_file, (conn), (path_p), (type)))
+#define SMB_VFS_SYS_ACL_GET_FD(fsp, fd) ((fsp)->conn->vfs.ops.sys_acl_get_fd((fsp)->conn->vfs.handles.sys_acl_get_fd, (fsp), (fd)))
+#define SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, permset) ((conn)->vfs.ops.sys_acl_clear_perms((conn)->vfs.handles.sys_acl_clear_perms, (conn), (permset)))
+#define SMB_VFS_SYS_ACL_ADD_PERM(conn, permset, perm) ((conn)->vfs.ops.sys_acl_add_perm((conn)->vfs.handles.sys_acl_add_perm, (conn), (permset), (perm)))
+#define SMB_VFS_SYS_ACL_TO_TEXT(conn, theacl, plen) ((conn)->vfs.ops.sys_acl_to_text((conn)->vfs.handles.sys_acl_to_text, (conn), (theacl), (plen)))
+#define SMB_VFS_SYS_ACL_INIT(conn, count) ((conn)->vfs.ops.sys_acl_init((conn)->vfs.handles.sys_acl_init, (conn), (count)))
+#define SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, pacl, pentry) ((conn)->vfs.ops.sys_acl_create_entry((conn)->vfs.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
+#define SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, entry, tagtype) ((conn)->vfs.ops.sys_acl_set_tag_type((conn)->vfs.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
+#define SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, entry, qual) ((conn)->vfs.ops.sys_acl_set_qualifier((conn)->vfs.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
+#define SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) ((conn)->vfs.ops.sys_acl_set_permset((conn)->vfs.handles.sys_acl_set_permset, (conn), (entry), (permset)))
+#define SMB_VFS_SYS_ACL_VALID(conn, theacl) ((conn)->vfs.ops.sys_acl_valid((conn)->vfs.handles.sys_acl_valid, (conn), (theacl)))
+#define SMB_VFS_SYS_ACL_SET_FILE(conn, name, acltype, theacl) ((conn)->vfs.ops.sys_acl_set_file((conn)->vfs.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
+#define SMB_VFS_SYS_ACL_SET_FD(fsp, fd, theacl) ((fsp)->conn->vfs.ops.sys_acl_set_fd((fsp)->conn->vfs.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
+#define SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, path) ((conn)->vfs.ops.sys_acl_delete_def_file((conn)->vfs.handles.sys_acl_delete_def_file, (conn), (path)))
+#define SMB_VFS_SYS_ACL_GET_PERM(conn, permset, perm) ((conn)->vfs.ops.sys_acl_get_perm((conn)->vfs.handles.sys_acl_get_perm, (conn), (permset), (perm)))
+#define SMB_VFS_SYS_ACL_FREE_TEXT(conn, text) ((conn)->vfs.ops.sys_acl_free_text((conn)->vfs.handles.sys_acl_free_text, (conn), (text)))
+#define SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl) ((conn)->vfs.ops.sys_acl_free_acl((conn)->vfs.handles.sys_acl_free_acl, (conn), (posix_acl)))
+#define SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, qualifier, tagtype) ((conn)->vfs.ops.sys_acl_free_qualifier((conn)->vfs.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
+
+/* EA operations. */
+#define SMB_VFS_GETXATTR(conn,path,name,value,size) ((conn)->vfs.ops.getxattr((conn)->vfs.handles.getxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_LGETXATTR(conn,path,name,value,size) ((conn)->vfs.ops.lgetxattr((conn)->vfs.handles.lgetxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_FGETXATTR(fsp,fd,name,value,size) ((fsp)->conn->vfs.ops.fgetxattr((fsp)->conn->vfs.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
+#define SMB_VFS_LISTXATTR(conn,path,list,size) ((conn)->vfs.ops.listxattr((conn)->vfs.handles.listxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_LLISTXATTR(conn,path,list,size) ((conn)->vfs.ops.llistxattr((conn)->vfs.handles.llistxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_FLISTXATTR(fsp,fd,list,size) ((fsp)->conn->vfs.ops.flistxattr((fsp)->conn->vfs.handles.flistxattr,(fsp),(fd),(list),(size)))
+#define SMB_VFS_REMOVEXATTR(conn,path,name) ((conn)->vfs.ops.removexattr((conn)->vfs.handles.removexattr,(conn),(path),(name)))
+#define SMB_VFS_LREMOVEXATTR(conn,path,name) ((conn)->vfs.ops.lremovexattr((conn)->vfs.handles.lremovexattr,(conn),(path),(name)))
+#define SMB_VFS_FREMOVEXATTR(fsp,fd,name) ((fsp)->conn->vfs.ops.fremovexattr((fsp)->conn->vfs.handles.fremovexattr,(fsp),(fd),(name)))
+#define SMB_VFS_SETXATTR(conn,path,name,value,size,flags) ((conn)->vfs.ops.setxattr((conn)->vfs.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_LSETXATTR(conn,path,name,value,size,flags) ((conn)->vfs.ops.lsetxattr((conn)->vfs.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_FSETXATTR(fsp,fd,name,value,size,flags) ((fsp)->conn->vfs.ops.fsetxattr((fsp)->conn->vfs.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
+
+/*******************************************************************
+ Don't access conn->vfs_opaque.ops directly!!!
+ Use this macros!
+ (Fixes should also go into the vfs_* and vfs_next_* macros!)
+********************************************************************/
+
+/* Disk operations */
+#define SMB_VFS_OPAQUE_CONNECT(conn, service, user) ((conn)->vfs_opaque.ops.connect((conn)->vfs_opaque.handles.connect, (conn), (service), (user)))
+#define SMB_VFS_OPAQUE_DISCONNECT(conn) ((conn)->vfs_opaque.ops.disconnect((conn)->vfs_opaque.handles.disconnect, (conn)))
+#define SMB_VFS_OPAQUE_DISK_FREE(conn, path, small_query, bsize, dfree ,dsize) ((conn)->vfs_opaque.ops.disk_free((conn)->vfs_opaque.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
+#define SMB_VFS_OPAQUE_GET_QUOTA(conn, qtype, id, qt) ((conn)->vfs_opaque.ops.get_quota((conn)->vfs_opaque.handles.get_quota, (conn), (qtype), (id), (qt)))
+#define SMB_VFS_OPAQUE_SET_QUOTA(conn, qtype, id, qt) ((conn)->vfs_opaque.ops.set_quota((conn)->vfs_opaque.handles.set_quota, (conn), (qtype), (id), (qt)))
+
+/* Directory operations */
+#define SMB_VFS_OPAQUE_OPENDIR(conn, fname) ((conn)->vfs_opaque.ops.opendir((conn)->vfs_opaque.handles.opendir, (conn), (fname)))
+#define SMB_VFS_OPAQUE_READDIR(conn, dirp) ((conn)->vfs_opaque.ops.readdir((conn)->vfs_opaque.handles.readdir, (conn), (dirp)))
+#define SMB_VFS_OPAQUE_MKDIR(conn, path, mode) ((conn)->vfs_opaque.ops.mkdir((conn)->vfs_opaque.handles.mkdir,(conn), (path), (mode)))
+#define SMB_VFS_OPAQUE_RMDIR(conn, path) ((conn)->vfs_opaque.ops.rmdir((conn)->vfs_opaque.handles.rmdir, (conn), (path)))
+#define SMB_VFS_OPAQUE_CLOSEDIR(conn, dir) ((conn)->vfs_opaque.ops.closedir((conn)->vfs_opaque.handles.closedir, (conn), dir))
+
+/* File operations */
+#define SMB_VFS_OPAQUE_OPEN(conn, fname, flags, mode) ((conn)->vfs_opaque.ops.open((conn)->vfs_opaque.handles.open, (conn), (fname), (flags), (mode)))
+#define SMB_VFS_OPAQUE_CLOSE(fsp, fd) ((fsp)->conn->vfs_opaque.ops.close((fsp)->conn->vfs_opaque.handles.close, (fsp), (fd)))
+#define SMB_VFS_OPAQUE_READ(fsp, fd, data, n) ((fsp)->conn->vfs_opaque.ops.read((fsp)->conn->vfs_opaque.handles.read, (fsp), (fd), (data), (n)))
+#define SMB_VFS_OPAQUE_WRITE(fsp, fd, data, n) ((fsp)->conn->vfs_opaque.ops.write((fsp)->conn->vfs_opaque.handles.write, (fsp), (fd), (data), (n)))
+#define SMB_VFS_OPAQUE_LSEEK(fsp, fd, offset, whence) ((fsp)->conn->vfs_opaque.ops.lseek((fsp)->conn->vfs_opaque.handles.lseek, (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_OPAQUE_SENDFILE(tofd, fsp, fromfd, header, offset, count) ((fsp)->conn->vfs_opaque.ops.sendfile((fsp)->conn->vfs_opaque.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
+#define SMB_VFS_OPAQUE_RENAME(conn, old, new) ((conn)->vfs_opaque.ops.rename((conn)->vfs_opaque.handles.rename, (conn), (old), (new)))
+#define SMB_VFS_OPAQUE_FSYNC(fsp, fd) ((fsp)->conn->vfs_opaque.ops.fsync((fsp)->conn->vfs_opaque.handles.fsync, (fsp), (fd)))
+#define SMB_VFS_OPAQUE_STAT(conn, fname, sbuf) ((conn)->vfs_opaque.ops.stat((conn)->vfs_opaque.handles.stat, (conn), (fname), (sbuf)))
+#define SMB_VFS_OPAQUE_FSTAT(fsp, fd, sbuf) ((fsp)->conn->vfs_opaque.ops.fstat((fsp)->conn->vfs_opaque.handles.fstat, (fsp) ,(fd) ,(sbuf)))
+#define SMB_VFS_OPAQUE_LSTAT(conn, path, sbuf) ((conn)->vfs_opaque.ops.lstat((conn)->vfs_opaque.handles.lstat, (conn), (path), (sbuf)))
+#define SMB_VFS_OPAQUE_UNLINK(conn, path) ((conn)->vfs_opaque.ops.unlink((conn)->vfs_opaque.handles.unlink, (conn), (path)))
+#define SMB_VFS_OPAQUE_CHMOD(conn, path, mode) ((conn)->vfs_opaque.ops.chmod((conn)->vfs_opaque.handles.chmod, (conn), (path), (mode)))
+#define SMB_VFS_OPAQUE_FCHMOD(fsp, fd, mode) ((fsp)->conn->vfs_opaque.ops.fchmod((fsp)->conn->vfs_opaque.handles.fchmod, (fsp), (fd), (mode)))
+#define SMB_VFS_OPAQUE_CHOWN(conn, path, uid, gid) ((conn)->vfs_opaque.ops.chown((conn)->vfs_opaque.handles.chown, (conn), (path), (uid), (gid)))
+#define SMB_VFS_OPAQUE_FCHOWN(fsp, fd, uid, gid) ((fsp)->conn->vfs_opaque.ops.fchown((fsp)->conn->vfs_opaque.handles.fchown, (fsp), (fd), (uid), (gid)))
+#define SMB_VFS_OPAQUE_CHDIR(conn, path) ((conn)->vfs_opaque.ops.chdir((conn)->vfs_opaque.handles.chdir, (conn), (path)))
+#define SMB_VFS_OPAQUE_GETWD(conn, buf) ((conn)->vfs_opaque.ops.getwd((conn)->vfs_opaque.handles.getwd, (conn), (buf)))
+#define SMB_VFS_OPAQUE_UTIME(conn, path, times) ((conn)->vfs_opaque.ops.utime((conn)->vfs_opaque.handles.utime, (conn), (path), (times)))
+#define SMB_VFS_OPAQUE_FTRUNCATE(fsp, fd, offset) ((fsp)->conn->vfs_opaque.ops.ftruncate((fsp)->conn->vfs_opaque.handles.ftruncate, (fsp), (fd), (offset)))
+#define SMB_VFS_OPAQUE_LOCK(fsp, fd, op, offset, count, type) ((fsp)->conn->vfs_opaque.ops.lock((fsp)->conn->vfs_opaque.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
+#define SMB_VFS_OPAQUE_SYMLINK(conn, oldpath, newpath) ((conn)->vfs_opaque.ops.symlink((conn)->vfs_opaque.handles.symlink, (conn), (oldpath), (newpath)))
+#define SMB_VFS_OPAQUE_READLINK(conn, path, buf, bufsiz) ((conn)->vfs_opaque.ops.readlink((conn)->vfs_opaque.handles.readlink, (conn), (path), (buf), (bufsiz)))
+#define SMB_VFS_OPAQUE_LINK(conn, oldpath, newpath) ((conn)->vfs_opaque.ops.link((conn)->vfs_opaque.handles.link, (conn), (oldpath), (newpath)))
+#define SMB_VFS_OPAQUE_MKNOD(conn, path, mode, dev) ((conn)->vfs_opaque.ops.mknod((conn)->vfs_opaque.handles.mknod, (conn), (path), (mode), (dev)))
+#define SMB_VFS_OPAQUE_REALPATH(conn, path, resolved_path) ((conn)->vfs_opaque.ops.realpath((conn)->vfs_opaque.handles.realpath, (conn), (path), (resolved_path)))
+
+/* NT ACL operations. */
+#define SMB_VFS_OPAQUE_FGET_NT_ACL(fsp, fd, security_info, ppdesc) ((fsp)->conn->vfs_opaque.ops.fget_nt_acl((fsp)->conn->vfs_opaque.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
+#define SMB_VFS_OPAQUE_GET_NT_ACL(fsp, name, security_info, ppdesc) ((fsp)->conn->vfs_opaque.ops.get_nt_acl((fsp)->conn->vfs_opaque.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
+#define SMB_VFS_OPAQUE_FSET_NT_ACL(fsp, fd, security_info_sent, psd) ((fsp)->conn->vfs_opaque.ops.fset_nt_acl((fsp)->conn->vfs_opaque.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
+#define SMB_VFS_OPAQUE_SET_NT_ACL(fsp, name, security_info_sent, psd) ((fsp)->conn->vfs_opaque.ops.set_nt_acl((fsp)->conn->vfs_opaque.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
+
+/* POSIX ACL operations. */
+#define SMB_VFS_OPAQUE_CHMOD_ACL(conn, name, mode) ((conn)->vfs_opaque.ops.chmod_acl((conn)->vfs_opaque.handles.chmod_acl, (conn), (name), (mode)))
+#define SMB_VFS_OPAQUE_FCHMOD_ACL(fsp, fd, mode) ((fsp)->conn->vfs_opaque.ops.fchmod_acl((fsp)->conn->vfs_opaque.handles.chmod_acl, (fsp), (fd), (mode)))
+
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_ENTRY(conn, theacl, entry_id, entry_p) ((conn)->vfs_opaque.ops.sys_acl_get_entry((conn)->vfs_opaque.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_TAG_TYPE(conn, entry_d, tag_type_p) ((conn)->vfs_opaque.ops.sys_acl_get_tag_type((conn)->vfs_opaque.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_PERMSET(conn, entry_d, permset_p) ((conn)->vfs_opaque.ops.sys_acl_get_permset((conn)->vfs_opaque.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_QUALIFIER(conn, entry_d) ((conn)->vfs_opaque.ops.sys_acl_get_qualifier((conn)->vfs_opaque.handles.sys_acl_get_qualifier, (conn), (entry_d)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_FILE(conn, path_p, type) ((conn)->vfs_opaque.ops.sys_acl_get_file((conn)->vfs_opaque.handles.sys_acl_get_file, (conn), (path_p), (type)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_FD(fsp, fd) ((fsp)->conn->vfs_opaque.ops.sys_acl_get_fd((fsp)->conn->vfs_opaque.handles.sys_acl_get_fd, (fsp), (fd)))
+#define SMB_VFS_OPAQUE_SYS_ACL_CLEAR_PERMS(conn, permset) ((conn)->vfs_opaque.ops.sys_acl_clear_perms((conn)->vfs_opaque.handles.sys_acl_clear_perms, (conn), (permset)))
+#define SMB_VFS_OPAQUE_SYS_ACL_ADD_PERM(conn, permset, perm) ((conn)->vfs_opaque.ops.sys_acl_add_perm((conn)->vfs_opaque.handles.sys_acl_add_perm, (conn), (permset), (perm)))
+#define SMB_VFS_OPAQUE_SYS_ACL_TO_TEXT(conn, theacl, plen) ((conn)->vfs_opaque.ops.sys_acl_to_text((conn)->vfs_opaque.handles.sys_acl_to_text, (conn), (theacl), (plen)))
+#define SMB_VFS_OPAQUE_SYS_ACL_INIT(conn, count) ((conn)->vfs_opaque.ops.sys_acl_init((conn)->vfs_opaque.handles.sys_acl_init, (conn), (count)))
+#define SMB_VFS_OPAQUE_SYS_ACL_CREATE_ENTRY(conn, pacl, pentry) ((conn)->vfs_opaque.ops.sys_acl_create_entry((conn)->vfs_opaque.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
+#define SMB_VFS_OPAQUE_SYS_ACL_SET_TAG_TYPE(conn, entry, tagtype) ((conn)->vfs_opaque.ops.sys_acl_set_tag_type((conn)->vfs_opaque.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
+#define SMB_VFS_OPAQUE_SYS_ACL_SET_QUALIFIER(conn, entry, qual) ((conn)->vfs_opaque.ops.sys_acl_set_qualifier((conn)->vfs_opaque.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
+#define SMB_VFS_OPAQUE_SYS_ACL_SET_PERMSET(conn, entry, permset) ((conn)->vfs_opaque.ops.sys_acl_set_permset((conn)->vfs_opaque.handles.sys_acl_set_permset, (conn), (entry), (permset)))
+#define SMB_VFS_OPAQUE_SYS_ACL_VALID(conn, theacl) ((conn)->vfs_opaque.ops.sys_acl_valid((conn)->vfs_opaque.handles.sys_acl_valid, (conn), (theacl)))
+#define SMB_VFS_OPAQUE_SYS_ACL_SET_FILE(conn, name, acltype, theacl) ((conn)->vfs_opaque.ops.sys_acl_set_file((conn)->vfs_opaque.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
+#define SMB_VFS_OPAQUE_SYS_ACL_SET_FD(fsp, fd, theacl) ((fsp)->conn->vfs_opaque.ops.sys_acl_set_fd((fsp)->conn->vfs_opaque.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
+#define SMB_VFS_OPAQUE_SYS_ACL_DELETE_DEF_FILE(conn, path) ((conn)->vfs_opaque.ops.sys_acl_delete_def_file((conn)->vfs_opaque.handles.sys_acl_delete_def_file, (conn), (path)))
+#define SMB_VFS_OPAQUE_SYS_ACL_GET_PERM(conn, permset, perm) ((conn)->vfs_opaque.ops.sys_acl_get_perm((conn)->vfs_opaque.handles.sys_acl_get_perm, (conn), (permset), (perm)))
+#define SMB_VFS_OPAQUE_SYS_ACL_FREE_TEXT(conn, text) ((conn)->vfs_opaque.ops.sys_acl_free_text((conn)->vfs_opaque.handles.sys_acl_free_text, (conn), (text)))
+#define SMB_VFS_OPAQUE_SYS_ACL_FREE_ACL(conn, posix_acl) ((conn)->vfs_opaque.ops.sys_acl_free_acl((conn)->vfs_opaque.handles.sys_acl_free_acl, (conn), (posix_acl)))
+#define SMB_VFS_OPAQUE_SYS_ACL_FREE_QUALIFIER(conn, qualifier, tagtype) ((conn)->vfs_opaque.ops.sys_acl_free_qualifier((conn)->vfs_opaque.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
+
+/* EA operations. */
+#define SMB_VFS_OPAQUE_GETXATTR(conn,path,name,value,size) ((conn)->vfs_opaque.ops.getxattr((conn)->vfs_opaque.handles.getxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_OPAQUE_LGETXATTR(conn,path,name,value,size) ((conn)->vfs_opaque.ops.lgetxattr((conn)->vfs_opaque.handles.lgetxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_OPAQUE_FGETXATTR(fsp,fd,name,value,size) ((fsp)->conn->vfs_opaque.ops.fgetxattr((fsp)->conn->vfs_opaque.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
+#define SMB_VFS_OPAQUE_LISTXATTR(conn,path,list,size) ((conn)->vfs_opaque.ops.listxattr((conn)->vfs_opaque.handles.listxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_OPAQUE_LLISTXATTR(conn,path,list,size) ((conn)->vfs_opaque.ops.llistxattr((conn)->vfs_opaque.handles.llistxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_OPAQUE_FLISTXATTR(fsp,fd,list,size) ((fsp)->conn->vfs_opaque.ops.flistxattr((fsp)->conn->vfs_opaque.handles.flistxattr,(fsp),(fd),(list),(size)))
+#define SMB_VFS_OPAQUE_REMOVEXATTR(conn,path,name) ((conn)->vfs_opaque.ops.removexattr((conn)->vfs_opaque.handles.removexattr,(conn),(path),(name)))
+#define SMB_VFS_OPAQUE_LREMOVEXATTR(conn,path,name) ((conn)->vfs_opaque.ops.lremovexattr((conn)->vfs_opaque.handles.lremovexattr,(conn),(path),(name)))
+#define SMB_VFS_OPAQUE_FREMOVEXATTR(fsp,fd,name) ((fsp)->conn->vfs_opaque.ops.fremovexattr((fsp)->conn->vfs_opaque.handles.fremovexattr,(fsp),(fd),(name)))
+#define SMB_VFS_OPAQUE_SETXATTR(conn,path,name,value,size,flags) ((conn)->vfs_opaque.ops.setxattr((conn)->vfs_opaque.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_OPAQUE_LSETXATTR(conn,path,name,value,size,flags) ((conn)->vfs_opaque.ops.lsetxattr((conn)->vfs_opaque.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_OPAQUE_FSETXATTR(fsp,fd,name,value,size,flags) ((fsp)->conn->vfs_opaque.ops.fsetxattr((fsp)->conn->vfs_opaque.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
+
+/*******************************************************************
+ Don't access handle->vfs_next.ops.* directly!!!
+ Use this macros!
+ (Fixes should go also into the vfs_* and vfs_opaque_* macros!)
+********************************************************************/
+
+/* Disk operations */
+#define SMB_VFS_NEXT_CONNECT(handle, conn, service, user) ((handle)->vfs_next.ops.connect((handle)->vfs_next.handles.connect, (conn), (service), (user)))
+#define SMB_VFS_NEXT_DISCONNECT(handle, conn) ((handle)->vfs_next.ops.disconnect((handle)->vfs_next.handles.disconnect, (conn)))
+#define SMB_VFS_NEXT_DISK_FREE(handle, conn, path, small_query, bsize, dfree ,dsize) ((handle)->vfs_next.ops.disk_free((handle)->vfs_next.handles.disk_free, (conn), (path), (small_query), (bsize), (dfree), (dsize)))
+#define SMB_VFS_NEXT_GET_QUOTA(handle, conn, qtype, id, qt) ((handle)->vfs_next.ops.get_quota((handle)->vfs_next.handles.get_quota, (conn), (qtype), (id), (qt)))
+#define SMB_VFS_NEXT_SET_QUOTA(handle, conn, qtype, id, qt) ((handle)->vfs_next.ops.set_quota((handle)->vfs_next.handles.set_quota, (conn), (qtype), (id), (qt)))
+
+/* Directory operations */
+#define SMB_VFS_NEXT_OPENDIR(handle, conn, fname) ((handle)->vfs_next.ops.opendir((handle)->vfs_next.handles.opendir, (conn), (fname)))
+#define SMB_VFS_NEXT_READDIR(handle, conn, dirp) ((handle)->vfs_next.ops.readdir((handle)->vfs_next.handles.readdir, (conn), (dirp)))
+#define SMB_VFS_NEXT_MKDIR(handle, conn, path, mode) ((handle)->vfs_next.ops.mkdir((handle)->vfs_next.handles.mkdir,(conn), (path), (mode)))
+#define SMB_VFS_NEXT_RMDIR(handle, conn, path) ((handle)->vfs_next.ops.rmdir((handle)->vfs_next.handles.rmdir, (conn), (path)))
+#define SMB_VFS_NEXT_CLOSEDIR(handle, conn, dir) ((handle)->vfs_next.ops.closedir((handle)->vfs_next.handles.closedir, (conn), dir))
+
+/* File operations */
+#define SMB_VFS_NEXT_OPEN(handle, conn, fname, flags, mode) ((handle)->vfs_next.ops.open((handle)->vfs_next.handles.open, (conn), (fname), (flags), (mode)))
+#define SMB_VFS_NEXT_CLOSE(handle, fsp, fd) ((handle)->vfs_next.ops.close((handle)->vfs_next.handles.close, (fsp), (fd)))
+#define SMB_VFS_NEXT_READ(handle, fsp, fd, data, n) ((handle)->vfs_next.ops.read((handle)->vfs_next.handles.read, (fsp), (fd), (data), (n)))
+#define SMB_VFS_NEXT_WRITE(handle, fsp, fd, data, n) ((handle)->vfs_next.ops.write((handle)->vfs_next.handles.write, (fsp), (fd), (data), (n)))
+#define SMB_VFS_NEXT_LSEEK(handle, fsp, fd, offset, whence) ((handle)->vfs_next.ops.lseek((handle)->vfs_next.handles.lseek, (fsp), (fd), (offset), (whence)))
+#define SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, fromfd, header, offset, count) ((handle)->vfs_next.ops.sendfile((handle)->vfs_next.handles.sendfile, (tofd), (fsp), (fromfd), (header), (offset), (count)))
+#define SMB_VFS_NEXT_RENAME(handle, conn, old, new) ((handle)->vfs_next.ops.rename((handle)->vfs_next.handles.rename, (conn), (old), (new)))
+#define SMB_VFS_NEXT_FSYNC(handle, fsp, fd) ((handle)->vfs_next.ops.fsync((handle)->vfs_next.handles.fsync, (fsp), (fd)))
+#define SMB_VFS_NEXT_STAT(handle, conn, fname, sbuf) ((handle)->vfs_next.ops.stat((handle)->vfs_next.handles.stat, (conn), (fname), (sbuf)))
+#define SMB_VFS_NEXT_FSTAT(handle, fsp, fd, sbuf) ((handle)->vfs_next.ops.fstat((handle)->vfs_next.handles.fstat, (fsp) ,(fd) ,(sbuf)))
+#define SMB_VFS_NEXT_LSTAT(handle, conn, path, sbuf) ((handle)->vfs_next.ops.lstat((handle)->vfs_next.handles.lstat, (conn), (path), (sbuf)))
+#define SMB_VFS_NEXT_UNLINK(handle, conn, path) ((handle)->vfs_next.ops.unlink((handle)->vfs_next.handles.unlink, (conn), (path)))
+#define SMB_VFS_NEXT_CHMOD(handle, conn, path, mode) ((handle)->vfs_next.ops.chmod((handle)->vfs_next.handles.chmod, (conn), (path), (mode)))
+#define SMB_VFS_NEXT_FCHMOD(handle, fsp, fd, mode) ((handle)->vfs_next.ops.fchmod((handle)->vfs_next.handles.fchmod, (fsp), (fd), (mode)))
+#define SMB_VFS_NEXT_CHOWN(handle, conn, path, uid, gid) ((handle)->vfs_next.ops.chown((handle)->vfs_next.handles.chown, (conn), (path), (uid), (gid)))
+#define SMB_VFS_NEXT_FCHOWN(handle, fsp, fd, uid, gid) ((handle)->vfs_next.ops.fchown((handle)->vfs_next.handles.fchown, (fsp), (fd), (uid), (gid)))
+#define SMB_VFS_NEXT_CHDIR(handle, conn, path) ((handle)->vfs_next.ops.chdir((handle)->vfs_next.handles.chdir, (conn), (path)))
+#define SMB_VFS_NEXT_GETWD(handle, conn, buf) ((handle)->vfs_next.ops.getwd((handle)->vfs_next.handles.getwd, (conn), (buf)))
+#define SMB_VFS_NEXT_UTIME(handle, conn, path, times) ((handle)->vfs_next.ops.utime((handle)->vfs_next.handles.utime, (conn), (path), (times)))
+#define SMB_VFS_NEXT_FTRUNCATE(handle, fsp, fd, offset) ((handle)->vfs_next.ops.ftruncate((handle)->vfs_next.handles.ftruncate, (fsp), (fd), (offset)))
+#define SMB_VFS_NEXT_LOCK(handle, fsp, fd, op, offset, count, type) ((handle)->vfs_next.ops.lock((handle)->vfs_next.handles.lock, (fsp), (fd) ,(op), (offset), (count), (type)))
+#define SMB_VFS_NEXT_SYMLINK(handle, conn, oldpath, newpath) ((handle)->vfs_next.ops.symlink((handle)->vfs_next.handles.symlink, (conn), (oldpath), (newpath)))
+#define SMB_VFS_NEXT_READLINK(handle, conn, path, buf, bufsiz) ((handle)->vfs_next.ops.readlink((handle)->vfs_next.handles.readlink, (conn), (path), (buf), (bufsiz)))
+#define SMB_VFS_NEXT_LINK(handle, conn, oldpath, newpath) ((handle)->vfs_next.ops.link((handle)->vfs_next.handles.link, (conn), (oldpath), (newpath)))
+#define SMB_VFS_NEXT_MKNOD(handle, conn, path, mode, dev) ((handle)->vfs_next.ops.mknod((handle)->vfs_next.handles.mknod, (conn), (path), (mode), (dev)))
+#define SMB_VFS_NEXT_REALPATH(handle, conn, path, resolved_path) ((handle)->vfs_next.ops.realpath((handle)->vfs_next.handles.realpath, (conn), (path), (resolved_path)))
+
+/* NT ACL operations. */
+#define SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, fd, security_info, ppdesc) ((handle)->vfs_next.ops.fget_nt_acl((handle)->vfs_next.handles.fget_nt_acl, (fsp), (fd), (security_info), (ppdesc)))
+#define SMB_VFS_NEXT_GET_NT_ACL(handle, fsp, name, security_info, ppdesc) ((handle)->vfs_next.ops.get_nt_acl((handle)->vfs_next.handles.get_nt_acl, (fsp), (name), (security_info), (ppdesc)))
+#define SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, fd, security_info_sent, psd) ((handle)->vfs_next.ops.fset_nt_acl((handle)->vfs_next.handles.fset_nt_acl, (fsp), (fd), (security_info_sent), (psd)))
+#define SMB_VFS_NEXT_SET_NT_ACL(handle, fsp, name, security_info_sent, psd) ((handle)->vfs_next.ops.set_nt_acl((handle)->vfs_next.handles.set_nt_acl, (fsp), (name), (security_info_sent), (psd)))
+
+/* POSIX ACL operations. */
+#define SMB_VFS_NEXT_CHMOD_ACL(handle, conn, name, mode) ((handle)->vfs_next.ops.chmod_acl((handle)->vfs_next.handles.chmod_acl, (conn), (name), (mode)))
+#define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, fd, mode) ((handle)->vfs_next.ops.fchmod_acl((handle)->vfs_next.handles.chmod_acl, (fsp), (fd), (mode)))
+
+#define SMB_VFS_NEXT_SYS_ACL_GET_ENTRY(handle, conn, theacl, entry_id, entry_p) ((handle)->vfs_next.ops.sys_acl_get_entry((handle)->vfs_next.handles.sys_acl_get_entry, (conn), (theacl), (entry_id), (entry_p)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_TAG_TYPE(handle, conn, entry_d, tag_type_p) ((handle)->vfs_next.ops.sys_acl_get_tag_type((handle)->vfs_next.handles.sys_acl_get_tag_type, (conn), (entry_d), (tag_type_p)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_PERMSET(handle, conn, entry_d, permset_p) ((handle)->vfs_next.ops.sys_acl_get_permset((handle)->vfs_next.handles.sys_acl_get_permset, (conn), (entry_d), (permset_p)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_QUALIFIER(handle, conn, entry_d) ((handle)->vfs_next.ops.sys_acl_get_qualifier((handle)->vfs_next.handles.sys_acl_get_qualifier, (conn), (entry_d)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_FILE(handle, conn, path_p, type) ((handle)->vfs_next.ops.sys_acl_get_file((handle)->vfs_next.handles.sys_acl_get_file, (conn), (path_p), (type)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, fd) ((handle)->vfs_next.ops.sys_acl_get_fd((handle)->vfs_next.handles.sys_acl_get_fd, (fsp), (fd)))
+#define SMB_VFS_NEXT_SYS_ACL_CLEAR_PERMS(handle, conn, permset) ((handle)->vfs_next.ops.sys_acl_clear_perms((handle)->vfs_next.handles.sys_acl_clear_perms, (conn), (permset)))
+#define SMB_VFS_NEXT_SYS_ACL_ADD_PERM(handle, conn, permset, perm) ((handle)->vfs_next.ops.sys_acl_add_perm((handle)->vfs_next.handles.sys_acl_add_perm, (conn), (permset), (perm)))
+#define SMB_VFS_NEXT_SYS_ACL_TO_TEXT(handle, conn, theacl, plen) ((handle)->vfs_next.ops.sys_acl_to_text((handle)->vfs_next.handles.sys_acl_to_text, (conn), (theacl), (plen)))
+#define SMB_VFS_NEXT_SYS_ACL_INIT(handle, conn, count) ((handle)->vfs_next.ops.sys_acl_init((handle)->vfs_next.handles.sys_acl_init, (conn), (count)))
+#define SMB_VFS_NEXT_SYS_ACL_CREATE_ENTRY(handle, conn, pacl, pentry) ((handle)->vfs_next.ops.sys_acl_create_entry((handle)->vfs_next.handles.sys_acl_create_entry, (conn), (pacl), (pentry)))
+#define SMB_VFS_NEXT_SYS_ACL_SET_TAG_TYPE(handle, conn, entry, tagtype) ((handle)->vfs_next.ops.sys_acl_set_tag_type((handle)->vfs_next.handles.sys_acl_set_tag_type, (conn), (entry), (tagtype)))
+#define SMB_VFS_NEXT_SYS_ACL_SET_QUALIFIER(handle, conn, entry, qual) ((handle)->vfs_next.ops.sys_acl_set_qualifier((handle)->vfs_next.handles.sys_acl_set_qualifier, (conn), (entry), (qual)))
+#define SMB_VFS_NEXT_SYS_ACL_SET_PERMSET(handle, conn, entry, permset) ((handle)->vfs_next.ops.sys_acl_set_permset((handle)->vfs_next.handles.sys_acl_set_permset, (conn), (entry), (permset)))
+#define SMB_VFS_NEXT_SYS_ACL_VALID(handle, conn, theacl) ((handle)->vfs_next.ops.sys_acl_valid((handle)->vfs_next.handles.sys_acl_valid, (conn), (theacl)))
+#define SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle, conn, name, acltype, theacl) ((handle)->vfs_next.ops.sys_acl_set_file((handle)->vfs_next.handles.sys_acl_set_file, (conn), (name), (acltype), (theacl)))
+#define SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, fd, theacl) ((handle)->vfs_next.ops.sys_acl_set_fd((handle)->vfs_next.handles.sys_acl_set_fd, (fsp), (fd), (theacl)))
+#define SMB_VFS_NEXT_SYS_ACL_DELETE_DEF_FILE(handle, conn, path) ((handle)->vfs_next.ops.sys_acl_delete_def_file((handle)->vfs_next.handles.sys_acl_delete_def_file, (conn), (path)))
+#define SMB_VFS_NEXT_SYS_ACL_GET_PERM(handle, conn, permset, perm) ((handle)->vfs_next.ops.sys_acl_get_perm((handle)->vfs_next.handles.sys_acl_get_perm, (conn), (permset), (perm)))
+#define SMB_VFS_NEXT_SYS_ACL_FREE_TEXT(handle, conn, text) ((handle)->vfs_next.ops.sys_acl_free_text((handle)->vfs_next.handles.sys_acl_free_text, (conn), (text)))
+#define SMB_VFS_NEXT_SYS_ACL_FREE_ACL(handle, conn, posix_acl) ((handle)->vfs_next.ops.sys_acl_free_acl((handle)->vfs_next.handles.sys_acl_free_acl, (conn), (posix_acl)))
+#define SMB_VFS_NEXT_SYS_ACL_FREE_QUALIFIER(handle, conn, qualifier, tagtype) ((handle)->vfs_next.ops.sys_acl_free_qualifier((handle)->vfs_next.handles.sys_acl_free_qualifier, (conn), (qualifier), (tagtype)))
+
+/* EA operations. */
+#define SMB_VFS_NEXT_GETXATTR(handle,conn,path,name,value,size) ((handle)->vfs_next.ops.getxattr((handle)->vfs_next.handles.getxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_NEXT_LGETXATTR(handle,conn,path,name,value,size) ((handle)->vfs_next.ops.lgetxattr((handle)->vfs_next.handles.lgetxattr,(conn),(path),(name),(value),(size)))
+#define SMB_VFS_NEXT_FGETXATTR(handle,fsp,fd,name,value,size) ((handle)->vfs_next.ops.fgetxattr((handle)->vfs_next.handles.fgetxattr,(fsp),(fd),(name),(value),(size)))
+#define SMB_VFS_NEXT_LISTXATTR(handle,conn,path,list,size) ((handle)->vfs_next.ops.listxattr((handle)->vfs_next.handles.listxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_NEXT_LLISTXATTR(handle,conn,path,list,size) ((handle)->vfs_next.ops.llistxattr((handle)->vfs_next.handles.llistxattr,(conn),(path),(list),(size)))
+#define SMB_VFS_NEXT_FLISTXATTR(handle,fsp,fd,list,size) ((handle)->vfs_next.ops.flistxattr((handle)->vfs_next.handles.flistxattr,(fsp),(fd),(list),(size)))
+#define SMB_VFS_NEXT_REMOVEXATTR(handle,conn,path,name) ((handle)->vfs_next.ops.removexattr((handle)->vfs_next.handles.removexattr,(conn),(path),(name)))
+#define SMB_VFS_NEXT_LREMOVEXATTR(handle,conn,path,name) ((handle)->vfs_next.ops.lremovexattr((handle)->vfs_next.handles.lremovexattr,(conn),(path),(name)))
+#define SMB_VFS_NEXT_FREMOVEXATTR(handle,fsp,fd,name) ((handle)->vfs_next.ops.fremovexattr((handle)->vfs_next.handles.fremovexattr,(fsp),(fd),(name)))
+#define SMB_VFS_NEXT_SETXATTR(handle,conn,path,name,value,size,flags) ((handle)->vfs_next.ops.setxattr((handle)->vfs_next.handles.setxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_NEXT_LSETXATTR(handle,conn,path,name,value,size,flags) ((handle)->vfs_next.ops.lsetxattr((handle)->vfs_next.handles.lsetxattr,(conn),(path),(name),(value),(size),(flags)))
+#define SMB_VFS_NEXT_FSETXATTR(handle,fsp,fd,name,value,size,flags) ((handle)->vfs_next.ops.fsetxattr((handle)->vfs_next.handles.fsetxattr,(fsp),(fd),(name),(value),(size),(flags)))
+
+#endif /* _VFS_MACROS_H */
--- /dev/null
+/*
+ Unix SMB/CIFS mplementation.
+ LDAP protocol helper functions for SAMBA
+ Copyright (C) Jean François Micouleau 1998
+ Copyright (C) Gerald Carter 2001-2003
+ Copyright (C) Shahms King 2001
+ Copyright (C) Andrew Bartlett 2002-2003
+ Copyright (C) Stefan (metze) Metzmacher 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#include "includes.h"
+#include "smbldap.h"
+
+#ifndef LDAP_OPT_SUCCESS
+#define LDAP_OPT_SUCCESS 0
+#endif
+
+/* Try not to hit the up or down server forever */
+
+#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
+#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
+
+
+/* attributes used by Samba 2.2 */
+
+ATTRIB_MAP_ENTRY attrib_map_v22[] = {
+ { LDAP_ATTR_UID, "uid" },
+ { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
+ { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
+ { LDAP_ATTR_UNIX_HOME, "homeDirectory" },
+ { LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
+ { LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
+ { LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
+ { LDAP_ATTR_LOGON_TIME, "logonTime" },
+ { LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
+ { LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
+ { LDAP_ATTR_CN, "cn" },
+ { LDAP_ATTR_DISPLAY_NAME, "displayName" },
+ { LDAP_ATTR_HOME_PATH, "smbHome" },
+ { LDAP_ATTR_HOME_DRIVE, "homeDrives" },
+ { LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
+ { LDAP_ATTR_PROFILE_PATH, "profilePath" },
+ { LDAP_ATTR_DESC, "description" },
+ { LDAP_ATTR_USER_WKS, "userWorkstations"},
+ { LDAP_ATTR_USER_RID, "rid" },
+ { LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
+ { LDAP_ATTR_LMPW, "lmPassword" },
+ { LDAP_ATTR_NTPW, "ntPassword" },
+ { LDAP_ATTR_DOMAIN, "domain" },
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_ACB_INFO, "acctFlags" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+/* attributes used by Samba 3.0's sambaSamAccount */
+
+ATTRIB_MAP_ENTRY attrib_map_v30[] = {
+ { LDAP_ATTR_UID, "uid" },
+ { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
+ { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
+ { LDAP_ATTR_UNIX_HOME, "homeDirectory" },
+ { LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
+ { LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
+ { LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
+ { LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
+ { LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
+ { LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
+ { LDAP_ATTR_CN, "cn" },
+ { LDAP_ATTR_DISPLAY_NAME, "displayName" },
+ { LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
+ { LDAP_ATTR_HOME_PATH, "sambaHomePath" },
+ { LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
+ { LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
+ { LDAP_ATTR_DESC, "description" },
+ { LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
+ { LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
+ { LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
+ { LDAP_ATTR_LMPW, "sambaLMPassword" },
+ { LDAP_ATTR_NTPW, "sambaNTPassword" },
+ { LDAP_ATTR_DOMAIN, "sambaDomainName" },
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+/* attributes used for alalocating RIDs */
+
+ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
+ { LDAP_ATTR_DOMAIN, "sambaDomainName" },
+ { LDAP_ATTR_NEXT_RID, "sambaNextRid" },
+ { LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
+ { LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
+ { LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
+ { LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_LIST_END, NULL },
+};
+
+/* Samba 3.0 group mapping attributes */
+
+ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
+ { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
+ { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
+ { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
+ { LDAP_ATTR_DESC, "description" },
+ { LDAP_ATTR_DISPLAY_NAME, "displayName" },
+ { LDAP_ATTR_CN, "cn" },
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
+ { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
+ { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
+ { LDAP_ATTR_DESC, "description" },
+ { LDAP_ATTR_DISPLAY_NAME, "displayName" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+/* idmap_ldap sambaUnixIdPool */
+
+ATTRIB_MAP_ENTRY idpool_attr_list[] = {
+ { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
+ { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
+ { LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
+ { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
+ { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
+ { LDAP_ATTR_OBJCLASS, "objectClass" },
+ { LDAP_ATTR_LIST_END, NULL }
+};
+
+/**********************************************************************
+ perform a simple table lookup and return the attribute name
+ **********************************************************************/
+
+ const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
+{
+ int i = 0;
+
+ while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+ if ( table[i].attrib == key )
+ return table[i].name;
+ i++;
+ }
+
+ return NULL;
+}
+
+
+/**********************************************************************
+ Return the list of attribute names from a mapping table
+ **********************************************************************/
+
+ char** get_attr_list( ATTRIB_MAP_ENTRY table[] )
+{
+ char **names;
+ int i = 0;
+
+ while ( table[i].attrib != LDAP_ATTR_LIST_END )
+ i++;
+ i++;
+
+ names = (char**)malloc( sizeof(char*)*i );
+ if ( !names ) {
+ DEBUG(0,("get_attr_list: out of memory\n"));
+ return NULL;
+ }
+
+ i = 0;
+ while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+ names[i] = strdup( table[i].name );
+ i++;
+ }
+ names[i] = NULL;
+
+ return names;
+}
+
+/*********************************************************************
+ Cleanup
+ ********************************************************************/
+
+ void free_attr_list( char **list )
+{
+ int i = 0;
+
+ if ( !list )
+ return;
+
+ while ( list[i] ) {
+ SAFE_FREE( list[i] );
+ i+=1;
+ }
+
+ SAFE_FREE( list );
+}
+
+/*******************************************************************
+ find the ldap password
+******************************************************************/
+BOOL fetch_ldap_pw(char **dn, char** pw)
+{
+ char *key = NULL;
+ size_t size;
+
+ *dn = smb_xstrdup(lp_ldap_admin_dn());
+
+ if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
+ SAFE_FREE(*dn);
+ DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
+ }
+
+ *pw=secrets_fetch(key, &size);
+ SAFE_FREE(key);
+
+ if (!size) {
+ /* Upgrade 2.2 style entry */
+ char *p;
+ char* old_style_key = strdup(*dn);
+ char *data;
+ fstring old_style_pw;
+
+ if (!old_style_key) {
+ DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
+ return False;
+ }
+
+ for (p=old_style_key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ data=secrets_fetch(old_style_key, &size);
+ if (!size && size < sizeof(old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+
+ strncpy(old_style_pw, data, size);
+ old_style_pw[size] = 0;
+
+ SAFE_FREE(data);
+
+ if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+ if (!secrets_delete(old_style_key)) {
+ DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
+ }
+
+ SAFE_FREE(old_style_key);
+
+ *pw = smb_xstrdup(old_style_pw);
+ }
+
+ return True;
+}
+
+/*******************************************************************
+search an attribute and return the first value found.
+******************************************************************/
+ BOOL smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
+ const char *attribute, pstring value)
+{
+ char **values;
+
+ if ( !attribute )
+ return False;
+
+ value[0] = '\0';
+
+ if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
+ DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
+
+ return False;
+ }
+
+ if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, sizeof(pstring)) == (size_t)-1)
+ {
+ DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
+ attribute, values[0]));
+ ldap_value_free(values);
+ return False;
+ }
+
+ ldap_value_free(values);
+#ifdef DEBUG_PASSWORDS
+ DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
+#endif
+ return True;
+}
+
+/************************************************************************
+ Routine to manage the LDAPMod structure array
+ manage memory used by the array, by each struct, and values
+ ***********************************************************************/
+
+ void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
+{
+ LDAPMod **mods;
+ int i;
+ int j;
+
+ mods = *modlist;
+
+ /* sanity checks on the mod values */
+
+ if (attribute == NULL || *attribute == '\0')
+ return;
+#if 0 /* commented out after discussion with abartlet. Do not reenable.
+ left here so other so re-add similar code --jerry */
+ if (value == NULL || *value == '\0')
+ return;
+#endif
+
+ if (mods == NULL)
+ {
+ mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[0] = NULL;
+ }
+
+ for (i = 0; mods[i] != NULL; ++i) {
+ if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
+ break;
+ }
+
+ if (mods[i] == NULL)
+ {
+ mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+ if (mods[i] == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i]->mod_op = modop;
+ mods[i]->mod_values = NULL;
+ mods[i]->mod_type = strdup(attribute);
+ mods[i + 1] = NULL;
+ }
+
+ if (value != NULL)
+ {
+ char *utf8_value = NULL;
+
+ j = 0;
+ if (mods[i]->mod_values != NULL) {
+ for (; mods[i]->mod_values[j] != NULL; j++);
+ }
+ mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
+ (j + 2) * sizeof (char *));
+
+ if (mods[i]->mod_values == NULL) {
+ DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
+ return;
+ }
+
+ if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
+ DEBUG (0, ("make_a_mod: String conversion failure!\n"));
+ return;
+ }
+
+ mods[i]->mod_values[j] = utf8_value;
+
+ mods[i]->mod_values[j + 1] = NULL;
+ }
+ *modlist = mods;
+}
+
+
+/**********************************************************************
+ Set attribute to newval in LDAP, regardless of what value the
+ attribute had in LDAP before.
+*********************************************************************/
+ void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
+ LDAPMod ***mods,
+ const char *attribute, const char *newval)
+{
+ char **values = NULL;
+
+ if (existing != NULL) {
+ values = ldap_get_values(ldap_struct, existing, attribute);
+ }
+
+ /* all of our string attributes are case insensitive */
+
+ if ((values != NULL) && (values[0] != NULL) &&
+ StrCaseCmp(values[0], newval) == 0)
+ {
+
+ /* Believe it or not, but LDAP will deny a delete and
+ an add at the same time if the values are the
+ same... */
+
+ ldap_value_free(values);
+ return;
+ }
+
+ /* Regardless of the real operation (add or modify)
+ we add the new value here. We rely on deleting
+ the old value, should it exist. */
+
+ if ((newval != NULL) && (strlen(newval) > 0)) {
+ smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
+ }
+
+ if (values == NULL) {
+ /* There has been no value before, so don't delete it.
+ Here's a possible race: We might end up with
+ duplicate attributes */
+ return;
+ }
+
+ /* By deleting exactly the value we found in the entry this
+ should be race-free in the sense that the LDAP-Server will
+ deny the complete operation if somebody changed the
+ attribute behind our back. */
+
+ smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
+ ldap_value_free(values);
+}
+
+
+/**********************************************************************
+ Some varients of the LDAP rebind code do not pass in the third 'arg'
+ pointer to a void*, so we try and work around it by assuming that the
+ value of the 'LDAP *' pointer is the same as the one we had passed in
+ **********************************************************************/
+
+struct smbldap_state_lookup {
+ LDAP *ld;
+ struct smbldap_state *smbldap_state;
+ struct smbldap_state_lookup *prev, *next;
+};
+
+static struct smbldap_state_lookup *smbldap_state_lookup_list;
+
+static struct smbldap_state *smbldap_find_state(LDAP *ld)
+{
+ struct smbldap_state_lookup *t;
+
+ for (t = smbldap_state_lookup_list; t; t = t->next) {
+ if (t->ld == ld) {
+ return t->smbldap_state;
+ }
+ }
+ return NULL;
+}
+
+static void smbldap_delete_state(struct smbldap_state *smbldap_state)
+{
+ struct smbldap_state_lookup *t;
+
+ for (t = smbldap_state_lookup_list; t; t = t->next) {
+ if (t->smbldap_state == smbldap_state) {
+ DLIST_REMOVE(smbldap_state_lookup_list, t);
+ SAFE_FREE(t);
+ return;
+ }
+ }
+}
+
+static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
+{
+ struct smbldap_state *tmp_ldap_state;
+ struct smbldap_state_lookup *t;
+ struct smbldap_state_lookup *tmp;
+
+ if ((tmp_ldap_state = smbldap_find_state(ld))) {
+ SMB_ASSERT(tmp_ldap_state == smbldap_state);
+ return;
+ }
+
+ t = smb_xmalloc(sizeof(*t));
+ ZERO_STRUCTP(t);
+
+ DLIST_ADD_END(smbldap_state_lookup_list, t, tmp);
+ t->ld = ld;
+ t->smbldap_state = smbldap_state;
+}
+
+/*******************************************************************
+ open a connection to the ldap server.
+******************************************************************/
+static int smbldap_open_connection (struct smbldap_state *ldap_state)
+
+{
+ int rc = LDAP_SUCCESS;
+ int version;
+ BOOL ldap_v3 = False;
+ LDAP **ldap_struct = &ldap_state->ldap_struct;
+
+#ifdef HAVE_LDAP_INITIALIZE
+ DEBUG(10, ("smbldap_open_connection: %s\n", ldap_state->uri));
+
+ if ((rc = ldap_initialize(ldap_struct, ldap_state->uri)) != LDAP_SUCCESS) {
+ DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+ return rc;
+ }
+#else
+
+ /* Parse the string manually */
+
+ {
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ const char *p = ldap_state->uri;
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+ /* skip leading "URL:" (if any) */
+ if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
+ p += 4;
+ }
+
+ sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
+
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+ }
+ }
+
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+#else
+ DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+ }
+#endif
+
+ /* Store the LDAP pointer in a lookup list */
+
+ smbldap_store_state(*ldap_struct, ldap_state);
+
+ /* Upgrade to LDAPv3 if possible */
+
+ if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
+ {
+ if (version != LDAP_VERSION3)
+ {
+ version = LDAP_VERSION3;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) {
+ ldap_v3 = True;
+ }
+ } else {
+ ldap_v3 = True;
+ }
+ }
+
+ if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
+#ifdef LDAP_OPT_X_TLS
+ if (ldap_v3) {
+ if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
+ ldap_err2string(rc)));
+ return rc;
+ }
+ DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
+ } else {
+
+ DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+#else
+ DEBUG(0,("smbldap_open_connection: StartTLS not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+
+ DEBUG(2, ("smbldap_open_connection: connection opened\n"));
+ return rc;
+}
+
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
+ int *methodp, int freeit, void *arg)
+{
+ struct smbldap_state *ldap_state = arg;
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ if (freeit) {
+ SAFE_FREE(*whop);
+ memset(*credp, '\0', strlen(*credp));
+ SAFE_FREE(*credp);
+ } else {
+ DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ *whop = strdup(ldap_state->bind_dn);
+ if (!*whop) {
+ return LDAP_NO_MEMORY;
+ }
+ *credp = strdup(ldap_state->bind_secret);
+ if (!*credp) {
+ SAFE_FREE(*whop);
+ return LDAP_NO_MEMORY;
+ }
+ *methodp = LDAP_AUTH_SIMPLE;
+ }
+ return 0;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+ and actually does the connection.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int rebindproc_connect_with_state (LDAP *ldap_struct,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid, void *arg)
+{
+ struct smbldap_state *ldap_state = arg;
+ int rc;
+ DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+
+ return rc;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ Add a rebind function for authenticated referrals
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
+ int *method, int freeit )
+{
+ struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
+
+ return rebindproc_with_state(ldap_struct, whop, credp,
+ method, freeit, ldap_state);
+
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ this also does the connection, but no void*.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
+ ber_int_t msgid)
+{
+ struct smbldap_state *ldap_state = smbldap_find_state(ld);
+
+ return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
+ ldap_state);
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ connect to the ldap server under system privilege.
+******************************************************************/
+static int smbldap_connect_system(struct smbldap_state *ldap_state, LDAP * ldap_struct)
+{
+ int rc;
+ char *ldap_dn;
+ char *ldap_secret;
+
+ /* get the password */
+ if (!fetch_ldap_pw(&ldap_dn, &ldap_secret))
+ {
+ DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+
+ ldap_state->bind_dn = ldap_dn;
+ ldap_state->bind_secret = ldap_secret;
+
+ /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
+ (OpenLDAP) doesnt' seem to support it */
+
+ DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
+ ldap_state->uri, ldap_dn));
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
+# endif
+#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
+# endif
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_dn, ldap_secret);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(ldap_state->num_failures ? 2 : 0,
+ ("failed to bind to server with dn= %s Error: %s\n\t%s\n",
+ ldap_dn ? ldap_dn : "(unknown)", ldap_err2string(rc),
+ ld_error ? ld_error : "(unknown)"));
+ SAFE_FREE(ld_error);
+ ldap_state->num_failures++;
+ return rc;
+ }
+
+ ldap_state->num_failures = 0;
+
+ DEBUG(3, ("ldap_connect_system: succesful connection to the LDAP server\n"));
+ return rc;
+}
+
+/**********************************************************************
+Connect to LDAP server (called before every ldap operation)
+*********************************************************************/
+static int smbldap_open(struct smbldap_state *ldap_state)
+{
+ int rc;
+ SMB_ASSERT(ldap_state);
+
+#ifndef NO_LDAP_SECURITY
+ if (geteuid() != 0) {
+ DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
+ return LDAP_INSUFFICIENT_ACCESS;
+ }
+#endif
+
+ if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
+ struct sockaddr_un addr;
+ socklen_t len = sizeof(addr);
+ int sd;
+ if (ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd) == 0 &&
+ getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+ /* the other end has died. reopen. */
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ ldap_state->last_ping = (time_t)0;
+ } else {
+ ldap_state->last_ping = time(NULL);
+ }
+ }
+
+ if (ldap_state->ldap_struct != NULL) {
+ DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
+ return LDAP_SUCCESS;
+ }
+
+ if ((rc = smbldap_open_connection(ldap_state))) {
+ return rc;
+ }
+
+ if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ return rc;
+ }
+
+
+ ldap_state->last_ping = time(NULL);
+ DEBUG(4,("The LDAP server is succesful connected\n"));
+
+ return LDAP_SUCCESS;
+}
+
+/**********************************************************************
+Disconnect from LDAP server
+*********************************************************************/
+static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
+{
+ if (!ldap_state)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ if (ldap_state->ldap_struct != NULL) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ }
+
+ smbldap_delete_state(ldap_state);
+
+ DEBUG(5,("The connection to the LDAP server was closed\n"));
+ /* maybe free the results here --metze */
+
+
+
+ return NT_STATUS_OK;
+}
+
+int smbldap_retry_open(struct smbldap_state *ldap_state, int *attempts)
+{
+ int rc;
+
+ SMB_ASSERT(ldap_state && attempts);
+
+ if (*attempts != 0) {
+ unsigned int sleep_time;
+ uint8 rand_byte;
+
+ /* Sleep for a random timeout */
+ rand_byte = (char)(sys_random());
+
+ sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2;
+ /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds
+ on average.
+ */
+ DEBUG(3, ("Sleeping for %u milliseconds before reconnecting\n",
+ sleep_time));
+ msleep(sleep_time);
+ }
+ (*attempts)++;
+
+ if ((rc = smbldap_open(ldap_state))) {
+ DEBUG(1,("Connection to LDAP Server failed for the %d try!\n",*attempts));
+ return rc;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+
+/*********************************************************************
+ ********************************************************************/
+
+int smbldap_search(struct smbldap_state *ldap_state,
+ const char *base, int scope, const char *filter,
+ char *attrs[], int attrsonly,
+ LDAPMessage **res)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_filter;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < SMBLDAP_NUM_RETRIES)) {
+
+ if ((rc = smbldap_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_search_s(ldap_state->ldap_struct, base, scope,
+ utf8_filter, attrs, attrsonly, res);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ smbldap_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_filter);
+ return rc;
+}
+
+int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < SMBLDAP_NUM_RETRIES)) {
+
+ if ((rc = smbldap_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ smbldap_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+int smbldap_add(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < SMBLDAP_NUM_RETRIES)) {
+
+ if ((rc = smbldap_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ smbldap_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+int smbldap_delete(struct smbldap_state *ldap_state, const char *dn)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < SMBLDAP_NUM_RETRIES)) {
+
+ if ((rc = smbldap_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ smbldap_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+int smbldap_extended_operation(struct smbldap_state *ldap_state,
+ LDAP_CONST char *reqoid, struct berval *reqdata,
+ LDAPControl **serverctrls, LDAPControl **clientctrls,
+ char **retoidp, struct berval **retdatap)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < SMBLDAP_NUM_RETRIES)) {
+
+ if ((rc = smbldap_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid, reqdata,
+ serverctrls, clientctrls, retoidp, retdatap);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ smbldap_close(ldap_state);
+ }
+
+ return rc;
+}
+
+/*******************************************************************
+ run the search by name.
+******************************************************************/
+int smbldap_search_suffix (struct smbldap_state *ldap_state, const char *filter,
+ char **search_attr, LDAPMessage ** result)
+{
+ int scope = LDAP_SCOPE_SUBTREE;
+ int rc;
+
+ DEBUG(2, ("smbldap_search_suffix: searching for:[%s]\n", filter));
+
+ rc = smbldap_search(ldap_state, lp_ldap_suffix(), scope, filter, search_attr, 0, result);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(0,("smbldap_search_suffix: Problem during the LDAP search: %s (%s)\n",
+ ld_error?ld_error:"(unknown)", ldap_err2string (rc)));
+ DEBUG(3,("smbldap_search_suffix: Query was: %s, %s\n", lp_ldap_suffix(),
+ filter));
+ SAFE_FREE(ld_error);
+ }
+
+ return rc;
+}
+
+/**********************************************************************
+ Housekeeping
+ *********************************************************************/
+
+void smbldap_free_struct(struct smbldap_state **ldap_state)
+{
+ smbldap_close(*ldap_state);
+
+ if ((*ldap_state)->bind_secret) {
+ memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
+ }
+
+ SAFE_FREE((*ldap_state)->bind_dn);
+ SAFE_FREE((*ldap_state)->bind_secret);
+
+ *ldap_state = NULL;
+
+ /* No need to free any further, as it is talloc()ed */
+}
+
+
+/**********************************************************************
+ Intitalise the 'general' ldap structures, on which ldap operations may be conducted
+ *********************************************************************/
+
+NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, const char *location, struct smbldap_state **smbldap_state)
+{
+ *smbldap_state = talloc_zero(mem_ctx, sizeof(**smbldap_state));
+ if (!*smbldap_state) {
+ DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (location) {
+ (*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
+ } else {
+ (*smbldap_state)->uri = "ldap://localhost";
+ }
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ Add the sambaDomain to LDAP, so we don't have to search for this stuff
+ again. This is a once-add operation for now.
+
+ TODO: Add other attributes, and allow modification.
+*********************************************************************/
+static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
+ const char *domain_name)
+{
+ fstring sid_string;
+ fstring algorithmic_rid_base_string;
+ pstring filter, dn;
+ LDAPMod **mods = NULL;
+ int rc;
+ int ldap_op;
+ LDAPMessage *result = NULL;
+ int num_result;
+ char **attr_list;
+
+ slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))",
+ get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ domain_name, LDAP_OBJ_DOMINFO);
+
+ attr_list = get_attr_list( dominfo_attr_list );
+ rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
+ free_attr_list( attr_list );
+
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ num_result = ldap_count_entries(ldap_state->ldap_struct, result);
+
+ if (num_result > 1) {
+ DEBUG (0, ("More than domain with that name exists: bailing out!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Check if we need to add an entry */
+ DEBUG(3,("Adding new domain\n"));
+ ldap_op = LDAP_MOD_ADD;
+
+ snprintf(dn, sizeof(dn), "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ domain_name, lp_ldap_suffix());
+
+ /* Free original search */
+ ldap_msgfree(result);
+
+ /* make the changes - the entry *must* not already have samba attributes */
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ domain_name);
+
+ /* If we don't have an entry, then ask secrets.tdb for what it thinks.
+ It may choose to make it up */
+
+ sid_to_string(sid_string, get_global_sam_sid());
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), sid_string);
+
+ slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string) - 1, "%i", algorithmic_rid_base());
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
+ algorithmic_rid_base_string);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
+
+ switch(ldap_op)
+ {
+ case LDAP_MOD_ADD:
+ rc = smbldap_add(ldap_state, dn, mods);
+ break;
+ case LDAP_MOD_REPLACE:
+ rc = smbldap_modify(ldap_state, dn, mods);
+ break;
+ default:
+ DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (rc!=LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
+ DEBUG(1,("failed to %s domain dn= %s with: %s\n\t%s\n",
+ ldap_op == LDAP_MOD_ADD ? "add" : "modify",
+ dn, ldap_err2string(rc),
+ ld_error?ld_error:"unknown"));
+ SAFE_FREE(ld_error);
+
+ ldap_mods_free(mods, True);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(2,("added: domain = %s in the LDAP database\n", domain_name));
+ ldap_mods_free(mods, True);
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Search for the domain info entry
+*********************************************************************/
+NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
+ LDAPMessage ** result, const char *domain_name,
+ BOOL try_add)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ pstring filter;
+ int rc;
+ char **attr_list;
+ int count;
+
+ snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))",
+ LDAP_OBJ_DOMINFO,
+ get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ domain_name);
+
+ DEBUG(2, ("Searching for:[%s]\n", filter));
+
+
+ attr_list = get_attr_list( dominfo_attr_list );
+ rc = smbldap_search_suffix(ldap_state, filter, attr_list , result);
+ free_attr_list( attr_list );
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
+ DEBUG(2,("Query was: %s, %s\n", lp_ldap_suffix(), filter));
+ } else if (ldap_count_entries(ldap_state->ldap_struct, *result) < 1) {
+ DEBUG(3, ("Got no domain info entries for domain\n"));
+ ldap_msgfree(*result);
+ *result = NULL;
+ if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))) {
+ return smbldap_search_domain_info(ldap_state, result, domain_name, False);
+ }
+ else {
+ DEBUG(0, ("Adding domain info for %s failed with %s\n",
+ domain_name, nt_errstr(ret)));
+ return ret;
+ }
+ } else if ((count = ldap_count_entries(ldap_state->ldap_struct, *result)) > 1) {
+ DEBUG(0, ("Got too many (%d) domain info entries for domain %s\n",
+ count, domain_name));
+ ldap_msgfree(*result);
+ *result = NULL;
+ return ret;
+ } else {
+ return NT_STATUS_OK;
+ }
+
+ return ret;
+}
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ System QUOTA function wrappers
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#ifndef AUTOCONF_TEST
+
+#include "includes.h"
+
+#ifdef HAVE_SYS_QUOTAS
+
+#if defined(HAVE_QUOTACTL_4A)
+/* long quotactl(int cmd, char *special, qid_t id, caddr_t addr) */
+/* this is used by: linux,HPUX,IRIX */
+
+/****************************************************************************
+ Abstract out the old and new Linux quota get calls.
+****************************************************************************/
+static int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+ uint32 qflags = 0;
+ struct SYS_DQBLK D;
+ SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+ if (!path||!bdev||!dp)
+ smb_panic("sys_get_vfs_quota: called with NULL pointer");
+
+ ZERO_STRUCT(D);
+ ZERO_STRUCT(*dp);
+ dp->qtype = qtype;
+
+ switch (qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ /* we use id.uid == 0 for default quotas */
+ if (id.uid == 0) {
+ ret = 0;
+ break;
+ }
+
+ if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D))) {
+ return ret;
+ }
+
+ if ((D.dqb_curblocks==0)&&
+ (D.dqb_bsoftlimit==0)&&
+ (D.dqb_bhardlimit==0)) {
+ /* the upper layer functions don't want empty quota records...*/
+ return -1;
+ }
+
+ break;
+#ifdef HAVE_GROUP_QUOTA
+ case SMB_GROUP_QUOTA_TYPE:
+ if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id.gid, (CADDR_T)&D))) {
+ return ret;
+ }
+
+ if ((D.dqb_curblocks==0)&&
+ (D.dqb_bsoftlimit==0)&&
+ (D.dqb_bhardlimit==0)) {
+ /* the upper layer functions don't want empty quota records...*/
+ return -1;
+ }
+
+ break;
+#endif /* HAVE_GROUP_QUOTA */
+ case SMB_USER_FS_QUOTA_TYPE:
+ id.uid = getuid();
+
+ if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D))==0) {
+ qflags |= QUOTAS_DENY_DISK;
+ }
+
+ /* get the default quotas stored in the root's (uid =0) record */
+ if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, 0, (CADDR_T)&D))) {
+ return ret;
+ }
+
+ ret = 0;
+ break;
+ default:
+ errno = ENOSYS;
+ return -1;
+ }
+
+ dp->bsize = bsize;
+ dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
+ dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
+ dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
+ dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
+ dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
+ dp->curblocks = (SMB_BIG_UINT)D.dqb_curblocks;
+
+
+ dp->qflags = qflags;
+
+ return ret;
+}
+
+/****************************************************************************
+ Abstract out the old and new Linux quota set calls.
+****************************************************************************/
+
+static int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+ uint32 qflags = 0;
+ struct SYS_DQBLK D;
+ SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+ if (!path||!bdev||!dp)
+ smb_panic("sys_set_vfs_quota: called with NULL pointer");
+
+ ZERO_STRUCT(D);
+
+ if (bsize == dp->bsize) {
+ D.dqb_bsoftlimit = dp->softlimit;
+ D.dqb_bhardlimit = dp->hardlimit;
+ D.dqb_ihardlimit = dp->ihardlimit;
+ D.dqb_isoftlimit = dp->isoftlimit;
+ } else {
+ D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
+ D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
+ D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+ D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
+ }
+
+ qflags = dp->qflags;
+
+ switch (qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ /* we use id.uid == 0 for default quotas */
+ if (id.uid>0) {
+ ret = quotactl(QCMD(Q_SETQLIM,USRQUOTA), bdev, id.uid, (CADDR_T)&D);
+ }
+ break;
+#ifdef HAVE_GROUP_QUOTA
+ case SMB_GROUP_QUOTA_TYPE:
+ ret = quotactl(QCMD(Q_SETQLIM,GRPQUOTA), bdev, id.gid, (CADDR_T)&D);
+ break;
+#endif /* HAVE_GROUP_QUOTA */
+ case SMB_USER_FS_QUOTA_TYPE:
+ /* this stuff didn't work as it should:
+ * switching on/off quota via quotactl()
+ * didn't work!
+ * So we only set the default limits
+ * --metze
+ *
+ * On HPUX we didn't have the mount path,
+ * we need to fix sys_path_to_bdev()
+ *
+ */
+#if 0
+ uid = getuid();
+
+ ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, uid, (CADDR_T)&D);
+
+ if ((qflags"AS_DENY_DISK)||(qflags"AS_ENABLED)) {
+ if (ret == 0) {
+ char *quota_file = NULL;
+
+ asprintf("a_file,"/%s/%s%s",path, QUOTAFILENAME,USERQUOTAFILE_EXTENSION);
+ if (quota_file == NULL) {
+ DEBUG(0,("asprintf() failed!\n"));
+ errno = ENOMEM;
+ return -1;
+ }
+
+ ret = quotactl(QCMD(Q_QUOTAON,USRQUOTA), bdev, -1,(CADDR_T)quota_file);
+ } else {
+ ret = 0;
+ }
+ } else {
+ if (ret != 0) {
+ /* turn off */
+ ret = quotactl(QCMD(Q_QUOTAOFF,USRQUOTA), bdev, -1, (CADDR_T)0);
+ } else {
+ ret = 0;
+ }
+ }
+
+ DEBUG(0,("vfs_fs_quota: ret(%d) errno(%d)[%s] uid(%d) bdev[%s]\n",
+ ret,errno,strerror(errno),uid,bdev));
+#endif
+
+ /* we use uid == 0 for default quotas */
+ ret = quotactl(QCMD(Q_SETQLIM,USRQUOTA), bdev, 0, (CADDR_T)&D);
+
+ break;
+
+ default:
+ errno = ENOSYS;
+ return -1;
+ }
+
+ return ret;
+}
+
+/*#endif HAVE_QUOTACTL_4A */
+#elif defined(HAVE_QUOTACTL_4B)
+
+#error HAVE_QUOTACTL_4B not implemeted
+
+/*#endif HAVE_QUOTACTL_4B */
+#elif defined(HAVE_QUOTACTL_3)
+
+#error HAVE_QUOTACTL_3 not implemented
+
+/* #endif HAVE_QUOTACTL_3 */
+#else /* NO_QUOTACTL_USED */
+
+static int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+
+ if (!path||!bdev||!dp)
+ smb_panic("sys_get_vfs_quota: called with NULL pointer");
+
+ errno = ENOSYS;
+
+ return ret;
+}
+
+static int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+
+ if (!path||!bdev||!dp)
+ smb_panic("sys_set_vfs_quota: called with NULL pointer");
+
+ errno = ENOSYS;
+
+ return ret;
+}
+
+#endif /* NO_QUOTACTL_USED */
+
+#ifdef HAVE_MNTENT
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+ int ret = -1;
+ SMB_STRUCT_STAT S;
+ FILE *fp;
+ struct mntent *mnt;
+ SMB_DEV_T devno;
+
+ /* find the block device file */
+
+ if (!path||!mntpath||!bdev||!fs)
+ smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+ (*mntpath) = NULL;
+ (*bdev) = NULL;
+ (*fs) = NULL;
+
+ if ( sys_stat(path, &S) == -1 )
+ return (-1);
+
+ devno = S.st_dev ;
+
+ fp = setmntent(MOUNTED,"r");
+
+ while ((mnt = getmntent(fp))) {
+ if ( sys_stat(mnt->mnt_dir,&S) == -1 )
+ continue ;
+
+ if (S.st_dev == devno) {
+ (*mntpath) = strdup(mnt->mnt_dir);
+ (*bdev) = strdup(mnt->mnt_fsname);
+ (*fs) = strdup(mnt->mnt_type);
+ if ((*mntpath)&&(*bdev)&&(*fs)) {
+ ret = 0;
+ } else {
+ SAFE_FREE(*mntpath);
+ SAFE_FREE(*bdev);
+ SAFE_FREE(*fs);
+ ret = -1;
+ }
+
+ break;
+ }
+ }
+
+ endmntent(fp) ;
+
+ return ret;
+}
+/* #endif HAVE_MNTENT */
+#elif defined(HAVE_DEVNM)
+
+/* we have this on HPUX, ... */
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+ int ret = -1;
+ char dev_disk[256];
+ SMB_STRUCT_STAT S;
+
+ if (!path||!mntpath||!bdev||!fs)
+ smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+ (*mntpath) = NULL;
+ (*bdev) = NULL;
+ (*fs) = NULL;
+
+ /* find the block device file */
+
+ if ((ret=sys_stat(path, &S))!=0) {
+ return ret;
+ }
+
+ if ((ret=devnm(S_IFBLK, S.st_dev, dev_disk, 256, 1))!=0) {
+ return ret;
+ }
+
+ /* we should get the mntpath right...
+ * but I don't know how
+ * --metze
+ */
+ (*mntpath) = strdup(path);
+ (*bdev) = strdup(dev_disk);
+ if ((*mntpath)&&(*bdev)) {
+ ret = 0;
+ } else {
+ SAFE_FREE(*mntpath);
+ SAFE_FREE(*bdev);
+ ret = -1;
+ }
+
+
+ return ret;
+}
+
+/* #endif HAVE_DEVNM */
+#else
+/* we should fake this up...*/
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+ int ret = -1;
+
+ if (!path||!mntpath||!bdev||!fs)
+ smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+ (*mntpath) = NULL;
+ (*bdev) = NULL;
+ (*fs) = NULL;
+
+ (*mntpath) = strdup(path);
+ if (*mntpath) {
+ ret = 0;
+ } else {
+ SAFE_FREE(*mntpath);
+ ret = -1;
+ }
+
+ return ret;
+}
+#endif
+
+
+/*********************************************************
+ if we have XFS QUOTAS we should use them
+ *********************************************************/
+#ifdef HAVE_XFS_QUOTA
+/****************************************************************************
+ Abstract out the XFS Quota Manager quota get call.
+****************************************************************************/
+static int sys_get_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret;
+ uint32 qflags = 0;
+ SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
+ struct fs_disk_quota D;
+ struct fs_quota_stat F;
+ ZERO_STRUCT(D);
+ ZERO_STRUCT(F);
+
+ if (!bdev||!dp)
+ smb_panic("sys_get_xfs_quota: called with NULL pointer");
+
+ ZERO_STRUCT(*dp);
+ dp->qtype = qtype;
+
+ switch (qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ /* we use id.uid == 0 for default quotas */
+ if (id.uid == 0) {
+ ret = 0;
+ break;
+ }
+ if ((ret=quotactl(QCMD(Q_XGETQUOTA,USRQUOTA), bdev, id.uid, (CADDR_T)&D)))
+ return ret;
+ break;
+#ifdef HAVE_GROUP_QUOTA
+ case SMB_GROUP_QUOTA_TYPE:
+ if ((ret=quotactl(QCMD(Q_XGETQUOTA,GRPQUOTA), bdev, id.gid, (CADDR_T)&D)))
+ return ret;
+ break;
+#endif /* HAVE_GROUP_QUOTA */
+ case SMB_USER_FS_QUOTA_TYPE:
+ /* TODO: get quota status from quotactl() ... */
+ if ((ret = quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (CADDR_T)&F)))
+ return ret;
+
+ if (F.qs_flags & XFS_QUOTA_UDQ_ENFD) {
+ qflags |= QUOTAS_DENY_DISK;
+ }
+ else if (F.qs_flags & XFS_QUOTA_UDQ_ACCT) {
+ qflags |= QUOTAS_ENABLED;
+ }
+
+ /* we use uid == 0 for default quotas */
+ if ((ret=quotactl(QCMD(Q_XGETQUOTA,USRQUOTA), bdev, 0, (CADDR_T)&D)))
+ return ret;
+
+ break;
+ default:
+ errno = ENOSYS;
+ return -1;
+ }
+
+ dp->bsize = bsize;
+ dp->softlimit = (SMB_BIG_UINT)D.d_blk_softlimit;
+ dp->hardlimit = (SMB_BIG_UINT)D.d_blk_hardlimit;
+ dp->ihardlimit = (SMB_BIG_UINT)D.d_ino_hardlimit;
+ dp->isoftlimit = (SMB_BIG_UINT)D.d_ino_softlimit;
+ dp->curinodes = (SMB_BIG_UINT)D.d_icount;
+ dp->curblocks = (SMB_BIG_UINT)D.d_bcount;
+ dp->qflags = qflags;
+
+ return ret;
+}
+
+/****************************************************************************
+ Abstract out the XFS Quota Manager quota set call.
+****************************************************************************/
+static int sys_set_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+ uint32 qflags = 0;
+ SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
+ struct fs_disk_quota D;
+ struct fs_quota_stat F;
+ int q_on = 0;
+ int q_off = 0;
+ ZERO_STRUCT(D);
+ ZERO_STRUCT(F);
+
+ if (!bdev||!dp)
+ smb_panic("sys_set_xfs_quota: called with NULL pointer");
+
+ if (bsize == dp->bsize) {
+ D.d_blk_softlimit = dp->softlimit;
+ D.d_blk_hardlimit = dp->hardlimit;
+ D.d_ino_hardlimit = dp->ihardlimit;
+ D.d_ino_softlimit = dp->isoftlimit;
+ } else {
+ D.d_blk_softlimit = (dp->softlimit*dp->bsize)/bsize;
+ D.d_blk_hardlimit = (dp->hardlimit*dp->bsize)/bsize;
+ D.d_ino_hardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+ D.d_ino_softlimit = (dp->isoftlimit*dp->bsize)/bsize;
+ }
+
+ qflags = dp->qflags;
+
+ switch (qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ /* we use uid == 0 for default quotas */
+ if (id.uid>0) {
+ D.d_fieldmask |= FS_DQ_LIMIT_MASK;
+ ret = quotactl(QCMD(Q_XSETQLIM,USRQUOTA), bdev, id.uid, (CADDR_T)&D);
+ }
+ break;
+#ifdef HAVE_GROUP_QUOTA
+ case SMB_GROUP_QUOTA_TYPE:
+ D.d_fieldmask |= FS_DQ_LIMIT_MASK;
+ ret = quotactl(QCMD(Q_XSETQLIM,GRPQUOTA), bdev, id.gid, (CADDR_T)&D);
+ break;
+#endif /* HAVE_GROUP_QUOTA */
+ case SMB_USER_FS_QUOTA_TYPE:
+ /* TODO */
+ quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (CADDR_T)&F);
+
+ if (qflags & QUOTAS_DENY_DISK) {
+ if (!(F.qs_flags & XFS_QUOTA_UDQ_ENFD))
+ q_on |= XFS_QUOTA_UDQ_ENFD;
+ if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
+ q_on |= XFS_QUOTA_UDQ_ACCT;
+
+ if (q_on != 0) {
+ ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (CADDR_T)&q_on);
+ }
+
+ } else if (qflags & QUOTAS_ENABLED) {
+ if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
+ q_off |= XFS_QUOTA_UDQ_ENFD;
+
+ if (q_off != 0) {
+ ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (CADDR_T)&q_off);
+ }
+
+ if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
+ q_on |= XFS_QUOTA_UDQ_ACCT;
+
+ if (q_on != 0) {
+ ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (CADDR_T)&q_on);
+ }
+ } else {
+#if 0
+ /* Switch on XFS_QUOTA_UDQ_ACCT didn't work!
+ * only swittching off XFS_QUOTA_UDQ_ACCT work
+ */
+ if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
+ q_off |= XFS_QUOTA_UDQ_ENFD;
+ if (F.qs_flags & XFS_QUOTA_UDQ_ACCT)
+ q_off |= XFS_QUOTA_UDQ_ACCT;
+
+ if (q_off !=0) {
+ ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (CADDR_T)&q_off);
+ }
+#endif
+ }
+
+ /* we use uid == 0 for default quotas */
+ D.d_fieldmask |= FS_DQ_LIMIT_MASK;
+ ret = quotactl(QCMD(Q_XSETQLIM,USRQUOTA), bdev, 0, (CADDR_T)&D);
+ break;
+ default:
+ errno = ENOSYS;
+ return -1;
+ }
+
+ return ret;
+}
+#endif /* HAVE_XFS_QUOTA */
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+/*********************************************************************
+ Now the list of all filesystem specific quota systems we have found
+**********************************************************************/
+static struct {
+ const char *name;
+ int (*get_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
+ int (*set_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
+} sys_quota_backends[] = {
+#ifdef HAVE_XFS_QUOTA
+ {"xfs", sys_get_xfs_quota, sys_set_xfs_quota},
+#endif /* HAVE_XFS_QUOTA */
+ {NULL, NULL, NULL}
+};
+
+static int command_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ const char *get_quota_command;
+
+ get_quota_command = lp_get_quota_command();
+ if (get_quota_command && *get_quota_command) {
+ const char *p;
+ char *p2;
+ char **lines;
+ pstring syscmd;
+ int _id = -1;
+
+ switch(qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ case SMB_USER_FS_QUOTA_TYPE:
+ _id = id.uid;
+ break;
+ case SMB_GROUP_QUOTA_TYPE:
+ case SMB_GROUP_FS_QUOTA_TYPE:
+ _id = id.gid;
+ break;
+ default:
+ DEBUG(0,("invalid quota type.\n"));
+ return -1;
+ }
+
+ slprintf(syscmd, sizeof(syscmd)-1,
+ "%s \"%s\" %d %d",
+ get_quota_command, path, qtype, _id);
+
+ DEBUG (3, ("get_quota: Running command %s\n", syscmd));
+
+ lines = file_lines_pload(syscmd, NULL);
+ if (lines) {
+ char *line = lines[0];
+
+ DEBUG (3, ("Read output from get_quota, \"r%s\"\n", line));
+
+ /* we need to deal with long long unsigned here, if supported */
+
+ dp->qflags = (enum SMB_QUOTA_TYPE)strtoul(line, &p2, 10);
+ p = p2;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->curblocks = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->softlimit = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->hardlimit = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->curinodes = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->isoftlimit = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->ihardlimit = STR_TO_SMB_BIG_UINT(p, &p);
+ else
+ goto invalid_param;
+ while (p && *p && isspace(*p))
+ p++;
+ if (p && *p)
+ dp->bsize = STR_TO_SMB_BIG_UINT(p, NULL);
+ else
+ dp->bsize = 1024;
+ file_lines_free(lines);
+ DEBUG (3, ("Parsed output of get_quota, ...\n"));
+
+#ifdef LARGE_SMB_OFF_T
+ DEBUGADD (5,(
+ "qflags:%u curblocks:%llu softlimit:%llu hardlimit:%llu\n"
+ "curinodes:%llu isoftlimit:%llu ihardlimit:%llu bsize:%llu\n",
+ dp->qflags,(long long unsigned)dp->curblocks,
+ (long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
+ (long long unsigned)dp->curinodes,
+ (long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
+ (long long unsigned)dp->bsize));
+#else /* LARGE_SMB_OFF_T */
+ DEBUGADD (5,(
+ "qflags:%u curblocks:%lu softlimit:%lu hardlimit:%lu\n"
+ "curinodes:%lu isoftlimit:%lu ihardlimit:%lu bsize:%lu\n",
+ dp->qflags,(long unsigned)dp->curblocks,
+ (long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
+ (long unsigned)dp->curinodes,
+ (long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
+ (long unsigned)dp->bsize));
+#endif /* LARGE_SMB_OFF_T */
+ return 0;
+ }
+
+ DEBUG (0, ("get_quota_command failed!\n"));
+ return -1;
+ }
+
+ errno = ENOSYS;
+ return -1;
+
+invalid_param:
+ DEBUG(0,("The output of get_quota_command is invalid!\n"));
+ return -1;
+}
+
+static int command_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ const char *set_quota_command;
+
+ set_quota_command = lp_set_quota_command();
+ if (set_quota_command && *set_quota_command) {
+ char **lines;
+ pstring syscmd;
+ int _id = -1;
+
+ switch(qtype) {
+ case SMB_USER_QUOTA_TYPE:
+ case SMB_USER_FS_QUOTA_TYPE:
+ _id = id.uid;
+ break;
+ case SMB_GROUP_QUOTA_TYPE:
+ case SMB_GROUP_FS_QUOTA_TYPE:
+ _id = id.gid;
+ break;
+ default:
+ return -1;
+ }
+
+#ifdef LARGE_SMB_OFF_T
+ slprintf(syscmd, sizeof(syscmd)-1,
+ "%s \"%s\" %d %d "
+ "%u %llu %llu "
+ "%llu %llu %llu ",
+ set_quota_command, path, qtype, _id, dp->qflags,
+ (long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
+ (long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
+ (long long unsigned)dp->bsize);
+#else /* LARGE_SMB_OFF_T */
+ slprintf(syscmd, sizeof(syscmd)-1,
+ "%s \"%s\" %d %d "
+ "%u %lu %lu "
+ "%lu %lu %lu ",
+ set_quota_command, path, qtype, _id, dp->qflags,
+ (long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
+ (long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
+ (long unsigned)dp->bsize);
+#endif /* LARGE_SMB_OFF_T */
+
+
+
+ DEBUG (3, ("get_quota: Running command %s\n", syscmd));
+
+ lines = file_lines_pload(syscmd, NULL);
+ if (lines) {
+ char *line = lines[0];
+
+ DEBUG (3, ("Read output from set_quota, \"%s\"\n", line));
+
+ file_lines_free(lines);
+
+ return 0;
+ }
+ DEBUG (0, ("set_quota_command failed!\n"));
+ return -1;
+ }
+
+ errno = ENOSYS;
+ return -1;
+}
+
+int sys_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+ int i;
+ BOOL ready = False;
+ char *mntpath = NULL;
+ char *bdev = NULL;
+ char *fs = NULL;
+
+ if (!path||!dp)
+ smb_panic("sys_get_quota: called with NULL pointer");
+
+ if (command_get_quota(path, qtype, id, dp)==0) {
+ return 0;
+ } else if (errno != ENOSYS) {
+ return -1;
+ }
+
+ if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
+ return ret;
+ }
+
+ for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].get_quota);i++) {
+ if (strcmp(fs,sys_quota_backends[i].name)==0) {
+ ret = sys_quota_backends[i].get_quota(mntpath, bdev, qtype, id, dp);
+ ready = True;
+ break;
+ }
+ }
+
+ if (!ready) {
+ /* use the default vfs quota functions */
+ ret = sys_get_vfs_quota(mntpath, bdev, qtype, id, dp);
+ }
+
+ SAFE_FREE(mntpath);
+ SAFE_FREE(bdev);
+ SAFE_FREE(fs);
+
+ if ((ret!=0)&& (errno == EDQUOT)) {
+ return 0;
+ }
+
+ return ret;
+}
+
+int sys_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+ int ret = -1;
+ int i;
+ BOOL ready = False;
+ char *mntpath = NULL;
+ char *bdev = NULL;
+ char *fs = NULL;
+
+ /* find the block device file */
+
+ if (!path||!dp)
+ smb_panic("get_smb_quota: called with NULL pointer");
+
+ if (command_set_quota(path, qtype, id, dp)==0) {
+ return 0;
+ } else if (errno != ENOSYS) {
+ return -1;
+ }
+
+ if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
+ return ret;
+ }
+
+ for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].set_quota);i++) {
+ if (strcmp(fs,sys_quota_backends[i].name)==0) {
+ ret = sys_quota_backends[i].set_quota(mntpath, bdev, qtype, id, dp);
+ ready = True;
+ break;
+ }
+ }
+
+ if (!ready) {
+ /* use the default vfs quota functions */
+ ret=sys_set_vfs_quota(mntpath, bdev, qtype, id, dp);
+ }
+
+ SAFE_FREE(mntpath);
+ SAFE_FREE(bdev);
+ SAFE_FREE(fs);
+
+ if ((ret!=0)&& (errno == EDQUOT)) {
+ return 0;
+ }
+
+ return ret;
+}
+
+#else /* HAVE_SYS_QUOTAS */
+ void dummy_sysquotas_c(void)
+{
+ return;
+}
+#endif /* HAVE_SYS_QUOTAS */
+
+#else /* ! AUTOCONF_TEST */
+/* this is the autoconf driver to test witch quota system we should use */
+
+#if defined(HAVE_QUOTACTL_4A)
+/* long quotactl(int cmd, char *special, qid_t id, caddr_t addr) */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_ASM_TYPES_H
+#include <asm/types.h>
+#endif
+
+#if defined(HAVE_LINUX_QUOTA_H)
+# include <linux/quota.h>
+# if defined(HAVE_STRUCT_IF_DQBLK)
+# define SYS_DQBLK if_dqblk
+# elif defined(HAVE_STRUCT_MEM_DQBLK)
+# define SYS_DQBLK mem_dqblk
+# endif
+#elif defined(HAVE_SYS_QUOTA_H)
+# include <sys/quota.h>
+#endif
+
+#ifndef SYS_DQBLK
+#define SYS_DQBLK dqblk
+#endif
+
+ int autoconf_quota(void)
+{
+ int ret = -1;
+ struct SYS_DQBLK D;
+
+ ret = quotactl(Q_GETQUOTA,"/dev/hda1",0,(void *)&D);
+
+ return ret;
+}
+
+#elif defined(HAVE_QUOTACTL_4B)
+/* int quotactl(const char *path, int cmd, int id, char *addr); */
+
+#ifdef HAVE_SYS_QUOTA_H
+#include <sys/quota.h>
+#else /* *BSD */
+#include <sys/types.h>
+#include <ufs/ufs/quota.h>
+#include <machine/param.h>
+#endif
+
+ int autoconf_quota(void)
+{
+ int ret = -1;
+ struct dqblk D;
+
+ ret = quotactl("/",Q_GETQUOTA,0,(char *) &D);
+
+ return ret;
+}
+
+#elif defined(HAVE_QUOTACTL_3)
+/* int quotactl (char *spec, int request, char *arg); */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_QUOTA_H
+#include <sys/quota.h>
+#endif
+
+ int autoconf_quota(void)
+{
+ int ret = -1;
+ struct q_request request;
+
+ ret = quotactl("/", Q_GETQUOTA, &request);
+
+ return ret;
+}
+
+#elif defined(HAVE_QUOTACTL_2)
+
+#error HAVE_QUOTACTL_2 not implemented
+
+#else
+
+#error Unknow QUOTACTL prototype
+
+#endif
+
+ int main(void)
+{
+ autoconf_quota();
+ return 0;
+}
+#endif /* AUTOCONF_TEST */
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon connection manager
+
+ Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Gerald (Jerry) Carter 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#include "includes.h"
+
+#define FAILED_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */
+
+#define CONNCACHE_ADDR 1
+#define CONNCACHE_NAME 2
+
+/* cache entry contains either a server name **or** and IP address as
+ the key. This means that a server could have two entries (one for each key) */
+
+struct failed_connection_cache {
+ fstring domain_name;
+ fstring controller;
+ time_t lookup_time;
+ NTSTATUS nt_status;
+ struct failed_connection_cache *prev, *next;
+};
+
+static struct failed_connection_cache *failed_connection_cache;
+
+/**********************************************************************
+ Check for a previously failed connection
+**********************************************************************/
+
+NTSTATUS check_negative_conn_cache( const char *domain, const char *server )
+{
+ struct failed_connection_cache *fcc;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ /* can't check if we don't have strings */
+
+ if ( !domain || !server )
+ return NT_STATUS_OK;
+
+ for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
+
+ if ( !(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller)) )
+ continue; /* no match; check the next entry */
+
+ /* we have a match so see if it is still current */
+
+ if ((time(NULL) - fcc->lookup_time) > FAILED_CONNECTION_CACHE_TIMEOUT)
+ {
+ /* Cache entry has expired, delete it */
+
+ DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n",
+ domain, server ));
+
+ DLIST_REMOVE(failed_connection_cache, fcc);
+ SAFE_FREE(fcc);
+
+ return NT_STATUS_OK;
+ }
+
+ /* The timeout hasn't expired yet so return false */
+
+ DEBUG(10, ("check_negative_conn_cache: returning negative entry for %s, %s\n",
+ domain, server ));
+
+ result = fcc->nt_status;
+ return result;
+ }
+
+ /* end of function means no cache entry */
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ Add an entry to the failed conneciton cache (aither a name of dotted
+ decimal IP
+**********************************************************************/
+
+void add_failed_connection_entry(const char *domain, const char *server, NTSTATUS result)
+{
+ struct failed_connection_cache *fcc;
+
+ SMB_ASSERT(!NT_STATUS_IS_OK(result));
+
+ /* Check we already aren't in the cache. We always have to have
+ a domain, but maybe not a specific DC name. */
+
+ for (fcc = failed_connection_cache; fcc; fcc = fcc->next) {
+ if ( strequal(fcc->domain_name, domain) && strequal(fcc->controller, server) )
+ {
+ DEBUG(10, ("add_failed_connection_entry: domain %s (%s) already tried and failed\n",
+ domain, server ));
+ return;
+ }
+ }
+
+ /* Create negative lookup cache entry for this domain and controller */
+
+ if ( !(fcc = (struct failed_connection_cache *)malloc(sizeof(struct failed_connection_cache))) )
+ {
+ DEBUG(0, ("malloc failed in add_failed_connection_entry!\n"));
+ return;
+ }
+
+ ZERO_STRUCTP(fcc);
+
+ fstrcpy( fcc->domain_name, domain );
+ fstrcpy( fcc->controller, server );
+ fcc->lookup_time = time(NULL);
+ fcc->nt_status = result;
+
+ DEBUG(10,("add_failed_connection_entry: added domain %s (%s) to failed conn cache\n",
+ domain, server ));
+
+ DLIST_ADD(failed_connection_cache, fcc);
+}
+
+/****************************************************************************
+****************************************************************************/
+
+void flush_negative_conn_cache( void )
+{
+ struct failed_connection_cache *fcc;
+
+ fcc = failed_connection_cache;
+
+ while (fcc) {
+ struct failed_connection_cache *fcc_next;
+
+ fcc_next = fcc->next;
+ DLIST_REMOVE(failed_connection_cache, fcc);
+ free(fcc);
+
+ fcc = fcc_next;
+ }
+
+}
+
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Net_sam_logon info3 helpers
+ Copyright (C) Alexander Bokovoy 2002.
+ Copyright (C) Andrew Bartlett 2002.
+ Copyright (C) Gerald Carter 2003.
+ Copyright (C) Tim Potter 2003.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#define NETSAMLOGON_TDB "netsamlogon_cache.tdb"
+
+static TDB_CONTEXT *netsamlogon_tdb = NULL;
+
+/***********************************************************************
+ open the tdb
+ ***********************************************************************/
+
+BOOL netsamlogon_cache_init(void)
+{
+ if (!netsamlogon_tdb) {
+ netsamlogon_tdb = tdb_open_log(lock_path(NETSAMLOGON_TDB), 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
+ }
+
+ return (netsamlogon_tdb != NULL);
+}
+
+
+/***********************************************************************
+ Shutdown samlogon_cache database
+***********************************************************************/
+
+BOOL netsamlogon_cache_shutdown(void)
+{
+ if(netsamlogon_tdb)
+ return (tdb_close(netsamlogon_tdb) == 0);
+
+ return True;
+}
+
+/***********************************************************************
+ Clear cache getpwnam and getgroups entries from the winbindd cache
+***********************************************************************/
+void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, NET_USER_INFO_3 *user)
+{
+ fstring domain;
+ TDB_DATA key;
+ BOOL got_tdb = False;
+
+ /* We may need to call this function from smbd which will not have
+ winbindd_cache.tdb open. Open the tdb if a NULL is passed. */
+
+ if (!tdb) {
+ tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), 5000,
+ TDB_DEFAULT, O_RDWR, 0600);
+ if (!tdb) {
+ DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n"));
+ return;
+ }
+ got_tdb = True;
+ }
+
+ unistr2_to_ascii(domain, &user->uni_logon_dom, sizeof(domain) - 1);
+
+ /* Clear U/DOMAIN/RID cache entry */
+
+ asprintf(&key.dptr, "U/%s/%d", domain, user->user_rid);
+ key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
+
+ DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
+
+ tdb_delete(tdb, key);
+
+ SAFE_FREE(key.dptr);
+
+ /* Clear UG/DOMAIN/RID cache entry */
+
+ asprintf(&key.dptr, "UG/%s/%d", domain, user->user_rid);
+ key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
+
+ DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
+
+ tdb_delete(tdb, key);
+
+ SAFE_FREE(key.dptr);
+
+ if (got_tdb)
+ tdb_close(tdb);
+}
+
+/***********************************************************************
+ Store a NET_USER_INFO_3 structure in a tdb for later user
+***********************************************************************/
+
+BOOL netsamlogon_cache_store(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
+{
+ TDB_DATA data;
+ fstring keystr;
+ prs_struct ps;
+ BOOL result = False;
+ DOM_SID user_sid;
+ time_t t = time(NULL);
+
+
+ if (!netsamlogon_cache_init()) {
+ DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
+ return False;
+ }
+
+ sid_copy( &user_sid, &user->dom_sid.sid );
+ sid_append_rid( &user_sid, user->user_rid );
+
+ /* Prepare key as DOMAIN-SID/USER-RID string */
+ slprintf(keystr, sizeof(keystr), "%s", sid_string_static(&user_sid));
+
+ DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr));
+
+ /* Prepare data */
+
+ prs_init( &ps,MAX_PDU_FRAG_LEN , mem_ctx, MARSHALL);
+
+ if ( !prs_uint32( "timestamp", &ps, 0, (uint32*)&t ) )
+ return False;
+
+ if ( net_io_user_info3("", user, &ps, 0, 3) )
+ {
+ data.dsize = prs_offset( &ps );
+ data.dptr = prs_data_p( &ps );
+
+ if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) != -1)
+ result = True;
+
+ prs_mem_free( &ps );
+ }
+
+ return result;
+}
+
+/***********************************************************************
+ Retrieves a NET_USER_INFO_3 structure from a tdb. Caller must
+ free the user_info struct (malloc()'d memory)
+***********************************************************************/
+
+NET_USER_INFO_3* netsamlogon_cache_get( TALLOC_CTX *mem_ctx, DOM_SID *user_sid)
+{
+ NET_USER_INFO_3 *user = NULL;
+ TDB_DATA data, key;
+ prs_struct ps;
+ fstring keystr;
+ uint32 t;
+
+ if (!netsamlogon_cache_init()) {
+ DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
+ return False;
+ }
+
+ /* Prepare key as DOMAIN-SID/USER-RID string */
+ slprintf(keystr, sizeof(keystr), "%s", sid_string_static(user_sid));
+ DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr));
+ key.dptr = keystr;
+ key.dsize = strlen(keystr)+1;
+ data = tdb_fetch( netsamlogon_tdb, key );
+
+ if ( data.dptr ) {
+
+ if ( (user = (NET_USER_INFO_3*)malloc(sizeof(NET_USER_INFO_3))) == NULL )
+ return NULL;
+
+ prs_init( &ps, 0, mem_ctx, UNMARSHALL );
+ prs_give_memory( &ps, data.dptr, data.dsize, True );
+
+ if ( !prs_uint32( "timestamp", &ps, 0, &t ) ) {
+ prs_mem_free( &ps );
+ return False;
+ }
+
+ if ( !net_io_user_info3("", user, &ps, 0, 3) ) {
+ SAFE_FREE( user );
+ }
+
+ prs_mem_free( &ps );
+
+#if 0 /* The netsamlogon cache needs to hang around. Something about
+ this feels wrong, but it is the only way we can get all of the
+ groups. The old universal groups cache didn't expire either.
+ --jerry */
+ {
+ time_t now = time(NULL);
+ uint32 time_diff;
+
+ /* is the entry expired? */
+ time_diff = now - t;
+
+ if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) {
+ DEBUG(10,("netsamlogon_cache_get: cache entry expired \n"));
+ tdb_delete( netsamlogon_tdb, key );
+ SAFE_FREE( user );
+ }
+#endif
+ }
+
+ return user;
+}
+
+BOOL netsamlogon_cache_have(DOM_SID *user_sid)
+{
+ TALLOC_CTX *mem_ctx = talloc_init("netsamlogon_cache_have");
+ NET_USER_INFO_3 *user = NULL;
+ BOOL result;
+
+ if (!mem_ctx)
+ return False;
+
+ user = netsamlogon_cache_get(mem_ctx, user_sid);
+
+ result = (user != NULL);
+
+ talloc_destroy(mem_ctx);
+ SAFE_FREE(user);
+
+ return result;
+}
--- /dev/null
+/**
+
+@mainpage
+
+@li \ref CodingSuggestions
+
+**/
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Samba module with developer tools
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Jelmer Vernooij 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+static struct {
+ char from;
+ char *to;
+ int len;
+} weird_table[] = {
+ {'q', "^q^", 3},
+ {'Q', "^Q^", 3},
+ {0, NULL}
+};
+
+static size_t weird_pull(void *cd, char **inbuf, size_t *inbytesleft,
+ char **outbuf, size_t *outbytesleft)
+{
+ while (*inbytesleft >= 1 && *outbytesleft >= 2) {
+ int i;
+ int done = 0;
+ for (i=0;weird_table[i].from;i++) {
+ if (strncmp((*inbuf),
+ weird_table[i].to,
+ weird_table[i].len) == 0) {
+ if (*inbytesleft < weird_table[i].len) {
+ DEBUG(0,("ERROR: truncated weird string\n"));
+ /* smb_panic("weird_pull"); */
+
+ } else {
+ (*outbuf)[0] = weird_table[i].from;
+ (*outbuf)[1] = 0;
+ (*inbytesleft) -= weird_table[i].len;
+ (*outbytesleft) -= 2;
+ (*inbuf) += weird_table[i].len;
+ (*outbuf) += 2;
+ done = 1;
+ break;
+ }
+ }
+ }
+ if (done) continue;
+ (*outbuf)[0] = (*inbuf)[0];
+ (*outbuf)[1] = 0;
+ (*inbytesleft) -= 1;
+ (*outbytesleft) -= 2;
+ (*inbuf) += 1;
+ (*outbuf) += 2;
+ }
+
+ if (*inbytesleft > 0) {
+ errno = E2BIG;
+ return -1;
+ }
+
+ return 0;
+}
+
+static size_t weird_push(void *cd, char **inbuf, size_t *inbytesleft,
+ char **outbuf, size_t *outbytesleft)
+{
+ int ir_count=0;
+
+ while (*inbytesleft >= 2 && *outbytesleft >= 1) {
+ int i;
+ int done=0;
+ for (i=0;weird_table[i].from;i++) {
+ if ((*inbuf)[0] == weird_table[i].from &&
+ (*inbuf)[1] == 0) {
+ if (*outbytesleft < weird_table[i].len) {
+ DEBUG(0,("No room for weird character\n"));
+ /* smb_panic("weird_push"); */
+ } else {
+ memcpy(*outbuf, weird_table[i].to,
+ weird_table[i].len);
+ (*inbytesleft) -= 2;
+ (*outbytesleft) -= weird_table[i].len;
+ (*inbuf) += 2;
+ (*outbuf) += weird_table[i].len;
+ done = 1;
+ break;
+ }
+ }
+ }
+ if (done) continue;
+
+ (*outbuf)[0] = (*inbuf)[0];
+ if ((*inbuf)[1]) ir_count++;
+ (*inbytesleft) -= 2;
+ (*outbytesleft) -= 1;
+ (*inbuf) += 2;
+ (*outbuf) += 1;
+ }
+
+ if (*inbytesleft == 1) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (*inbytesleft > 1) {
+ errno = E2BIG;
+ return -1;
+ }
+
+ return ir_count;
+}
+
+struct charset_functions weird_functions = {"WEIRD", weird_pull, weird_push};
+
+NTSTATUS charset_weird_init(void)
+{
+ return smb_register_charset(&weird_functions);
+}
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind account management functions
+
+ Copyright (C) by Gerald (Jerry) Carter 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define WBKEY_PASSWD "WBA_PASSWD"
+#define WBKEY_GROUP "WBA_GROUP"
+
+#define NUM_PW_FIELDS 7
+#define NUM_GRP_FIELDS 4
+
+/* Globals */
+
+static TDB_CONTEXT *account_tdb;
+
+extern userdom_struct current_user_info;
+
+struct _check_primary_grp {
+ gid_t gid;
+ BOOL found;
+};
+
+/**********************************************************************
+**********************************************************************/
+
+static void free_winbindd_gr( WINBINDD_GR *grp )
+{
+ int i;
+
+ if ( !grp )
+ return;
+
+ for ( i=0; i<grp->num_gr_mem; i++ )
+ SAFE_FREE( grp->gr_mem[i] );
+
+ SAFE_FREE( grp->gr_mem );
+
+ return;
+}
+
+/*****************************************************************************
+ Initialise auto-account database.
+*****************************************************************************/
+
+static BOOL winbindd_accountdb_init(void)
+{
+ /* see if we've already opened the tdb */
+
+ if ( account_tdb )
+ return True;
+
+ /* Nope. Try to open it */
+
+ if (!(account_tdb = tdb_open_log(lock_path("winbindd_idmap.tdb"), 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT, 0600)))
+ {
+ /* last chance -- maybe idmap has already opened it */
+ if ( !(account_tdb = idmap_tdb_handle()) ) {
+
+ DEBUG(0, ("winbindd_idmap_init: Unable to open idmap database\n"));
+ return False;
+ }
+ }
+
+ /* yeah! */
+
+ return True;
+}
+
+/**********************************************************************
+ Convert a string in /etc/passwd format to a struct passwd* entry
+**********************************************************************/
+
+static WINBINDD_PW* string2passwd( char *string )
+{
+ static WINBINDD_PW pw;
+ char *p, *str;
+ char *fields[NUM_PW_FIELDS];
+ int i;
+
+ if ( !string )
+ return NULL;
+
+ ZERO_STRUCTP( &pw );
+
+ DEBUG(10,("string2passwd: converting \"%s\"\n", string));
+
+ ZERO_STRUCT( fields );
+
+ for ( i=0, str=string; i<NUM_PW_FIELDS-1; i++ ) {
+ if ( !(p = strchr( str, ':' )) ) {
+ DEBUG(0,("string2passwd: parsing failure\n"));
+ return NULL;
+ }
+ *p = '\0';
+ if ( str )
+ fields[i] = str;
+ str = p + 1;
+ }
+ if ( str )
+ fields[i] = str;
+
+ /* copy fields */
+
+ fstrcpy( pw.pw_name, fields[0] );
+ fstrcpy( pw.pw_passwd, fields[1] );
+ pw.pw_uid = atoi( fields[2] );
+ pw.pw_gid = atoi( fields[3] );
+ fstrcpy( pw.pw_gecos, fields[4] );
+ fstrcpy( pw.pw_dir, fields[5] );
+ fstrcpy( pw.pw_shell, fields[6] );
+
+
+ /* last minute sanity checks */
+
+ if ( pw.pw_uid==0 || pw.pw_gid==0 ) {
+ DEBUG(0,("string2passwd: Failure! uid==%d, gid==%d\n",
+ pw.pw_uid, pw.pw_gid));
+ return NULL;
+ }
+
+ DEBUG(10,("string2passwd: Success\n"));
+
+ return &pw;
+}
+
+/**********************************************************************
+ Convert a struct passwd* to a string formatted for /etc/passwd
+**********************************************************************/
+
+static char* passwd2string( const WINBINDD_PW *pw )
+{
+ static pstring string;
+ int ret;
+
+ if ( !pw || !pw->pw_name )
+ return NULL;
+
+ DEBUG(10,("passwd2string: converting passwd struct for %s\n",
+ pw->pw_name));
+
+ ret = snprintf( string, sizeof(string), "%s:%s:%d:%d:%s:%s:%s",
+ pw->pw_name,
+ pw->pw_passwd ? pw->pw_passwd : "x",
+ pw->pw_uid,
+ pw->pw_gid,
+ pw->pw_gecos,
+ pw->pw_dir,
+ pw->pw_shell );
+
+ if ( ret < 0 ) {
+ DEBUG(0,("passwd2string: snprintf() failed!\n"));
+ return NULL;
+ }
+
+ return string;
+}
+
+/**********************************************************************
+ Convert a string in /etc/group format to a struct group* entry
+**********************************************************************/
+
+static WINBINDD_GR* string2group( char *string )
+{
+ static WINBINDD_GR grp;
+ char *p, *str;
+ char *fields[NUM_GRP_FIELDS];
+ int i;
+ char **gr_members = NULL;
+ int num_gr_members = 0;
+
+ if ( !string )
+ return NULL;
+
+ ZERO_STRUCTP( &grp );
+
+ DEBUG(10,("string2group: converting \"%s\"\n", string));
+
+ ZERO_STRUCT( fields );
+
+ for ( i=0, str=string; i<NUM_GRP_FIELDS-1; i++ ) {
+ if ( !(p = strchr( str, ':' )) ) {
+ DEBUG(0,("string2group: parsing failure\n"));
+ return NULL;
+ }
+ *p = '\0';
+ if ( str )
+ fields[i] = str;
+ str = p + 1;
+ }
+
+ /* group members */
+
+ if ( *str ) {
+ /* we already know we have a non-empty string */
+
+ num_gr_members = count_chars(str, ',') + 1;
+
+ /* if there was at least one comma, then there
+ are n+1 members */
+ if ( num_gr_members ) {
+ fstring buffer;
+
+ gr_members = (char**)smb_xmalloc(sizeof(char*)*num_gr_members+1);
+
+ i = 0;
+ while ( next_token(&str, buffer, ",", sizeof(buffer)) && i<num_gr_members ) {
+ gr_members[i++] = smb_xstrdup(buffer);
+ }
+
+ gr_members[i] = NULL;
+ }
+ }
+
+
+ /* copy fields */
+
+ fstrcpy( grp.gr_name, fields[0] );
+ fstrcpy( grp.gr_passwd, fields[1] );
+ grp.gr_gid = atoi( fields[2] );
+
+ grp.num_gr_mem = num_gr_members;
+ grp.gr_mem = gr_members;
+
+ /* last minute sanity checks */
+
+ if ( grp.gr_gid == 0 ) {
+ DEBUG(0,("string2group: Failure! gid==%d\n", grp.gr_gid));
+ SAFE_FREE( gr_members );
+ return NULL;
+ }
+
+ DEBUG(10,("string2group: Success\n"));
+
+ return &grp;
+}
+
+/**********************************************************************
+ Convert a struct group* to a string formatted for /etc/group
+**********************************************************************/
+
+static char* group2string( const WINBINDD_GR *grp )
+{
+ static pstring string;
+ int ret;
+ char *member, *gr_mem_str;
+ int num_members;
+ int i, size;
+
+ if ( !grp || !grp->gr_name )
+ return NULL;
+
+ DEBUG(10,("group2string: converting passwd struct for %s\n",
+ grp->gr_name));
+
+ if ( grp->num_gr_mem ) {
+ int idx = 0;
+
+ member = grp->gr_mem[0];
+ size = 0;
+ num_members = 0;
+
+ while ( member ) {
+ size += strlen(member) + 1;
+ num_members++;
+ member = grp->gr_mem[num_members];
+ }
+
+ gr_mem_str = smb_xmalloc(size);
+
+ for ( i=0; i<num_members; i++ ) {
+ snprintf( &gr_mem_str[idx], size-idx, "%s,", grp->gr_mem[i] );
+ idx += strlen(grp->gr_mem[i]) + 1;
+ }
+ /* add trailing NULL (also removes trailing ',' */
+ gr_mem_str[size-1] = '\0';
+ }
+ else {
+ /* no members */
+ gr_mem_str = smb_xmalloc(sizeof(fstring));
+ fstrcpy( gr_mem_str, "" );
+ }
+
+ ret = snprintf( string, sizeof(string)-1, "%s:%s:%d:%s",
+ grp->gr_name,
+ grp->gr_passwd ? grp->gr_passwd : "*",
+ grp->gr_gid,
+ gr_mem_str );
+
+ SAFE_FREE( gr_mem_str );
+
+ if ( ret < 0 ) {
+ DEBUG(0,("group2string: snprintf() failed!\n"));
+ return NULL;
+ }
+
+ return string;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_userkey_byname( const char *name )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/NAME/%s", WBKEY_PASSWD, name );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_userkey_byuid( uid_t uid )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/UID/%d", WBKEY_PASSWD, uid );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_groupkey_byname( const char *name )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/NAME/%s", WBKEY_GROUP, name );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_groupkey_bygid( gid_t gid )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/GID/%d", WBKEY_GROUP, gid );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_PW* wb_getpwnam( const char * name )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_PW *pw;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getpwnam: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+
+ keystr = acct_userkey_byname( name );
+
+ data = tdb_fetch_bystring( account_tdb, keystr );
+
+ pw = NULL;
+
+ if ( data.dptr ) {
+ pw = string2passwd( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getpwnam: %s user (%s)\n",
+ (pw ? "Found" : "Did not find"), name ));
+
+ return pw;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_PW* wb_getpwuid( const uid_t uid )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_PW *pw;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getpwuid: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+ data = tdb_fetch_bystring( account_tdb, acct_userkey_byuid(uid) );
+ if ( !data.dptr ) {
+ DEBUG(4,("wb_getpwuid: failed to locate uid == %d\n", uid));
+ return NULL;
+ }
+ keystr = acct_userkey_byname( data.dptr );
+
+ SAFE_FREE( data.dptr );
+
+ data = tdb_fetch_bystring( account_tdb, keystr );
+
+ pw = NULL;
+
+ if ( data.dptr ) {
+ pw = string2passwd( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getpwuid: %s user (uid == %d)\n",
+ (pw ? "Found" : "Did not find"), uid ));
+
+ return pw;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+BOOL wb_storepwnam( const WINBINDD_PW *pw )
+{
+ char *namekey, *uidkey;
+ TDB_DATA data;
+ char *str;
+ int ret = 0;
+ fstring username;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_storepwnam: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ namekey = acct_userkey_byname( pw->pw_name );
+
+ /* lock the main entry first */
+
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ str = passwd2string( pw );
+
+ data.dptr = str;
+ data.dsize = strlen(str) + 1;
+
+ if ( (tdb_store_bystring(account_tdb, namekey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to store \"%s\"\n", str));
+ ret = -1;
+ goto done;
+ }
+
+ /* store the uid index */
+
+ uidkey = acct_userkey_byuid(pw->pw_uid);
+
+ fstrcpy( username, pw->pw_name );
+ data.dptr = username;
+ data.dsize = strlen(username) + 1;
+
+ if ( (tdb_store_bystring(account_tdb, uidkey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to store uid key \"%s\"\n", str));
+ tdb_delete_bystring(account_tdb, namekey);
+ ret = -1;
+ goto done;
+ }
+
+ DEBUG(10,("wb_storepwnam: Success -> \"%s\"\n", str));
+
+done:
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return ( ret == 0 );
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_GR* wb_getgrnam( const char * name )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_GR *grp;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getgrnam: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+
+ keystr = acct_groupkey_byname( name );
+
+ data = tdb_fetch_bystring( account_tdb, keystr );
+
+ grp = NULL;
+
+ if ( data.dptr ) {
+ grp = string2group( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getgrnam: %s group (%s)\n",
+ (grp ? "Found" : "Did not find"), name ));
+
+ return grp;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_GR* wb_getgrgid( gid_t gid )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_GR *grp;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getgrgid: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+ data = tdb_fetch_bystring( account_tdb, acct_groupkey_bygid(gid) );
+ if ( !data.dptr ) {
+ DEBUG(4,("wb_getgrgid: failed to locate gid == %d\n", gid));
+ return NULL;
+ }
+ keystr = acct_groupkey_byname( data.dptr );
+
+ SAFE_FREE( data.dptr );
+
+ data = tdb_fetch_bystring( account_tdb, keystr );
+
+ grp = NULL;
+
+ if ( data.dptr ) {
+ grp = string2group( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getgrgid: %s group (gid == %d)\n",
+ (grp ? "Found" : "Did not find"), gid ));
+
+ return grp;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+BOOL wb_storegrnam( const WINBINDD_GR *grp )
+{
+ char *namekey, *gidkey;
+ TDB_DATA data;
+ char *str;
+ int ret = 0;
+ fstring groupname;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_storepwnam: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ namekey = acct_groupkey_byname( grp->gr_name );
+
+ /* lock the main entry first */
+
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ str = group2string( grp );
+
+ data.dptr = str;
+ data.dsize = strlen(str) + 1;
+
+ if ( (tdb_store_bystring(account_tdb, namekey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to store \"%s\"\n", str));
+ ret = -1;
+ goto done;
+ }
+
+ /* store the gid index */
+
+ gidkey = acct_groupkey_bygid(grp->gr_gid);
+
+ fstrcpy( groupname, grp->gr_name );
+ data.dptr = groupname;
+ data.dsize = strlen(groupname) + 1;
+
+ if ( (tdb_store_bystring(account_tdb, gidkey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to store gid key \"%s\"\n", str));
+ tdb_delete_bystring(account_tdb, namekey);
+ ret = -1;
+ goto done;
+ }
+
+ DEBUG(10,("wb_storegrnam: Success -> \"%s\"\n", str));
+
+done:
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return ( ret == 0 );
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_addgrpmember( WINBINDD_GR *grp, const char *user )
+{
+ int i;
+ char **members;
+
+ if ( !grp || !user )
+ return False;
+
+ for ( i=0; i<grp->num_gr_mem; i++ ) {
+ if ( StrCaseCmp( grp->gr_mem[i], user ) == 0 )
+ return True;
+ }
+
+ /* add one new slot and keep an extra for the terminating NULL */
+ members = Realloc( grp->gr_mem, (grp->num_gr_mem+2)*sizeof(char*) );
+ if ( !members )
+ return False;
+
+ grp->gr_mem = members;
+ grp->gr_mem[grp->num_gr_mem++] = smb_xstrdup(user);
+ grp->gr_mem[grp->num_gr_mem] = NULL;
+
+ return True;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_delgrpmember( WINBINDD_GR *grp, const char *user )
+{
+ int i;
+ BOOL found = False;
+
+ if ( !grp || !user )
+ return False;
+
+ for ( i=0; i<grp->num_gr_mem && !found; i++ ) {
+ if ( StrCaseCmp( grp->gr_mem[i], user ) == 0 )
+ found = True;
+ }
+
+ if ( !found )
+ return False;
+
+ /* still some remaining members */
+
+ if ( grp->num_gr_mem > 1 ) {
+ memmove( grp->gr_mem[i], grp->gr_mem[i+1], sizeof(char*)*(grp->num_gr_mem-(i+1)) );
+ grp->num_gr_mem--;
+ }
+ else { /* last one */
+ free_winbindd_gr( grp );
+ grp->gr_mem = NULL;
+ grp->num_gr_mem = 0;
+ }
+
+ return True;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static int cleangroups_traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+ void *state)
+{
+ int len;
+ fstring key;
+ char *name = (char*)state;
+
+ snprintf( key, sizeof(key), "%s/NAME", WBKEY_GROUP );
+ len = strlen(key);
+
+ /* if this is a group entry then, check the members */
+
+ if ( (strncmp(kbuf.dptr, key, len) == 0) && dbuf.dptr ) {
+ WINBINDD_GR *grp;
+
+ if ( !(grp = string2group( dbuf.dptr )) ) {
+ DEBUG(0,("cleangroups_traverse_fn: Failure to parse [%s]\n",
+ dbuf.dptr));
+ return 0;
+ }
+
+ /* just try to delete the user and rely on wb_delgrpmember()
+ to tell you whether or not the group changed. This is more
+ effecient than testing group membership first since the
+ checks for deleting a user from a group is essentially the
+ same as checking if he/she is a member */
+
+ if ( wb_delgrpmember( grp, name ) ) {
+ DEBUG(10,("cleanupgroups_traverse_fn: Removed user (%s) from group (%s)\n",
+ name, grp->gr_name));
+ wb_storegrnam( grp );
+ }
+
+ free_winbindd_gr( grp );
+ }
+
+ return 0;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_delete_user( WINBINDD_PW *pw)
+{
+ char *namekey;
+ char *uidkey;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_delete_user: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ namekey = acct_userkey_byname( pw->pw_name );
+
+ /* lock the main entry first */
+
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_delete_user: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ /* remove user from all groups */
+
+ tdb_traverse(account_tdb, cleangroups_traverse_fn, (void *)pw->pw_name);
+
+ /* remove the user */
+ uidkey = acct_userkey_byuid( pw->pw_uid );
+
+ tdb_delete_bystring( account_tdb, namekey );
+ tdb_delete_bystring( account_tdb, uidkey );
+
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return True;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static int isprimarygroup_traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
+ TDB_DATA dbuf, void *params)
+{
+ int len;
+ fstring key;
+ struct _check_primary_grp *check = (struct _check_primary_grp*)params;
+
+ snprintf( key, sizeof(key), "%s/NAME", WBKEY_PASSWD );
+ len = strlen(key);
+
+ /* if this is a group entry then, check the members */
+
+ if ( (strncmp(kbuf.dptr, key, len) == 0) && dbuf.dptr ) {
+ WINBINDD_PW *pw;;
+
+ if ( !(pw = string2passwd( dbuf.dptr )) ) {
+ DEBUG(0,("isprimarygroup_traverse_fn: Failure to parse [%s]\n",
+ dbuf.dptr));
+ return 0;
+ }
+
+ if ( check->gid == pw->pw_gid ) {
+ check->found = True;
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_delete_group( WINBINDD_GR *grp )
+{
+ struct _check_primary_grp check;
+ char *namekey;
+ char *gidkey;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_delete_group: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ /* lock the main entry first */
+
+ namekey = acct_groupkey_byname( grp->gr_name );
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_delete_group: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ /* is this group the primary group for any user? If
+ so deny delete */
+
+ check.found = False;
+ tdb_traverse(account_tdb, isprimarygroup_traverse_fn, (void *)&check);
+
+ if ( check.found ) {
+ DEBUG(4,("wb_delete_group: Cannot delete group (%s) since it "
+ "is the primary group for some users\n", grp->gr_name));
+ return False;
+ }
+
+ /* We're clear. Delete the group */
+
+ DEBUG(5,("wb_delete_group: Removing group (%s)\n", grp->gr_name));
+
+ gidkey = acct_groupkey_bygid( grp->gr_gid );
+
+ tdb_delete_bystring( account_tdb, namekey );
+ tdb_delete_bystring( account_tdb, gidkey );
+
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return True;
+}
+
+/**********************************************************************
+ Create a new "UNIX" user for the system given a username
+**********************************************************************/
+
+enum winbindd_result winbindd_create_user(struct winbindd_cli_state *state)
+{
+ char *user, *group;
+ unid_t id;
+ WINBINDD_PW pw;
+ WINBINDD_GR *wb_grp;
+ struct group *unix_grp;
+ gid_t primary_gid;
+ uint32 flags = state->request.flags;
+ uint32 rid;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_create_user: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+
+ user = state->request.data.acct_mgt.username;
+ group = state->request.data.acct_mgt.groupname;
+
+ DEBUG(3, ("[%5d]: create_user: user=>(%s), group=>(%s)\n",
+ state->pid, user, group));
+
+ if ( !*group )
+ group = lp_template_primary_group();
+
+ /* validate the primary group
+ 1) lookup in local tdb first
+ 2) call getgrnam() as a last resort */
+
+ if ( (wb_grp=wb_getgrnam(group)) != NULL ) {
+ primary_gid = wb_grp->gr_gid;
+ free_winbindd_gr( wb_grp );
+ }
+ else if ( (unix_grp=sys_getgrnam(group)) != NULL ) {
+ primary_gid = unix_grp->gr_gid;
+ }
+ else {
+ DEBUG(2,("winbindd_create_user: Cannot validate gid for group (%s)\n", group));
+ return WINBINDD_ERROR;
+ }
+
+ /* get a new uid */
+
+ if ( !NT_STATUS_IS_OK(idmap_allocate_id( &id, ID_USERID)) ) {
+ DEBUG(0,("winbindd_create_user: idmap_allocate_id() failed!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* The substitution of %U and %D in the 'template homedir' is done
+ by lp_string() calling standard_sub_basic(). */
+
+ fstrcpy( current_user_info.smb_name, user );
+ sub_set_smb_name( user );
+ fstrcpy( current_user_info.domain, get_global_sam_name() );
+
+ /* fill in the passwd struct */
+
+ fstrcpy( pw.pw_name, user );
+ fstrcpy( pw.pw_passwd, "x" );
+ fstrcpy( pw.pw_gecos, user);
+ fstrcpy( pw.pw_dir, lp_template_homedir() );
+ fstrcpy( pw.pw_shell, lp_template_shell() );
+
+ pw.pw_uid = id.uid;
+ pw.pw_gid = primary_gid;
+
+ /* store the new entry */
+
+ if ( !wb_storepwnam(&pw) )
+ return WINBINDD_ERROR;
+
+ /* do we need a new RID? */
+
+ if ( flags & WBFLAG_ALLOCATE_RID ) {
+ if ( !NT_STATUS_IS_OK(idmap_allocate_rid(&rid, USER_RID_TYPE)) ) {
+ DEBUG(0,("winbindd_create_user: RID allocation failure! Cannot create user (%s)\n",
+ user));
+ wb_delete_user( &pw );
+
+ return WINBINDD_ERROR;
+ }
+
+ state->response.data.rid = rid;
+ }
+
+ return WINBINDD_OK;
+}
+
+/**********************************************************************
+ Create a new "UNIX" group for the system given a username
+**********************************************************************/
+
+enum winbindd_result winbindd_create_group(struct winbindd_cli_state *state)
+{
+ char *group;
+ unid_t id;
+ WINBINDD_GR grp;
+ uint32 flags = state->request.flags;
+ uint32 rid;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_create_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+
+ DEBUG(3, ("[%5d]: create_group: (%s)\n", state->pid, group));
+
+ /* get a new uid */
+
+ if ( !NT_STATUS_IS_OK(idmap_allocate_id( &id, ID_GROUPID)) ) {
+ DEBUG(0,("winbindd_create_group: idmap_allocate_id() failed!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* fill in the group struct */
+
+ fstrcpy( grp.gr_name, group );
+ fstrcpy( grp.gr_passwd, "*" );
+
+ grp.gr_gid = id.gid;
+ grp.gr_mem = NULL; /* start with no members */
+ grp.num_gr_mem = 0;
+
+ if ( !wb_storegrnam(&grp) )
+ return WINBINDD_ERROR;
+
+ /* do we need a new RID? */
+
+ if ( flags & WBFLAG_ALLOCATE_RID ) {
+ if ( !NT_STATUS_IS_OK(idmap_allocate_rid(&rid, GROUP_RID_TYPE)) ) {
+ DEBUG(0,("winbindd_create_group: RID allocation failure! Cannot create group (%s)\n",
+ group));
+ wb_delete_group( &grp );
+
+ return WINBINDD_ERROR;
+ }
+
+ state->response.data.rid = rid;
+ }
+
+ return WINBINDD_OK;
+}
+
+/**********************************************************************
+ Add a user to the membership for a group.
+**********************************************************************/
+
+enum winbindd_result winbindd_add_user_to_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_PW *pw;
+ WINBINDD_GR *grp;
+ char *user, *group;
+ BOOL ret;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_add_user_to_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: add_user_to_group: add %s to %s\n", state->pid,
+ user, group));
+
+ /* make sure it is a valid user */
+
+ if ( !(pw = wb_getpwnam( user )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a non-existent user\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ if ( !wb_addgrpmember( grp, user ) )
+ return WINBINDD_ERROR;
+
+ ret = wb_storegrnam(grp);
+
+ free_winbindd_gr( grp );
+
+ return ( ret ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Remove a user from the membership of a group
+**********************************************************************/
+
+enum winbindd_result winbindd_remove_user_from_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_GR *grp;
+ char *user, *group;
+ BOOL ret;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_remove_user_from_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: remove_user_to_group: delete %s from %s\n", state->pid,
+ user, group));
+
+ /* don't worry about checking the username since we're removing it anyways */
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_remove_user_to_group: Cannot remove a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ if ( !wb_delgrpmember( grp, user ) )
+ return WINBINDD_ERROR;
+
+ ret = wb_storegrnam(grp);
+
+ free_winbindd_gr( grp );
+
+ return ( ret ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Set the primary group membership of a user
+**********************************************************************/
+
+enum winbindd_result winbindd_set_user_primary_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_PW *pw;
+ WINBINDD_GR *grp;
+ char *user, *group;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_set_user_primary_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: set_user_primary_grou:p group %s for user %s\n", state->pid,
+ group, user));
+
+ /* make sure it is a valid user */
+
+ if ( !(pw = wb_getpwnam( user )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a non-existent user\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ pw->pw_gid = grp->gr_gid;
+
+ free_winbindd_gr( grp );
+
+ return ( wb_storepwnam(pw) ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Delete a user from the winbindd account tdb.
+**********************************************************************/
+
+enum winbindd_result winbindd_delete_user(struct winbindd_cli_state *state)
+{
+ WINBINDD_PW *pw;
+ char *user;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_delete_user: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: delete_user: %s\n", state->pid, user));
+
+ /* make sure it is a valid user */
+
+ if ( !(pw = wb_getpwnam( user )) ) {
+ DEBUG(4,("winbindd_delete_user: Cannot delete a non-existent user\n"));
+ return WINBINDD_ERROR;
+ }
+
+ return ( wb_delete_user(pw) ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Delete a group from winbindd's account tdb.
+**********************************************************************/
+
+enum winbindd_result winbindd_delete_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_GR *grp;
+ char *group;
+ BOOL ret;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_delete_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+
+ DEBUG(3, ("[%5d]: delete_group: %s\n", state->pid, group));
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_delete_group: Cannot delete a non-existent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ ret = wb_delete_group(grp);
+
+ free_winbindd_gr( grp );
+
+ return ( ret ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Loadable passdb module interface.
+ Copyright (C) Jelmer Vernooij 2002
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+NTSTATUS pdb_init_plugin(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ void * dl_handle;
+ char *plugin_location, *plugin_name, *p;
+ pdb_init_function plugin_init;
+ int (*plugin_version)(void);
+
+ if (location == NULL) {
+ DEBUG(0, ("The plugin module needs an argument!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_name = smb_xstrdup(location);
+ p = strchr(plugin_name, ':');
+ if (p) {
+ *p = 0;
+ plugin_location = p+1;
+ trim_string(plugin_location, " ", " ");
+ } else plugin_location = NULL;
+ trim_string(plugin_name, " ", " ");
+
+ DEBUG(5, ("Trying to load sam plugin %s\n", plugin_name));
+ dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
+ if (!dl_handle) {
+ DEBUG(0, ("Failed to load sam plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_version = sys_dlsym(dl_handle, "pdb_version");
+ if (!plugin_version) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Failed to find function 'pdb_version' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (plugin_version() != PASSDB_INTERFACE_VERSION) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Wrong PASSDB_INTERFACE_VERSION! sam plugin has version %d and version %d is needed! Please update!\n",
+ plugin_version(),PASSDB_INTERFACE_VERSION));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_init = sys_dlsym(dl_handle, "pdb_init");
+ if (!plugin_init) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(5, ("Starting sam plugin %s with location %s\n", plugin_name, plugin_location));
+ return plugin_init(pdb_context, pdb_method, plugin_location);
+}
--- /dev/null
+BEGIN {
+ print "/* ";
+ print " Unix SMB/CIFS implementation.";
+ print " Build Options for Samba Suite";
+ print " Copyright (C) Vance Lankhaar <vlankhaar@linux.ca> 2003";
+ print " Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001";
+ print " ";
+ print " This program is free software; you can redistribute it and/or modify";
+ print " it under the terms of the GNU General Public License as published by";
+ print " the Free Software Foundation; either version 2 of the License, or";
+ print " (at your option) any later version.";
+ print " ";
+ print " This program is distributed in the hope that it will be useful,";
+ print " but WITHOUT ANY WARRANTY; without even the implied warranty of";
+ print " MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the";
+ print " GNU General Public License for more details.";
+ print " ";
+ print " You should have received a copy of the GNU General Public License";
+ print " along with this program; if not, write to the Free Software";
+ print " Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.";
+ print "*/";
+ print "";
+ print "#include \"includes.h\"";
+ print "#include \"build_env.h\"";
+ print "#include \"dynconfig.h\"";
+ print "";
+ print "static void output(BOOL screen, const char *format, ...) PRINTF_ATTRIBUTE(2,3);";
+ print "";
+ print "";
+ print "/****************************************************************************";
+ print "helper function for build_options";
+ print "****************************************************************************/";
+ print "static void output(BOOL screen, const char *format, ...)";
+ print "{";
+ print " char *ptr;";
+ print " va_list ap;";
+ print " ";
+ print " va_start(ap, format);";
+ print " vasprintf(&ptr,format,ap);";
+ print " va_end(ap);";
+ print "";
+ print " if (screen) {";
+ print " d_printf(\"%s\", ptr);";
+ print " } else {";
+ print " DEBUG(4,(\"%s\", ptr));";
+ print " }";
+ print " ";
+ print " SAFE_FREE(ptr);";
+ print "}";
+ print "";
+ print "/****************************************************************************";
+ print "options set at build time for the samba suite";
+ print "****************************************************************************/";
+ print "void build_options(BOOL screen)";
+ print "{";
+ print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " return;";
+ print " }";
+ print "";
+ print "#ifdef _BUILD_ENV_H";
+ print " /* Output information about the build environment */";
+ print " output(screen,\"Build environment:\\n\");";
+ print " output(screen,\" Built by: %s@%s\\n\",BUILD_ENV_USER,BUILD_ENV_HOST);";
+ print " output(screen,\" Built on: %s\\n\",BUILD_ENV_DATE);";
+ print "";
+ print " output(screen,\" Built using: %s\\n\",BUILD_ENV_COMPILER);";
+ print " output(screen,\" Build host: %s\\n\",BUILD_ENV_UNAME);";
+ print " output(screen,\" SRCDIR: %s\\n\",BUILD_ENV_SRCDIR);";
+ print " output(screen,\" BUILDDIR: %s\\n\",BUILD_ENV_BUILDDIR);";
+ print "";
+ print " ";
+ print "#endif";
+ print "";
+
+ print " /* Output various paths to files and directories */";
+ print " output(screen,\"\\nPaths:\\n\");";
+
+ print " output(screen,\" SBINDIR: %s\\n\", dyn_SBINDIR);";
+ print " output(screen,\" BINDIR: %s\\n\", dyn_BINDIR);";
+ print " output(screen,\" SWATDIR: %s\\n\", dyn_SWATDIR);";
+
+ print " output(screen,\" CONFIGFILE: %s\\n\", dyn_CONFIGFILE);";
+ print " output(screen,\" LOGFILEBASE: %s\\n\", dyn_LOGFILEBASE);";
+ print " output(screen,\" LMHOSTSFILE: %s\\n\",dyn_LMHOSTSFILE);";
+
+ print " output(screen,\" LIBDIR: %s\\n\",dyn_LIBDIR);";
+ print " output(screen,\" SHLIBEXT: %s\\n\",dyn_SHLIBEXT);";
+
+ print " output(screen,\" LOCKDIR: %s\\n\",dyn_LOCKDIR);";
+ print " output(screen,\" PIDDIR: %s\\n\", dyn_PIDDIR);";
+
+ print " output(screen,\" SMB_PASSWD_FILE: %s\\n\",dyn_SMB_PASSWD_FILE);";
+ print " output(screen,\" PRIVATE_DIR: %s\\n\",dyn_PRIVATE_DIR);";
+ print "";
+
+
+##################################################
+# predefine first element of *_ary
+# predefine *_i (num of elements in *_ary)
+ with_ary[0]="";
+ with_i=0;
+ have_ary[0]="";
+ have_i=0;
+ utmp_ary[0]="";
+ utmp_i=0;
+ misc_ary[0]="";
+ misc_i=0;
+ sys_ary[0]="";
+ sys_i=0;
+ headers_ary[0]="";
+ headers_i=0;
+ in_comment = 0;
+}
+
+# capture single line comments
+/^\/\* (.*?)\*\// {
+ last_comment = $0;
+ next;
+}
+
+# end capture multi-line comments
+/(.*?)\*\// {
+ last_comment = last_comment $0;
+ in_comment = 0;
+ next;
+}
+
+# capture middle lines of multi-line comments
+in_comment {
+ last_comment = last_comment $0;
+ next;
+}
+
+# begin capture multi-line comments
+/^\/\* (.*?)/ {
+ last_comment = $0;
+ in_comment = 1;
+ next
+}
+
+##################################################
+# if we have an #undef and a last_comment, store it
+/^\#undef/ {
+ split($0,a);
+ comments_ary[a[2]] = last_comment;
+ last_comment = "";
+}
+
+##################################################
+# for each line, sort into appropriate section
+# then move on
+
+/^\#undef WITH/ {
+ with_ary[with_i++] = a[2];
+ # we want (I think) to allow --with to show up in more than one place, so no next
+}
+
+
+/^\#undef HAVE_UT_UT_/ || /^\#undef .*UTMP/ {
+ utmp_ary[utmp_i++] = a[2];
+ next;
+}
+
+/^\#undef HAVE_SYS_.*?_H$/ {
+ sys_ary[sys_i++] = a[2];
+ next;
+}
+
+/^\#undef HAVE_.*?_H$/ {
+ headers_ary[headers_i++] = a[2];
+ next;
+}
+
+/^\#undef HAVE_/ {
+ have_ary[have_i++] = a[2];
+ next;
+}
+
+/^\#undef/ {
+ misc_ary[misc_i++] = a[2];
+ next;
+}
+
+
+##################################################
+# simple sort function
+function sort(ARRAY, ELEMENTS) {
+ for (i = 1; i <= ELEMENTS; ++i) {
+ for (j = i; (j-1) in ARRAY && (j) in ARRAY && ARRAY[j-1] > ARRAY[j]; --j) {
+ temp = ARRAY[j];
+ ARRAY[j] = ARRAY[j-1];
+ ARRAY[j-1] = temp;
+ }
+ }
+ return;
+}
+
+
+##################################################
+# output code from list of defined
+# expects: ARRAY an array of things defined
+# ELEMENTS number of elements in ARRAY
+# TITLE title for section
+# returns: nothing
+function output(ARRAY, ELEMENTS, TITLE) {
+
+ # add section header
+ print "\n\t/* Show " TITLE " */";
+ print "\toutput(screen, \"\\n " TITLE ":\\n\");\n";
+
+
+ # sort element using bubble sort (slow, but easy)
+ sort(ARRAY, ELEMENTS);
+
+ # loop through array of defines, outputting code
+ for (i = 0; i < ELEMENTS; i++) {
+ print "#ifdef " ARRAY[i];
+
+ # I don't know which one to use....
+
+ print "\toutput(screen, \" " ARRAY[i] "\\n\");";
+ #printf "\toutput(screen, \" %s\\n %s\\n\\n\");\n", comments_ary[ARRAY[i]], ARRAY[i];
+ #printf "\toutput(screen, \" %-35s %s\\n\");\n", ARRAY[i], comments_ary[ARRAY[i]];
+
+ print "#endif";
+ }
+ return;
+}
+
+END {
+ ##################################################
+ # add code to show various options
+ print "/* Output various other options (as gleaned from include/config.h.in) */";
+ output(sys_ary, sys_i, "System Headers");
+ output(headers_ary, headers_i, "Headers");
+ output(utmp_ary, utmp_i, "UTMP Options");
+ output(have_ary, have_i, "HAVE_* Defines");
+ output(with_ary, with_i, "--with Options");
+ output(misc_ary, misc_i, "Build Options");
+
+ ##################################################
+ # add code to display the various type sizes
+ print " /* Output the sizes of the various types */";
+ print " output(screen, \"\\nType sizes:\\n\");";
+ print " output(screen, \" sizeof(char): %u\\n\",sizeof(char));";
+ print " output(screen, \" sizeof(int): %u\\n\",sizeof(int));";
+ print " output(screen, \" sizeof(long): %u\\n\",sizeof(long));";
+ print " output(screen, \" sizeof(uint8): %u\\n\",sizeof(uint8));";
+ print " output(screen, \" sizeof(uint16): %u\\n\",sizeof(uint16));";
+ print " output(screen, \" sizeof(uint32): %u\\n\",sizeof(uint32));";
+ print " output(screen, \" sizeof(short): %u\\n\",sizeof(short));";
+ print " output(screen, \" sizeof(void*): %u\\n\",sizeof(void*));";
+
+ ##################################################
+ # add code to give information about modules
+ print " output(screen, \"\\nBuiltin modules:\\n\");";
+ print " output(screen, \" %s\\n\", STRING_STATIC_MODULES);";
+
+ print "}";
+
+}
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ FAKE FILE suppport, for faking up special files windows want access to
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/****************************************************************************
+ Open a file with a share mode.
+****************************************************************************/
+files_struct *open_fake_file_shared1(enum FAKE_FILE_TYPE fake_file_type, connection_struct *conn,char *fname,
+ SMB_STRUCT_STAT *psbuf,
+ uint32 desired_access,
+ int share_mode,int ofun, mode_t mode,int oplock_request,
+ int *Access,int *action)
+{
+ extern struct current_user current_user;
+ int flags=0;
+ files_struct *fsp = NULL;
+
+ if (fake_file_type == 0) {
+ return open_file_shared1(conn,fname,psbuf,desired_access,
+ share_mode,ofun,mode,
+ oplock_request,Access,action);
+ }
+
+ /* access check */
+ if (conn->admin_user != True) {
+ DEBUG(1,("access_denied to service[%s] file[%s] user[%s]\n",
+ lp_servicename(SNUM(conn)),fname,conn->user));
+ errno = EACCES;
+ return NULL;
+ }
+
+ fsp = file_new(conn);
+ if(!fsp)
+ return NULL;
+
+ DEBUG(5,("open_fake_file_shared1: fname = %s, FID = %d, share_mode = %x, ofun = %x, mode = %o, oplock request = %d\n",
+ fname, fsp->fnum, share_mode, ofun, (int)mode, oplock_request ));
+
+ if (!check_name(fname,conn)) {
+ file_free(fsp);
+ return NULL;
+ }
+
+ fsp->fd = -1;
+ fsp->mode = psbuf->st_mode;
+ fsp->inode = psbuf->st_ino;
+ fsp->dev = psbuf->st_dev;
+ fsp->vuid = current_user.vuid;
+ fsp->size = psbuf->st_size;
+ fsp->pos = -1;
+ fsp->can_lock = True;
+ fsp->can_read = ((flags & O_WRONLY)==0);
+ fsp->can_write = ((flags & (O_WRONLY|O_RDWR))!=0);
+ fsp->share_mode = 0;
+ fsp->desired_access = desired_access;
+ fsp->print_file = False;
+ fsp->modified = False;
+ fsp->oplock_type = NO_OPLOCK;
+ fsp->sent_oplock_break = NO_BREAK_SENT;
+ fsp->is_directory = False;
+ fsp->is_stat = False;
+ fsp->directory_delete_on_close = False;
+ fsp->conn = conn;
+ string_set(&fsp->fsp_name,fname);
+ fsp->wcp = NULL; /* Write cache pointer. */
+
+ fsp->fake_file_handle = init_fake_file_handle(fake_file_type);
+
+ if (fsp->fake_file_handle==NULL) {
+ file_free(fsp);
+ return NULL;
+ }
+
+ conn->num_files_open++;
+ return fsp;
+}
+
+static FAKE_FILE fake_files[] = {
+#ifdef WITH_QUOTAS
+ {FAKE_FILE_NAME_QUOTA, FAKE_FILE_TYPE_QUOTA, init_quota_handle, destroy_quota_handle},
+#endif /* WITH_QUOTAS */
+ {NULL, FAKE_FILE_TYPE_NONE, NULL, NULL }
+};
+
+int is_fake_file(char *fname)
+{
+ int i;
+
+ if (!fname)
+ return 0;
+
+ for (i=0;fake_files[i].name!=NULL;i++) {
+ if (strncmp(fname,fake_files[i].name,strlen(fake_files[i].name))==0) {
+ DEBUG(5,("is_fake_file: [%s] is a fake file\n",fname));
+ return fake_files[i].type;
+ }
+ }
+
+ return FAKE_FILE_TYPE_NONE;
+}
+
+struct _FAKE_FILE_HANDLE *init_fake_file_handle(enum FAKE_FILE_TYPE type)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ FAKE_FILE_HANDLE *fh = NULL;
+ int i;
+
+ for (i=0;fake_files[i].name!=NULL;i++) {
+ if (fake_files[i].type==type) {
+ DEBUG(5,("init_fake_file_handle: for [%s]\n",fake_files[i].name));
+
+ if ((mem_ctx=talloc_init("fake_file_handle"))==NULL) {
+ DEBUG(0,("talloc_init(fake_file_handle) failed.\n"));
+ return NULL;
+ }
+
+ if ((fh =(FAKE_FILE_HANDLE *)talloc_zero(mem_ctx, sizeof(FAKE_FILE_HANDLE)))==NULL) {
+ DEBUG(0,("talloc_zero() failed.\n"));
+ talloc_destroy(mem_ctx);
+ return NULL;
+ }
+
+ fh->type = type;
+ fh->mem_ctx = mem_ctx;
+
+ if (fake_files[i].init_pd)
+ fh->pd = fake_files[i].init_pd(fh->mem_ctx);
+
+ fh->free_pd = fake_files[i].free_pd;
+
+ return fh;
+ }
+ }
+
+ return NULL;
+}
+
+void destroy_fake_file_handle(FAKE_FILE_HANDLE **fh)
+{
+ if (!fh||!(*fh))
+ return ;
+
+ if ((*fh)->free_pd)
+ (*fh)->free_pd(&(*fh)->pd);
+
+ talloc_destroy((*fh)->mem_ctx);
+ (*fh) = NULL;
+}
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ NT QUOTA suppport
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+static SMB_BIG_UINT limit_nt2unix(SMB_BIG_UINT in, SMB_BIG_UINT bsize)
+{
+ SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
+
+ ret = (SMB_BIG_UINT)(in/bsize);
+ if (in>0 && ret==0) {
+ /* we have to make sure that a overflow didn't set NO_LIMIT */
+ ret = (SMB_BIG_UINT)1;
+ }
+
+ if (in == SMB_NTQUOTAS_NO_LIMIT)
+ ret = SMB_QUOTAS_NO_LIMIT;
+ else if (in == SMB_NTQUOTAS_NO_SPACE)
+ ret = SMB_QUOTAS_NO_SPACE;
+ else if (in == SMB_NTQUOTAS_NO_ENTRY)
+ ret = SMB_QUOTAS_NO_LIMIT;
+
+ return ret;
+}
+
+static SMB_BIG_UINT limit_unix2nt(SMB_BIG_UINT in, SMB_BIG_UINT bsize)
+{
+ SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
+
+ ret = (SMB_BIG_UINT)(in*bsize);
+
+ if (ret < in) {
+ /* we overflow */
+ ret = SMB_NTQUOTAS_NO_LIMIT;
+ }
+
+ if (in == SMB_QUOTAS_NO_LIMIT)
+ ret = SMB_NTQUOTAS_NO_LIMIT;
+
+ return ret;
+}
+
+static SMB_BIG_UINT limit_blk2inodes(SMB_BIG_UINT in)
+{
+ SMB_BIG_UINT ret = (SMB_BIG_UINT)0;
+
+ ret = (SMB_BIG_UINT)(in/2);
+
+ if (ret == 0 && in != 0)
+ ret = (SMB_BIG_UINT)1;
+
+ return ret;
+}
+
+int vfs_get_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid, SMB_NTQUOTA_STRUCT *qt)
+{
+ int ret;
+ SMB_DISK_QUOTA D;
+ unid_t id;
+
+ ZERO_STRUCT(D);
+
+ if (!fsp||!fsp->conn||!qt)
+ return (-1);
+
+ ZERO_STRUCT(*qt);
+
+ id.uid = -1;
+
+ if (psid && !NT_STATUS_IS_OK(sid_to_uid(psid, &id.uid))) {
+ DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
+ sid_string_static(psid)));
+ }
+
+ ret = SMB_VFS_GET_QUOTA(fsp->conn, qtype, id, &D);
+
+ if (psid)
+ qt->sid = *psid;
+
+ if (ret!=0) {
+ return ret;
+ }
+
+ qt->usedspace = (SMB_BIG_UINT)D.curblocks*D.bsize;
+ qt->softlim = limit_unix2nt(D.softlimit, D.bsize);
+ qt->hardlim = limit_unix2nt(D.hardlimit, D.bsize);
+ qt->qflags = D.qflags;
+
+
+ return 0;
+}
+
+int vfs_set_ntquota(files_struct *fsp, enum SMB_QUOTA_TYPE qtype, DOM_SID *psid, SMB_NTQUOTA_STRUCT *qt)
+{
+ int ret;
+ SMB_DISK_QUOTA D;
+ unid_t id;
+ ZERO_STRUCT(D);
+
+ if (!fsp||!fsp->conn||!qt)
+ return (-1);
+
+ id.uid = -1;
+
+ D.bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+ D.softlimit = limit_nt2unix(qt->softlim,D.bsize);
+ D.hardlimit = limit_nt2unix(qt->hardlim,D.bsize);
+ D.qflags = qt->qflags;
+
+ D.isoftlimit = limit_blk2inodes(D.softlimit);
+ D.ihardlimit = limit_blk2inodes(D.hardlimit);
+
+ if (psid && !NT_STATUS_IS_OK(sid_to_uid(psid, &id.uid))) {
+ DEBUG(0,("sid_to_uid: failed, SID[%s]\n",
+ sid_string_static(psid)));
+ }
+
+ ret = SMB_VFS_SET_QUOTA(fsp->conn, qtype, id, &D);
+
+ return ret;
+}
+
+static BOOL allready_in_quota_list(SMB_NTQUOTA_LIST *qt_list, uid_t uid)
+{
+ SMB_NTQUOTA_LIST *tmp_list = NULL;
+
+ if (!qt_list)
+ return False;
+
+ for (tmp_list=qt_list;tmp_list!=NULL;tmp_list=tmp_list->next) {
+ if (tmp_list->uid == uid) {
+ return True;
+ }
+ }
+
+ return False;
+}
+
+int vfs_get_user_ntquota_list(files_struct *fsp, SMB_NTQUOTA_LIST **qt_list)
+{
+ struct passwd *usr;
+ TALLOC_CTX *mem_ctx = NULL;
+
+ if (!fsp||!fsp->conn||!qt_list)
+ return (-1);
+
+ *qt_list = NULL;
+
+ if ((mem_ctx=talloc_init("SMB_USER_QUOTA_LIST"))==NULL) {
+ DEBUG(0,("talloc_init() failed\n"));
+ return (-1);
+ }
+
+ sys_setpwent();
+ while ((usr = sys_getpwent()) != NULL) {
+ SMB_NTQUOTA_STRUCT tmp_qt;
+ SMB_NTQUOTA_LIST *tmp_list_ent;
+ DOM_SID sid;
+
+ ZERO_STRUCT(tmp_qt);
+
+ if (allready_in_quota_list((*qt_list),usr->pw_uid)) {
+ DEBUG(5,("record for uid[%ld] allready in the list\n",(long)usr->pw_uid));
+ continue;
+ }
+
+ if (!NT_STATUS_IS_OK(uid_to_sid(&sid, usr->pw_uid))) {
+ DEBUG(0,("uid_to_sid failed for %ld\n",(long)usr->pw_uid));
+ continue;
+ }
+
+ if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &tmp_qt)!=0) {
+ DEBUG(1,("no quota entry for sid[%s] path[%s]\n",
+ sid_string_static(&sid),fsp->conn->connectpath));
+ continue;
+ }
+
+ DEBUG(15,("quota entry for id[%s] path[%s]\n",
+ sid_string_static(&sid),fsp->conn->connectpath));
+
+ if ((tmp_list_ent=(SMB_NTQUOTA_LIST *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_LIST)))==NULL) {
+ DEBUG(0,("talloc_zero() failed\n"));
+ *qt_list = NULL;
+ talloc_destroy(mem_ctx);
+ return (-1);
+ }
+
+ if ((tmp_list_ent->quotas=(SMB_NTQUOTA_STRUCT *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_STRUCT)))==NULL) {
+ DEBUG(0,("talloc_zero() failed\n"));
+ *qt_list = NULL;
+ talloc_destroy(mem_ctx);
+ return (-1);
+ }
+
+ tmp_list_ent->uid = usr->pw_uid;
+ memcpy(tmp_list_ent->quotas,&tmp_qt,sizeof(tmp_qt));
+ tmp_list_ent->mem_ctx = mem_ctx;
+
+ DLIST_ADD((*qt_list),tmp_list_ent);
+
+ }
+ sys_endpwent();
+
+ return 0;
+}
+
+void *init_quota_handle(TALLOC_CTX *mem_ctx)
+{
+ SMB_NTQUOTA_HANDLE *qt_handle;
+
+ if (!mem_ctx)
+ return False;
+
+ qt_handle = (SMB_NTQUOTA_HANDLE *)talloc_zero(mem_ctx,sizeof(SMB_NTQUOTA_HANDLE));
+ if (qt_handle==NULL) {
+ DEBUG(0,("talloc_zero() failed\n"));
+ return NULL;
+ }
+
+ return (void *)qt_handle;
+}
+
+void destroy_quota_handle(void **pqt_handle)
+{
+ SMB_NTQUOTA_HANDLE *qt_handle = NULL;
+ if (!pqt_handle||!(*pqt_handle))
+ return;
+
+ qt_handle = (*pqt_handle);
+
+
+ if (qt_handle->quota_list)
+ free_ntquota_list(&qt_handle->quota_list);
+
+ qt_handle->quota_list = NULL;
+ qt_handle->tmp_list = NULL;
+ qt_handle = NULL;
+
+ return;
+}
+
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ low level tdb backup and restore utility
+ Copyright (C) Andrew Tridgell 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+#include <time.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <ctype.h>
+#include <signal.h>
+#include "tdb.h"
+
+static int failed;
+
+char *add_suffix(const char *name, const char *suffix)
+{
+ char *ret;
+ int len = strlen(name) + strlen(suffix) + 1;
+ ret = malloc(len);
+ if (!ret) {
+ fprintf(stderr,"Out of memory!\n");
+ exit(1);
+ }
+ strncpy(ret, name, len);
+ strncat(ret, suffix, len);
+ return ret;
+}
+
+static int copy_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+ TDB_CONTEXT *tdb_new = (TDB_CONTEXT *)state;
+
+ if (tdb_store(tdb_new, key, dbuf, TDB_INSERT) != 0) {
+ fprintf(stderr,"Failed to insert into %s\n", tdb_new->name);
+ failed = 1;
+ return 1;
+ }
+ return 0;
+}
+
+
+static int test_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+ return 0;
+}
+
+/*
+ carefully backup a tdb, validating the contents and
+ only doing the backup if its OK
+ this function is also used for restore
+*/
+int backup_tdb(const char *old_name, const char *new_name)
+{
+ TDB_CONTEXT *tdb;
+ TDB_CONTEXT *tdb_new;
+ char *tmp_name;
+ struct stat st;
+ int count1, count2;
+
+ tmp_name = add_suffix(new_name, ".tmp");
+
+ /* stat the old tdb to find its permissions */
+ if (stat(old_name, &st) != 0) {
+ perror(old_name);
+ return 1;
+ }
+
+ /* open the old tdb */
+ tdb = tdb_open(old_name, 0, 0, O_RDWR, 0);
+ if (!tdb) {
+ printf("Failed to open %s\n", old_name);
+ return 1;
+ }
+
+ /* create the new tdb */
+ unlink(tmp_name);
+ tdb_new = tdb_open(tmp_name, tdb->header.hash_size,
+ TDB_DEFAULT, O_RDWR|O_CREAT|O_EXCL,
+ st.st_mode & 0777);
+ if (!tdb_new) {
+ perror(tmp_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ /* lock the old tdb */
+ if (tdb_lockall(tdb) != 0) {
+ fprintf(stderr,"Failed to lock %s\n", old_name);
+ tdb_close(tdb);
+ tdb_close(tdb_new);
+ unlink(tmp_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ failed = 0;
+
+ /* traverse and copy */
+ count1 = tdb_traverse(tdb, copy_fn, (void *)tdb_new);
+ if (count1 < 0 || failed) {
+ fprintf(stderr,"failed to copy %s\n", old_name);
+ tdb_close(tdb);
+ tdb_close(tdb_new);
+ unlink(tmp_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ /* close the old tdb */
+ tdb_close(tdb);
+
+ /* close the new tdb and re-open read-only */
+ tdb_close(tdb_new);
+ tdb_new = tdb_open(tmp_name, 0, TDB_DEFAULT, O_RDONLY, 0);
+ if (!tdb_new) {
+ fprintf(stderr,"failed to reopen %s\n", tmp_name);
+ unlink(tmp_name);
+ perror(tmp_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ /* traverse the new tdb to confirm */
+ count2 = tdb_traverse(tdb_new, test_fn, 0);
+ if (count2 != count1) {
+ fprintf(stderr,"failed to copy %s\n", old_name);
+ tdb_close(tdb_new);
+ unlink(tmp_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ /* make sure the new tdb has reached stable storage */
+ fsync(tdb_new->fd);
+
+ /* close the new tdb and rename it to .bak */
+ tdb_close(tdb_new);
+ unlink(new_name);
+ if (rename(tmp_name, new_name) != 0) {
+ perror(new_name);
+ free(tmp_name);
+ return 1;
+ }
+
+ free(tmp_name);
+
+ return 0;
+}
+
+
+
+/*
+ verify a tdb and if it is corrupt then restore from *.bak
+*/
+int verify_tdb(const char *fname, const char *bak_name)
+{
+ TDB_CONTEXT *tdb;
+ int count = -1;
+
+ /* open the tdb */
+ tdb = tdb_open(fname, 0, 0, O_RDONLY, 0);
+
+ /* traverse the tdb, then close it */
+ if (tdb) {
+ count = tdb_traverse(tdb, test_fn, NULL);
+ tdb_close(tdb);
+ }
+
+ /* count is < 0 means an error */
+ if (count < 0) {
+ printf("restoring %s\n", fname);
+ return backup_tdb(bak_name, fname);
+ }
+
+ printf("%s : %d records\n", fname, count);
+
+ return 0;
+}
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ low level tdb backup and restore utility
+ Copyright (C) Andrew Tridgell 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+char *add_suffix(const char *name, const char *suffix);
+int backup_tdb(const char *old_name, const char *new_name);
+int verify_tdb(const char *fname, const char *bak_name);
--- /dev/null
+/*
+ Samba Unix/Linux SMB client library
+ Distributed SMB/CIFS Server Management Utility
+ Copyright (C) 2003 Andrew Bartlett (abartlet@samba.org)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "includes.h"
+#include "../utils/net.h"
+
+
+/***********************************************************
+ Helper function for net_idmap_dump. Dump one entry.
+ **********************************************************/
+static int net_idmap_dump_one_entry(TDB_CONTEXT *tdb,
+ TDB_DATA key,
+ TDB_DATA data,
+ void *unused)
+{
+ if (strcmp(key.dptr, "USER HWM") == 0) {
+ printf("USER HWM %d\n", IVAL(data.dptr,0));
+ return 0;
+ }
+
+ if (strcmp(key.dptr, "GROUP HWM") == 0) {
+ printf("GROUP HWM %d\n", IVAL(data.dptr,0));
+ return 0;
+ }
+
+ if (strncmp(key.dptr, "S-", 2) != 0)
+ return 0;
+
+ printf("%s %s\n", data.dptr, key.dptr);
+ return 0;
+}
+
+/***********************************************************
+ Dump the current idmap
+ **********************************************************/
+static int net_idmap_dump(int argc, const char **argv)
+{
+ TDB_CONTEXT *idmap_tdb;
+
+ if ( argc != 1 )
+ return net_help_idmap( argc, argv );
+
+ idmap_tdb = tdb_open_log(argv[0], 0, TDB_DEFAULT, O_RDONLY, 0);
+
+ if (idmap_tdb == NULL) {
+ d_printf("Could not open idmap: %s\n", argv[0]);
+ return -1;
+ }
+
+ tdb_traverse(idmap_tdb, net_idmap_dump_one_entry, NULL);
+
+ tdb_close(idmap_tdb);
+
+ return 0;
+}
+
+/***********************************************************
+ Write entries from stdin to current local idmap
+ **********************************************************/
+static int net_idmap_restore(int argc, const char **argv)
+{
+ if (!idmap_init(lp_idmap_backend())) {
+ d_printf("Could not init idmap\n");
+ return -1;
+ }
+
+ while (!feof(stdin)) {
+ fstring line, sid_string;
+ int len;
+ unid_t id;
+ int type = ID_EMPTY;
+ DOM_SID sid;
+
+ if (fgets(line, sizeof(line)-1, stdin) == NULL)
+ break;
+
+ len = strlen(line);
+
+ if ( (len > 0) && (line[len-1] == '\n') )
+ line[len-1] = '\0';
+
+ if (sscanf(line, "GID %d %s", &id.gid, sid_string) == 2) {
+ type = ID_GROUPID;
+ }
+
+ if (sscanf(line, "UID %d %s", &id.uid, sid_string) == 2) {
+ type = ID_USERID;
+ }
+
+ if (type == ID_EMPTY) {
+ d_printf("ignoring invalid line [%s]\n", line);
+ continue;
+ }
+
+ if (!string_to_sid(&sid, sid_string)) {
+ d_printf("ignoring invalid sid [%s]\n", sid_string);
+ continue;
+ }
+
+ if (!NT_STATUS_IS_OK(idmap_set_mapping(&sid, id, type))) {
+ d_printf("Could not set mapping of %s %d to sid %s\n",
+ (type == ID_GROUPID) ? "GID" : "UID",
+ (type == ID_GROUPID) ? id.gid : id.uid,
+ sid_string_static(&sid));
+ continue;
+ }
+
+ }
+
+ idmap_close();
+ return 0;
+}
+
+int net_help_idmap(int argc, const char **argv)
+{
+ d_printf("net idmap dump filename"\
+ "\n Dump current id mapping\n");
+
+ d_printf("net idmap restore"\
+ "\n Restore entries from stdin to current local idmap\n");
+
+ return -1;
+}
+
+/***********************************************************
+ Look at the current idmap
+ **********************************************************/
+int net_idmap(int argc, const char **argv)
+{
+ struct functable func[] = {
+ {"dump", net_idmap_dump},
+ {"restore", net_idmap_restore},
+ {"help", net_help_idmap},
+ {NULL, NULL}
+ };
+
+ return net_run_function(argc, argv, func, net_help_idmap);
+}
+
+
--- /dev/null
+. torture_setup.fns
+test_torture "DIR1"
--- /dev/null
+. torture_setup.fns
+test_torture "FDPASS"
--- /dev/null
+. torture_setup.fns
+test_torture "LOCK6"
--- /dev/null
+. torture_setup.fns
+test_torture "LOCK7"
--- /dev/null
+. torture_setup.fns
+test_torture "MANGLE"
--- /dev/null
+. torture_setup.fns
+test_torture "PROPERTIES"
--- /dev/null
+. torture_setup.fns
+test_torture "TCON1"
--- /dev/null
+. torture_setup.fns
+test_torture "TCON2"
--- /dev/null
+. torture_setup.fns
+test_torture "TCONDEV"
git.samba.org / gd / samba-autobuild / .git / commitdiff
