--- /dev/null
+<chapter id="VFS">
+<chapterinfo>
+ <author><firstname>Jelmer</firstname><surname>Vernooij</surname></author>
+ <author><firstname>Alexander</firstname><surname>Bokovoy</surname></author>
+ <author><firstname>Tim</firstname><surname>Potter</surname></author>
+ <author><firstname>Simo</firstname><surname>Sorce</surname></author>
+</chapterinfo>
+<title>Stackable VFS modules</title>
+
+<sect1>
+<title>Introduction and configuration</title>
+
+<para>
+Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.
+Samba passes each request to access the unix file system thru the loaded VFS modules.
+This chapter covers all the modules that come with the samba source and references to
+some external modules.
+</para>
+
+<para>
+You may have problems to compile these modules, as shared libraries are
+compiled and linked in different ways on different systems.
+They currently have been tested against GNU/linux and IRIX.
+</para>
+
+<para>
+To use the VFS modules, create a share similar to the one below. The
+important parameter is the <command>vfs object</command> parameter which must point to
+the exact pathname of the shared library objects. For example, to log all access
+to files and use a recycle bin:
+
+<programlisting>
+ [audit]
+ comment = Audited /data directory
+ path = /data
+ vfs object = /path/to/audit.so /path/to/recycle.so
+ writeable = yes
+ browseable = yes
+</programlisting>
+</para>
+
+<para>
+The modules are used in the order they are specified.
+</para>
+
+<para>
+Further documentation on writing VFS modules for Samba can be found in
+the Samba Developers Guide.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Included modules</title>
+
+<sect2>
+<title>audit</title>
+<para>A simple module to audit file access to the syslog
+facility. The following operations are logged:
+<simplelist>
+<member>share</member>
+<member>connect/disconnect</member>
+<member>directory opens/create/remove</member>
+<member>file open/close/rename/unlink/chmod</member>
+</simplelist>
+</para>
+</sect2>
+
+<sect2>
+<title>recycle</title>
+<para>
+A recycle-bin like modules. When used any unlink call
+will be intercepted and files moved to the recycle
+directory instead of beeing deleted.
+</para>
+
+<para>Supported options:
+<variablelist>
+ <varlistentry>
+ <term>vfs_recycle_bin:repository</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:keeptree</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:versions</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:touch</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:maxsize</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:exclude</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:exclude_dir</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>vfs_recycle_bin:noversions</term>
+ <listitem><para>FIXME</para></listitem>
+ </varlistentry>
+</variablelist>
+</para>
+
+</sect2>
+
+<sect2>
+<title>netatalk</title>
+<para>
+A netatalk module, that will ease co-existence of samba and
+netatalk file sharing services.
+</para>
+
+<para>Advantages compared to the old netatalk module:
+<simplelist>
+<member>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</member>
+<member>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</member>
+</simplelist>
+</para>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>VFS modules available elsewhere</title>
+
+<para>
+This section contains a listing of various other VFS modules that
+have been posted but don't currently reside in the Samba CVS
+tree for one reason ot another (e.g. it is easy for the maintainer
+to have his or her own CVS tree).
+</para>
+
+<para>
+No statemets about the stability or functionality any module
+should be implied due to its presence here.
+</para>
+
+<sect2>
+<title>DatabaseFS</title>
+
+<para>
+URL: <ulink url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
+</para>
+
+<para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer</ulink>.</para>
+
+<para>
+I have created a VFS module which implements a fairly complete read-only
+filesystem. It presents information from a database as a filesystem in
+a modular and generic way to allow different databases to be used
+(originally designed for organizing MP3s under directories such as
+"Artists," "Song Keywords," etc... I have since applied it to a student
+roster database very easily). The directory structure is stored in the
+database itself and the module makes no assumptions about the database
+structure beyond the table it requires to run.
+</para>
+
+<para>
+Any feedback would be appreciated: comments, suggestions, patches,
+etc... If nothing else, hopefully it might prove useful for someone
+else who wishes to create a virtual filesystem.
+</para>
+
+</sect2>
+
+<sect2>
+<title>vscan</title>
+<para>URL: <ulink url="http://www.openantivirus.org/">http://www.openantivirus.org/</ulink></para>
+
+<para>
+samba-vscan is a proof-of-concept module for Samba, which
+uses the VFS (virtual file system) features of Samba 2.2.x/3.0
+alphaX. Of couse, Samba has to be compiled with VFS support.
+samba-vscan supports various virus scanners and is maintained
+by Rainer Link.
+</para>
+
+</sect2>
+
+</sect1>
+
+</chapter>
--- /dev/null
+<chapter id="pdb-mysql">
+<chapterinfo>
+ <author>
+ <firstname>Jelmer</firstname><surname>Vernooij</surname>
+ <affiliation>
+ <orgname>The Samba Team</orgname>
+ <address><email>jelmer@samba.org</email></address>
+ </affiliation>
+ </author>
+ <pubdate>November 2002</pubdate>
+</chapterinfo>
+
+<title>Passdb MySQL plugin</title>
+
+<sect1>
+<title>Building</title>
+
+<para>To build the plugin, run <command>make bin/pdb_mysql.so</command>
+in the <filename>source/</filename> directory of samba distribution.
+</para>
+
+<para>Next, copy pdb_mysql.so to any location you want. I
+strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</para>
+
+</sect1>
+
+<sect1>
+<title>Configuring</title>
+
+<para>This plugin lacks some good documentation, but here is some short info:</para>
+
+<para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>:
+<programlisting>
+passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]
+</programlisting>
+</para>
+
+<para>The identifier can be any string you like, as long as it doesn't collide with
+the identifiers of other plugins or other instances of pdb_mysql. If you
+specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
+use different identifiers!
+</para>
+
+<para>
+Additional options can be given thru the smb.conf file in the [global] section.
+</para>
+
+<para><programlisting>
+identifier:mysql host - host name, defaults to 'localhost'
+identifier:mysql password
+identifier:mysql user - defaults to 'samba'
+identifier:mysql database - defaults to 'samba'
+identifier:mysql port - defaults to 3306
+identifier:table - Name of the table containing users
+</programlisting></para>
+
+<para>Names of the columns in this table(I've added column types those columns should have first):</para>
+
+<para><programlisting>
+identifier:logon time column - int(9)
+identifier:logoff time column - int(9)
+identifier:kickoff time column - int(9)
+identifier:pass last set time column - int(9)
+identifier:pass can change time column - int(9)
+identifier:pass must change time column - int(9)
+identifier:username column - varchar(255) - unix username
+identifier:domain column - varchar(255) - NT domain user is part of
+identifier:nt username column - varchar(255) - NT username
+identifier:fullname column - varchar(255) - Full name of user
+identifier:home dir column - varchar(255) - Unix homedir path
+identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
+identifier:logon script column - varchar(255) - Batch file to run on client side when logging on
+identifier:profile path column - varchar(255) - Path of profile
+identifier:acct desc column - varchar(255) - Some ASCII NT user data
+identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all)
+identifier:unknown string column - varchar(255) - unknown string
+identifier:munged dial column - varchar(255) - ?
+identifier:uid column - int(9) - Unix user ID (uid)
+identifier:gid column - int(9) - Unix user group (gid)
+identifier:user sid column - varchar(255) - NT user SID
+identifier:group sid column - varchar(255) - NT group ID
+identifier:lanman pass column - varchar(255) - encrypted lanman password
+identifier:nt pass column - varchar(255) - encrypted nt passwd
+identifier:plain pass column - varchar(255) - plaintext password
+identifier:acct control column - int(9) - nt user data
+identifier:unknown 3 column - int(9) - unknown
+identifier:logon divs column - int(9) - ?
+identifier:hours len column - int(9) - ?
+identifier:unknown 5 column - int(9) - unknown
+identifier:unknown 6 column - int(9) - unknown
+</programlisting></para>
+
+<para>
+Eventually, you can put a colon (:) after the name of each column, which
+should specify the column to update when updating the table. You can also
+specify nothing behind the colon - then the data from the field will not be
+updated.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Using plaintext passwords or encrypted password</title>
+
+<para>
+I strongly discourage the use of plaintext passwords, however, you can use them:
+</para>
+
+<para>
+If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords.
+</para>
+
+<para>
+If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Getting non-column data from the table</title>
+
+<para>
+It is possible to have not all data in the database and making some 'constant'.
+</para>
+
+<para>
+For example, you can set 'identifier:fullname column' to :
+<command>CONCAT(First_name,' ',Sur_name)</command>
+</para>
+
+<para>
+Or, set 'identifier:workstations column' to :
+<command>NULL</command></para>
+
+<para>See the MySQL documentation for more language constructs.</para>
+
+</sect1>
+</chapter>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Samba as a ADS domain member</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Type of installation"
+HREF="type.html"><LINK
+REL="PREVIOUS"
+TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
+HREF="samba-bdc.html"><LINK
+REL="NEXT"
+TITLE="Samba as a NT4 domain member"
+HREF="domain-security.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="domain-security.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="ADS"
+></A
+>Chapter 9. Samba as a ADS domain member</H1
+><P
+>This is a VERY ROUGH guide to setting up the current (November 2001)
+pre-alpha version of Samba 3.0 with kerberos authentication against a
+Windows2000 KDC. The procedures listed here are likely to change as
+the code develops.</P
+><P
+>Pieces you need before you begin:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>a Windows 2000 server.</TD
+></TR
+><TR
+><TD
+>samba 3.0 or higher.</TD
+></TR
+><TR
+><TD
+>the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work.</TD
+></TR
+><TR
+><TD
+>the OpenLDAP development libraries.</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1203"
+></A
+>9.1. Installing the required packages for Debian</H1
+><P
+>On Debian you need to install the following packages:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>libkrb5-dev</TD
+></TR
+><TR
+><TD
+>krb5-user</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1209"
+></A
+>9.2. Installing the required packages for RedHat</H1
+><P
+>On RedHat this means you should have at least:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>krb5-workstation (for kinit)</TD
+></TR
+><TR
+><TD
+>krb5-libs (for linking with)</TD
+></TR
+><TR
+><TD
+>krb5-devel (because you are compiling from source)</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+><P
+>in addition to the standard development environment.</P
+><P
+>Note that these are not standard on a RedHat install, and you may need
+to get them off CD2.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1218"
+></A
+>9.3. Compile Samba</H1
+><P
+>If your kerberos libraries are in a non-standard location then
+ remember to add the configure option --with-krb5=DIR.</P
+><P
+>After you run configure make sure that include/config.h contains
+ lines like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>#define HAVE_KRB5 1
+#define HAVE_LDAP 1</PRE
+></P
+><P
+>If it doesn't then configure did not find your krb5 libraries or
+ your ldap libraries. Look in config.log to figure out why and fix
+ it.</P
+><P
+>Then compile and install Samba as usual. You must use at least the
+ following 3 options in smb.conf:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> realm = YOUR.KERBEROS.REALM
+ ads server = your.kerberos.server
+ security = ADS
+ encrypt passwords = yes</PRE
+></P
+><P
+>Strictly speaking, you can omit the realm name and you can use an IP
+ address for the ads server. In that case Samba will auto-detect these.</P
+><P
+>You do *not* need a smbpasswd file, although it won't do any harm
+ and if you have one then Samba will be able to fall back to normal
+ password security for older clients. I expect that the above
+ required options will change soon when we get better active
+ directory integration.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1230"
+></A
+>9.4. Setup your /etc/krb5.conf</H1
+><P
+>The minimal configuration for krb5.conf is:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> [realms]
+ YOUR.KERBEROS.REALM = {
+ kdc = your.kerberos.server
+ }</PRE
+></P
+><P
+>Test your config by doing a "kinit USERNAME@REALM" and making sure that
+ your password is accepted by the Win2000 KDC. </P
+><P
+>NOTE: The realm must be uppercase. </P
+><P
+>You also must ensure that you can do a reverse DNS lookup on the IP
+address of your KDC. Also, the name that this reverse lookup maps to
+must either be the netbios name of the KDC (ie. the hostname with no
+domain attached) or it can alternatively be the netbios name
+followed by the realm. </P
+><P
+>The easiest way to ensure you get this right is to add a /etc/hosts
+entry mapping the IP address of your KDC to its netbios name. If you
+don't get this right then you will get a "local error" when you try
+to join the realm.</P
+><P
+>If all you want is kerberos support in smbclient then you can skip
+straight to step 5 now. Step 3 is only needed if you want kerberos
+support in smbd.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1240"
+></A
+>9.5. Create the computer account</H1
+><P
+>Do a "kinit" as a user that has authority to change arbitrary
+passwords on the KDC ("Administrator" is a good choice). Then as a
+user that has write permission on the Samba private directory
+(usually root) run:
+<B
+CLASS="COMMAND"
+>net ads join</B
+></P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN1244"
+></A
+>9.5.1. Possible errors</H2
+><P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>"bash: kinit: command not found"</DT
+><DD
+><P
+>kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)</P
+></DD
+><DT
+>"ADS support not compiled in"</DT
+><DD
+><P
+>Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1256"
+></A
+>9.6. Test your server setup</H1
+><P
+>On a Windows 2000 client try <B
+CLASS="COMMAND"
+>net use * \\server\share</B
+>. You should
+be logged in with kerberos without needing to know a password. If
+this fails then run <B
+CLASS="COMMAND"
+>klist tickets</B
+>. Did you get a ticket for the
+server? Does it have an encoding type of DES-CBC-MD5 ? </P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1261"
+></A
+>9.7. Testing with smbclient</H1
+><P
+>On your Samba server try to login to a Win2000 server or your Samba
+server using smbclient and kerberos. Use smbclient as usual, but
+specify the -k option to choose kerberos authentication.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1264"
+></A
+>9.8. Notes</H1
+><P
+>You must change administrator password at least once after DC install,
+ to create the right encoding types</P
+><P
+>w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
+ their defaults DNS setup. Maybe fixed in service packs?</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="domain-security.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="type.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Samba as a NT4 domain member</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Appendixes</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="PREVIOUS"
+TITLE="Samba performance issues"
+HREF="speed.html"><LINK
+REL="NEXT"
+TITLE="Portability"
+HREF="portability.html"></HEAD
+><BODY
+CLASS="PART"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="speed.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="portability.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="PART"
+><A
+NAME="APPENDIXES"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+>IV. Appendixes</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>24. <A
+HREF="portability.html"
+>Portability</A
+></DT
+><DD
+><DL
+><DT
+>24.1. <A
+HREF="portability.html#AEN3198"
+>HPUX</A
+></DT
+><DT
+>24.2. <A
+HREF="portability.html#AEN3204"
+>SCO Unix</A
+></DT
+><DT
+>24.3. <A
+HREF="portability.html#AEN3208"
+>DNIX</A
+></DT
+><DT
+>24.4. <A
+HREF="portability.html#AEN3237"
+>RedHat Linux Rembrandt-II</A
+></DT
+></DL
+></DD
+><DT
+>25. <A
+HREF="other-clients.html"
+>Samba and other CIFS clients</A
+></DT
+><DD
+><DL
+><DT
+>25.1. <A
+HREF="other-clients.html#AEN3258"
+>Macintosh clients?</A
+></DT
+><DT
+>25.2. <A
+HREF="other-clients.html#AEN3267"
+>OS2 Client</A
+></DT
+><DD
+><DL
+><DT
+>25.2.1. <A
+HREF="other-clients.html#AEN3269"
+>How can I configure OS/2 Warp Connect or
+ OS/2 Warp 4 as a client for Samba?</A
+></DT
+><DT
+>25.2.2. <A
+HREF="other-clients.html#AEN3284"
+>How can I configure OS/2 Warp 3 (not Connect),
+ OS/2 1.2, 1.3 or 2.x for Samba?</A
+></DT
+><DT
+>25.2.3. <A
+HREF="other-clients.html#AEN3293"
+>Are there any other issues when OS/2 (any version)
+ is used as a client?</A
+></DT
+><DT
+>25.2.4. <A
+HREF="other-clients.html#AEN3297"
+>How do I get printer driver download working
+ for OS/2 clients?</A
+></DT
+></DL
+></DD
+><DT
+>25.3. <A
+HREF="other-clients.html#AEN3307"
+>Windows for Workgroups</A
+></DT
+><DD
+><DL
+><DT
+>25.3.1. <A
+HREF="other-clients.html#AEN3309"
+>Use latest TCP/IP stack from Microsoft</A
+></DT
+><DT
+>25.3.2. <A
+HREF="other-clients.html#AEN3314"
+>Delete .pwl files after password change</A
+></DT
+><DT
+>25.3.3. <A
+HREF="other-clients.html#AEN3319"
+>Configure WfW password handling</A
+></DT
+><DT
+>25.3.4. <A
+HREF="other-clients.html#AEN3323"
+>Case handling of passwords</A
+></DT
+></DL
+></DD
+><DT
+>25.4. <A
+HREF="other-clients.html#AEN3328"
+>Windows '95/'98</A
+></DT
+><DT
+>25.5. <A
+HREF="other-clients.html#AEN3344"
+>Windows 2000 Service Pack 2</A
+></DT
+></DL
+></DD
+><DT
+>26. <A
+HREF="bugreport.html"
+>Reporting Bugs</A
+></DT
+><DD
+><DL
+><DT
+>26.1. <A
+HREF="bugreport.html#AEN3368"
+>Introduction</A
+></DT
+><DT
+>26.2. <A
+HREF="bugreport.html#AEN3378"
+>General info</A
+></DT
+><DT
+>26.3. <A
+HREF="bugreport.html#AEN3384"
+>Debug levels</A
+></DT
+><DT
+>26.4. <A
+HREF="bugreport.html#AEN3401"
+>Internal errors</A
+></DT
+><DT
+>26.5. <A
+HREF="bugreport.html#AEN3411"
+>Attaching to a running process</A
+></DT
+><DT
+>26.6. <A
+HREF="bugreport.html#AEN3414"
+>Patches</A
+></DT
+></DL
+></DD
+><DT
+>27. <A
+HREF="diagnosis.html"
+>Diagnosing your samba server</A
+></DT
+><DD
+><DL
+><DT
+>27.1. <A
+HREF="diagnosis.html#AEN3437"
+>Introduction</A
+></DT
+><DT
+>27.2. <A
+HREF="diagnosis.html#AEN3442"
+>Assumptions</A
+></DT
+><DT
+>27.3. <A
+HREF="diagnosis.html#AEN3452"
+>Tests</A
+></DT
+><DD
+><DL
+><DT
+>27.3.1. <A
+HREF="diagnosis.html#AEN3454"
+>Test 1</A
+></DT
+><DT
+>27.3.2. <A
+HREF="diagnosis.html#AEN3460"
+>Test 2</A
+></DT
+><DT
+>27.3.3. <A
+HREF="diagnosis.html#AEN3466"
+>Test 3</A
+></DT
+><DT
+>27.3.4. <A
+HREF="diagnosis.html#AEN3481"
+>Test 4</A
+></DT
+><DT
+>27.3.5. <A
+HREF="diagnosis.html#AEN3486"
+>Test 5</A
+></DT
+><DT
+>27.3.6. <A
+HREF="diagnosis.html#AEN3492"
+>Test 6</A
+></DT
+><DT
+>27.3.7. <A
+HREF="diagnosis.html#AEN3500"
+>Test 7</A
+></DT
+><DT
+>27.3.8. <A
+HREF="diagnosis.html#AEN3526"
+>Test 8</A
+></DT
+><DT
+>27.3.9. <A
+HREF="diagnosis.html#AEN3543"
+>Test 9</A
+></DT
+><DT
+>27.3.10. <A
+HREF="diagnosis.html#AEN3551"
+>Test 10</A
+></DT
+><DT
+>27.3.11. <A
+HREF="diagnosis.html#AEN3557"
+>Test 11</A
+></DT
+></DL
+></DD
+><DT
+>27.4. <A
+HREF="diagnosis.html#AEN3562"
+>Still having troubles?</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="speed.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="portability.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Samba performance issues</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Portability</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>General installation</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="PREVIOUS"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="NEXT"
+TITLE="How to Install and Test SAMBA"
+HREF="install.html"></HEAD
+><BODY
+CLASS="PART"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="install.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="PART"
+><A
+NAME="INTRODUCTION"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+>I. General installation</H1
+><DIV
+CLASS="PARTINTRO"
+><A
+NAME="AEN21"
+></A
+><H1
+>Introduction</H1
+><P
+>This part contains general info on how to install samba
+and how to configure the parts of samba you will most likely need.
+PLEASE read this.</P
+></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1. <A
+HREF="install.html"
+>How to Install and Test SAMBA</A
+></DT
+><DD
+><DL
+><DT
+>1.1. <A
+HREF="install.html#AEN26"
+>Read the man pages</A
+></DT
+><DT
+>1.2. <A
+HREF="install.html#AEN36"
+>Building the Binaries</A
+></DT
+><DT
+>1.3. <A
+HREF="install.html#AEN64"
+>The all important step</A
+></DT
+><DT
+>1.4. <A
+HREF="install.html#AEN68"
+>Create the smb configuration file.</A
+></DT
+><DT
+>1.5. <A
+HREF="install.html#AEN82"
+>Test your config file with
+ <B
+CLASS="COMMAND"
+>testparm</B
+></A
+></DT
+><DT
+>1.6. <A
+HREF="install.html#AEN90"
+>Starting the smbd and nmbd</A
+></DT
+><DD
+><DL
+><DT
+>1.6.1. <A
+HREF="install.html#AEN100"
+>Starting from inetd.conf</A
+></DT
+><DT
+>1.6.2. <A
+HREF="install.html#AEN129"
+>Alternative: starting it as a daemon</A
+></DT
+></DL
+></DD
+><DT
+>1.7. <A
+HREF="install.html#AEN145"
+>Try listing the shares available on your
+ server</A
+></DT
+><DT
+>1.8. <A
+HREF="install.html#AEN154"
+>Try connecting with the unix client</A
+></DT
+><DT
+>1.9. <A
+HREF="install.html#AEN170"
+>Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</A
+></DT
+><DT
+>1.10. <A
+HREF="install.html#AEN184"
+>What If Things Don't Work?</A
+></DT
+><DD
+><DL
+><DT
+>1.10.1. <A
+HREF="install.html#AEN189"
+>Diagnosing Problems</A
+></DT
+><DT
+>1.10.2. <A
+HREF="install.html#AEN193"
+>Scope IDs</A
+></DT
+><DT
+>1.10.3. <A
+HREF="install.html#AEN196"
+>Choosing the Protocol Level</A
+></DT
+><DT
+>1.10.4. <A
+HREF="install.html#AEN205"
+>Printing from UNIX to a Client PC</A
+></DT
+><DT
+>1.10.5. <A
+HREF="install.html#AEN210"
+>Locking</A
+></DT
+><DT
+>1.10.6. <A
+HREF="install.html#AEN219"
+>Mapping Usernames</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>2. <A
+HREF="improved-browsing.html"
+>Improved browsing in samba</A
+></DT
+><DD
+><DL
+><DT
+>2.1. <A
+HREF="improved-browsing.html#AEN229"
+>Overview of browsing</A
+></DT
+><DT
+>2.2. <A
+HREF="improved-browsing.html#AEN233"
+>Browsing support in samba</A
+></DT
+><DT
+>2.3. <A
+HREF="improved-browsing.html#AEN242"
+>Problem resolution</A
+></DT
+><DT
+>2.4. <A
+HREF="improved-browsing.html#AEN249"
+>Browsing across subnets</A
+></DT
+><DD
+><DL
+><DT
+>2.4.1. <A
+HREF="improved-browsing.html#AEN254"
+>How does cross subnet browsing work ?</A
+></DT
+></DL
+></DD
+><DT
+>2.5. <A
+HREF="improved-browsing.html#AEN289"
+>Setting up a WINS server</A
+></DT
+><DT
+>2.6. <A
+HREF="improved-browsing.html#AEN308"
+>Setting up Browsing in a WORKGROUP</A
+></DT
+><DT
+>2.7. <A
+HREF="improved-browsing.html#AEN326"
+>Setting up Browsing in a DOMAIN</A
+></DT
+><DT
+>2.8. <A
+HREF="improved-browsing.html#AEN336"
+>Forcing samba to be the master</A
+></DT
+><DT
+>2.9. <A
+HREF="improved-browsing.html#AEN345"
+>Making samba the domain master</A
+></DT
+><DT
+>2.10. <A
+HREF="improved-browsing.html#AEN363"
+>Note about broadcast addresses</A
+></DT
+><DT
+>2.11. <A
+HREF="improved-browsing.html#AEN366"
+>Multiple interfaces</A
+></DT
+></DL
+></DD
+><DT
+>3. <A
+HREF="oplocks.html"
+>Oplocks</A
+></DT
+><DD
+><DL
+><DT
+>3.1. <A
+HREF="oplocks.html#AEN378"
+>What are oplocks?</A
+></DT
+></DL
+></DD
+><DT
+>4. <A
+HREF="browsing-quick.html"
+>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A
+></DT
+><DD
+><DL
+><DT
+>4.1. <A
+HREF="browsing-quick.html#AEN393"
+>Discussion</A
+></DT
+><DT
+>4.2. <A
+HREF="browsing-quick.html#AEN401"
+>Use of the "Remote Announce" parameter</A
+></DT
+><DT
+>4.3. <A
+HREF="browsing-quick.html#AEN415"
+>Use of the "Remote Browse Sync" parameter</A
+></DT
+><DT
+>4.4. <A
+HREF="browsing-quick.html#AEN420"
+>Use of WINS</A
+></DT
+><DT
+>4.5. <A
+HREF="browsing-quick.html#AEN431"
+>Do NOT use more than one (1) protocol on MS Windows machines</A
+></DT
+><DT
+>4.6. <A
+HREF="browsing-quick.html#AEN437"
+>Name Resolution Order</A
+></DT
+></DL
+></DD
+><DT
+>5. <A
+HREF="pwencrypt.html"
+>LanMan and NT Password Encryption in Samba</A
+></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="pwencrypt.html#AEN473"
+>Introduction</A
+></DT
+><DT
+>5.2. <A
+HREF="pwencrypt.html#AEN478"
+>Important Notes About Security</A
+></DT
+><DD
+><DL
+><DT
+>5.2.1. <A
+HREF="pwencrypt.html#AEN497"
+>Advantages of SMB Encryption</A
+></DT
+><DT
+>5.2.2. <A
+HREF="pwencrypt.html#AEN504"
+>Advantages of non-encrypted passwords</A
+></DT
+></DL
+></DD
+><DT
+>5.3. <A
+HREF="pwencrypt.html#AEN513"
+>The smbpasswd Command</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="install.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>SAMBA Project Documentation</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>How to Install and Test SAMBA</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Oplocks</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="General installation"
+HREF="introduction.html"><LINK
+REL="PREVIOUS"
+TITLE="Improved browsing in samba"
+HREF="improved-browsing.html"><LINK
+REL="NEXT"
+TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
+HREF="browsing-quick.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="improved-browsing.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="browsing-quick.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="OPLOCKS"
+></A
+>Chapter 3. Oplocks</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN378"
+></A
+>3.1. What are oplocks?</H1
+><P
+>When a client opens a file it can request an "oplock" or file
+lease. This is (to simplify a bit) a guarentee that no one else
+has the file open simultaneously. It allows the client to not
+send any updates on the file to the server, thus reducing a
+network file access to local access (once the file is in
+client cache). An "oplock break" is when the server sends
+a request to the client to flush all its changes back to
+the server, so the file is in a consistent state for other
+opens to succeed. If a client fails to respond to this
+asynchronous request then the file can be corrupted. Hence
+the "turn off oplocks" answer if people are having multi-user
+file access problems.</P
+><P
+>Unless the kernel is "oplock aware" (SGI IRIX and Linux are
+the only two UNIXes that are at the moment) then if a local
+UNIX process accesses the file simultaneously then Samba
+has no way of telling this is occuring, so the guarentee
+to the client is broken. This can corrupt the file. Short
+answer - it you have UNIX clients accessing the same file
+as smbd locally or via NFS and you're not running Linux or
+IRIX then turn off oplocks for that file or share.</P
+><P
+>"Share modes". These are modes of opening a file, that
+guarentee an invarient - such as DENY_WRITE - which means
+that if any other opens are requested with write access after
+this current open has succeeded then they should be denied
+with a "sharing violation" error message. Samba handles these
+internally inside smbd. UNIX clients accessing the same file
+ignore these invarients. Just proving that if you need simultaneous
+file access from a Windows and UNIX client you *must* have an
+application that is written to lock records correctly on both
+sides. Few applications are written like this, and even fewer
+are cross platform (UNIX and Windows) so in practice this isn't
+much of a problem.</P
+><P
+>"Locking". This really means "byte range locking" - such as
+lock 10 bytes at file offset 24 for write access. This is the
+area in which well written UNIX and Windows apps will cooperate.
+Windows locks (at least from NT or above) are 64-bit unsigned
+offsets. UNIX locks are either 31 bit or 63 bit and are signed
+(the top bit is used for the sign). Samba handles these by
+first ensuring that all the Windows locks don't conflict (ie.
+if other Windows clients have competing locks then just reject
+immediately) - this allows us to support 64-bit Windows locks
+on 32-bit filesystems. Secondly any locks that are valid are
+then mapped onto UNIX fcntl byte range locks. These are the
+locks that will be seen by UNIX processes. If there is a conflict
+here the lock is rejected.</P
+><P
+>Note that if a client has an oplock then it "knows" that no
+other client can have the file open so usually doesn't bother
+to send to lock request to the server - this means once again
+if you need to share files between UNIX and Windows processes
+either use IRIX or Linux, or turn off oplocks for these
+files/shares.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="improved-browsing.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="browsing-quick.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Improved browsing in samba</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="introduction.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Optional configuration</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="PREVIOUS"
+TITLE="Samba as a NT4 domain member"
+HREF="domain-security.html"><LINK
+REL="NEXT"
+TITLE="Integrating MS Windows networks with Samba"
+HREF="integrate-ms-networks.html"></HEAD
+><BODY
+CLASS="PART"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="domain-security.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="integrate-ms-networks.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="PART"
+><A
+NAME="OPTIONAL"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+>III. Optional configuration</H1
+><DIV
+CLASS="PARTINTRO"
+><A
+NAME="AEN1373"
+></A
+><H1
+>Introduction</H1
+><P
+>Samba has several features that you might want or might not want to use. The chapters in this
+part each cover one specific feature.</P
+></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>11. <A
+HREF="integrate-ms-networks.html"
+>Integrating MS Windows networks with Samba</A
+></DT
+><DD
+><DL
+><DT
+>11.1. <A
+HREF="integrate-ms-networks.html#AEN1387"
+>Agenda</A
+></DT
+><DT
+>11.2. <A
+HREF="integrate-ms-networks.html#AEN1409"
+>Name Resolution in a pure Unix/Linux world</A
+></DT
+><DD
+><DL
+><DT
+>11.2.1. <A
+HREF="integrate-ms-networks.html#AEN1425"
+><TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+></A
+></DT
+><DT
+>11.2.2. <A
+HREF="integrate-ms-networks.html#AEN1441"
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></A
+></DT
+><DT
+>11.2.3. <A
+HREF="integrate-ms-networks.html#AEN1452"
+><TT
+CLASS="FILENAME"
+>/etc/host.conf</TT
+></A
+></DT
+><DT
+>11.2.4. <A
+HREF="integrate-ms-networks.html#AEN1460"
+><TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+></A
+></DT
+></DL
+></DD
+><DT
+>11.3. <A
+HREF="integrate-ms-networks.html#AEN1472"
+>Name resolution as used within MS Windows networking</A
+></DT
+><DD
+><DL
+><DT
+>11.3.1. <A
+HREF="integrate-ms-networks.html#AEN1484"
+>The NetBIOS Name Cache</A
+></DT
+><DT
+>11.3.2. <A
+HREF="integrate-ms-networks.html#AEN1489"
+>The LMHOSTS file</A
+></DT
+><DT
+>11.3.3. <A
+HREF="integrate-ms-networks.html#AEN1497"
+>HOSTS file</A
+></DT
+><DT
+>11.3.4. <A
+HREF="integrate-ms-networks.html#AEN1502"
+>DNS Lookup</A
+></DT
+><DT
+>11.3.5. <A
+HREF="integrate-ms-networks.html#AEN1505"
+>WINS Lookup</A
+></DT
+></DL
+></DD
+><DT
+>11.4. <A
+HREF="integrate-ms-networks.html#AEN1517"
+>How browsing functions and how to deploy stable and
+dependable browsing using Samba</A
+></DT
+><DT
+>11.5. <A
+HREF="integrate-ms-networks.html#AEN1527"
+>MS Windows security options and how to configure
+Samba for seemless integration</A
+></DT
+><DD
+><DL
+><DT
+>11.5.1. <A
+HREF="integrate-ms-networks.html#AEN1555"
+>Use MS Windows NT as an authentication server</A
+></DT
+><DT
+>11.5.2. <A
+HREF="integrate-ms-networks.html#AEN1563"
+>Make Samba a member of an MS Windows NT security domain</A
+></DT
+><DT
+>11.5.3. <A
+HREF="integrate-ms-networks.html#AEN1580"
+>Configure Samba as an authentication server</A
+></DT
+></DL
+></DD
+><DT
+>11.6. <A
+HREF="integrate-ms-networks.html#AEN1597"
+>Conclusions</A
+></DT
+></DL
+></DD
+><DT
+>12. <A
+HREF="unix-permissions.html"
+>UNIX Permission Bits and Windows NT Access Control Lists</A
+></DT
+><DD
+><DL
+><DT
+>12.1. <A
+HREF="unix-permissions.html#AEN1618"
+>Viewing and changing UNIX permissions using the NT
+ security dialogs</A
+></DT
+><DT
+>12.2. <A
+HREF="unix-permissions.html#AEN1627"
+>How to view file security on a Samba share</A
+></DT
+><DT
+>12.3. <A
+HREF="unix-permissions.html#AEN1638"
+>Viewing file ownership</A
+></DT
+><DT
+>12.4. <A
+HREF="unix-permissions.html#AEN1658"
+>Viewing file or directory permissions</A
+></DT
+><DD
+><DL
+><DT
+>12.4.1. <A
+HREF="unix-permissions.html#AEN1673"
+>File Permissions</A
+></DT
+><DT
+>12.4.2. <A
+HREF="unix-permissions.html#AEN1687"
+>Directory Permissions</A
+></DT
+></DL
+></DD
+><DT
+>12.5. <A
+HREF="unix-permissions.html#AEN1694"
+>Modifying file or directory permissions</A
+></DT
+><DT
+>12.6. <A
+HREF="unix-permissions.html#AEN1716"
+>Interaction with the standard Samba create mask
+ parameters</A
+></DT
+><DT
+>12.7. <A
+HREF="unix-permissions.html#AEN1780"
+>Interaction with the standard Samba file attribute
+ mapping</A
+></DT
+></DL
+></DD
+><DT
+>13. <A
+HREF="pam.html"
+>Configuring PAM for distributed but centrally
+managed authentication</A
+></DT
+><DD
+><DL
+><DT
+>13.1. <A
+HREF="pam.html#AEN1801"
+>Samba and PAM</A
+></DT
+><DT
+>13.2. <A
+HREF="pam.html#AEN1845"
+>Distributed Authentication</A
+></DT
+><DT
+>13.3. <A
+HREF="pam.html#AEN1852"
+>PAM Configuration in smb.conf</A
+></DT
+></DL
+></DD
+><DT
+>14. <A
+HREF="msdfs.html"
+>Hosting a Microsoft Distributed File System tree on Samba</A
+></DT
+><DD
+><DL
+><DT
+>14.1. <A
+HREF="msdfs.html#AEN1872"
+>Instructions</A
+></DT
+><DD
+><DL
+><DT
+>14.1.1. <A
+HREF="msdfs.html#AEN1907"
+>Notes</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>15. <A
+HREF="printing.html"
+>Printing Support</A
+></DT
+><DD
+><DL
+><DT
+>15.1. <A
+HREF="printing.html#AEN1933"
+>Introduction</A
+></DT
+><DT
+>15.2. <A
+HREF="printing.html#AEN1955"
+>Configuration</A
+></DT
+><DD
+><DL
+><DT
+>15.2.1. <A
+HREF="printing.html#AEN1963"
+>Creating [print$]</A
+></DT
+><DT
+>15.2.2. <A
+HREF="printing.html#AEN1998"
+>Setting Drivers for Existing Printers</A
+></DT
+><DT
+>15.2.3. <A
+HREF="printing.html#AEN2014"
+>Support a large number of printers</A
+></DT
+><DT
+>15.2.4. <A
+HREF="printing.html#AEN2025"
+>Adding New Printers via the Windows NT APW</A
+></DT
+><DT
+>15.2.5. <A
+HREF="printing.html#AEN2055"
+>Samba and Printer Ports</A
+></DT
+></DL
+></DD
+><DT
+>15.3. <A
+HREF="printing.html#AEN2063"
+>The Imprints Toolset</A
+></DT
+><DD
+><DL
+><DT
+>15.3.1. <A
+HREF="printing.html#AEN2067"
+>What is Imprints?</A
+></DT
+><DT
+>15.3.2. <A
+HREF="printing.html#AEN2077"
+>Creating Printer Driver Packages</A
+></DT
+><DT
+>15.3.3. <A
+HREF="printing.html#AEN2080"
+>The Imprints server</A
+></DT
+><DT
+>15.3.4. <A
+HREF="printing.html#AEN2084"
+>The Installation Client</A
+></DT
+></DL
+></DD
+><DT
+>15.4. <A
+HREF="printing.html#AEN2106"
+>Diagnosis</A
+></DT
+><DD
+><DL
+><DT
+>15.4.1. <A
+HREF="printing.html#AEN2108"
+>Introduction</A
+></DT
+><DT
+>15.4.2. <A
+HREF="printing.html#AEN2124"
+>Debugging printer problems</A
+></DT
+><DT
+>15.4.3. <A
+HREF="printing.html#AEN2133"
+>What printers do I have?</A
+></DT
+><DT
+>15.4.4. <A
+HREF="printing.html#AEN2141"
+>Setting up printcap and print servers</A
+></DT
+><DT
+>15.4.5. <A
+HREF="printing.html#AEN2169"
+>Job sent, no output</A
+></DT
+><DT
+>15.4.6. <A
+HREF="printing.html#AEN2180"
+>Job sent, strange output</A
+></DT
+><DT
+>15.4.7. <A
+HREF="printing.html#AEN2192"
+>Raw PostScript printed</A
+></DT
+><DT
+>15.4.8. <A
+HREF="printing.html#AEN2195"
+>Advanced Printing</A
+></DT
+><DT
+>15.4.9. <A
+HREF="printing.html#AEN2198"
+>Real debugging</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>16. <A
+HREF="winbind.html"
+>Unified Logons between Windows NT and UNIX using Winbind</A
+></DT
+><DD
+><DL
+><DT
+>16.1. <A
+HREF="winbind.html#AEN2238"
+>Abstract</A
+></DT
+><DT
+>16.2. <A
+HREF="winbind.html#AEN2242"
+>Introduction</A
+></DT
+><DT
+>16.3. <A
+HREF="winbind.html#AEN2255"
+>What Winbind Provides</A
+></DT
+><DD
+><DL
+><DT
+>16.3.1. <A
+HREF="winbind.html#AEN2262"
+>Target Uses</A
+></DT
+></DL
+></DD
+><DT
+>16.4. <A
+HREF="winbind.html#AEN2266"
+>How Winbind Works</A
+></DT
+><DD
+><DL
+><DT
+>16.4.1. <A
+HREF="winbind.html#AEN2271"
+>Microsoft Remote Procedure Calls</A
+></DT
+><DT
+>16.4.2. <A
+HREF="winbind.html#AEN2275"
+>Name Service Switch</A
+></DT
+><DT
+>16.4.3. <A
+HREF="winbind.html#AEN2291"
+>Pluggable Authentication Modules</A
+></DT
+><DT
+>16.4.4. <A
+HREF="winbind.html#AEN2299"
+>User and Group ID Allocation</A
+></DT
+><DT
+>16.4.5. <A
+HREF="winbind.html#AEN2303"
+>Result Caching</A
+></DT
+></DL
+></DD
+><DT
+>16.5. <A
+HREF="winbind.html#AEN2306"
+>Installation and Configuration</A
+></DT
+><DD
+><DL
+><DT
+>16.5.1. <A
+HREF="winbind.html#AEN2313"
+>Introduction</A
+></DT
+><DT
+>16.5.2. <A
+HREF="winbind.html#AEN2326"
+>Requirements</A
+></DT
+><DT
+>16.5.3. <A
+HREF="winbind.html#AEN2340"
+>Testing Things Out</A
+></DT
+></DL
+></DD
+><DT
+>16.6. <A
+HREF="winbind.html#AEN2555"
+>Limitations</A
+></DT
+><DT
+>16.7. <A
+HREF="winbind.html#AEN2565"
+>Conclusion</A
+></DT
+></DL
+></DD
+><DT
+>17. <A
+HREF="pdb-mysql.html"
+>Passdb MySQL plugin</A
+></DT
+><DD
+><DL
+><DT
+>17.1. <A
+HREF="pdb-mysql.html#AEN2579"
+>Building</A
+></DT
+><DT
+>17.2. <A
+HREF="pdb-mysql.html#AEN2585"
+>Configuring</A
+></DT
+><DT
+>17.3. <A
+HREF="pdb-mysql.html#AEN2600"
+>Using plaintext passwords or encrypted password</A
+></DT
+><DT
+>17.4. <A
+HREF="pdb-mysql.html#AEN2605"
+>Getting non-column data from the table</A
+></DT
+></DL
+></DD
+><DT
+>18. <A
+HREF="pdb-xml.html"
+>Passdb XML plugin</A
+></DT
+><DD
+><DL
+><DT
+>18.1. <A
+HREF="pdb-xml.html#AEN2624"
+>Building</A
+></DT
+><DT
+>18.2. <A
+HREF="pdb-xml.html#AEN2630"
+>Usage</A
+></DT
+></DL
+></DD
+><DT
+>19. <A
+HREF="vfs.html"
+>Stackable VFS modules</A
+></DT
+><DD
+><DL
+><DT
+>19.1. <A
+HREF="vfs.html#AEN2651"
+>Introduction and configuration</A
+></DT
+><DT
+>19.2. <A
+HREF="vfs.html#AEN2659"
+>Included modules</A
+></DT
+><DD
+><DL
+><DT
+>19.2.1. <A
+HREF="vfs.html#AEN2661"
+>audit</A
+></DT
+><DT
+>19.2.2. <A
+HREF="vfs.html#AEN2669"
+>recycle</A
+></DT
+><DT
+>19.2.3. <A
+HREF="vfs.html#AEN2706"
+>netatalk</A
+></DT
+></DL
+></DD
+><DT
+>19.3. <A
+HREF="vfs.html#AEN2713"
+>VFS modules available elsewhere</A
+></DT
+><DD
+><DL
+><DT
+>19.3.1. <A
+HREF="vfs.html#AEN2717"
+>DatabaseFS</A
+></DT
+><DT
+>19.3.2. <A
+HREF="vfs.html#AEN2725"
+>vscan</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>20. <A
+HREF="samba-ldap-howto.html"
+>Storing Samba's User/Machine Account information in an LDAP Directory</A
+></DT
+><DD
+><DL
+><DT
+>20.1. <A
+HREF="samba-ldap-howto.html#AEN2747"
+>Purpose</A
+></DT
+><DT
+>20.2. <A
+HREF="samba-ldap-howto.html#AEN2767"
+>Introduction</A
+></DT
+><DT
+>20.3. <A
+HREF="samba-ldap-howto.html#AEN2796"
+>Supported LDAP Servers</A
+></DT
+><DT
+>20.4. <A
+HREF="samba-ldap-howto.html#AEN2801"
+>Schema and Relationship to the RFC 2307 posixAccount</A
+></DT
+><DT
+>20.5. <A
+HREF="samba-ldap-howto.html#AEN2813"
+>Configuring Samba with LDAP</A
+></DT
+><DD
+><DL
+><DT
+>20.5.1. <A
+HREF="samba-ldap-howto.html#AEN2815"
+>OpenLDAP configuration</A
+></DT
+><DT
+>20.5.2. <A
+HREF="samba-ldap-howto.html#AEN2832"
+>Configuring Samba</A
+></DT
+></DL
+></DD
+><DT
+>20.6. <A
+HREF="samba-ldap-howto.html#AEN2860"
+>Accounts and Groups management</A
+></DT
+><DT
+>20.7. <A
+HREF="samba-ldap-howto.html#AEN2865"
+>Security and sambaAccount</A
+></DT
+><DT
+>20.8. <A
+HREF="samba-ldap-howto.html#AEN2885"
+>LDAP specials attributes for sambaAccounts</A
+></DT
+><DT
+>20.9. <A
+HREF="samba-ldap-howto.html#AEN2955"
+>Example LDIF Entries for a sambaAccount</A
+></DT
+><DT
+>20.10. <A
+HREF="samba-ldap-howto.html#AEN2963"
+>Comments</A
+></DT
+></DL
+></DD
+><DT
+>21. <A
+HREF="cvs-access.html"
+>HOWTO Access Samba source code via CVS</A
+></DT
+><DD
+><DL
+><DT
+>21.1. <A
+HREF="cvs-access.html#AEN2974"
+>Introduction</A
+></DT
+><DT
+>21.2. <A
+HREF="cvs-access.html#AEN2979"
+>CVS Access to samba.org</A
+></DT
+><DD
+><DL
+><DT
+>21.2.1. <A
+HREF="cvs-access.html#AEN2982"
+>Access via CVSweb</A
+></DT
+><DT
+>21.2.2. <A
+HREF="cvs-access.html#AEN2987"
+>Access via cvs</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>22. <A
+HREF="groupmapping.html"
+>Group mapping HOWTO</A
+></DT
+><DT
+>23. <A
+HREF="speed.html"
+>Samba performance issues</A
+></DT
+><DD
+><DL
+><DT
+>23.1. <A
+HREF="speed.html#AEN3065"
+>Comparisons</A
+></DT
+><DT
+>23.2. <A
+HREF="speed.html#AEN3071"
+>Oplocks</A
+></DT
+><DD
+><DL
+><DT
+>23.2.1. <A
+HREF="speed.html#AEN3073"
+>Overview</A
+></DT
+><DT
+>23.2.2. <A
+HREF="speed.html#AEN3081"
+>Level2 Oplocks</A
+></DT
+><DT
+>23.2.3. <A
+HREF="speed.html#AEN3087"
+>Old 'fake oplocks' option - deprecated</A
+></DT
+></DL
+></DD
+><DT
+>23.3. <A
+HREF="speed.html#AEN3091"
+>Socket options</A
+></DT
+><DT
+>23.4. <A
+HREF="speed.html#AEN3098"
+>Read size</A
+></DT
+><DT
+>23.5. <A
+HREF="speed.html#AEN3103"
+>Max xmit</A
+></DT
+><DT
+>23.6. <A
+HREF="speed.html#AEN3108"
+>Locking</A
+></DT
+><DT
+>23.7. <A
+HREF="speed.html#AEN3112"
+>Share modes</A
+></DT
+><DT
+>23.8. <A
+HREF="speed.html#AEN3117"
+>Log level</A
+></DT
+><DT
+>23.9. <A
+HREF="speed.html#AEN3120"
+>Wide lines</A
+></DT
+><DT
+>23.10. <A
+HREF="speed.html#AEN3123"
+>Read raw</A
+></DT
+><DT
+>23.11. <A
+HREF="speed.html#AEN3128"
+>Write raw</A
+></DT
+><DT
+>23.12. <A
+HREF="speed.html#AEN3132"
+>Read prediction</A
+></DT
+><DT
+>23.13. <A
+HREF="speed.html#AEN3139"
+>Memory mapping</A
+></DT
+><DT
+>23.14. <A
+HREF="speed.html#AEN3144"
+>Slow Clients</A
+></DT
+><DT
+>23.15. <A
+HREF="speed.html#AEN3148"
+>Slow Logins</A
+></DT
+><DT
+>23.16. <A
+HREF="speed.html#AEN3151"
+>Client tuning</A
+></DT
+><DT
+>23.17. <A
+HREF="speed.html#AEN3183"
+>My Results</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="domain-security.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="integrate-ms-networks.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Samba as a NT4 domain member</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Integrating MS Windows networks with Samba</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Passdb MySQL plugin</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Optional configuration"
+HREF="optional.html"><LINK
+REL="PREVIOUS"
+TITLE="Unified Logons between Windows NT and UNIX using Winbind"
+HREF="winbind.html"><LINK
+REL="NEXT"
+TITLE="Passdb XML plugin"
+HREF="pdb-xml.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="winbind.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="pdb-xml.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="PDB-MYSQL"
+></A
+>Chapter 17. Passdb MySQL plugin</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2579"
+></A
+>17.1. Building</H1
+><P
+>To build the plugin, run <B
+CLASS="COMMAND"
+>make bin/pdb_mysql.so</B
+>
+in the <TT
+CLASS="FILENAME"
+>source/</TT
+> directory of samba distribution. </P
+><P
+>Next, copy pdb_mysql.so to any location you want. I
+strongly recommend installing it in $PREFIX/lib or /usr/lib/samba/</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2585"
+></A
+>17.2. Configuring</H1
+><P
+>This plugin lacks some good documentation, but here is some short info:</P
+><P
+>Add a the following to the <B
+CLASS="COMMAND"
+>passdb backend</B
+> variable in your <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>:
+<PRE
+CLASS="PROGRAMLISTING"
+>passdb backend = [other-plugins] plugin:/location/to/pdb_mysql.so:identifier [other-plugins]</PRE
+></P
+><P
+>The identifier can be any string you like, as long as it doesn't collide with
+the identifiers of other plugins or other instances of pdb_mysql. If you
+specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
+use different identifiers!</P
+><P
+>Additional options can be given thru the smb.conf file in the [global] section.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>identifier:mysql host - host name, defaults to 'localhost'
+identifier:mysql password
+identifier:mysql user - defaults to 'samba'
+identifier:mysql database - defaults to 'samba'
+identifier:mysql port - defaults to 3306
+identifier:table - Name of the table containing users</PRE
+></P
+><P
+>Names of the columns in this table(I've added column types those columns should have first):</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>identifier:logon time column - int(9)
+identifier:logoff time column - int(9)
+identifier:kickoff time column - int(9)
+identifier:pass last set time column - int(9)
+identifier:pass can change time column - int(9)
+identifier:pass must change time column - int(9)
+identifier:username column - varchar(255) - unix username
+identifier:domain column - varchar(255) - NT domain user is part of
+identifier:nt username column - varchar(255) - NT username
+identifier:fullname column - varchar(255) - Full name of user
+identifier:home dir column - varchar(255) - Unix homedir path
+identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
+identifier:logon script column - varchar(255) - Batch file to run on client side when logging on
+identifier:profile path column - varchar(255) - Path of profile
+identifier:acct desc column - varchar(255) - Some ASCII NT user data
+identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all)
+identifier:unknown string column - varchar(255) - unknown string
+identifier:munged dial column - varchar(255) - ?
+identifier:uid column - int(9) - Unix user ID (uid)
+identifier:gid column - int(9) - Unix user group (gid)
+identifier:user sid column - varchar(255) - NT user SID
+identifier:group sid column - varchar(255) - NT group ID
+identifier:lanman pass column - varchar(255) - encrypted lanman password
+identifier:nt pass column - varchar(255) - encrypted nt passwd
+identifier:plain pass column - varchar(255) - plaintext password
+identifier:acct control column - int(9) - nt user data
+identifier:unknown 3 column - int(9) - unknown
+identifier:logon divs column - int(9) - ?
+identifier:hours len column - int(9) - ?
+identifier:unknown 5 column - int(9) - unknown
+identifier:unknown 6 column - int(9) - unknown</PRE
+></P
+><P
+>Eventually, you can put a colon (:) after the name of each column, which
+should specify the column to update when updating the table. You can also
+specify nothing behind the colon - then the data from the field will not be
+updated. </P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2600"
+></A
+>17.3. Using plaintext passwords or encrypted password</H1
+><P
+>I strongly discourage the use of plaintext passwords, however, you can use them:</P
+><P
+>If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. </P
+><P
+>If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2605"
+></A
+>17.4. Getting non-column data from the table</H1
+><P
+>It is possible to have not all data in the database and making some 'constant'.</P
+><P
+>For example, you can set 'identifier:fullname column' to :
+<B
+CLASS="COMMAND"
+>CONCAT(First_name,' ',Sur_name)</B
+></P
+><P
+>Or, set 'identifier:workstations column' to :
+<B
+CLASS="COMMAND"
+>NULL</B
+></P
+><P
+>See the MySQL documentation for more language constructs.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="winbind.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="pdb-xml.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Unified Logons between Windows NT and UNIX using Winbind</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="optional.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Passdb XML plugin</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Passdb XML plugin</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Optional configuration"
+HREF="optional.html"><LINK
+REL="PREVIOUS"
+TITLE="Passdb MySQL plugin"
+HREF="pdb-mysql.html"><LINK
+REL="NEXT"
+TITLE="Stackable VFS modules"
+HREF="vfs.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="pdb-mysql.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="vfs.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="PDB-XML"
+></A
+>Chapter 18. Passdb XML plugin</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2624"
+></A
+>18.1. Building</H1
+><P
+>This module requires libxml2 to be installed.</P
+><P
+>To build pdb_xml, run: <B
+CLASS="COMMAND"
+>make bin/pdb_xml.so</B
+> in
+the directory <TT
+CLASS="FILENAME"
+>source/</TT
+>. </P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2630"
+></A
+>18.2. Usage</H1
+><P
+>The usage of pdb_xml is pretty straightforward. To export data, use:
+
+<B
+CLASS="COMMAND"
+>pdbedit -e plugin:/usr/lib/samba/pdb_xml.so:filename</B
+>
+
+(where filename is the name of the file to put the data in)</P
+><P
+>To import data, use:
+<B
+CLASS="COMMAND"
+>pdbedit -i plugin:/usr/lib/samba/pdb_xml.so:filename -e current-pdb</B
+>
+
+Where filename is the name to read the data from and current-pdb to put it in.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="pdb-mysql.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="vfs.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Passdb MySQL plugin</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="optional.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Stackable VFS modules</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>LanMan and NT Password Encryption in Samba</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="General installation"
+HREF="introduction.html"><LINK
+REL="PREVIOUS"
+TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
+HREF="browsing-quick.html"><LINK
+REL="NEXT"
+TITLE="Type of installation"
+HREF="type.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="browsing-quick.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="type.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="PWENCRYPT"
+></A
+>Chapter 5. LanMan and NT Password Encryption in Samba</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN473"
+></A
+>5.1. Introduction</H1
+><P
+>Newer windows clients send encrypted passwords over
+ the wire, instead of plain text passwords. The newest clients
+ will only send encrypted passwords and refuse to send plain text
+ passwords, unless their registry is tweaked.</P
+><P
+>These passwords can't be converted to unix style encrypted
+ passwords. Because of that you can't use the standard unix
+ user database, and you have to store the Lanman and NT hashes
+ somewhere else. For more information, see the documentation
+ about the <B
+CLASS="COMMAND"
+>passdb backend = </B
+> parameter.
+ </P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN478"
+></A
+>5.2. Important Notes About Security</H1
+><P
+>The unix and SMB password encryption techniques seem similar
+ on the surface. This similarity is, however, only skin deep. The unix
+ scheme typically sends clear text passwords over the network when
+ logging in. This is bad. The SMB encryption scheme never sends the
+ cleartext password over the network but it does store the 16 byte
+ hashed values on disk. This is also bad. Why? Because the 16 byte hashed
+ values are a "password equivalent". You cannot derive the user's
+ password from them, but they could potentially be used in a modified
+ client to gain access to a server. This would require considerable
+ technical knowledge on behalf of the attacker but is perfectly possible.
+ You should thus treat the smbpasswd file as though it contained the
+ cleartext passwords of all your users. Its contents must be kept
+ secret, and the file should be protected accordingly.</P
+><P
+>Ideally we would like a password scheme which neither requires
+ plain text passwords on the net or on disk. Unfortunately this
+ is not available as Samba is stuck with being compatible with
+ other SMB systems (WinNT, WfWg, Win95 etc). </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Note that Windows NT 4.0 Service pack 3 changed the
+ default for permissible authentication so that plaintext
+ passwords are <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>never</I
+></SPAN
+> sent over the wire.
+ The solution to this is either to switch to encrypted passwords
+ with Samba or edit the Windows NT registry to re-enable plaintext
+ passwords. See the document WinNT.txt for details on how to do
+ this.</P
+><P
+>Other Microsoft operating systems which also exhibit
+ this behavior includes</P
+><P
+></P
+><UL
+><LI
+><P
+>MS DOS Network client 3.0 with
+ the basic network redirector installed</P
+></LI
+><LI
+><P
+>Windows 95 with the network redirector
+ update installed</P
+></LI
+><LI
+><P
+>Windows 98 [se]</P
+></LI
+><LI
+><P
+>Windows 2000</P
+></LI
+></UL
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Note :</I
+></SPAN
+>All current release of
+ Microsoft SMB/CIFS clients support authentication via the
+ SMB Challenge/Response mechanism described here. Enabling
+ clear text authentication does not disable the ability
+ of the client to participate in encrypted authentication.</P
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN497"
+></A
+>5.2.1. Advantages of SMB Encryption</H2
+><P
+></P
+><UL
+><LI
+><P
+>plain text passwords are not passed across
+ the network. Someone using a network sniffer cannot just
+ record passwords going to the SMB server.</P
+></LI
+><LI
+><P
+>WinNT doesn't like talking to a server
+ that isn't using SMB encrypted passwords. It will refuse
+ to browse the server if the server is also in user level
+ security mode. It will insist on prompting the user for the
+ password on each connection, which is very annoying. The
+ only things you can do to stop this is to use SMB encryption.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN504"
+></A
+>5.2.2. Advantages of non-encrypted passwords</H2
+><P
+></P
+><UL
+><LI
+><P
+>plain text passwords are not kept
+ on disk. </P
+></LI
+><LI
+><P
+>uses same password file as other unix
+ services such as login and ftp</P
+></LI
+><LI
+><P
+>you are probably already using other
+ services (such as telnet and ftp) which send plain text
+ passwords over the net, so sending them for SMB isn't
+ such a big deal.</P
+></LI
+></UL
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN513"
+></A
+>5.3. The smbpasswd Command</H1
+><P
+>The smbpasswd command maintains the two 32 byte password fields
+ in the smbpasswd file. If you wish to make it similar to the unix
+ <B
+CLASS="COMMAND"
+>passwd</B
+> or <B
+CLASS="COMMAND"
+>yppasswd</B
+> programs,
+ install it in <TT
+CLASS="FILENAME"
+>/usr/local/samba/bin/</TT
+> (or your
+ main Samba binary directory).</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> now works in a client-server mode
+ where it contacts the local smbd to change the user's password on its
+ behalf. This has enormous benefits - as follows.</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> now has the capability
+ to change passwords on Windows NT servers (this only works when
+ the request is sent to the NT Primary Domain Controller if you
+ are changing an NT Domain user's password).</P
+><P
+>To run smbpasswd as a normal user just type :</P
+><P
+><TT
+CLASS="PROMPT"
+>$ </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd</B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>Old SMB password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+><type old value here -
+ or hit return if there was no old password></B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>New SMB Password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+><type new value>
+ </B
+></TT
+></P
+><P
+><TT
+CLASS="PROMPT"
+>Repeat New SMB Password: </TT
+><TT
+CLASS="USERINPUT"
+><B
+><re-type new value
+ </B
+></TT
+></P
+><P
+>If the old value does not match the current value stored for
+ that user, or the two new values do not match each other, then the
+ password will not be changed.</P
+><P
+>If invoked by an ordinary user it will only allow the user
+ to change his or her own Samba password.</P
+><P
+>If run by the root user smbpasswd may take an optional
+ argument, specifying the user name whose SMB password you wish to
+ change. Note that when run as root smbpasswd does not prompt for
+ or check the old password value, thus allowing root to set passwords
+ for users who have forgotten their passwords.</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> is designed to work in the same way
+ and be familiar to UNIX users who use the <B
+CLASS="COMMAND"
+>passwd</B
+> or
+ <B
+CLASS="COMMAND"
+>yppasswd</B
+> commands.</P
+><P
+>For more details on using <B
+CLASS="COMMAND"
+>smbpasswd</B
+> refer
+ to the man page which will always be the definitive reference.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="browsing-quick.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="type.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="introduction.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Type of installation</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>SAMBA Project Documentation</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="NEXT"
+TITLE="General installation"
+HREF="introduction.html"></HEAD
+><BODY
+CLASS="BOOK"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><A
+NAME="SAMBA-HOWTO-COLLECTION"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+><A
+NAME="SAMBA-HOWTO-COLLECTION"
+></A
+>SAMBA Project Documentation</H1
+><H3
+CLASS="AUTHOR"
+><A
+NAME="AEN4"
+></A
+>SAMBA Team</H3
+><HR></DIV
+><H1
+><A
+NAME="AEN8"
+></A
+>Abstract</H1
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Last Update</I
+></SPAN
+> : $Date: 2002/11/13 15:34:49 $</P
+><P
+>This book is a collection of HOWTOs added to Samba documentation over the years.
+I try to ensure that all are current, but sometimes the is a larger job
+than one person can maintain. The most recent version of this document
+can be found at <A
+HREF="http://www.samba.org/"
+TARGET="_top"
+>http://www.samba.org/</A
+>
+on the "Documentation" page. Please send updates to <A
+HREF="mailto:jerry@samba.org"
+TARGET="_top"
+>jerry@samba.org</A
+> or
+<A
+HREF="mailto:jelmer@samba.org"
+TARGET="_top"
+>jelmer@samba.org</A
+>.</P
+><P
+>This documentation is distributed under the GNU General Public License (GPL)
+version 2. A copy of the license is included with the Samba source
+distribution. A copy can be found on-line at <A
+HREF="http://www.fsf.org/licenses/gpl.txt"
+TARGET="_top"
+>http://www.fsf.org/licenses/gpl.txt</A
+></P
+><P
+>Cheers, jerry</P
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>I. <A
+HREF="introduction.html"
+>General installation</A
+></DT
+><DD
+><DL
+><DT
+>1. <A
+HREF="install.html"
+>How to Install and Test SAMBA</A
+></DT
+><DD
+><DL
+><DT
+>1.1. <A
+HREF="install.html#AEN26"
+>Read the man pages</A
+></DT
+><DT
+>1.2. <A
+HREF="install.html#AEN36"
+>Building the Binaries</A
+></DT
+><DT
+>1.3. <A
+HREF="install.html#AEN64"
+>The all important step</A
+></DT
+><DT
+>1.4. <A
+HREF="install.html#AEN68"
+>Create the smb configuration file.</A
+></DT
+><DT
+>1.5. <A
+HREF="install.html#AEN82"
+>Test your config file with
+ <B
+CLASS="COMMAND"
+>testparm</B
+></A
+></DT
+><DT
+>1.6. <A
+HREF="install.html#AEN90"
+>Starting the smbd and nmbd</A
+></DT
+><DT
+>1.7. <A
+HREF="install.html#AEN145"
+>Try listing the shares available on your
+ server</A
+></DT
+><DT
+>1.8. <A
+HREF="install.html#AEN154"
+>Try connecting with the unix client</A
+></DT
+><DT
+>1.9. <A
+HREF="install.html#AEN170"
+>Try connecting from a DOS, WfWg, Win9x, WinNT,
+ Win2k, OS/2, etc... client</A
+></DT
+><DT
+>1.10. <A
+HREF="install.html#AEN184"
+>What If Things Don't Work?</A
+></DT
+></DL
+></DD
+><DT
+>2. <A
+HREF="improved-browsing.html"
+>Improved browsing in samba</A
+></DT
+><DD
+><DL
+><DT
+>2.1. <A
+HREF="improved-browsing.html#AEN229"
+>Overview of browsing</A
+></DT
+><DT
+>2.2. <A
+HREF="improved-browsing.html#AEN233"
+>Browsing support in samba</A
+></DT
+><DT
+>2.3. <A
+HREF="improved-browsing.html#AEN242"
+>Problem resolution</A
+></DT
+><DT
+>2.4. <A
+HREF="improved-browsing.html#AEN249"
+>Browsing across subnets</A
+></DT
+><DT
+>2.5. <A
+HREF="improved-browsing.html#AEN289"
+>Setting up a WINS server</A
+></DT
+><DT
+>2.6. <A
+HREF="improved-browsing.html#AEN308"
+>Setting up Browsing in a WORKGROUP</A
+></DT
+><DT
+>2.7. <A
+HREF="improved-browsing.html#AEN326"
+>Setting up Browsing in a DOMAIN</A
+></DT
+><DT
+>2.8. <A
+HREF="improved-browsing.html#AEN336"
+>Forcing samba to be the master</A
+></DT
+><DT
+>2.9. <A
+HREF="improved-browsing.html#AEN345"
+>Making samba the domain master</A
+></DT
+><DT
+>2.10. <A
+HREF="improved-browsing.html#AEN363"
+>Note about broadcast addresses</A
+></DT
+><DT
+>2.11. <A
+HREF="improved-browsing.html#AEN366"
+>Multiple interfaces</A
+></DT
+></DL
+></DD
+><DT
+>3. <A
+HREF="oplocks.html"
+>Oplocks</A
+></DT
+><DD
+><DL
+><DT
+>3.1. <A
+HREF="oplocks.html#AEN378"
+>What are oplocks?</A
+></DT
+></DL
+></DD
+><DT
+>4. <A
+HREF="browsing-quick.html"
+>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</A
+></DT
+><DD
+><DL
+><DT
+>4.1. <A
+HREF="browsing-quick.html#AEN393"
+>Discussion</A
+></DT
+><DT
+>4.2. <A
+HREF="browsing-quick.html#AEN401"
+>Use of the "Remote Announce" parameter</A
+></DT
+><DT
+>4.3. <A
+HREF="browsing-quick.html#AEN415"
+>Use of the "Remote Browse Sync" parameter</A
+></DT
+><DT
+>4.4. <A
+HREF="browsing-quick.html#AEN420"
+>Use of WINS</A
+></DT
+><DT
+>4.5. <A
+HREF="browsing-quick.html#AEN431"
+>Do NOT use more than one (1) protocol on MS Windows machines</A
+></DT
+><DT
+>4.6. <A
+HREF="browsing-quick.html#AEN437"
+>Name Resolution Order</A
+></DT
+></DL
+></DD
+><DT
+>5. <A
+HREF="pwencrypt.html"
+>LanMan and NT Password Encryption in Samba</A
+></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="pwencrypt.html#AEN473"
+>Introduction</A
+></DT
+><DT
+>5.2. <A
+HREF="pwencrypt.html#AEN478"
+>Important Notes About Security</A
+></DT
+><DT
+>5.3. <A
+HREF="pwencrypt.html#AEN513"
+>The smbpasswd Command</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>II. <A
+HREF="type.html"
+>Type of installation</A
+></DT
+><DD
+><DL
+><DT
+>6. <A
+HREF="securitylevels.html"
+>User and Share security level (for servers not in a domain)</A
+></DT
+><DT
+>7. <A
+HREF="samba-pdc.html"
+>How to Configure Samba as a NT4 Primary Domain Controller</A
+></DT
+><DD
+><DL
+><DT
+>7.1. <A
+HREF="samba-pdc.html#AEN591"
+>Prerequisite Reading</A
+></DT
+><DT
+>7.2. <A
+HREF="samba-pdc.html#AEN597"
+>Background</A
+></DT
+><DT
+>7.3. <A
+HREF="samba-pdc.html#AEN636"
+>Configuring the Samba Domain Controller</A
+></DT
+><DT
+>7.4. <A
+HREF="samba-pdc.html#AEN679"
+>Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
+></DT
+><DT
+>7.5. <A
+HREF="samba-pdc.html#AEN763"
+>Common Problems and Errors</A
+></DT
+><DT
+>7.6. <A
+HREF="samba-pdc.html#AEN811"
+>System Policies and Profiles</A
+></DT
+><DT
+>7.7. <A
+HREF="samba-pdc.html#AEN855"
+>What other help can I get?</A
+></DT
+><DT
+>7.8. <A
+HREF="samba-pdc.html#AEN969"
+>Domain Control for Windows 9x/ME</A
+></DT
+><DT
+>7.9. <A
+HREF="samba-pdc.html#AEN1107"
+>DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
+></DT
+></DL
+></DD
+><DT
+>8. <A
+HREF="samba-bdc.html"
+>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
+></DT
+><DD
+><DL
+><DT
+>8.1. <A
+HREF="samba-bdc.html#AEN1143"
+>Prerequisite Reading</A
+></DT
+><DT
+>8.2. <A
+HREF="samba-bdc.html#AEN1147"
+>Background</A
+></DT
+><DT
+>8.3. <A
+HREF="samba-bdc.html#AEN1155"
+>What qualifies a Domain Controller on the network?</A
+></DT
+><DT
+>8.4. <A
+HREF="samba-bdc.html#AEN1164"
+>Can Samba be a Backup Domain Controller?</A
+></DT
+><DT
+>8.5. <A
+HREF="samba-bdc.html#AEN1168"
+>How do I set up a Samba BDC?</A
+></DT
+></DL
+></DD
+><DT
+>9. <A
+HREF="ads.html"
+>Samba as a ADS domain member</A
+></DT
+><DD
+><DL
+><DT
+>9.1. <A
+HREF="ads.html#AEN1203"
+>Installing the required packages for Debian</A
+></DT
+><DT
+>9.2. <A
+HREF="ads.html#AEN1209"
+>Installing the required packages for RedHat</A
+></DT
+><DT
+>9.3. <A
+HREF="ads.html#AEN1218"
+>Compile Samba</A
+></DT
+><DT
+>9.4. <A
+HREF="ads.html#AEN1230"
+>Setup your /etc/krb5.conf</A
+></DT
+><DT
+>9.5. <A
+HREF="ads.html#AEN1240"
+>Create the computer account</A
+></DT
+><DT
+>9.6. <A
+HREF="ads.html#AEN1256"
+>Test your server setup</A
+></DT
+><DT
+>9.7. <A
+HREF="ads.html#AEN1261"
+>Testing with smbclient</A
+></DT
+><DT
+>9.8. <A
+HREF="ads.html#AEN1264"
+>Notes</A
+></DT
+></DL
+></DD
+><DT
+>10. <A
+HREF="domain-security.html"
+>Samba as a NT4 domain member</A
+></DT
+><DD
+><DL
+><DT
+>10.1. <A
+HREF="domain-security.html#AEN1286"
+>Joining an NT Domain with Samba 2.2</A
+></DT
+><DT
+>10.2. <A
+HREF="domain-security.html#AEN1350"
+>Samba and Windows 2000 Domains</A
+></DT
+><DT
+>10.3. <A
+HREF="domain-security.html#AEN1355"
+>Why is this better than security = server?</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>III. <A
+HREF="optional.html"
+>Optional configuration</A
+></DT
+><DD
+><DL
+><DT
+>11. <A
+HREF="integrate-ms-networks.html"
+>Integrating MS Windows networks with Samba</A
+></DT
+><DD
+><DL
+><DT
+>11.1. <A
+HREF="integrate-ms-networks.html#AEN1387"
+>Agenda</A
+></DT
+><DT
+>11.2. <A
+HREF="integrate-ms-networks.html#AEN1409"
+>Name Resolution in a pure Unix/Linux world</A
+></DT
+><DT
+>11.3. <A
+HREF="integrate-ms-networks.html#AEN1472"
+>Name resolution as used within MS Windows networking</A
+></DT
+><DT
+>11.4. <A
+HREF="integrate-ms-networks.html#AEN1517"
+>How browsing functions and how to deploy stable and
+dependable browsing using Samba</A
+></DT
+><DT
+>11.5. <A
+HREF="integrate-ms-networks.html#AEN1527"
+>MS Windows security options and how to configure
+Samba for seemless integration</A
+></DT
+><DT
+>11.6. <A
+HREF="integrate-ms-networks.html#AEN1597"
+>Conclusions</A
+></DT
+></DL
+></DD
+><DT
+>12. <A
+HREF="unix-permissions.html"
+>UNIX Permission Bits and Windows NT Access Control Lists</A
+></DT
+><DD
+><DL
+><DT
+>12.1. <A
+HREF="unix-permissions.html#AEN1618"
+>Viewing and changing UNIX permissions using the NT
+ security dialogs</A
+></DT
+><DT
+>12.2. <A
+HREF="unix-permissions.html#AEN1627"
+>How to view file security on a Samba share</A
+></DT
+><DT
+>12.3. <A
+HREF="unix-permissions.html#AEN1638"
+>Viewing file ownership</A
+></DT
+><DT
+>12.4. <A
+HREF="unix-permissions.html#AEN1658"
+>Viewing file or directory permissions</A
+></DT
+><DT
+>12.5. <A
+HREF="unix-permissions.html#AEN1694"
+>Modifying file or directory permissions</A
+></DT
+><DT
+>12.6. <A
+HREF="unix-permissions.html#AEN1716"
+>Interaction with the standard Samba create mask
+ parameters</A
+></DT
+><DT
+>12.7. <A
+HREF="unix-permissions.html#AEN1780"
+>Interaction with the standard Samba file attribute
+ mapping</A
+></DT
+></DL
+></DD
+><DT
+>13. <A
+HREF="pam.html"
+>Configuring PAM for distributed but centrally
+managed authentication</A
+></DT
+><DD
+><DL
+><DT
+>13.1. <A
+HREF="pam.html#AEN1801"
+>Samba and PAM</A
+></DT
+><DT
+>13.2. <A
+HREF="pam.html#AEN1845"
+>Distributed Authentication</A
+></DT
+><DT
+>13.3. <A
+HREF="pam.html#AEN1852"
+>PAM Configuration in smb.conf</A
+></DT
+></DL
+></DD
+><DT
+>14. <A
+HREF="msdfs.html"
+>Hosting a Microsoft Distributed File System tree on Samba</A
+></DT
+><DD
+><DL
+><DT
+>14.1. <A
+HREF="msdfs.html#AEN1872"
+>Instructions</A
+></DT
+></DL
+></DD
+><DT
+>15. <A
+HREF="printing.html"
+>Printing Support</A
+></DT
+><DD
+><DL
+><DT
+>15.1. <A
+HREF="printing.html#AEN1933"
+>Introduction</A
+></DT
+><DT
+>15.2. <A
+HREF="printing.html#AEN1955"
+>Configuration</A
+></DT
+><DT
+>15.3. <A
+HREF="printing.html#AEN2063"
+>The Imprints Toolset</A
+></DT
+><DT
+>15.4. <A
+HREF="printing.html#AEN2106"
+>Diagnosis</A
+></DT
+></DL
+></DD
+><DT
+>16. <A
+HREF="winbind.html"
+>Unified Logons between Windows NT and UNIX using Winbind</A
+></DT
+><DD
+><DL
+><DT
+>16.1. <A
+HREF="winbind.html#AEN2238"
+>Abstract</A
+></DT
+><DT
+>16.2. <A
+HREF="winbind.html#AEN2242"
+>Introduction</A
+></DT
+><DT
+>16.3. <A
+HREF="winbind.html#AEN2255"
+>What Winbind Provides</A
+></DT
+><DT
+>16.4. <A
+HREF="winbind.html#AEN2266"
+>How Winbind Works</A
+></DT
+><DT
+>16.5. <A
+HREF="winbind.html#AEN2306"
+>Installation and Configuration</A
+></DT
+><DT
+>16.6. <A
+HREF="winbind.html#AEN2555"
+>Limitations</A
+></DT
+><DT
+>16.7. <A
+HREF="winbind.html#AEN2565"
+>Conclusion</A
+></DT
+></DL
+></DD
+><DT
+>17. <A
+HREF="pdb-mysql.html"
+>Passdb MySQL plugin</A
+></DT
+><DD
+><DL
+><DT
+>17.1. <A
+HREF="pdb-mysql.html#AEN2579"
+>Building</A
+></DT
+><DT
+>17.2. <A
+HREF="pdb-mysql.html#AEN2585"
+>Configuring</A
+></DT
+><DT
+>17.3. <A
+HREF="pdb-mysql.html#AEN2600"
+>Using plaintext passwords or encrypted password</A
+></DT
+><DT
+>17.4. <A
+HREF="pdb-mysql.html#AEN2605"
+>Getting non-column data from the table</A
+></DT
+></DL
+></DD
+><DT
+>18. <A
+HREF="pdb-xml.html"
+>Passdb XML plugin</A
+></DT
+><DD
+><DL
+><DT
+>18.1. <A
+HREF="pdb-xml.html#AEN2624"
+>Building</A
+></DT
+><DT
+>18.2. <A
+HREF="pdb-xml.html#AEN2630"
+>Usage</A
+></DT
+></DL
+></DD
+><DT
+>19. <A
+HREF="vfs.html"
+>Stackable VFS modules</A
+></DT
+><DD
+><DL
+><DT
+>19.1. <A
+HREF="vfs.html#AEN2651"
+>Introduction and configuration</A
+></DT
+><DT
+>19.2. <A
+HREF="vfs.html#AEN2659"
+>Included modules</A
+></DT
+><DT
+>19.3. <A
+HREF="vfs.html#AEN2713"
+>VFS modules available elsewhere</A
+></DT
+></DL
+></DD
+><DT
+>20. <A
+HREF="samba-ldap-howto.html"
+>Storing Samba's User/Machine Account information in an LDAP Directory</A
+></DT
+><DD
+><DL
+><DT
+>20.1. <A
+HREF="samba-ldap-howto.html#AEN2747"
+>Purpose</A
+></DT
+><DT
+>20.2. <A
+HREF="samba-ldap-howto.html#AEN2767"
+>Introduction</A
+></DT
+><DT
+>20.3. <A
+HREF="samba-ldap-howto.html#AEN2796"
+>Supported LDAP Servers</A
+></DT
+><DT
+>20.4. <A
+HREF="samba-ldap-howto.html#AEN2801"
+>Schema and Relationship to the RFC 2307 posixAccount</A
+></DT
+><DT
+>20.5. <A
+HREF="samba-ldap-howto.html#AEN2813"
+>Configuring Samba with LDAP</A
+></DT
+><DT
+>20.6. <A
+HREF="samba-ldap-howto.html#AEN2860"
+>Accounts and Groups management</A
+></DT
+><DT
+>20.7. <A
+HREF="samba-ldap-howto.html#AEN2865"
+>Security and sambaAccount</A
+></DT
+><DT
+>20.8. <A
+HREF="samba-ldap-howto.html#AEN2885"
+>LDAP specials attributes for sambaAccounts</A
+></DT
+><DT
+>20.9. <A
+HREF="samba-ldap-howto.html#AEN2955"
+>Example LDIF Entries for a sambaAccount</A
+></DT
+><DT
+>20.10. <A
+HREF="samba-ldap-howto.html#AEN2963"
+>Comments</A
+></DT
+></DL
+></DD
+><DT
+>21. <A
+HREF="cvs-access.html"
+>HOWTO Access Samba source code via CVS</A
+></DT
+><DD
+><DL
+><DT
+>21.1. <A
+HREF="cvs-access.html#AEN2974"
+>Introduction</A
+></DT
+><DT
+>21.2. <A
+HREF="cvs-access.html#AEN2979"
+>CVS Access to samba.org</A
+></DT
+></DL
+></DD
+><DT
+>22. <A
+HREF="groupmapping.html"
+>Group mapping HOWTO</A
+></DT
+><DT
+>23. <A
+HREF="speed.html"
+>Samba performance issues</A
+></DT
+><DD
+><DL
+><DT
+>23.1. <A
+HREF="speed.html#AEN3065"
+>Comparisons</A
+></DT
+><DT
+>23.2. <A
+HREF="speed.html#AEN3071"
+>Oplocks</A
+></DT
+><DT
+>23.3. <A
+HREF="speed.html#AEN3091"
+>Socket options</A
+></DT
+><DT
+>23.4. <A
+HREF="speed.html#AEN3098"
+>Read size</A
+></DT
+><DT
+>23.5. <A
+HREF="speed.html#AEN3103"
+>Max xmit</A
+></DT
+><DT
+>23.6. <A
+HREF="speed.html#AEN3108"
+>Locking</A
+></DT
+><DT
+>23.7. <A
+HREF="speed.html#AEN3112"
+>Share modes</A
+></DT
+><DT
+>23.8. <A
+HREF="speed.html#AEN3117"
+>Log level</A
+></DT
+><DT
+>23.9. <A
+HREF="speed.html#AEN3120"
+>Wide lines</A
+></DT
+><DT
+>23.10. <A
+HREF="speed.html#AEN3123"
+>Read raw</A
+></DT
+><DT
+>23.11. <A
+HREF="speed.html#AEN3128"
+>Write raw</A
+></DT
+><DT
+>23.12. <A
+HREF="speed.html#AEN3132"
+>Read prediction</A
+></DT
+><DT
+>23.13. <A
+HREF="speed.html#AEN3139"
+>Memory mapping</A
+></DT
+><DT
+>23.14. <A
+HREF="speed.html#AEN3144"
+>Slow Clients</A
+></DT
+><DT
+>23.15. <A
+HREF="speed.html#AEN3148"
+>Slow Logins</A
+></DT
+><DT
+>23.16. <A
+HREF="speed.html#AEN3151"
+>Client tuning</A
+></DT
+><DT
+>23.17. <A
+HREF="speed.html#AEN3183"
+>My Results</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>IV. <A
+HREF="appendixes.html"
+>Appendixes</A
+></DT
+><DD
+><DL
+><DT
+>24. <A
+HREF="portability.html"
+>Portability</A
+></DT
+><DD
+><DL
+><DT
+>24.1. <A
+HREF="portability.html#AEN3198"
+>HPUX</A
+></DT
+><DT
+>24.2. <A
+HREF="portability.html#AEN3204"
+>SCO Unix</A
+></DT
+><DT
+>24.3. <A
+HREF="portability.html#AEN3208"
+>DNIX</A
+></DT
+><DT
+>24.4. <A
+HREF="portability.html#AEN3237"
+>RedHat Linux Rembrandt-II</A
+></DT
+></DL
+></DD
+><DT
+>25. <A
+HREF="other-clients.html"
+>Samba and other CIFS clients</A
+></DT
+><DD
+><DL
+><DT
+>25.1. <A
+HREF="other-clients.html#AEN3258"
+>Macintosh clients?</A
+></DT
+><DT
+>25.2. <A
+HREF="other-clients.html#AEN3267"
+>OS2 Client</A
+></DT
+><DT
+>25.3. <A
+HREF="other-clients.html#AEN3307"
+>Windows for Workgroups</A
+></DT
+><DT
+>25.4. <A
+HREF="other-clients.html#AEN3328"
+>Windows '95/'98</A
+></DT
+><DT
+>25.5. <A
+HREF="other-clients.html#AEN3344"
+>Windows 2000 Service Pack 2</A
+></DT
+></DL
+></DD
+><DT
+>26. <A
+HREF="bugreport.html"
+>Reporting Bugs</A
+></DT
+><DD
+><DL
+><DT
+>26.1. <A
+HREF="bugreport.html#AEN3368"
+>Introduction</A
+></DT
+><DT
+>26.2. <A
+HREF="bugreport.html#AEN3378"
+>General info</A
+></DT
+><DT
+>26.3. <A
+HREF="bugreport.html#AEN3384"
+>Debug levels</A
+></DT
+><DT
+>26.4. <A
+HREF="bugreport.html#AEN3401"
+>Internal errors</A
+></DT
+><DT
+>26.5. <A
+HREF="bugreport.html#AEN3411"
+>Attaching to a running process</A
+></DT
+><DT
+>26.6. <A
+HREF="bugreport.html#AEN3414"
+>Patches</A
+></DT
+></DL
+></DD
+><DT
+>27. <A
+HREF="diagnosis.html"
+>Diagnosing your samba server</A
+></DT
+><DD
+><DL
+><DT
+>27.1. <A
+HREF="diagnosis.html#AEN3437"
+>Introduction</A
+></DT
+><DT
+>27.2. <A
+HREF="diagnosis.html#AEN3442"
+>Assumptions</A
+></DT
+><DT
+>27.3. <A
+HREF="diagnosis.html#AEN3452"
+>Tests</A
+></DT
+><DT
+>27.4. <A
+HREF="diagnosis.html#AEN3562"
+>Still having troubles?</A
+></DT
+></DL
+></DD
+></DL
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="introduction.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>General installation</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>How to Configure Samba as a NT4 Primary Domain Controller</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Type of installation"
+HREF="type.html"><LINK
+REL="PREVIOUS"
+TITLE="User and Share security level (for servers not in a domain)"
+HREF="securitylevels.html"><LINK
+REL="NEXT"
+TITLE="How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain"
+HREF="samba-bdc.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="SAMBA-PDC"
+></A
+>Chapter 7. How to Configure Samba as a NT4 Primary Domain Controller</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN591"
+></A
+>7.1. Prerequisite Reading</H1
+><P
+>Before you continue reading in this chapter, please make sure
+that you are comfortable with configuring basic files services
+in smb.conf and how to enable and administer password
+encryption in Samba. Theses two topics are covered in the
+<A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+></A
+>
+manpage and the <A
+HREF="ENCRYPTION.html"
+TARGET="_top"
+>Encryption chapter</A
+>
+of this HOWTO Collection.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN597"
+></A
+>7.2. Background</H1
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Author's Note:</I
+></SPAN
+> This document is a combination
+of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ".
+Both documents are superseded by this one.</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>Versions of Samba prior to release 2.2 had marginal capabilities to act
+as a Windows NT 4.0 Primary Domain Controller
+
+(PDC). With Samba 2.2.0, we are proud to announce official support for
+Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows
+2000 clients. This article outlines the steps
+necessary for configuring Samba as a PDC. It is necessary to have a
+working Samba server prior to implementing the PDC functionality. If
+you have not followed the steps outlined in <A
+HREF="UNIX_INSTALL.html"
+TARGET="_top"
+> UNIX_INSTALL.html</A
+>, please make sure
+that your server is configured correctly before proceeding. Another
+good resource in the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>smb.conf(5) man
+page</A
+>. The following functionality should work in 2.2:</P
+><P
+></P
+><UL
+><LI
+><P
+> domain logons for Windows NT 4.0/2000 clients.
+ </P
+></LI
+><LI
+><P
+> placing a Windows 9x client in user level security
+ </P
+></LI
+><LI
+><P
+> retrieving a list of users and groups from a Samba PDC to
+ Windows 9x/NT/2000 clients
+ </P
+></LI
+><LI
+><P
+> roving (roaming) user profiles
+ </P
+></LI
+><LI
+><P
+> Windows NT 4.0-style system policies
+ </P
+></LI
+></UL
+><P
+>The following pieces of functionality are not included in the 2.2 release:</P
+><P
+></P
+><UL
+><LI
+><P
+> Windows NT 4 domain trusts
+ </P
+></LI
+><LI
+><P
+> SAM replication with Windows NT 4.0 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa)
+ </P
+></LI
+><LI
+><P
+> Adding users via the User Manager for Domains
+ </P
+></LI
+><LI
+><P
+> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory)
+ </P
+></LI
+></UL
+><P
+>Please note that Windows 9x clients are not true members of a domain
+for reasons outlined in this article. Therefore the protocol for
+support Windows 9x-style domain logons is completely different
+from NT4 domain logons and has been officially supported for some
+time.</P
+><P
+>Implementing a Samba PDC can basically be divided into 2 broad
+steps.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> Configuring the Samba PDC
+ </P
+></LI
+><LI
+><P
+> Creating machine trust accounts and joining clients
+ to the domain
+ </P
+></LI
+></OL
+><P
+>There are other minor details such as user profiles, system
+policies, etc... However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking
+concepts. They will be mentioned only briefly here.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN636"
+></A
+>7.3. Configuring the Samba Domain Controller</H1
+><P
+>The first step in creating a working Samba PDC is to
+understand the parameters necessary in smb.conf. I will not
+attempt to re-explain the parameters here as they are more that
+adequately covered in <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+> the smb.conf
+man page</A
+>. For convenience, the parameters have been
+linked with the actual smb.conf description.</P
+><P
+>Here is an example <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> for acting as a PDC:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ ; Basic server settings
+ <A
+HREF="smb.conf.5.html#NETBIOSNAME"
+TARGET="_top"
+>netbios name</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>POGO</I
+></TT
+>
+ <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+>workgroup</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>NARNIA</I
+></TT
+>
+
+ ; we should act as the domain and local master browser
+ <A
+HREF="smb.conf.5.html#OSLEVEL"
+TARGET="_top"
+>os level</A
+> = 64
+ <A
+HREF="smb.conf.5.html#PERFERREDMASTER"
+TARGET="_top"
+>preferred master</A
+> = yes
+ <A
+HREF="smb.conf.5.html#DOMAINMASTER"
+TARGET="_top"
+>domain master</A
+> = yes
+ <A
+HREF="smb.conf.5.html#LOCALMASTER"
+TARGET="_top"
+>local master</A
+> = yes
+
+ ; security settings (must user security = user)
+ <A
+HREF="smb.conf.5.html#SECURITYEQUALSUSER"
+TARGET="_top"
+>security</A
+> = user
+
+ ; encrypted passwords are a requirement for a PDC
+ <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>encrypt passwords</A
+> = yes
+
+ ; support domain logons
+ <A
+HREF="smb.conf.5.html#DOMAINLOGONS"
+TARGET="_top"
+>domain logons</A
+> = yes
+
+ ; where to store user profiles?
+ <A
+HREF="smb.conf.5.html#LOGONPATH"
+TARGET="_top"
+>logon path</A
+> = \\%N\profiles\%u
+
+ ; where is a user's home directory and where should it
+ ; be mounted at?
+ <A
+HREF="smb.conf.5.html#LOGONDRIVE"
+TARGET="_top"
+>logon drive</A
+> = H:
+ <A
+HREF="smb.conf.5.html#LOGONHOME"
+TARGET="_top"
+>logon home</A
+> = \\homeserver\%u
+
+ ; specify a generic logon script for all users
+ ; this is a relative **DOS** path to the [netlogon] share
+ <A
+HREF="smb.conf.5.html#LOGONSCRIPT"
+TARGET="_top"
+>logon script</A
+> = logon.cmd
+
+; necessary share for domain controller
+[netlogon]
+ <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /usr/local/samba/lib/netlogon
+ <A
+HREF="smb.conf.5.html#READONLY"
+TARGET="_top"
+>read only</A
+> = yes
+ <A
+HREF="smb.conf.5.html#WRITELIST"
+TARGET="_top"
+>write list</A
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>ntadmin</I
+></TT
+>
+
+; share for storing user profiles
+[profiles]
+ <A
+HREF="smb.conf.5.html#PATH"
+TARGET="_top"
+>path</A
+> = /export/smb/ntprofile
+ <A
+HREF="smb.conf.5.html#READONLY"
+TARGET="_top"
+>read only</A
+> = no
+ <A
+HREF="smb.conf.5.html#CREATEMASK"
+TARGET="_top"
+>create mask</A
+> = 0600
+ <A
+HREF="smb.conf.5.html#DIRECTORYMASK"
+TARGET="_top"
+>directory mask</A
+> = 0700</PRE
+></P
+><P
+>There are a couple of points to emphasize in the above configuration.</P
+><P
+></P
+><UL
+><LI
+><P
+> Encrypted passwords must be enabled. For more details on how
+ to do this, refer to <A
+HREF="ENCRYPTION.html"
+TARGET="_top"
+>ENCRYPTION.html</A
+>.
+ </P
+></LI
+><LI
+><P
+> The server must support domain logons and a
+ <TT
+CLASS="FILENAME"
+>[netlogon]</TT
+> share
+ </P
+></LI
+><LI
+><P
+> The server must be the domain master browser in order for Windows
+ client to locate the server as a DC. Please refer to the various
+ Network Browsing documentation included with this distribution for
+ details.
+ </P
+></LI
+></UL
+><P
+>As Samba 2.2 does not offer a complete implementation of group mapping
+between Windows NT groups and Unix groups (this is really quite
+complicated to explain in a short space), you should refer to the
+<A
+HREF="smb.conf.5.html#DOMAINADMINGROUP"
+TARGET="_top"
+>domain admin
+group</A
+> smb.conf parameter for information of creating "Domain
+Admins" style accounts.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN679"
+></A
+>7.4. Creating Machine Trust Accounts and Joining Clients to the
+Domain</H1
+><P
+>A machine trust account is a Samba account that is used to
+authenticate a client machine (rather than a user) to the Samba
+server. In Windows terminology, this is known as a "Computer
+Account."</P
+><P
+>The password of a machine trust account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT and 2000 clients use machine trust accounts, but
+Windows 9x clients do not. Hence, a Windows 9x client is never a true
+member of a domain because it does not possess a machine trust
+account, and thus has no shared secret with the domain controller.</P
+><P
+>A Windows PDC stores each machine trust account in the Windows
+Registry. A Samba PDC, however, stores each machine trust account
+in two parts, as follows:
+
+<P
+></P
+><UL
+><LI
+><P
+>A Samba account, stored in the same location as user
+ LanMan and NT password hashes (currently
+ <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+>). The Samba account
+ possesses and uses only the NT password hash.</P
+></LI
+><LI
+><P
+>A corresponding Unix account, typically stored in
+ <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>. (Future releases will alleviate the need to
+ create <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entries.) </P
+></LI
+></UL
+></P
+><P
+>There are two ways to create machine trust accounts:</P
+><P
+></P
+><UL
+><LI
+><P
+> Manual creation. Both the Samba and corresponding
+ Unix account are created by hand.</P
+></LI
+><LI
+><P
+> "On-the-fly" creation. The Samba machine trust
+ account is automatically created by Samba at the time the client
+ is joined to the domain. (For security, this is the
+ recommended method.) The corresponding Unix account may be
+ created automatically or manually. </P
+></LI
+></UL
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN698"
+></A
+>7.4.1. Manual Creation of Machine Trust Accounts</H2
+><P
+>The first step in manually creating a machine trust account is to
+manually create the corresponding Unix account in
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>. This can be done using
+<B
+CLASS="COMMAND"
+>vipw</B
+> or other 'add user' command that is normally
+used to create new Unix accounts. The following is an example for a
+Linux based Samba server:</P
+><P
+> <TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
+CLASS="REPLACEABLE"
+><I
+>"machine
+nickname"</I
+></TT
+> -s /bin/false <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$ </B
+></P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>passwd -l <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$</B
+></P
+><P
+>On *BSD systems, this can be done using the 'chpass' utility:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>chpass -a "<TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>$:*:101:100::0:0:Workstation <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+>:/dev/null:/sbin/nologin"</B
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry will list the machine name
+with a "$" appended, won't have a password, will have a null shell and no
+home directory. For example a machine named 'doppy' would have an
+<TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>doppy$:x:505:501:<TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+>:/dev/null:/bin/false</PRE
+></P
+><P
+>Above, <TT
+CLASS="REPLACEABLE"
+><I
+>machine_nickname</I
+></TT
+> can be any
+descriptive name for the client, i.e., BasementComputer.
+<TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The "$" must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a machine trust account.</P
+><P
+>Now that the corresponding Unix account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+machine trust account password. This can be done using the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+> command
+as shown here:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><B
+CLASS="COMMAND"
+>smbpasswd -a -m <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+></B
+></P
+><P
+>where <TT
+CLASS="REPLACEABLE"
+><I
+>machine_name</I
+></TT
+> is the machine's NetBIOS
+name. The RID of the new machine account is generated from the UID of
+the corresponding Unix account.</P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TH
+ALIGN="LEFT"
+VALIGN="CENTER"
+><B
+>Join the client to the domain immediately</B
+></TH
+></TR
+><TR
+><TD
+> </TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+> Manually creating a machine trust account using this method is the
+ equivalent of creating a machine trust account on a Windows NT PDC using
+ the "Server Manager". From the time at which the account is created
+ to the time which the client joins the domain and changes the password,
+ your domain is vulnerable to an intruder joining your domain using a
+ a machine with the same NetBIOS name. A PDC inherently trusts
+ members of the domain and will serve out a large degree of user
+ information to such clients. You have been warned!
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN739"
+></A
+>7.4.2. "On-the-Fly" Creation of Machine Trust Accounts</H2
+><P
+>The second (and recommended) way of creating machine trust accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain. </P
+><P
+>Since each Samba machine trust account requires a corresponding
+Unix account, a method for automatically creating the
+Unix account is usually supplied; this requires configuration of the
+<A
+HREF="smb.conf.5.html#ADDUSERSCRIPT"
+TARGET="_top"
+>add user script</A
+>
+option in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>. This
+method is not required, however; corresponding Unix accounts may also
+be created manually.</P
+><P
+>Below is an example for a RedHat 6.2 Linux system.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>[global]
+ # <...remainder of parameters...>
+ add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
+></P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN748"
+></A
+>7.4.3. Joining the Client to the Domain</H2
+><P
+>The procedure for joining a client to the domain varies with the
+version of Windows.</P
+><P
+></P
+><UL
+><LI
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Windows 2000</I
+></SPAN
+></P
+><P
+> When the user elects to join the client to a domain, Windows prompts for
+ an account and password that is privileged to join the domain. A
+ Samba administrative account (i.e., a Samba account that has root
+ privileges on the Samba server) must be entered here; the
+ operation will fail if an ordinary user account is given.
+ The password for this account should be
+ set to a different password than the associated
+ <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> entry, for security
+ reasons. </P
+><P
+>The session key of the Samba administrative account acts as an
+ encryption key for setting the password of the machine trust
+ account. The machine trust account will be created on-the-fly, or
+ updated if it already exists.</P
+></LI
+><LI
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Windows NT</I
+></SPAN
+></P
+><P
+> If the machine trust account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box "Create a Computer Account in the Domain." In this case,
+ the existing machine trust account is used to join the machine to
+ the domain.</P
+><P
+> If the machine trust account is to be created
+ on-the-fly, on the Identification Changes menu enter the domain
+ name, and check the box "Create a Computer Account in the Domain." In
+ this case, joining the domain proceeds as above for Windows 2000
+ (i.e., you must supply a Samba administrative account when
+ prompted).</P
+></LI
+></UL
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN763"
+></A
+>7.5. Common Problems and Errors</H1
+><P
+></P
+><P
+></P
+><UL
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>I cannot include a '$' in a machine name.</I
+></SPAN
+>
+ </P
+><P
+> A 'machine name' in (typically) <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+ of the machine name with a '$' appended. FreeBSD (and other BSD
+ systems?) won't create a user with a '$' in their name.
+ </P
+><P
+> The problem is only in the program used to make the entry, once
+ made, it works perfectly. So create a user without the '$' and
+ use <B
+CLASS="COMMAND"
+>vipw</B
+> to edit the entry, adding the '$'. Or create
+ the whole entry with vipw if you like, make sure you use a
+ unique User ID !
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>I get told "You already have a connection to the Domain...."
+ or "Cannot join domain, the credentials supplied conflict with an
+ existing set.." when creating a machine trust account.</I
+></SPAN
+>
+ </P
+><P
+> This happens if you try to create a machine trust account from the
+ machine itself and already have a connection (e.g. mapped drive)
+ to a share (or IPC$) on the Samba PDC. The following command
+ will remove all network drive connections:
+ </P
+><P
+> <TT
+CLASS="PROMPT"
+>C:\WINNT\></TT
+> <B
+CLASS="COMMAND"
+>net use * /d</B
+>
+ </P
+><P
+> Further, if the machine is a already a 'member of a workgroup' that
+ is the same name as the domain you are joining (bad idea) you will
+ get this message. Change the workgroup name to something else, it
+ does not matter what, reboot, and try again.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>The system can not log you on (C000019B)....</I
+></SPAN
+>
+ </P
+><P
+>I joined the domain successfully but after upgrading
+ to a newer version of the Samba code I get the message, "The system
+ can not log you on (C000019B), Please try a gain or consult your
+ system administrator" when attempting to logon.
+ </P
+><P
+> This occurs when the domain SID stored in
+ <TT
+CLASS="FILENAME"
+>private/WORKGROUP.SID</TT
+> is
+ changed. For example, you remove the file and <B
+CLASS="COMMAND"
+>smbd</B
+> automatically
+ creates a new one. Or you are swapping back and forth between
+ versions 2.0.7, TNG and the HEAD branch code (not recommended). The
+ only way to correct the problem is to restore the original domain
+ SID or remove the domain client from the domain and rejoin.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>The machine trust account for this computer either does not
+ exist or is not accessible.</I
+></SPAN
+>
+ </P
+><P
+> When I try to join the domain I get the message "The machine account
+ for this computer either does not exist or is not accessible". What's
+ wrong?
+ </P
+><P
+> This problem is caused by the PDC not having a suitable machine trust account.
+ If you are using the <TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+> method to create
+ accounts then this would indicate that it has not worked. Ensure the domain
+ admin user system is working.
+ </P
+><P
+> Alternatively if you are creating account entries manually then they
+ have not been created correctly. Make sure that you have the entry
+ correct for the machine trust account in smbpasswd file on the Samba PDC.
+ If you added the account using an editor rather than using the smbpasswd
+ utility, make sure that the account name is the machine NetBIOS name
+ with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
+ in both /etc/passwd and the smbpasswd file. Some people have reported
+ that inconsistent subnet masks between the Samba server and the NT
+ client have caused this problem. Make sure that these are consistent
+ for both client and server.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+ I get a message about my account being disabled.</I
+></SPAN
+>
+ </P
+><P
+> This problem is caused by a PAM related bug in Samba 2.2.0. This bug is
+ fixed in 2.2.1. Other symptoms could be unaccessible shares on
+ NT/W2K member servers in the domain or the following error in your smbd.log:
+ passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
+ </P
+><P
+> At first be ensure to enable the useraccounts with <B
+CLASS="COMMAND"
+>smbpasswd -e
+ %user%</B
+>, this is normally done, when you create an account.
+ </P
+><P
+> In order to work around this problem in 2.2.0, configure the
+ <TT
+CLASS="PARAMETER"
+><I
+>account</I
+></TT
+> control flag in
+ <TT
+CLASS="FILENAME"
+>/etc/pam.d/samba</TT
+> file as follows:
+ </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> account required pam_permit.so
+ </PRE
+></P
+><P
+> If you want to remain backward compatibility to samba 2.0.x use
+ <TT
+CLASS="FILENAME"
+>pam_permit.so</TT
+>, it's also possible to use
+ <TT
+CLASS="FILENAME"
+>pam_pwdb.so</TT
+>. There are some bugs if you try to
+ use <TT
+CLASS="FILENAME"
+>pam_unix.so</TT
+>, if you need this, be ensure to use
+ the most recent version of this file.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN811"
+></A
+>7.6. System Policies and Profiles</H1
+><P
+>Much of the information necessary to implement System Policies and
+Roving User Profiles in a Samba domain is the same as that for
+implementing these same items in a Windows NT 4.0 domain.
+You should read the white paper <A
+HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
+TARGET="_top"
+>Implementing
+Profiles and Policies in Windows NT 4.0</A
+> available from Microsoft.</P
+><P
+>Here are some additional details:</P
+><P
+></P
+><UL
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>What about Windows NT Policy Editor?</I
+></SPAN
+>
+ </P
+><P
+> To create or edit <TT
+CLASS="FILENAME"
+>ntconfig.pol</TT
+> you must use
+ the NT Server Policy Editor, <B
+CLASS="COMMAND"
+>poledit.exe</B
+> which
+ is included with NT Server but <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>not NT Workstation</I
+></SPAN
+>.
+ There is a Policy Editor on a NTws
+ but it is not suitable for creating <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Domain Policies</I
+></SPAN
+>.
+ Further, although the Windows 95
+ Policy Editor can be installed on an NT Workstation/Server, it will not
+ work with NT policies because the registry key that are set by the policy templates.
+ However, the files from the NT Server will run happily enough on an NTws.
+ You need <TT
+CLASS="FILENAME"
+>poledit.exe, common.adm</TT
+> and <TT
+CLASS="FILENAME"
+>winnt.adm</TT
+>. It is convenient
+ to put the two *.adm files in <TT
+CLASS="FILENAME"
+>c:\winnt\inf</TT
+> which is where
+ the binary will look for them unless told otherwise. Note also that that
+ directory is 'hidden'.
+ </P
+><P
+> The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <B
+CLASS="COMMAND"
+>servicepackname /x</B
+>,
+ i.e. that's <B
+CLASS="COMMAND"
+>Nt4sp6ai.exe /x</B
+> for service pack 6a. The policy editor,
+ <B
+CLASS="COMMAND"
+>poledit.exe</B
+> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Can Win95 do Policies?</I
+></SPAN
+>
+ </P
+><P
+> Install the group policy handler for Win9x to pick up group
+ policies. Look on the Win98 CD in <TT
+CLASS="FILENAME"
+>\tools\reskit\netadmin\poledit</TT
+>.
+ Install group policies on a Win9x client by double-clicking
+ <TT
+CLASS="FILENAME"
+>grouppol.inf</TT
+>. Log off and on again a couple of
+ times and see if Win98 picks up group policies. Unfortunately this needs
+ to be done on every Win9x machine that uses group policies....
+ </P
+><P
+> If group policies don't work one reports suggests getting the updated
+ (read: working) grouppol.dll for Windows 9x. The group list is grabbed
+ from /etc/group.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>How do I get 'User Manager' and 'Server Manager'</I
+></SPAN
+>
+ </P
+><P
+> Since I don't need to buy an NT Server CD now, how do I get
+ the 'User Manager for Domains', the 'Server Manager'?
+ </P
+><P
+> Microsoft distributes a version of these tools called nexus for
+ installation on Windows 95 systems. The tools set includes
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Server Manager</P
+></LI
+><LI
+><P
+>User Manager for Domains</P
+></LI
+><LI
+><P
+>Event Viewer</P
+></LI
+></UL
+><P
+> Click here to download the archived file <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
+>
+ </P
+><P
+> The Windows NT 4.0 version of the 'User Manager for
+ Domains' and 'Server Manager' are available from Microsoft via ftp
+ from <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
+>
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN855"
+></A
+>7.7. What other help can I get?</H1
+><P
+>There are many sources of information available in the form
+of mailing lists, RFC's and documentation. The docs that come
+with the samba distribution contain very good explanations of
+general SMB topics such as browsing.</P
+><P
+></P
+><UL
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>What are some diagnostics tools I can use to debug the domain logon
+ process and where can I find them?</I
+></SPAN
+>
+ </P
+><P
+> One of the best diagnostic tools for debugging problems is Samba itself.
+ You can use the -d option for both smbd and nmbd to specify what
+ 'debug level' at which to run. See the man pages on smbd, nmbd and
+ smb.conf for more information on debugging options. The debug
+ level can range from 1 (the default) to 10 (100 for debugging passwords).
+ </P
+><P
+> Another helpful method of debugging is to compile samba using the
+ <B
+CLASS="COMMAND"
+>gcc -g </B
+> flag. This will include debug
+ information in the binaries and allow you to attach gdb to the
+ running smbd / nmbd process. In order to attach gdb to an smbd
+ process for an NT workstation, first get the workstation to make the
+ connection. Pressing ctrl-alt-delete and going down to the domain box
+ is sufficient (at least, on the first time you join the domain) to
+ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
+ maintains an open connection, and therefore there will be an smbd
+ process running (assuming that you haven't set a really short smbd
+ idle timeout) So, in between pressing ctrl alt delete, and actually
+ typing in your password, you can gdb attach and continue.
+ </P
+><P
+> Some useful samba commands worth investigating:
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>testparam | more</P
+></LI
+><LI
+><P
+>smbclient -L //{netbios name of server}</P
+></LI
+></UL
+><P
+> An SMB enabled version of tcpdump is available from
+ <A
+HREF="http://www.tcpdump.org/"
+TARGET="_top"
+>http://www.tcpdup.org/</A
+>.
+ Ethereal, another good packet sniffer for Unix and Win32
+ hosts, can be downloaded from <A
+HREF="http://www.ethereal.com/"
+TARGET="_top"
+>http://www.ethereal.com</A
+>.
+ </P
+><P
+> For tracing things on the Microsoft Windows NT, Network Monitor
+ (aka. netmon) is available on the Microsoft Developer Network CD's,
+ the Windows NT Server install CD and the SMS CD's. The version of
+ netmon that ships with SMS allows for dumping packets between any two
+ computers (i.e. placing the network interface in promiscuous mode).
+ The version on the NT Server install CD will only allow monitoring
+ of network traffic directed to the local NT box and broadcasts on the
+ local subnet. Be aware that Ethereal can read and write netmon
+ formatted files.
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>How do I install 'Network Monitor' on an NT Workstation
+ or a Windows 9x box?</I
+></SPAN
+>
+ </P
+><P
+> Installing netmon on an NT workstation requires a couple
+ of steps. The following are for installing Netmon V4.00.349, which comes
+ with Microsoft Windows NT Server 4.0, on Microsoft Windows NT
+ Workstation 4.0. The process should be similar for other version of
+ Windows NT / Netmon. You will need both the Microsoft Windows
+ NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
+ </P
+><P
+> Initially you will need to install 'Network Monitor Tools and Agent'
+ on the NT Server. To do this
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel -
+ Network - Services - Add </P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Tools and Agent' and
+ click on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+ </P
+></LI
+><LI
+><P
+>Insert the Windows NT Server 4.0 install CD
+ when prompted.</P
+></LI
+></UL
+><P
+> At this point the Netmon files should exist in
+ <TT
+CLASS="FILENAME"
+>%SYSTEMROOT%\System32\netmon\*.*</TT
+>.
+ Two subdirectories exist as well, <TT
+CLASS="FILENAME"
+>parsers\</TT
+>
+ which contains the necessary DLL's for parsing the netmon packet
+ dump, and <TT
+CLASS="FILENAME"
+>captures\</TT
+>.
+ </P
+><P
+> In order to install the Netmon tools on an NT Workstation, you will
+ first need to install the 'Network Monitor Agent' from the Workstation
+ install CD.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Goto Start - Settings - Control Panel -
+ Network - Services - Add</P
+></LI
+><LI
+><P
+>Select the 'Network Monitor Agent' and click
+ on 'OK'.</P
+></LI
+><LI
+><P
+>Click 'OK' on the Network Control Panel.
+ </P
+></LI
+><LI
+><P
+>Insert the Windows NT Workstation 4.0 install
+ CD when prompted.</P
+></LI
+></UL
+><P
+> Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
+ to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set
+ permissions as you deem appropriate for your site. You will need
+ administrative rights on the NT box to run netmon.
+ </P
+><P
+> To install Netmon on a Windows 9x box install the network monitor agent
+ from the Windows 9x CD (\admin\nettools\netmon). There is a readme
+ file located with the netmon driver files on the CD if you need
+ information on how to do this. Copy the files from a working
+ Netmon installation.
+ </P
+></LI
+><LI
+><P
+> The following is a list if helpful URLs and other links:
+ </P
+><P
+></P
+><UL
+><LI
+><P
+>Home of Samba site <A
+HREF="http://samba.org"
+TARGET="_top"
+> http://samba.org</A
+>. We have a mirror near you !</P
+></LI
+><LI
+><P
+> The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Development</I
+></SPAN
+> document
+ on the Samba mirrors might mention your problem. If so,
+ it might mean that the developers are working on it.</P
+></LI
+><LI
+><P
+>See how Scott Merrill simulates a BDC behavior at
+ <A
+HREF="http://www.skippy.net/linux/smb-howto.html"
+TARGET="_top"
+> http://www.skippy.net/linux/smb-howto.html</A
+>. </P
+></LI
+><LI
+><P
+>Although 2.0.7 has almost had its day as a PDC, David Bannon will
+ keep the 2.0.7 PDC pages at <A
+HREF="http://bioserve.latrobe.edu.au/samba"
+TARGET="_top"
+> http://bioserve.latrobe.edu.au/samba</A
+> going for a while yet.</P
+></LI
+><LI
+><P
+>Misc links to CIFS information
+ <A
+HREF="http://samba.org/cifs/"
+TARGET="_top"
+>http://samba.org/cifs/</A
+></P
+></LI
+><LI
+><P
+>NT Domains for Unix <A
+HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
+TARGET="_top"
+> http://mailhost.cb1.com/~lkcl/ntdom/</A
+></P
+></LI
+><LI
+><P
+>FTP site for older SMB specs:
+ <A
+HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
+TARGET="_top"
+> ftp://ftp.microsoft.com/developr/drg/CIFS/</A
+></P
+></LI
+></UL
+></LI
+></UL
+><P
+></P
+><UL
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>How do I get help from the mailing lists?</I
+></SPAN
+>
+ </P
+><P
+> There are a number of Samba related mailing lists. Go to <A
+HREF="http://samba.org"
+TARGET="_top"
+>http://samba.org</A
+>, click on your nearest mirror
+ and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and then click on <B
+CLASS="COMMAND"
+> Samba related mailing lists</B
+>.
+ </P
+><P
+> For questions relating to Samba TNG go to
+ <A
+HREF="http://www.samba-tng.org/"
+TARGET="_top"
+>http://www.samba-tng.org/</A
+>
+ It has been requested that you don't post questions about Samba-TNG to the
+ main stream Samba lists.</P
+><P
+> If you post a message to one of the lists please observe the following guide lines :
+ </P
+><P
+></P
+><UL
+><LI
+><P
+> Always remember that the developers are volunteers, they are
+ not paid and they never guarantee to produce a particular feature at
+ a particular time. Any time lines are 'best guess' and nothing more.
+ </P
+></LI
+><LI
+><P
+> Always mention what version of samba you are using and what
+ operating system its running under. You should probably list the
+ relevant sections of your smb.conf file, at least the options
+ in [global] that affect PDC support.</P
+></LI
+><LI
+><P
+>In addition to the version, if you obtained Samba via
+ CVS mention the date when you last checked it out.</P
+></LI
+><LI
+><P
+> Try and make your question clear and brief, lots of long,
+ convoluted questions get deleted before they are completely read !
+ Don't post html encoded messages (if you can select colour or font
+ size its html).</P
+></LI
+><LI
+><P
+> If you run one of those nifty 'I'm on holidays' things when
+ you are away, make sure its configured to not answer mailing lists.
+ </P
+></LI
+><LI
+><P
+> Don't cross post. Work out which is the best list to post to
+ and see what happens, i.e. don't post to both samba-ntdom and samba-technical.
+ Many people active on the lists subscribe to more
+ than one list and get annoyed to see the same message two or more times.
+ Often someone will see a message and thinking it would be better dealt
+ with on another, will forward it on for you.</P
+></LI
+><LI
+><P
+>You might include <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>partial</I
+></SPAN
+>
+ log files written at a debug level set to as much as 20.
+ Please don't send the entire log but enough to give the context of the
+ error messages.</P
+></LI
+><LI
+><P
+>(Possibly) If you have a complete netmon trace ( from the opening of
+ the pipe to the error ) you can send the *.CAP file as well.</P
+></LI
+><LI
+><P
+>Please think carefully before attaching a document to an email.
+ Consider pasting the relevant parts into the body of the message. The samba
+ mailing lists go to a huge number of people, do they all need a copy of your
+ smb.conf in their attach directory?</P
+></LI
+></UL
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>How do I get off the mailing lists?</I
+></SPAN
+>
+ </P
+><P
+>To have your name removed from a samba mailing list, go to the
+ same place you went to to get on it. Go to <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+>http://lists.samba.org</A
+>,
+ click on your nearest mirror and then click on <B
+CLASS="COMMAND"
+>Support</B
+> and
+ then click on <B
+CLASS="COMMAND"
+> Samba related mailing lists</B
+>. Or perhaps see
+ <A
+HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
+TARGET="_top"
+>here</A
+>
+ </P
+><P
+> Please don't post messages to the list asking to be removed, you will just
+ be referred to the above address (unless that process failed in some way...)
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN969"
+></A
+>7.8. Domain Control for Windows 9x/ME</H1
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>The following section contains much of the original
+DOMAIN.txt file previously included with Samba. Much of
+the material is based on what went into the book <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Special
+Edition, Using Samba</I
+></SPAN
+>, by Richard Sharpe.</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>A domain and a workgroup are exactly the same thing in terms of network
+browsing. The difference is that a distributable authentication
+database is associated with a domain, for secure login access to a
+network. Also, different access rights can be granted to users if they
+successfully authenticate against a domain logon server (NT server and
+other systems based on NT server support this, as does at least Samba TNG now).</P
+><P
+>The SMB client logging on to a domain has an expectation that every other
+server in the domain should accept the same authentication information.
+Network browsing functionality of domains and workgroups is
+identical and is explained in BROWSING.txt. It should be noted, that browsing
+is totally orthogonal to logon support.</P
+><P
+>Issues related to the single-logon network model are discussed in this
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which will be the focus of this section.</P
+><P
+>When an SMB client in a domain wishes to logon it broadcast requests for a
+logon server. The first one to reply gets the job, and validates its
+password using whatever mechanism the Samba administrator has installed.
+It is possible (but very stupid) to create a domain where the user
+database is not shared between servers, i.e. they are effectively workgroup
+servers advertising themselves as participating in a domain. This
+demonstrates how authentication is quite different from but closely
+involved with domains.</P
+><P
+>Using these features you can make your clients verify their logon via
+the Samba server; make clients run a batch file when they logon to
+the network and download their preferences, desktop and start menu.</P
+><P
+>Before launching into the configuration instructions, it is
+worthwhile lookingat how a Windows 9x/ME client performs a logon:</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> The client broadcasts (to the IP broadcast address of the subnet it is in)
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the
+ NetBIOS layer. The client chooses the first response it receives, which
+ contains the NetBIOS name of the logon server to use in the format of
+ \\SERVER.
+ </P
+></LI
+><LI
+><P
+> The client then connects to that server, logs on (does an SMBsessetupX) and
+ then connects to the IPC$ share (using an SMBtconX).
+ </P
+></LI
+><LI
+><P
+> The client then does a NetWkstaUserLogon request, which retrieves the name
+ of the user's logon script.
+ </P
+></LI
+><LI
+><P
+> The client then connects to the NetLogon share and searches for this
+ and if it is found and can be read, is retrieved and executed by the client.
+ After this, the client disconnects from the NetLogon share.
+ </P
+></LI
+><LI
+><P
+> The client then sends a NetUserGetInfo request to the server, to retrieve
+ the user's home share, which is used to search for profiles. Since the
+ response to the NetUserGetInfo request does not contain much more
+ the user's home share, profiles for Win9X clients MUST reside in the user
+ home directory.
+ </P
+></LI
+><LI
+><P
+> The client then connects to the user's home share and searches for the
+ user's profile. As it turns out, you can specify the user's home share as
+ a sharename and path. For example, \\server\fred\.profile.
+ If the profiles are found, they are implemented.
+ </P
+></LI
+><LI
+><P
+> The client then disconnects from the user's home share, and reconnects to
+ the NetLogon share and looks for CONFIG.POL, the policies file. If this is
+ found, it is read and implemented.
+ </P
+></LI
+></OL
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN995"
+></A
+>7.8.1. Configuration Instructions: Network Logons</H2
+><P
+>The main difference between a PDC and a Windows 9x logon
+server configuration is that</P
+><P
+></P
+><UL
+><LI
+><P
+>Password encryption is not required for a Windows 9x logon server.</P
+></LI
+><LI
+><P
+>Windows 9x/ME clients do not possess machine trust accounts.</P
+></LI
+></UL
+><P
+>Therefore, a Samba PDC will also act as a Windows 9x logon
+server.</P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TH
+ALIGN="LEFT"
+VALIGN="CENTER"
+><B
+>security mode and master browsers</B
+></TH
+></TR
+><TR
+><TD
+> </TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>There are a few comments to make in order to tie up some
+loose ends. There has been much debate over the issue of whether
+or not it is ok to configure Samba as a Domain Controller in security
+modes other than <TT
+CLASS="CONSTANT"
+>USER</TT
+>. The only security mode
+which will not work due to technical reasons is <TT
+CLASS="CONSTANT"
+>SHARE</TT
+>
+mode security. <TT
+CLASS="CONSTANT"
+>DOMAIN</TT
+> and <TT
+CLASS="CONSTANT"
+>SERVER</TT
+>
+mode security is really just a variation on SMB user level security.</P
+><P
+>Actually, this issue is also closely tied to the debate on whether
+or not Samba must be the domain master browser for its workgroup
+when operating as a DC. While it may technically be possible
+to configure a server as such (after all, browsing and domain logons
+are two distinctly different functions), it is not a good idea to
+so. You should remember that the DC must register the DOMAIN#1b NetBIOS
+name. This is the name used by Windows clients to locate the DC.
+Windows clients do not distinguish between the DC and the DMB.
+For this reason, it is very wise to configure the Samba DC as the DMB.</P
+><P
+>Now back to the issue of configuring a Samba DC to use a mode other
+than "security = user". If a Samba host is configured to use
+another SMB server or DC in order to validate user connection
+requests, then it is a fact that some other machine on the network
+(the "password server") knows more about user than the Samba host.
+99% of the time, this other host is a domain controller. Now
+in order to operate in domain mode security, the "workgroup" parameter
+must be set to the name of the Windows NT domain (which already
+has a domain controller, right?)</P
+><P
+>Therefore configuring a Samba box as a DC for a domain that
+already by definition has a PDC is asking for trouble.
+Therefore, you should always configure the Samba DC to be the DMB
+for its domain.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN1014"
+></A
+>7.8.2. Configuration Instructions: Setting up Roaming User Profiles</H2
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>NOTE!</I
+></SPAN
+> Roaming profiles support is different
+for Win9X and WinNT.</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>Before discussing how to configure roaming profiles, it is useful to see how
+Win9X and WinNT clients implement these features.</P
+><P
+>Win9X clients send a NetUserGetInfo request to the server to get the user's
+profiles location. However, the response does not have room for a separate
+profiles location field, only the user's home share. This means that Win9X
+profiles are restricted to being in the user's home directory.</P
+><P
+>WinNT clients send a NetSAMLogon RPC request, which contains many fields,
+including a separate field for the location of the user's profiles.
+This means that support for profiles is different for Win9X and WinNT.</P
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1022"
+></A
+>7.8.2.1. Windows NT Configuration</H3
+><P
+>To support WinNT clients, in the [global] section of smb.conf set the
+following (for example):</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
+></P
+><P
+>The default for this option is \\%N\%U\profile, namely
+\\sambaserver\username\profile. The \\N%\%U service is created
+automatically by the [homes] service.
+If you are using a samba server for the profiles, you _must_ make the
+share specified in the logon path browseable. </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>[lkcl 26aug96 - we have discovered a problem where Windows clients can
+maintain a connection to the [homes] share in between logins. The
+[homes] share must NOT therefore be used in a profile path.]</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1030"
+></A
+>7.8.2.2. Windows 9X Configuration</H3
+><P
+>To support Win9X clients, you must use the "logon home" parameter. Samba has
+now been fixed so that "net use/home" now works as well, and it, too, relies
+on the "logon home" parameter.</P
+><P
+>By using the logon home parameter, you are restricted to putting Win9X
+profiles in the user's home directory. But wait! There is a trick you
+can use. If you set the following in the [global] section of your
+smb.conf file:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>logon home = \\%L\%U\.profiles</PRE
+></P
+><P
+>then your Win9X clients will dutifully put their clients in a subdirectory
+of your home directory called .profiles (thus making them hidden).</P
+><P
+>Not only that, but 'net use/home' will also work, because of a feature in
+Win9X. It removes any directory stuff off the end of the home directory area
+and only uses the server and share portion. That is, it looks like you
+specified \\%L\%U for "logon home".</P
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1038"
+></A
+>7.8.2.3. Win9X and WinNT Configuration</H3
+><P
+>You can support profiles for both Win9X and WinNT clients by setting both the
+"logon home" and "logon path" parameters. For example:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>logon home = \\%L\%U\.profiles
+logon path = \\%L\profiles\%U</PRE
+></P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>I have not checked what 'net use /home' does on NT when "logon home" is
+set as above.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1045"
+></A
+>7.8.2.4. Windows 9X Profile Setup</H3
+><P
+>When a user first logs in on Windows 9X, the file user.DAT is created,
+as are folders "Start Menu", "Desktop", "Programs" and "Nethood".
+These directories and their contents will be merged with the local
+versions stored in c:\windows\profiles\username on subsequent logins,
+taking the most recent from each. You will need to use the [global]
+options "preserve case = yes", "short preserve case = yes" and
+"case sensitive = no" in order to maintain capital letters in shortcuts
+in any of the profile folders.</P
+><P
+>The user.DAT file contains all the user's preferences. If you wish to
+enforce a set of preferences, rename their user.DAT file to user.MAN,
+and deny them write access to this file.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> On the Windows 95 machine, go to Control Panel | Passwords and
+ select the User Profiles tab. Select the required level of
+ roaming preferences. Press OK, but do _not_ allow the computer
+ to reboot.
+ </P
+></LI
+><LI
+><P
+> On the Windows 95 machine, go to Control Panel | Network |
+ Client for Microsoft Networks | Preferences. Select 'Log on to
+ NT Domain'. Then, ensure that the Primary Logon is 'Client for
+ Microsoft Networks'. Press OK, and this time allow the computer
+ to reboot.
+ </P
+></LI
+></OL
+><P
+>Under Windows 95, Profiles are downloaded from the Primary Logon.
+If you have the Primary Logon as 'Client for Novell Networks', then
+the profiles and logon script will be downloaded from your Novell
+Server. If you have the Primary Logon as 'Windows Logon', then the
+profiles will be loaded from the local machine - a bit against the
+concept of roaming profiles, if you ask me.</P
+><P
+>You will now find that the Microsoft Networks Login box contains
+[user, password, domain] instead of just [user, password]. Type in
+the samba server's domain name (or any other domain known to exist,
+but bear in mind that the user will be authenticated against this
+domain and profiles downloaded from it, if that domain logon server
+supports it), user name and user's password.</P
+><P
+>Once the user has been successfully validated, the Windows 95 machine
+will inform you that 'The user has not logged on before' and asks you
+if you wish to save the user's preferences? Select 'yes'.</P
+><P
+>Once the Windows 95 client comes up with the desktop, you should be able
+to examine the contents of the directory specified in the "logon path"
+on the samba server and verify that the "Desktop", "Start Menu",
+"Programs" and "Nethood" folders have been created.</P
+><P
+>These folders will be cached locally on the client, and updated when
+the user logs off (if you haven't made them read-only by then :-).
+You will find that if the user creates further folders or short-cuts,
+that the client will merge the profile contents downloaded with the
+contents of the profile directory already on the local client, taking
+the newest folders and short-cuts from each set.</P
+><P
+>If you have made the folders / files read-only on the samba server,
+then you will get errors from the w95 machine on logon and logout, as
+it attempts to merge the local and the remote profile. Basically, if
+you have any errors reported by the w95 machine, check the Unix file
+permissions and ownership rights on the profile directory contents,
+on the samba server.</P
+><P
+>If you have problems creating user profiles, you can reset the user's
+local desktop cache, as shown below. When this user then next logs in,
+they will be told that they are logging in "for the first time".</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> instead of logging in under the [user, password, domain] dialog,
+ press escape.
+ </P
+></LI
+><LI
+><P
+> run the regedit.exe program, and look in:
+ </P
+><P
+> HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
+ </P
+><P
+> you will find an entry, for each user, of ProfilePath. Note the
+ contents of this key (likely to be c:\windows\profiles\username),
+ then delete the key ProfilePath for the required user.
+ </P
+><P
+> [Exit the registry editor].
+ </P
+></LI
+><LI
+><P
+> <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>WARNING</I
+></SPAN
+> - before deleting the contents of the
+ directory listed in
+ the ProfilePath (this is likely to be c:\windows\profiles\username),
+ ask them if they have any important files stored on their desktop
+ or in their start menu. delete the contents of the directory
+ ProfilePath (making a backup if any of the files are needed).
+ </P
+><P
+> This will have the effect of removing the local (read-only hidden
+ system file) user.DAT in their profile directory, as well as the
+ local "desktop", "nethood", "start menu" and "programs" folders.
+ </P
+></LI
+><LI
+><P
+> search for the user's .PWL password-caching file in the c:\windows
+ directory, and delete it.
+ </P
+></LI
+><LI
+><P
+> log off the windows 95 client.
+ </P
+></LI
+><LI
+><P
+> check the contents of the profile path (see "logon path" described
+ above), and delete the user.DAT or user.MAN file for the user,
+ making a backup if required.
+ </P
+></LI
+></OL
+><P
+>If all else fails, increase samba's debug log levels to between 3 and 10,
+and / or run a packet trace program such as tcpdump or netmon.exe, and
+look for any error reports.</P
+><P
+>If you have access to an NT server, then first set up roaming profiles
+and / or netlogons on the NT server. Make a packet trace, or examine
+the example packet traces provided with NT server, and see what the
+differences are with the equivalent samba trace.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1081"
+></A
+>7.8.2.5. Windows NT Workstation 4.0</H3
+><P
+>When a user first logs in to a Windows NT Workstation, the profile
+NTuser.DAT is created. The profile location can be now specified
+through the "logon path" parameter. </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>[lkcl 10aug97 - i tried setting the path to
+\\samba-server\homes\profile, and discovered that this fails because
+a background process maintains the connection to the [homes] share
+which does _not_ close down in between user logins. you have to
+have \\samba-server\%L\profile, where user is the username created
+from the [homes] share].</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>There is a parameter that is now available for use with NT Profiles:
+"logon drive". This should be set to "h:" or any other drive, and
+should be used in conjunction with the new "logon home" parameter.</P
+><P
+>The entry for the NT 4.0 profile is a _directory_ not a file. The NT
+help on profiles mentions that a directory is also created with a .PDS
+extension. The user, while logging in, must have write permission to
+create the full profile path (and the folder with the .PDS extension)
+[lkcl 10aug97 - i found that the creation of the .PDS directory failed,
+and had to create these manually for each user, with a shell script.
+also, i presume, but have not tested, that the full profile path must
+be browseable just as it is for w95, due to the manner in which they
+attempt to create the full profile path: test existence of each path
+component; create path component].</P
+><P
+>In the profile directory, NT creates more folders than 95. It creates
+"Application Data" and others, as well as "Desktop", "Nethood",
+"Start Menu" and "Programs". The profile itself is stored in a file
+NTuser.DAT. Nothing appears to be stored in the .PDS directory, and
+its purpose is currently unknown.</P
+><P
+>You can use the System Control Panel to copy a local profile onto
+a samba server (see NT Help on profiles: it is also capable of firing
+up the correct location in the System Control Panel for you). The
+NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
+turns a profile into a mandatory one.</P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>[lkcl 10aug97 - i notice that NT Workstation tells me that it is
+downloading a profile from a slow link. whether this is actually the
+case, or whether there is some configuration issue, as yet unknown,
+that makes NT Workstation _think_ that the link is a slow one is a
+matter to be resolved].</P
+><P
+>[lkcl 20aug97 - after samba digest correspondence, one user found, and
+another confirmed, that profiles cannot be loaded from a samba server
+unless "security = user" and "encrypt passwords = yes" (see the file
+ENCRYPTION.txt) or "security = server" and "password server = ip.address.
+of.yourNTserver" are used. Either of these options will allow the NT
+workstation to access the samba server using LAN manager encrypted
+passwords, without the user intervention normally required by NT
+workstation for clear-text passwords].</P
+><P
+>[lkcl 25aug97 - more comments received about NT profiles: the case of
+the profile _matters_. the file _must_ be called NTuser.DAT or, for
+a mandatory profile, NTuser.MAN].</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1094"
+></A
+>7.8.2.6. Windows NT Server</H3
+><P
+>There is nothing to stop you specifying any path that you like for the
+location of users' profiles. Therefore, you could specify that the
+profile be stored on a samba server, or any other SMB server, as long as
+that SMB server supports encrypted passwords.</P
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN1097"
+></A
+>7.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</H3
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TH
+ALIGN="LEFT"
+VALIGN="CENTER"
+><B
+>Potentially outdated or incorrect material follows</B
+></TH
+></TR
+><TR
+><TD
+> </TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>The default logon path is \\%N\%U. NT Workstation will attempt to create
+a directory "\\samba-server\username.PDS" if you specify the logon path
+as "\\samba-server\username" with the NT User Manager. Therefore, you
+will need to specify (for example) "\\samba-server\username\profile".
+NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
+is more likely to succeed.</P
+><P
+>If you then want to share the same Start Menu / Desktop with W95, you will
+need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
+this has its drawbacks: i created a shortcut to telnet.exe, which attempts
+to run from the c:\winnt\system32 directory. this directory is obviously
+unlikely to exist on a Win95-only host].</P
+><P
+> If you have this set up correctly, you will find separate user.DAT and
+NTuser.DAT files in the same profile directory.</P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>[lkcl 25aug97 - there are some issues to resolve with downloading of
+NT profiles, probably to do with time/date stamps. i have found that
+NTuser.DAT is never updated on the workstation after the first time that
+it is copied to the local workstation profile directory. this is in
+contrast to w95, where it _does_ transfer / update profiles correctly].</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1107"
+></A
+>7.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</H1
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/docbook-dsssl/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TH
+ALIGN="LEFT"
+VALIGN="CENTER"
+><B
+>Possibly Outdated Material</B
+></TH
+></TR
+><TR
+><TD
+> </TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+> This appendix was originally authored by John H Terpstra of
+ the Samba Team and is included here for posterity.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>NOTE :</I
+></SPAN
+>
+The term "Domain Controller" and those related to it refer to one specific
+method of authentication that can underly an SMB domain. Domain Controllers
+prior to Windows NT Server 3.1 were sold by various companies and based on
+private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
+Microsoft-specific ways of distributing the user authentication database.
+See DOMAIN.txt for examples of how Samba can participate in or create
+SMB domains based on shared authentication database schemes other than the
+Windows NT SAM.</P
+><P
+>Windows NT Server can be installed as either a plain file and print server
+(WORKGROUP workstation or server) or as a server that participates in Domain
+Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
+The same is true for OS/2 Warp Server, Digital Pathworks and other similar
+products, all of which can participate in Domain Control along with Windows NT.</P
+><P
+>To many people these terms can be confusing, so let's try to clear the air.</P
+><P
+>Every Windows NT system (workstation or server) has a registry database.
+The registry contains entries that describe the initialization information
+for all services (the equivalent of Unix Daemons) that run within the Windows
+NT environment. The registry also contains entries that tell application
+software where to find dynamically loadable libraries that they depend upon.
+In fact, the registry contains entries that describes everything that anything
+may need to know to interact with the rest of the system.</P
+><P
+>The registry files can be located on any Windows NT machine by opening a
+command prompt and typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT\></TT
+> dir %SystemRoot%\System32\config</P
+><P
+>The environment variable %SystemRoot% value can be obtained by typing:</P
+><P
+><TT
+CLASS="PROMPT"
+>C:\WINNT></TT
+>echo %SystemRoot%</P
+><P
+>The active parts of the registry that you may want to be familiar with are
+the files called: default, system, software, sam and security.</P
+><P
+>In a domain environment, Microsoft Windows NT domain controllers participate
+in replication of the SAM and SECURITY files so that all controllers within
+the domain have an exactly identical copy of each.</P
+><P
+>The Microsoft Windows NT system is structured within a security model that
+says that all applications and services must authenticate themselves before
+they can obtain permission from the security manager to do what they set out
+to do.</P
+><P
+>The Windows NT User database also resides within the registry. This part of
+the registry contains the user's security identifier, home directory, group
+memberships, desktop profile, and so on.</P
+><P
+>Every Windows NT system (workstation as well as server) will have its own
+registry. Windows NT Servers that participate in Domain Security control
+have a database that they share in common - thus they do NOT own an
+independent full registry database of their own, as do Workstations and
+plain Servers.</P
+><P
+>The User database is called the SAM (Security Access Manager) database and
+is used for all user authentication as well as for authentication of inter-
+process authentication (i.e. to ensure that the service action a user has
+requested is permitted within the limits of that user's privileges).</P
+><P
+>The Samba team have produced a utility that can dump the Windows NT SAM into
+smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
+/pub/samba/pwdump on your nearest Samba mirror for the utility. This
+facility is useful but cannot be easily used to implement SAM replication
+to Samba systems.</P
+><P
+>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
+can participate in a Domain security system that is controlled by Windows NT
+servers that have been correctly configured. Almost every domain will have
+ONE Primary Domain Controller (PDC). It is desirable that each domain will
+have at least one Backup Domain Controller (BDC).</P
+><P
+>The PDC and BDCs then participate in replication of the SAM database so that
+each Domain Controlling participant will have an up to date SAM component
+within its registry.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="samba-bdc.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>User and Share security level (for servers not in a domain)</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="type.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Type of installation</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="PREVIOUS"
+TITLE="LanMan and NT Password Encryption in Samba"
+HREF="pwencrypt.html"><LINK
+REL="NEXT"
+TITLE="User and Share security level (for servers not in a domain)"
+HREF="securitylevels.html"></HEAD
+><BODY
+CLASS="PART"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="pwencrypt.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="PART"
+><A
+NAME="TYPE"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+>II. Type of installation</H1
+><DIV
+CLASS="PARTINTRO"
+><A
+NAME="AEN547"
+></A
+><H1
+>Introduction</H1
+><P
+>Samba can operate in various SMB networks. This part contains information on configuring samba
+for various environments.</P
+></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>6. <A
+HREF="securitylevels.html"
+>User and Share security level (for servers not in a domain)</A
+></DT
+><DT
+>7. <A
+HREF="samba-pdc.html"
+>How to Configure Samba as a NT4 Primary Domain Controller</A
+></DT
+><DD
+><DL
+><DT
+>7.1. <A
+HREF="samba-pdc.html#AEN591"
+>Prerequisite Reading</A
+></DT
+><DT
+>7.2. <A
+HREF="samba-pdc.html#AEN597"
+>Background</A
+></DT
+><DT
+>7.3. <A
+HREF="samba-pdc.html#AEN636"
+>Configuring the Samba Domain Controller</A
+></DT
+><DT
+>7.4. <A
+HREF="samba-pdc.html#AEN679"
+>Creating Machine Trust Accounts and Joining Clients to the
+Domain</A
+></DT
+><DD
+><DL
+><DT
+>7.4.1. <A
+HREF="samba-pdc.html#AEN698"
+>Manual Creation of Machine Trust Accounts</A
+></DT
+><DT
+>7.4.2. <A
+HREF="samba-pdc.html#AEN739"
+>"On-the-Fly" Creation of Machine Trust Accounts</A
+></DT
+><DT
+>7.4.3. <A
+HREF="samba-pdc.html#AEN748"
+>Joining the Client to the Domain</A
+></DT
+></DL
+></DD
+><DT
+>7.5. <A
+HREF="samba-pdc.html#AEN763"
+>Common Problems and Errors</A
+></DT
+><DT
+>7.6. <A
+HREF="samba-pdc.html#AEN811"
+>System Policies and Profiles</A
+></DT
+><DT
+>7.7. <A
+HREF="samba-pdc.html#AEN855"
+>What other help can I get?</A
+></DT
+><DT
+>7.8. <A
+HREF="samba-pdc.html#AEN969"
+>Domain Control for Windows 9x/ME</A
+></DT
+><DD
+><DL
+><DT
+>7.8.1. <A
+HREF="samba-pdc.html#AEN995"
+>Configuration Instructions: Network Logons</A
+></DT
+><DT
+>7.8.2. <A
+HREF="samba-pdc.html#AEN1014"
+>Configuration Instructions: Setting up Roaming User Profiles</A
+></DT
+></DL
+></DD
+><DT
+>7.9. <A
+HREF="samba-pdc.html#AEN1107"
+>DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A
+></DT
+></DL
+></DD
+><DT
+>8. <A
+HREF="samba-bdc.html"
+>How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</A
+></DT
+><DD
+><DL
+><DT
+>8.1. <A
+HREF="samba-bdc.html#AEN1143"
+>Prerequisite Reading</A
+></DT
+><DT
+>8.2. <A
+HREF="samba-bdc.html#AEN1147"
+>Background</A
+></DT
+><DT
+>8.3. <A
+HREF="samba-bdc.html#AEN1155"
+>What qualifies a Domain Controller on the network?</A
+></DT
+><DD
+><DL
+><DT
+>8.3.1. <A
+HREF="samba-bdc.html#AEN1158"
+>How does a Workstation find its domain controller?</A
+></DT
+><DT
+>8.3.2. <A
+HREF="samba-bdc.html#AEN1161"
+>When is the PDC needed?</A
+></DT
+></DL
+></DD
+><DT
+>8.4. <A
+HREF="samba-bdc.html#AEN1164"
+>Can Samba be a Backup Domain Controller?</A
+></DT
+><DT
+>8.5. <A
+HREF="samba-bdc.html#AEN1168"
+>How do I set up a Samba BDC?</A
+></DT
+><DD
+><DL
+><DT
+>8.5.1. <A
+HREF="samba-bdc.html#AEN1185"
+>How do I replicate the smbpasswd file?</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>9. <A
+HREF="ads.html"
+>Samba as a ADS domain member</A
+></DT
+><DD
+><DL
+><DT
+>9.1. <A
+HREF="ads.html#AEN1203"
+>Installing the required packages for Debian</A
+></DT
+><DT
+>9.2. <A
+HREF="ads.html#AEN1209"
+>Installing the required packages for RedHat</A
+></DT
+><DT
+>9.3. <A
+HREF="ads.html#AEN1218"
+>Compile Samba</A
+></DT
+><DT
+>9.4. <A
+HREF="ads.html#AEN1230"
+>Setup your /etc/krb5.conf</A
+></DT
+><DT
+>9.5. <A
+HREF="ads.html#AEN1240"
+>Create the computer account</A
+></DT
+><DD
+><DL
+><DT
+>9.5.1. <A
+HREF="ads.html#AEN1244"
+>Possible errors</A
+></DT
+></DL
+></DD
+><DT
+>9.6. <A
+HREF="ads.html#AEN1256"
+>Test your server setup</A
+></DT
+><DT
+>9.7. <A
+HREF="ads.html#AEN1261"
+>Testing with smbclient</A
+></DT
+><DT
+>9.8. <A
+HREF="ads.html#AEN1264"
+>Notes</A
+></DT
+></DL
+></DD
+><DT
+>10. <A
+HREF="domain-security.html"
+>Samba as a NT4 domain member</A
+></DT
+><DD
+><DL
+><DT
+>10.1. <A
+HREF="domain-security.html#AEN1286"
+>Joining an NT Domain with Samba 2.2</A
+></DT
+><DT
+>10.2. <A
+HREF="domain-security.html#AEN1350"
+>Samba and Windows 2000 Domains</A
+></DT
+><DT
+>10.3. <A
+HREF="domain-security.html#AEN1355"
+>Why is this better than security = server?</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="pwencrypt.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>LanMan and NT Password Encryption in Samba</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+> </TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>User and Share security level (for servers not in a domain)</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Stackable VFS modules</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Optional configuration"
+HREF="optional.html"><LINK
+REL="PREVIOUS"
+TITLE="Passdb XML plugin"
+HREF="pdb-xml.html"><LINK
+REL="NEXT"
+TITLE="Storing Samba's User/Machine Account information in an LDAP Directory"
+HREF="samba-ldap-howto.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="pdb-xml.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="samba-ldap-howto.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="VFS"
+></A
+>Chapter 19. Stackable VFS modules</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2651"
+></A
+>19.1. Introduction and configuration</H1
+><P
+>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules.
+Samba passes each request to access the unix file system thru the loaded VFS modules.
+This chapter covers all the modules that come with the samba source and references to
+some external modules.</P
+><P
+>You may have problems to compile these modules, as shared libraries are
+compiled and linked in different ways on different systems.
+I currently tested them against GNU/linux and IRIX.</P
+><P
+>To use the VFS modules, create a share similar to the one below. The
+important parameter is the <B
+CLASS="COMMAND"
+>vfs object</B
+> parameter which must point to
+the exact pathname of the shared library object. For example, to use audit.so:
+
+<PRE
+CLASS="PROGRAMLISTING"
+> [audit]
+ comment = Audited /data directory
+ path = /data
+ vfs object = /path/to/audit.so
+ writeable = yes
+ browseable = yes</PRE
+></P
+><P
+>Further documentation on writing VFS modules for Samba can be found in
+docs directory of the Samba source distribution.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2659"
+></A
+>19.2. Included modules</H1
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2661"
+></A
+>19.2.1. audit</H2
+><P
+>A simple module to audit file access to the syslog
+facility. The following operations are logged:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>share</TD
+></TR
+><TR
+><TD
+>connect/disconnect</TD
+></TR
+><TR
+><TD
+>directory opens/create/remove</TD
+></TR
+><TR
+><TD
+>file open/close/rename/unlink/chmod</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2669"
+></A
+>19.2.2. recycle</H2
+><P
+>A recycle-bin like modules. When used any unlink call
+will be intercepted and files moved to the recycle
+directory instead of beeing deleted.</P
+><P
+>Supported options:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>vfs_recycle_bin:repository</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:keeptree</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:versions</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:touch</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:maxsize</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:exclude</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:exclude_dir</DT
+><DD
+><P
+>FIXME</P
+></DD
+><DT
+>vfs_recycle_bin:noversions</DT
+><DD
+><P
+>FIXME</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2706"
+></A
+>19.2.3. netatalk</H2
+><P
+>A netatalk module, that will ease co-existence of samba and
+netatalk file sharing services.</P
+><P
+>Advantages compared to the old netatalk module:
+<P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD
+></TR
+><TR
+><TD
+>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2713"
+></A
+>19.3. VFS modules available elsewhere</H1
+><P
+>This section contains a listing of various other VFS modules that
+have been posted but don't currently reside in the Samba CVS
+tree for one reason ot another (e.g. it is easy for the maintainer
+to have his or her own CVS tree).</P
+><P
+>No statemets about the stability or functionality any module
+should be implied due to its presence here.</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2717"
+></A
+>19.3.1. DatabaseFS</H2
+><P
+>URL: <A
+HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php"
+TARGET="_top"
+>http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A
+></P
+><P
+>By <A
+HREF="mailto:elorimer@css.tayloru.edu"
+TARGET="_top"
+>Eric Lorimer</A
+>.</P
+><P
+>I have created a VFS module which implements a fairly complete read-only
+filesystem. It presents information from a database as a filesystem in
+a modular and generic way to allow different databases to be used
+(originally designed for organizing MP3s under directories such as
+"Artists," "Song Keywords," etc... I have since applied it to a student
+roster database very easily). The directory structure is stored in the
+database itself and the module makes no assumptions about the database
+structure beyond the table it requires to run.</P
+><P
+>Any feedback would be appreciated: comments, suggestions, patches,
+etc... If nothing else, hopefully it might prove useful for someone
+else who wishes to create a virtual filesystem.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2725"
+></A
+>19.3.2. vscan</H2
+><P
+>URL: <A
+HREF="http://www.openantivirus.org/"
+TARGET="_top"
+>http://www.openantivirus.org/</A
+></P
+><P
+>samba-vscan is a proof-of-concept module for Samba, which
+uses the VFS (virtual file system) features of Samba 2.2.x/3.0
+alphaX. Of couse, Samba has to be compiled with VFS support.
+samba-vscan supports various virus scanners and is maintained
+by Rainer Link.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="pdb-xml.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="samba-ldap-howto.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Passdb XML plugin</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="optional.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Storing Samba's User/Machine Account information in an LDAP Directory</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
--- /dev/null
+/*
+ * Auditing VFS module for samba. Log selected file operations to syslog
+ * facility.
+ *
+ * Copyright (C) Tim Potter, 1999-2000
+ * Copyright (C) Alexander Bokovoy, 2002
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <sys/stat.h>
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#endif
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <syslog.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+#include <string.h>
+#include <includes.h>
+#include <vfs.h>
+
+#ifndef SYSLOG_FACILITY
+#define SYSLOG_FACILITY LOG_USER
+#endif
+
+#ifndef SYSLOG_PRIORITY
+#define SYSLOG_PRIORITY LOG_NOTICE
+#endif
+
+/* Function prototypes */
+
+static int audit_connect(struct connection_struct *conn, const char *svc, const char *user);
+static void audit_disconnect(struct connection_struct *conn);
+static DIR *audit_opendir(struct connection_struct *conn, const char *fname);
+static int audit_mkdir(struct connection_struct *conn, const char *path, mode_t mode);
+static int audit_rmdir(struct connection_struct *conn, const char *path);
+static int audit_open(struct connection_struct *conn, const char *fname, int flags, mode_t mode);
+static int audit_close(struct files_struct *fsp, int fd);
+static int audit_rename(struct connection_struct *conn, const char *old, const char *new);
+static int audit_unlink(struct connection_struct *conn, const char *path);
+static int audit_chmod(struct connection_struct *conn, const char *path, mode_t mode);
+static int audit_chmod_acl(struct connection_struct *conn, const char *name, mode_t mode);
+static int audit_fchmod(struct files_struct *fsp, int fd, mode_t mode);
+static int audit_fchmod_acl(struct files_struct *fsp, int fd, mode_t mode);
+
+/* VFS operations */
+
+static struct vfs_ops default_vfs_ops; /* For passthrough operation */
+static struct smb_vfs_handle_struct *audit_handle;
+
+static vfs_op_tuple audit_ops[] = {
+
+ /* Disk operations */
+
+ {audit_connect, SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_LOGGER},
+ {audit_disconnect, SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_LOGGER},
+
+ /* Directory operations */
+
+ {audit_opendir, SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_LOGGER},
+ {audit_mkdir, SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_LOGGER},
+ {audit_rmdir, SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_LOGGER},
+
+ /* File operations */
+
+ {audit_open, SMB_VFS_OP_OPEN, SMB_VFS_LAYER_LOGGER},
+ {audit_close, SMB_VFS_OP_CLOSE, SMB_VFS_LAYER_LOGGER},
+ {audit_rename, SMB_VFS_OP_RENAME, SMB_VFS_LAYER_LOGGER},
+ {audit_unlink, SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_LOGGER},
+ {audit_chmod, SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_LOGGER},
+ {audit_fchmod, SMB_VFS_OP_FCHMOD, SMB_VFS_LAYER_LOGGER},
+ {audit_chmod_acl, SMB_VFS_OP_CHMOD_ACL, SMB_VFS_LAYER_LOGGER},
+ {audit_fchmod_acl, SMB_VFS_OP_FCHMOD_ACL, SMB_VFS_LAYER_LOGGER},
+
+ /* Finish VFS operations definition */
+
+ {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+/* VFS initialisation function. Return vfs_op_tuple array back to SAMBA. */
+
+vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops,
+ struct smb_vfs_handle_struct *vfs_handle)
+{
+ *vfs_version = SMB_VFS_INTERFACE_VERSION;
+ memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops));
+
+ audit_handle = vfs_handle;
+
+ openlog("smbd_audit", LOG_PID, SYSLOG_FACILITY);
+ syslog(SYSLOG_PRIORITY, "VFS_INIT: vfs_ops loaded\n");
+ return audit_ops;
+}
+
+/* VFS finalization function. */
+void vfs_done(connection_struct *conn)
+{
+ syslog(SYSLOG_PRIORITY, "VFS_DONE: vfs module unloaded\n");
+}
+
+/* Implementation of vfs_ops. Pass everything on to the default
+ operation but log event first. */
+
+static int audit_connect(struct connection_struct *conn, const char *svc, const char *user)
+{
+ syslog(SYSLOG_PRIORITY, "connect to service %s by user %s\n",
+ svc, user);
+
+ return default_vfs_ops.connect(conn, svc, user);
+}
+
+static void audit_disconnect(struct connection_struct *conn)
+{
+ syslog(SYSLOG_PRIORITY, "disconnected\n");
+ default_vfs_ops.disconnect(conn);
+}
+
+static DIR *audit_opendir(struct connection_struct *conn, const char *fname)
+{
+ DIR *result = default_vfs_ops.opendir(conn, fname);
+
+ syslog(SYSLOG_PRIORITY, "opendir %s %s%s\n",
+ fname,
+ (result == NULL) ? "failed: " : "",
+ (result == NULL) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_mkdir(struct connection_struct *conn, const char *path, mode_t mode)
+{
+ int result = default_vfs_ops.mkdir(conn, path, mode);
+
+ syslog(SYSLOG_PRIORITY, "mkdir %s %s%s\n",
+ path,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_rmdir(struct connection_struct *conn, const char *path)
+{
+ int result = default_vfs_ops.rmdir(conn, path);
+
+ syslog(SYSLOG_PRIORITY, "rmdir %s %s%s\n",
+ path,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_open(struct connection_struct *conn, const char *fname, int flags, mode_t mode)
+{
+ int result = default_vfs_ops.open(conn, fname, flags, mode);
+
+ syslog(SYSLOG_PRIORITY, "open %s (fd %d) %s%s%s\n",
+ fname, result,
+ ((flags & O_WRONLY) || (flags & O_RDWR)) ? "for writing " : "",
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_close(struct files_struct *fsp, int fd)
+{
+ int result = default_vfs_ops.close(fsp, fd);
+
+ syslog(SYSLOG_PRIORITY, "close fd %d %s%s\n",
+ fd,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_rename(struct connection_struct *conn, const char *old, const char *new)
+{
+ int result = default_vfs_ops.rename(conn, old, new);
+
+ syslog(SYSLOG_PRIORITY, "rename %s -> %s %s%s\n",
+ old, new,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_unlink(struct connection_struct *conn, const char *path)
+{
+ int result = default_vfs_ops.unlink(conn, path);
+
+ syslog(SYSLOG_PRIORITY, "unlink %s %s%s\n",
+ path,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_chmod(struct connection_struct *conn, const char *path, mode_t mode)
+{
+ int result = default_vfs_ops.chmod(conn, path, mode);
+
+ syslog(SYSLOG_PRIORITY, "chmod %s mode 0x%x %s%s\n",
+ path, mode,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_chmod_acl(struct connection_struct *conn, const char *path, mode_t mode)
+{
+ int result = default_vfs_ops.chmod_acl(conn, path, mode);
+
+ syslog(SYSLOG_PRIORITY, "chmod_acl %s mode 0x%x %s%s\n",
+ path, mode,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_fchmod(struct files_struct *fsp, int fd, mode_t mode)
+{
+ int result = default_vfs_ops.fchmod(fsp, fd, mode);
+
+ syslog(SYSLOG_PRIORITY, "fchmod %s mode 0x%x %s%s\n",
+ fsp->fsp_name, mode,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
+
+static int audit_fchmod_acl(struct files_struct *fsp, int fd, mode_t mode)
+{
+ int result = default_vfs_ops.fchmod_acl(fsp, fd, mode);
+
+ syslog(SYSLOG_PRIORITY, "fchmod_acl %s mode 0x%x %s%s\n",
+ fsp->fsp_name, mode,
+ (result < 0) ? "failed: " : "",
+ (result < 0) ? strerror(errno) : "");
+
+ return result;
+}
--- /dev/null
+/*
+ * AppleTalk VFS module for Samba-3.x
+ *
+ * Copyright (C) Alexei Kotovich, 2002
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <sys/stat.h>
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#endif
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+#include <string.h>
+#include <includes.h>
+#include <vfs.h>
+
+#define APPLEDOUBLE ".AppleDouble"
+#define ADOUBLEMODE 0777
+
+/* atalk functions */
+
+static int atalk_build_paths(TALLOC_CTX *ctx, const char *path,
+ const char *fname, char **adbl_path, char **orig_path,
+ SMB_STRUCT_STAT *adbl_info, SMB_STRUCT_STAT *orig_info);
+
+static int atalk_unlink_file(const char *path);
+
+static struct vfs_ops default_vfs_ops; /* For passthrough operation */
+static struct smb_vfs_handle_struct *atalk_handle;
+
+static int atalk_get_path_ptr(char *path)
+{
+ int i = 0;
+ int ptr = 0;
+
+ for (i = 0; path[i]; i ++) {
+ if (path[i] == '/')
+ ptr = i;
+ /* get out some 'spam';) from win32's file name */
+ else if (path[i] == ':') {
+ path[i] = '\0';
+ break;
+ }
+ }
+
+ return ptr;
+}
+
+static int atalk_build_paths(TALLOC_CTX *ctx, const char *path, const char *fname,
+ char **adbl_path, char **orig_path,
+ SMB_STRUCT_STAT *adbl_info, SMB_STRUCT_STAT *orig_info)
+{
+ int ptr0 = 0;
+ int ptr1 = 0;
+ char *dname = 0;
+ char *name = 0;
+
+ if (!ctx || !path || !fname || !adbl_path || !orig_path ||
+ !adbl_info || !orig_info)
+ return -1;
+#if 0
+ DEBUG(3, ("ATALK: PATH: %s[%s]\n", path, fname));
+#endif
+ if (strstr(path, APPLEDOUBLE) || strstr(fname, APPLEDOUBLE)) {
+ DEBUG(3, ("ATALK: path %s[%s] already contains %s\n", path, fname, APPLEDOUBLE));
+ return -1;
+ }
+
+ if (fname[0] == '.') ptr0 ++;
+ if (fname[1] == '/') ptr0 ++;
+
+ *orig_path = talloc_asprintf(ctx, "%s/%s", path, &fname[ptr0]);
+
+ /* get pointer to last '/' */
+ ptr1 = atalk_get_path_ptr(*orig_path);
+
+ sys_lstat(*orig_path, orig_info);
+
+ if (S_ISDIR(orig_info->st_mode)) {
+ *adbl_path = talloc_asprintf(ctx, "%s/%s/%s/",
+ path, &fname[ptr0], APPLEDOUBLE);
+ } else {
+ dname = talloc_strdup(ctx, *orig_path);
+ dname[ptr1] = '\0';
+ name = *orig_path;
+ *adbl_path = talloc_asprintf(ctx, "%s/%s/%s",
+ dname, APPLEDOUBLE, &name[ptr1 + 1]);
+ }
+#if 0
+ DEBUG(3, ("ATALK: DEBUG:\n%s\n%s\n", *orig_path, *adbl_path));
+#endif
+ sys_lstat(*adbl_path, adbl_info);
+ return 0;
+}
+
+static int atalk_unlink_file(const char *path)
+{
+ int ret = 0;
+
+ become_root();
+ ret = unlink(path);
+ unbecome_root();
+
+ return ret;
+}
+
+static void atalk_add_to_list(name_compare_entry **list)
+{
+ int i, count = 0;
+ name_compare_entry *new_list = 0;
+ name_compare_entry *cur_list = 0;
+
+ cur_list = *list;
+
+ if (cur_list) {
+ for (i = 0, count = 0; cur_list[i].name; i ++, count ++) {
+ if (strstr(cur_list[i].name, APPLEDOUBLE))
+ return;
+ }
+ }
+
+ if (!(new_list = calloc(1,
+ (count == 0 ? 1 : count + 1) * sizeof(name_compare_entry))))
+ return;
+
+ for (i = 0; i < count; i ++) {
+ new_list[i].name = strdup(cur_list[i].name);
+ new_list[i].is_wild = cur_list[i].is_wild;
+ }
+
+ new_list[i].name = strdup(APPLEDOUBLE);
+ new_list[i].is_wild = False;
+
+ free_namearray(*list);
+
+ *list = new_list;
+ new_list = 0;
+ cur_list = 0;
+}
+
+static void atalk_rrmdir(TALLOC_CTX *ctx, char *path)
+{
+ int n;
+ char *dpath;
+ struct dirent **namelist;
+
+ if (!path) return;
+
+ n = scandir(path, &namelist, 0, alphasort);
+ if (n < 0) {
+ return;
+ } else {
+ while (n --) {
+ if (strcmp(namelist[n]->d_name, ".") == 0 ||
+ strcmp(namelist[n]->d_name, "..") == 0)
+ continue;
+ if (!(dpath = talloc_asprintf(ctx, "%s/%s",
+ path, namelist[n]->d_name)))
+ continue;
+ atalk_unlink_file(dpath);
+ free(namelist[n]);
+ }
+ }
+}
+
+/* Disk operations */
+
+/* Directory operations */
+
+DIR *atalk_opendir(struct connection_struct *conn, const char *fname)
+{
+ DIR *ret = 0;
+
+ ret = default_vfs_ops.opendir(conn, fname);
+
+ /*
+ * when we try to perform delete operation upon file which has fork
+ * in ./.AppleDouble and this directory wasn't hidden by Samba,
+ * MS Windows explorer causes the error: "Cannot find the specified file"
+ * There is some workaround to avoid this situation, i.e. if
+ * connection has not .AppleDouble entry in either veto or hide
+ * list then it would be nice to add one.
+ */
+
+ atalk_add_to_list(&conn->hide_list);
+ atalk_add_to_list(&conn->veto_list);
+
+ return ret;
+}
+
+static int atalk_rmdir(struct connection_struct *conn, const char *path)
+{
+ BOOL add = False;
+ TALLOC_CTX *ctx = 0;
+ char *dpath;
+
+ if (!conn || !conn->origpath || !path) goto exit_rmdir;
+
+ /* due to there is no way to change bDeleteVetoFiles variable
+ * from this module, gotta use talloc stuff..
+ */
+
+ strstr(path, APPLEDOUBLE) ? (add = False) : (add = True);
+
+ if (!(ctx = talloc_init_named("remove_directory")))
+ goto exit_rmdir;
+
+ if (!(dpath = talloc_asprintf(ctx, "%s/%s%s",
+ conn->origpath, path, add ? "/"APPLEDOUBLE : "")))
+ goto exit_rmdir;
+
+ atalk_rrmdir(ctx, dpath);
+
+exit_rmdir:
+ talloc_destroy(ctx);
+ return default_vfs_ops.rmdir(conn, path);
+}
+
+/* File operations */
+
+static int atalk_rename(struct connection_struct *conn, const char *old, const char *new)
+{
+ int ret = 0;
+ char *adbl_path = 0;
+ char *orig_path = 0;
+ SMB_STRUCT_STAT adbl_info;
+ SMB_STRUCT_STAT orig_info;
+ TALLOC_CTX *ctx;
+
+ ret = default_vfs_ops.rename(conn, old, new);
+
+ if (!conn || !old) return ret;
+
+ if (!(ctx = talloc_init_named("rename_file")))
+ return ret;
+
+ if (atalk_build_paths(ctx, conn->origpath, old, &adbl_path, &orig_path,
+ &adbl_info, &orig_info) != 0)
+ return ret;
+
+ if (S_ISDIR(orig_info.st_mode) || S_ISREG(orig_info.st_mode)) {
+ DEBUG(3, ("ATALK: %s has passed..\n", adbl_path));
+ goto exit_rename;
+ }
+
+ atalk_unlink_file(adbl_path);
+
+exit_rename:
+ talloc_destroy(ctx);
+ return ret;
+}
+
+static int atalk_unlink(struct connection_struct *conn, const char *path)
+{
+ int ret = 0, i;
+ char *adbl_path = 0;
+ char *orig_path = 0;
+ SMB_STRUCT_STAT adbl_info;
+ SMB_STRUCT_STAT orig_info;
+ TALLOC_CTX *ctx;
+
+ ret = default_vfs_ops.unlink(conn, path);
+
+ if (!conn || !path) return ret;
+
+ /* no .AppleDouble sync if veto or hide list is empty,
+ * otherwise "Cannot find the specified file" error will be caused
+ */
+
+ if (!conn->veto_list) return ret;
+ if (!conn->hide_list) return ret;
+
+ for (i = 0; conn->veto_list[i].name; i ++) {
+ if (strstr(conn->veto_list[i].name, APPLEDOUBLE))
+ break;
+ }
+
+ if (!conn->veto_list[i].name) {
+ for (i = 0; conn->hide_list[i].name; i ++) {
+ if (strstr(conn->hide_list[i].name, APPLEDOUBLE))
+ break;
+ else {
+ DEBUG(3, ("ATALK: %s is not hidden, skipped..\n",
+ APPLEDOUBLE));
+ return ret;
+ }
+ }
+ }
+
+ if (!(ctx = talloc_init_named("unlink_file")))
+ return ret;
+
+ if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path,
+ &adbl_info, &orig_info) != 0)
+ return ret;
+
+ if (S_ISDIR(orig_info.st_mode) || S_ISREG(orig_info.st_mode)) {
+ DEBUG(3, ("ATALK: %s has passed..\n", adbl_path));
+ goto exit_unlink;
+ }
+
+ atalk_unlink_file(adbl_path);
+
+exit_unlink:
+ talloc_destroy(ctx);
+ return ret;
+}
+
+static int atalk_chmod(struct connection_struct *conn, const char *path, mode_t mode)
+{
+ int ret = 0;
+ char *adbl_path = 0;
+ char *orig_path = 0;
+ SMB_STRUCT_STAT adbl_info;
+ SMB_STRUCT_STAT orig_info;
+ TALLOC_CTX *ctx;
+
+ ret = default_vfs_ops.chmod(conn, path, mode);
+
+ if (!conn || !path) return ret;
+
+ if (!(ctx = talloc_init_named("chmod_file")))
+ return ret;
+
+ if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path,
+ &adbl_info, &orig_info) != 0)
+ return ret;
+
+ if (!S_ISDIR(orig_info.st_mode) && !S_ISREG(orig_info.st_mode)) {
+ DEBUG(3, ("ATALK: %s has passed..\n", orig_path));
+ goto exit_chmod;
+ }
+
+ chmod(adbl_path, ADOUBLEMODE);
+
+exit_chmod:
+ talloc_destroy(ctx);
+ return ret;
+}
+
+static int atalk_chown(struct connection_struct *conn, const char *path, uid_t uid, gid_t gid)
+{
+ int ret = 0;
+ char *adbl_path = 0;
+ char *orig_path = 0;
+ SMB_STRUCT_STAT adbl_info;
+ SMB_STRUCT_STAT orig_info;
+ TALLOC_CTX *ctx;
+
+ ret = default_vfs_ops.chown(conn, path, uid, gid);
+
+ if (!conn || !path) return ret;
+
+ if (!(ctx = talloc_init_named("chown_file")))
+ return ret;
+
+ if (atalk_build_paths(ctx, conn->origpath, path, &adbl_path, &orig_path,
+ &adbl_info, &orig_info) != 0)
+ return ret;
+
+ if (!S_ISDIR(orig_info.st_mode) && !S_ISREG(orig_info.st_mode)) {
+ DEBUG(3, ("ATALK: %s has passed..\n", orig_path));
+ goto exit_chown;
+ }
+
+ chown(adbl_path, uid, gid);
+
+exit_chown:
+ talloc_destroy(ctx);
+ return ret;
+}
+
+static vfs_op_tuple atalk_ops[] = {
+
+ /* Directory operations */
+
+ {atalk_opendir, SMB_VFS_OP_OPENDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {atalk_rmdir, SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* File operations */
+
+ {atalk_rename, SMB_VFS_OP_RENAME, SMB_VFS_LAYER_TRANSPARENT},
+ {atalk_unlink, SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
+ {atalk_chmod, SMB_VFS_OP_CHMOD, SMB_VFS_LAYER_TRANSPARENT},
+ {atalk_chown, SMB_VFS_OP_CHOWN, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* Finish VFS operations definition */
+
+ {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+/* VFS initialisation function. Return vfs_op_tuple array back to SAMBA. */
+vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops,
+ struct smb_vfs_handle_struct *vfs_handle)
+{
+ *vfs_version = SMB_VFS_INTERFACE_VERSION;
+ memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops));
+
+ atalk_handle = vfs_handle;
+
+ DEBUG(3, ("ATALK: vfs module loaded\n"));
+ return atalk_ops;
+}
+
+/* VFS finalization function. */
+void vfs_done(connection_struct *conn)
+{
+ DEBUG(3, ("ATALK: vfs module unloaded\n"));
+}
--- /dev/null
+/*
+ * Recycle bin VFS module for Samba.
+ *
+ * Copyright (C) 2001, Brandon Stone, Amherst College, <bbstone@amherst.edu>.
+ * Copyright (C) 2002, Jeremy Allison - modified to make a VFS module.
+ * Copyright (C) 2002, Alexander Bokovoy - cascaded VFS adoption,
+ * Copyright (C) 2002, Juergen Hasch - added some options.
+ * Copyright (C) 2002, Simo Sorce
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#define ALLOC_CHECK(ptr, label) do { if ((ptr) == NULL) { DEBUG(0, ("recycle.bin: out of memory!\n")); errno = ENOMEM; goto label; } } while(0)
+
+static int vfs_recycle_debug_level = DBGC_VFS;
+
+#undef DBGC_CLASS
+#define DBGC_CLASS vfs_recycle_debug_level
+
+static const char *delimiter = "|"; /* delimiter for options */
+
+/* One per connection */
+
+typedef struct recycle_bin_struct
+{
+ TALLOC_CTX *ctx;
+ char *repository; /* name of the recycle bin directory */
+ BOOL keep_dir_tree; /* keep directory structure of deleted file in recycle bin */
+ BOOL versions; /* create versions of deleted files with identical name */
+ BOOL touch; /* touch access date of deleted file */
+ char *exclude; /* which files to exclude */
+ char *exclude_dir; /* which directories to exclude */
+ char *noversions; /* which files to exclude from versioning */
+ SMB_OFF_T maxsize; /* maximum file size to be saved */
+} recycle_bin_struct;
+
+/* VFS operations */
+static struct vfs_ops default_vfs_ops; /* For passthrough operation */
+
+static int recycle_connect(struct connection_struct *conn, const char *service, const char *user);
+static void recycle_disconnect(struct connection_struct *conn);
+static int recycle_unlink(connection_struct *, const char *);
+
+#define VFS_OP(x) ((void *) x)
+
+static vfs_op_tuple recycle_ops[] = {
+
+ /* Disk operations */
+ {VFS_OP(recycle_connect), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {VFS_OP(recycle_disconnect), SMB_VFS_OP_DISCONNECT, SMB_VFS_LAYER_TRANSPARENT},
+
+ /* File operations */
+ {VFS_OP(recycle_unlink), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
+
+ {NULL, SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+};
+
+static BOOL check_bool_param(const char *value)
+{
+ if (strwicmp(value, "yes") == 0 ||
+ strwicmp(value, "true") == 0 ||
+ strwicmp(value, "1") == 0)
+ return True;
+
+ return False;
+}
+
+/**
+ * VFS initialisation function.
+ *
+ * @retval initialised vfs_op_tuple array
+ **/
+vfs_op_tuple *vfs_init(int *vfs_version, struct vfs_ops *def_vfs_ops,
+ struct smb_vfs_handle_struct *vfs_handle)
+{
+ DEBUG(10, ("Initializing VFS module recycle\n"));
+ *vfs_version = SMB_VFS_INTERFACE_VERSION;
+ memcpy(&default_vfs_ops, def_vfs_ops, sizeof(struct vfs_ops));
+ vfs_recycle_debug_level = debug_add_class("vfs_recycle_bin");
+ if (vfs_recycle_debug_level == -1) {
+ vfs_recycle_debug_level = DBGC_VFS;
+ DEBUG(0, ("vfs_recycle: Couldn't register custom debugging class!\n"));
+ } else {
+ DEBUG(0, ("vfs_recycle: Debug class number of 'vfs_recycle': %d\n", vfs_recycle_debug_level));
+ }
+
+ return recycle_ops;
+}
+
+/**
+ * VFS finalization function.
+ *
+ **/
+void vfs_done(connection_struct *conn)
+{
+ DEBUG(10,("Called for connection %d\n", SNUM(conn)));
+}
+
+static int recycle_connect(struct connection_struct *conn, const char *service, const char *user)
+{
+ TALLOC_CTX *ctx = NULL;
+ recycle_bin_struct *recbin;
+ char *servicename;
+ char *tmp_str;
+
+ DEBUG(10, ("Called for service %s (%d) as user %s\n", service, SNUM(conn), user));
+
+ if (!(ctx = talloc_init_named("recycle bin"))) {
+ DEBUG(0, ("Failed to allocate memory in VFS module recycle_bin\n"));
+ return 0;
+ }
+
+ recbin = talloc(ctx,sizeof(recycle_bin_struct));
+ if ( recbin == NULL) {
+ DEBUG(0, ("Failed to allocate memory in VFS module recycle_bin\n"));
+ return -1;
+ }
+ recbin->ctx = ctx;
+
+ /* Set defaults */
+ recbin->repository = talloc_strdup(ctx, ".recycle");
+ ALLOC_CHECK(recbin->repository, error);
+ recbin->keep_dir_tree = False;
+ recbin->versions = False;
+ recbin->touch = False;
+ recbin->exclude = "";
+ recbin->exclude_dir = "";
+ recbin->noversions = "";
+ recbin->maxsize = 0;
+
+ /* parse configuration options */
+ servicename = talloc_strdup(recbin->ctx, lp_servicename(SNUM(conn)));
+ DEBUG(10, ("servicename = %s\n",servicename));
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "repository")) != NULL) {
+ recbin->repository = talloc_sub_conn(ctx, conn, tmp_str);
+ ALLOC_CHECK(recbin->repository, error);
+ trim_string(recbin->repository, "/", "/");
+ DEBUG(5, ("recycle.bin: repository = %s\n", recbin->repository));
+ }
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "keeptree")) != NULL) {
+ if (check_bool_param(tmp_str) == True)
+ recbin->keep_dir_tree = True;
+ DEBUG(5, ("recycle.bin: keeptree = %s\n", tmp_str));
+ }
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "versions")) != NULL) {
+ if (check_bool_param(tmp_str) == True)
+ recbin->versions = True;
+ DEBUG(5, ("recycle.bin: versions = %s\n", tmp_str));
+ }
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "touch")) != NULL) {
+ if (check_bool_param(tmp_str) == True)
+ recbin->touch = True;
+ DEBUG(5, ("recycle.bin: touch = %s\n", tmp_str));
+ }
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "maxsize")) != NULL) {
+ recbin->maxsize = strtoul(tmp_str, NULL, 10);
+ if (recbin->maxsize == 0) {
+ recbin->maxsize = -1;
+ DEBUG(5, ("recycle.bin: maxsize = -infinite-\n"));
+ } else {
+ DEBUG(5, ("recycle.bin: maxsize = %ld\n", (long int)recbin->maxsize));
+ }
+ }
+ if ((tmp_str = lp_parm_string(servicename, "vfs_recycle_bin", "exclude")) != NULL) {
+ recbin->exclude = talloc_strdup(ctx, tmp_str);
+ ALLOC_CHECK(recbin->exclude, error);
+ DEBUG(5, ("recycle.bin: exclude = %s\n", recbin->exclude));
+ }
+ if ((tmp_str = lp_parm_string(servicename,"vfs_recycle_bin", "exclude_dir")) != NULL) {
+ recbin->exclude_dir = talloc_strdup(ctx, tmp_str);
+ ALLOC_CHECK(recbin->exclude_dir, error);
+ DEBUG(5, ("recycle.bin: exclude_dir = %s\n", recbin->exclude_dir));
+ }
+ if ((tmp_str = lp_parm_string(servicename,"vfs_recycle_bin", "noversions")) != NULL) {
+ recbin->noversions = talloc_strdup(ctx, tmp_str);
+ ALLOC_CHECK(recbin->noversions, error);
+ DEBUG(5, ("recycle.bin: noversions = %s\n", recbin->noversions));
+ }
+
+ conn->vfs_private = (void *)recbin;
+ return default_vfs_ops.connect(conn, service, user);
+
+error:
+ talloc_destroy(ctx);
+ return -1;
+}
+
+static void recycle_disconnect(struct connection_struct *conn)
+{
+ DEBUG(10, ("Disconnecting VFS module recycle bin\n"));
+ if (conn->vfs_private) {
+ talloc_destroy(((recycle_bin_struct *)conn->vfs_private)->ctx);
+ conn->vfs_private = NULL;
+ }
+ default_vfs_ops.disconnect(conn);
+}
+
+static BOOL recycle_directory_exist(connection_struct *conn, const char *dname)
+{
+ SMB_STRUCT_STAT st;
+
+ if (default_vfs_ops.stat(conn, dname, &st) == 0) {
+ if (S_ISDIR(st.st_mode)) {
+ return True;
+ }
+ }
+
+ return False;
+}
+
+static BOOL recycle_file_exist(connection_struct *conn, const char *fname)
+{
+ SMB_STRUCT_STAT st;
+
+ if (default_vfs_ops.stat(conn, fname, &st) == 0) {
+ if (S_ISREG(st.st_mode)) {
+ return True;
+ }
+ }
+
+ return False;
+}
+
+/**
+ * Return file size
+ * @param conn connection
+ * @param fname file name
+ * @return size in bytes
+ **/
+static SMB_OFF_T recycle_get_file_size(connection_struct *conn, const char *fname)
+{
+ SMB_STRUCT_STAT st;
+ if (default_vfs_ops.stat(conn, fname, &st) != 0) {
+ DEBUG(0,("recycle.bin: stat for %s returned %s\n", fname, strerror(errno)));
+ return (SMB_OFF_T)0;
+ }
+ return(st.st_size);
+}
+
+/**
+ * Create directory tree
+ * @param conn connection
+ * @param dname Directory tree to be created
+ * @return Returns True for success
+ **/
+static BOOL recycle_create_dir(connection_struct *conn, const char *dname)
+{
+ int len;
+ mode_t mode;
+ char *new_dir = NULL;
+ char *tmp_str = NULL;
+ char *token;
+ char *tok_str;
+ BOOL ret = False;
+
+ mode = S_IREAD | S_IWRITE | S_IEXEC;
+
+ tmp_str = strdup(dname);
+ ALLOC_CHECK(tmp_str, done);
+ tok_str = tmp_str;
+
+ len = strlen(dname);
+ new_dir = (char *)malloc(len + 1);
+ ALLOC_CHECK(new_dir, done);
+ *new_dir = '\0';
+
+ /* Create directory tree if neccessary */
+ for(token = strtok(tok_str, "/"); token; token = strtok(NULL, "/")) {
+ safe_strcat(new_dir, token, len);
+ if (recycle_directory_exist(conn, new_dir))
+ DEBUG(10, ("recycle.bin: dir %s already exists\n", new_dir));
+ else {
+ DEBUG(5, ("recycle.bin: creating new dir %s\n", new_dir));
+ if (default_vfs_ops.mkdir(conn, new_dir, mode) != 0) {
+ DEBUG(1,("recycle.bin: mkdir failed for %s with error: %s\n", new_dir, strerror(errno)));
+ ret = False;
+ goto done;
+ }
+ }
+ safe_strcat(new_dir, "/", len);
+ }
+
+ ret = True;
+done:
+ SAFE_FREE(tmp_str);
+ SAFE_FREE(new_dir);
+ return ret;
+}
+
+/**
+ * Check if needle is contained exactly in haystack
+ * @param haystack list of parameters separated by delimimiter character
+ * @param needle string to be matched exactly to haystack
+ * @return True if found
+ **/
+static BOOL checkparam(const char *haystack, const char *needle)
+{
+ char *token;
+ char *tok_str;
+ char *tmp_str;
+ BOOL ret = False;
+
+ if (haystack == NULL || strlen(haystack) == 0 || needle == NULL || strlen(needle) == 0) {
+ return False;
+ }
+
+ tmp_str = strdup(haystack);
+ ALLOC_CHECK(tmp_str, done);
+ token = tok_str = tmp_str;
+
+ for(token = strtok(tok_str, delimiter); token; token = strtok(NULL, delimiter)) {
+ if(strcmp(token, needle) == 0) {
+ ret = True;
+ goto done;
+ }
+ }
+done:
+ SAFE_FREE(tmp_str);
+ return ret;
+}
+
+/**
+ * Check if needle is contained in haystack, * and ? patterns are resolved
+ * @param haystack list of parameters separated by delimimiter character
+ * @param needle string to be matched exectly to haystack including pattern matching
+ * @return True if found
+ **/
+static BOOL matchparam(const char *haystack, const char *needle)
+{
+ char *token;
+ char *tok_str;
+ char *tmp_str;
+ BOOL ret = False;
+
+ if (haystack == NULL || strlen(haystack) == 0 || needle == NULL || strlen(needle) == 0) {
+ return False;
+ }
+
+ tmp_str = strdup(haystack);
+ ALLOC_CHECK(tmp_str, done);
+ token = tok_str = tmp_str;
+
+ for(token = strtok(tok_str, delimiter); token; token = strtok(NULL, delimiter)) {
+ if (!unix_wild_match(token, needle)) {
+ ret = True;
+ goto done;
+ }
+ }
+done:
+ SAFE_FREE(tmp_str);
+ return ret;
+}
+
+/**
+ * Touch access date
+ **/
+static void recycle_touch(connection_struct *conn, const char *fname)
+{
+ SMB_STRUCT_STAT st;
+ struct utimbuf tb;
+ time_t currtime;
+
+ if (default_vfs_ops.stat(conn, fname, &st) != 0) {
+ DEBUG(0,("recycle.bin: stat for %s returned %s\n", fname, strerror(errno)));
+ return;
+ }
+ currtime = time(&currtime);
+ tb.actime = currtime;
+ tb.modtime = st.st_mtime;
+
+ if (default_vfs_ops.utime(conn, fname, &tb) == -1 )
+ DEBUG(0, ("recycle.bin: touching %s failed, reason = %s\n", fname, strerror(errno)));
+ }
+
+/**
+ * Check if file should be recycled
+ **/
+static int recycle_unlink(connection_struct *conn, const char *inname)
+{
+ recycle_bin_struct *recbin;
+ char *file_name = NULL;
+ char *path_name = NULL;
+ char *temp_name = NULL;
+ char *final_name = NULL;
+ char *base;
+ int i;
+ SMB_BIG_UINT dfree, dsize, bsize;
+ SMB_OFF_T file_size, space_avail;
+ BOOL exist;
+ int rc = -1;
+
+ file_name = strdup(inname);
+ ALLOC_CHECK(file_name, done);
+
+ if (conn->vfs_private)
+ recbin = (recycle_bin_struct *)conn->vfs_private;
+ else {
+ DEBUG(0, ("Recycle bin not initialized!\n"));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ if(!recbin->repository || *(recbin->repository) == '\0') {
+ DEBUG(3, ("Recycle path not set, purging %s...\n", file_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ /* we don't recycle the recycle bin... */
+ if (strncmp(file_name, recbin->repository, strlen(recbin->repository)) == 0) {
+ DEBUG(3, ("File is within recycling bin, unlinking ...\n"));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ file_size = recycle_get_file_size(conn, file_name);
+ /* it is wrong to purge filenames only because they are empty imho
+ * --- simo
+ *
+ if(fsize == 0) {
+ DEBUG(3, ("File %s is empty, purging...\n", file_name));
+ rc = default_vfs_ops.unlink(conn,file_name);
+ goto done;
+ }
+ */
+
+ /* FIXME: this is wrong, we should check the hole size of the recycle bin is
+ * not greater then maxsize, not the size of the single file, also it is better
+ * to remove older files
+ */
+ if(recbin->maxsize > 0 && file_size > recbin->maxsize) {
+ DEBUG(3, ("File %s exceeds maximum recycle size, purging... \n", file_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ /* FIXME: this is wrong: moving files with rename does not change the disk space
+ * allocation
+ *
+ space_avail = default_vfs_ops.disk_free(conn, ".", True, &bsize, &dfree, &dsize) * 1024L;
+ DEBUG(5, ("space_avail = %Lu, file_size = %Lu\n", space_avail, file_size));
+ if(space_avail < file_size) {
+ DEBUG(3, ("Not enough diskspace, purging file %s\n", file_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+ */
+
+ /* extract filename and path */
+ path_name = (char *)malloc(PATH_MAX);
+ ALLOC_CHECK(path_name, done);
+ *path_name = '\0';
+ safe_strcpy(path_name, file_name, PATH_MAX);
+ base = strrchr(path_name, '/');
+ if (base == NULL) {
+ base = file_name;
+ safe_strcpy(path_name, "/", PATH_MAX);
+ }
+ else {
+ *base = '\0';
+ base++;
+ }
+
+ DEBUG(10, ("recycle.bin: fname = %s\n", file_name)); /* original filename with path */
+ DEBUG(10, ("recycle.bin: fpath = %s\n", path_name)); /* original path */
+ DEBUG(10, ("recycle.bin: base = %s\n", base)); /* filename without path */
+
+ if (matchparam(recbin->exclude, base)) {
+ DEBUG(3, ("recycle.bin: file %s is excluded \n", base));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ /* FIXME: this check will fail if we have more than one level of directories,
+ * we shoud check for every level 1, 1/2, 1/2/3, 1/2/3/4 ....
+ * ---simo
+ */
+ if (checkparam(recbin->exclude_dir, path_name)) {
+ DEBUG(3, ("recycle.bin: directory %s is excluded \n", path_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ temp_name = (char *)malloc(PATH_MAX);
+ ALLOC_CHECK(temp_name, done);
+ safe_strcpy(temp_name, recbin->repository, PATH_MAX);
+
+ /* see if we need to recreate the original directory structure in the recycle bin */
+ if (recbin->keep_dir_tree == True) {
+ safe_strcat(temp_name, "/", PATH_MAX);
+ safe_strcat(temp_name, path_name, PATH_MAX);
+ }
+
+ exist = recycle_directory_exist(conn, temp_name);
+ if (exist) {
+ DEBUG(10, ("recycle.bin: Directory already exists\n"));
+ } else {
+ DEBUG(10, ("recycle.bin: Creating directory %s\n", temp_name));
+ if (recycle_create_dir(conn, temp_name) == False) {
+ DEBUG(3, ("Could not create directory, purging %s...\n", file_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+ }
+
+ final_name = (char *)malloc(PATH_MAX);
+ ALLOC_CHECK(final_name, done);
+ snprintf(final_name, PATH_MAX, "%s/%s", temp_name, base);
+ DEBUG(10, ("recycle.bin: recycled file name%s\n", temp_name)); /* new filename with path */
+
+ /* check if we should delete file from recycle bin */
+ if (recycle_file_exist(conn, final_name)) {
+ if (recbin->versions == False || matchparam(recbin->noversions, base) == True) {
+ DEBUG(3, ("recycle.bin: Removing old file %s from recycle bin\n", final_name));
+ if (default_vfs_ops.unlink(conn, final_name) != 0) {
+ DEBUG(1, ("recycle.bin: Error deleting old file: %s\n", strerror(errno)));
+ }
+ }
+ }
+
+ /* rename file we move to recycle bin */
+ i = 1;
+ while (recycle_file_exist(conn, final_name)) {
+ snprintf(final_name, PATH_MAX, "%s/Copy #%d of %s", temp_name, i++, base);
+ }
+
+ DEBUG(10, ("recycle.bin: Moving %s to %s\n", file_name, final_name));
+ rc = default_vfs_ops.rename(conn, file_name, final_name);
+ if (rc != 0) {
+ DEBUG(3, ("recycle.bin: Move error %d (%s), purging file %s (%s)\n", errno, strerror(errno), file_name, final_name));
+ rc = default_vfs_ops.unlink(conn, file_name);
+ goto done;
+ }
+
+ /* touch access date of moved file */
+ if (recbin->touch == True )
+ recycle_touch(conn, final_name);
+
+done:
+ SAFE_FREE(file_name);
+ SAFE_FREE(path_name);
+ SAFE_FREE(temp_name);
+ SAFE_FREE(final_name);
+ return rc;
+}
--- /dev/null
+#!/bin/sh
+
+INSTALLPERMS=$1
+BASEDIR=$2
+LIBDIR=$3
+shift
+shift
+shift
+
+for p in $*; do
+ p2=`basename $p`
+ echo Installing $p as $LIBDIR/$p2
+ cp -f $p $LIBDIR/
+ chmod $INSTALLPERMS $LIBDIR/$p2
+done
+
+
+cat << EOF
+======================================================================
+The modules are installed. You may uninstall the modules using the
+command "make uninstallmodules" or "make uninstall" to uninstall
+binaries, man pages, shell scripts and modules.
+======================================================================
+EOF
+
+exit 0
--- /dev/null
+#!/bin/sh
+#4 July 96 Dan.Shearer@UniSA.edu.au
+
+INSTALLPERMS=$1
+BASEDIR=$2
+LIBDIR=$3
+shift
+shift
+shift
+
+if [ ! -d $LIBDIR ]; then
+ echo Directory $LIBDIR does not exist!
+ echo Do a "make installmodules" or "make install" first.
+ exit 1
+fi
+
+for p in $*; do
+ p2=`basename $p`
+ if [ -f $LIBDIR/$p2 ]; then
+ echo Removing $LIBDIR/$p2
+ rm -f $LIBDIR/$p2
+ if [ -f $LIBDIR/$p2 ]; then
+ echo Cannot remove $LIBDIR/$p2 ... does $USER have privileges?
+ fi
+ fi
+done
+
+
+cat << EOF
+======================================================================
+The modules have been uninstalled. You may restore the modules using
+the command "make installmodules" or "make install" to install
+binaries, modules, man pages and shell scripts.
+======================================================================
+EOF
+
+exit 0
--- /dev/null
+. basicsmb.fns
+
+password=samba
+(test_smb_conf_setup && test_smbpasswd $password ) || exit 1
+
+rm -f $prefix/testdir/preexec_touch
+
+mode=PREEXEC
+(test_listfilesauth $mode) || exit 1
+
+if [ -f $prefix/testdir/preexec_touch ]; then
+ rm -f $prefix/testdir/preexec_touch
+else
+ exit 1;
+fi
+
+mode=PREEXEC_close
+(test_listfilesauth $mode) || exit 1
+
+if [ -f $prefix/testdir/preexec_touch ]; then
+ rm -f $prefix/testdir/preexec_touch
+else
+ exit 1;
+fi
+
+mode=PREEXEC_cl_fail
+(test_listfilesauth_should_deny $mode) || exit 1
+
--- /dev/null
+preexec = /bin/sh PREFIX/lib/preexec
--- /dev/null
+preexec close = yes
+preexec = /bin/sh PREFIX/lib/preexec_does_not_exist
\ No newline at end of file
--- /dev/null
+preexec close = yes
+preexec = /bin/sh PREFIX/lib/preexec
--- /dev/null
+ valid users = WHOAMI
--- /dev/null
+#!/bin/sh
+echo "Test worked" > PREFIX/testdir/preexec_touch
git.samba.org / ira / wip.git / commitdiff