<para>
Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of
resources shared via Samba do not behave in the manner they might expect. MS Windows network
-adminstrators are often confused regarding network access controls and what is the best way to
+administrators are often confused regarding network access controls and what is the best way to
provide users with the type of access they need while protecting resources from the consequences
of untoward access capabilities.
</para>
provide a means of interoperability and interchange of data between two operating environments
that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. Instead
the purpose was an is to provide a sufficient level of exchange of data between the two environments.
-What is available today extends well beyond early plans and expections, yet the gap continues to
+What is available today extends well beyond early plans and expectations, yet the gap continues to
shrink.
</para>
operating system supports them. If not, then this option will not be
available to you. Current Unix technology platforms have native support
for POSIX ACLs. There are patches for the Linux kernel that provide
- this also. Sadly, few Linux paltforms ship today with native ACLs and
+ this also. Sadly, few Linux platforms ship today with native ACLs and
Extended Attributes enabled. This chapter has pertinent information
for users of platforms that support them.
</para>
<para>
It is good news that Samba does this to a very large extent and on top of that provides a high degree
of optional configuration to over-ride the default behaviour. We will look at some of these over-rides,
- but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore
+ but for the greater part we will stay within the bounds of default behaviour. Those wishing to explore
to depths of control ability should review the &smb.conf; man page.
</para>
Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An
operation (like read or write) will operate directly on the file referenced. Symbolic links are also
referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows
- one physical file to be known simulataneously by more than one file name.
+ one physical file to be known simultaneously by more than one file name.
</para>
</listitem>
</varlistentry>
</para>
<para>
- Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
+ Unix/Linux file and directory access permissions involves setting three (3) primary sets of data and one (1) control set.
A Unix file listing looks as follows:-
<screen>
</para>
<para>
- Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
+ Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
</para>
<para>
- The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
+ The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
</para>
The following file and directory permission based controls, if misused, can result in considerable difficulty to
diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
- re-instroduce them in a controlled fashion.
+ re-introduce them in a controlled fashion.
</para>
<table frame='all'><title>File and Directory Permission Based Controls</title>
<row>
<entry>hide unreadable</entry>
<entry><para>
- Prevents clients from seeing the existance of files that cannot be read.
+ Prevents clients from seeing the existence of files that cannot be read.
</para></entry>
</row>
<row>
<entry>hide unwriteable files</entry>
<entry><para>
- Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
+ Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual.
</para></entry>
</row>
<row>
<para>
This section deals with how to configure Samba per share access control restrictions.
- By default samba sets no restrictions on the share itself. Restrictions on the share itself
+ By default, Samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <constant>Everyone</constant> Full Control (ie: Full control, Change and Read).
<para>
Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>.
The location of this file on your system will depend on how samba was compiled. The default location
- for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
- utility has been compiled and installed on your system then you can examine the contents of this file
+ for Samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
+ utility has been compiled and installed on your system, then you can examine the contents of this file
by: <userinput>tdbdump share_info.tdb</userinput>.
</para>
<title>Share Permissions Management</title>
<para>
- The best tool for the task is platform dependant. Choose the best tool for your environmemt.
+ The best tool for the task is platform dependant. Choose the best tool for your environment.
</para>
<sect3>
After launching the MMC with the Computer Management snap-in, click on the menu item <guimenuitem>Action</guimenuitem>,
select <guilabel>Connect to another computer</guilabel>. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
- If you where already logged in with administrative privilidge this step is not offered.
+ If you where already logged in with administrative privilege this step is not offered.
</para></step>
<step><para>
<sect3>
<title>File Permissions</title>
- <para>The standard UNIX user/group/world triple and
+ <para>The standard UNIX user/group/world triplet and
the corresponding "read", "write", "execute" permissions
- triples are mapped by Samba into a three element NT ACL
+ triplets are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
the global NT group <constant>Everyone</constant>, followed
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</para>
- <para>If a permission triple (either user, group, or world)
+ <para>If a permission triplet (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
then when the <guibutton>OK</guibutton> button is pressed it will
be applied as "no permissions" on the UNIX side. If you then
view the permissions again the "no permissions" entry will appear
as the NT <command>"O"</command> flag, as described above. This
allows you to add permissions back to a file or directory once
- you have removed them from a triple component.</para>
+ you have removed them from a triplet component.</para>
<para>As UNIX supports only the "r", "w" and "x" bits of
an NT ACL then if other NT security attributes such as "Delete
<para>Once a user clicks <guibutton>OK</guibutton> to apply the
permissions Samba maps the given permissions into a user/group/world
- r/w/x triple set, and then will check the changed permissions for a
+ r/w/x triplet set, and then will check the changed permissions for a
file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
<parameter>security mask</parameter></ulink> parameter. Any bits that
were changed that are not set to '1' in this parameter are left alone
<para>
<quote>
We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
- and theres a public share, on which everyone needs to have permission to create / modify files, but only
+ and there's a public share, on which everyone needs to have permission to create / modify files, but only
root can change the file, no one else can. We need to constantly go to server to
<userinput>chgrp -R users *</userinput> and <userinput>chown -R nobody *</userinput> to allow others users to change the file.
</quote>
Now in your &smb.conf; for the share add:
<programlisting>
force create mode = 0775
- force direcrtory mode = 6775
+ force directory mode = 6775
</programlisting>
</para>
<sect2>
- <title>I have set force user and samba still makes <emphasis>root</emphasis> the owner of all the files
+ <title>I have set force user and Samba still makes <emphasis>root</emphasis> the owner of all the files
I touch!</title>
<para>
- When you have a user in 'admin users', samba will always do file operations for
+ When you have a user in 'admin users', Samba will always do file operations for
this user as <emphasis>root</emphasis>, even if <parameter>force user</parameter> has been set.
</para>
</sect2>
<pubdate>April 3 2003</pubdate>
</chapterinfo>
-<title>Advanced Network Manangement</title>
+<title>Advanced Network Management</title>
<para>
This section documents peripheral issues that are of great importance to network
<para>
<screen>
-> I have a wounderfull linux/samba server running as pdc for a network.
-> Now I would like to add remote desktop capabilites so that
+> I have a wonderful linux/samba server running as PDC for a network.
+> Now I would like to add remote desktop capabilities so that
> users outside could login to the system and get their desktop up from
> home or another country..
>
-> Is there a way to acomplish this? Do I need a windows terminal server?
+> Is there a way to accomplish this? Do I need a windows terminal server?
> Do I need to configure it so that it is a member of the domain or a
> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
> even if the computer is in a domain?
</para>
<para>
- I could testdrive their (public) RedHat machine in Italy, over a loaded
+ I could test drive their (public) RedHat machine in Italy, over a loaded
internet connection, with enabled thumbnail previews in KDE konqueror
which popped up immediately on "mouse-over". From inside that (remote X)
session I started a rdesktop session on another, a Windows XP machine.
</para>
<para>
- I recommend to testdrive NX to anybody with a only a remote interest
+ I recommend to test drive NX to anybody with a only a remote interest
in remote computing
<ulink url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
</para>
<para>
Now the best thing at the end: all the core compression and caching
technologies are released under the GPL and available as source code
- to anybody who wants to build on it! These technolgies are working,
+ to anybody who wants to build on it! These technologies are working,
albeit started from the command line only (and very inconvenient to
use in order to get a fully running remote X session up and running....)
</para>
<simplelist>
<member>No Logon Script</member>
<member>Simple universal Logon Script that applies to all users</member>
- <member>Use of a conditional Logon Script that applies per user or per group attirbutes</member>
+ <member>Use of a conditional Logon Script that applies per user or per group attributes</member>
<member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</member>
<member>User of a tool such as KixStart</member>
If the bug has anything to do with Samba behaving incorrectly as a
server (like refusing to open a file) then the log files will probably
be very useful. Depending on the problem a log level of between 3 and
-10 showing the problem may be appropriate. A higher level givesmore
+10 showing the problem may be appropriate. A higher level gives more
detail, but may use too much disk space.
</para>
where the problem occurred (if its in a library routine then
disassemble the routine that called it) and try to work out exactly
where the problem is by looking at the surrounding code. Even if you
-don't know assembly then incuding this info in the bug report can be
+don't know assembly, including this info in the bug report can be
useful.
</para>
</sect1>
<para>
To summarize, here is the simplest printing-related setup
- for<filename>smb.conf</filename> to enable basic CUPS support:
+ for <filename>smb.conf</filename> to enable basic CUPS support:
</para>
<para><screen>
<para>
Here is a slightly more complex printing-related setup
-for<filename>smb.conf</filename>. It enables general CUPS printing
+for <filename>smb.conf</filename>. It enables general CUPS printing
support for all printers, but defines one printer share which is set
up differently.
</para>
<para>
This special share is only there for my testing purposes. It doesn't
-even write the printjob to a file. It just logs the job parameters
+even write the print job to a file. It just logs the job parameters
known to Samba into the <filename>/tmp/smbprn.log</filename> file and
deletes the jobfile. Moreover, the <parameter>printer
admin</parameter> of this share is "kurt" (not the "@ntadmins" group);
Samba's Windows clients represented a really simple setup. Their only
task was to manage the "raw" spooling of all jobs handed to them by
Samba. This approach meant that the Windows clients were expected to
-prepare the printjob file in such a way that it became fit to be fed to
+prepare the print job file in such a way that it became fit to be fed to
the printing device. Here a native (vendor-supplied) Windows printer
driver for the target device needed to be installed on each and every
client.
printers and they get printed. There needs to be a file format
conversion in between. The problem is: there is no common standard for
print file formats across all manufacturers and printer types. While
-<emphasis>PostScript</emphasis> (trademark held by Adobe), and to an
-extend<emphasis>PCL</emphasis> (trademark held by HP), have developed
+<emphasis>PostScript</emphasis> (trademark held by Adobe), and, to an
+extent, <emphasis>PCL</emphasis> (trademark held by HP), have developed
into semi-official "standards", by being the most widely used PDLs
(<emphasis>Page Description Languages</emphasis>), there are still
many manufacturers who "roll their own" (their reasons may be
<title>Ghostscript -- the Software RIP for non-PostScript Printers</title>
<para>
-Here is where<emphasis>Ghostscript</emphasis> kicks in. Ghostscript is
+Here is where <emphasis>Ghostscript</emphasis> kicks in. Ghostscript is
the traditional (and quite powerful) PostScript interpreter used on
Unix platforms. It is a RIP in software, capable to do a
<emphasis>lot</emphasis> of file format conversions, for a very broad
</sect2>
<sect2>
-<title>rasterto [printerspecific]</title>
+<title>rasterto [printers specific]</title>
<para>
CUPS ships with quite some different raster drivers processing CUPS
fact I have the system-wide default printer set up to be connected to
a "devnull:/" backend: there are just too many people sending jobs
without specifying a printer, or scripts and programs which don't name
-a printer. The system-wided default deletes the job and sends a polite
-mail back to the $USER asking him to alsways specify a correct
+a printer. The system-wide default deletes the job and sends a polite
+mail back to the $USER asking him to always specify a correct
printername).
</para>
This line you may find amongst the first 40 or so lines of the PPD
file. If you have such a PPD installed, the printer shows up in the
CUPS web interface with a <emphasis>foomatic</emphasis> namepart for
-the driver description. cupsomatic is a Perlscript that runs
+the driver description. cupsomatic is a Perl script that runs
Ghostscript, with all the complicated commandline options
auto-constructed from the selected PPD and commandline options give to
the printjob.
data to printing devices. (This could be easily abused to launch a
Denial of Service attack on your printer(s), causing at least the loss
of a lot of paper and ink...) "Unknown" data are regarded by CUPS
-as<emphasis>MIME type</emphasis>
+as <emphasis>MIME type</emphasis>
<emphasis>application/octet-stream</emphasis>. While you
<emphasis>can</emphasis> send data "raw", the MIME type for these must
be one that is known to CUPS and an allowed one. The file
</varlistentry>
<varlistentry><term>laserjet.ppd</term>
-<listitem><para>all PCL printersFurther below is a discussion
+<listitem><para>all PCL printers. Further below is a discussion
of several other driver/PPD-packages suitable fur use with CUPS.
</para></listitem>
</varlistentry>
<emphasis>foomatic-rip</emphasis>. foomatic-rip is a complete re-write
of the old cupsomatic idea, but very much improved and generalized to
other (non-CUPS) spoolers. An upgrade to foomatic-rip is strongly
-adviced, especially if you are upgrading to a recent version of CUPS
+advised, especially if you are upgrading to a recent version of CUPS
too.
</para>
<para>
cupsomatic "kidnaps" the printfile after the
<emphasis>application/vnd.cups-postscript</emphasis> stage and
-deviates it through the CUPS-external, systemwide Ghostscript
+deviates it through the CUPS-external, system wide Ghostscript
installation: Therefore the printfile bypasses the "pstoraster" filter
(and thus also bypasses the CUPS-raster-drivers
"rastertosomething"). After Ghostscript finished its rasterization,
url="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/">OMNI
(http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</ulink>
(LPGL, Free) is a package made by IBM, now containing support for more
-than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow
+than 400 printers, stemming from the inheritance of IBM OS/2 Know-How
ported over to Linux (CUPS support is in a Beta-stage at
present);</para></listitem>
<title>Samba receiving Jobfiles and passing them to CUPS</title>
<para>
-Samba<emphasis>must</emphasis> use its own spool directory (it is set
+Samba <emphasis>must</emphasis> use its own spool directory (it is set
by a line similar to <parameter>path = /var/spool/samba</parameter>,
in the <parameter>[printers]</parameter> or
<parameter>[printername]</parameter> section of
<para>
The CUPS printer driver is available from the CUPS download site. Its
package name is <filename>cups-samba-[version].tar.gz</filename> . It
-is prefered over the Adobe drivers since it has a number of
+is preferred over the Adobe drivers since it has a number of
advantages:
</para>
of "1" is logged in a standard setup)</para></listitem>
<listitem><para>the Adobe driver has more options to "mis-configure" the
-PostScript generated by it (like setting it inadvertedly to
+PostScript generated by it (like setting it inadvertently to
<emphasis>Optimize for Speed</emphasis>, instead of
<emphasis>Optimize for Portability</emphasis>, which
could lead to CUPS being unable to process it)</para></listitem>
</screen></para>
<para>
-To share<emphasis>all</emphasis> printers and drivers, use the
+To share <emphasis>all</emphasis> printers and drivers, use the
<parameter>-a</parameter> parameter instead of a printer name. Since
cupsaddsmb "exports" the printer drivers to Samba, it should be
obvious that it only works for queues with a CUPS driver associated.
Running command: rpcclient localhost -N -U'root%secret' \
-c 'setdriver infotec_2105 infotec_2105'
cmd = setdriver infotec_2105 infotec_2105
- Succesfully set infotec_2105 to driver infotec_2105.
+ Successfully set infotec_2105 to driver infotec_2105.
</screen></para>
installed.</emphasis> # (for the WIN40 == Win9x/ME
architecture...)</para></listitem>
-<listitem><para><emphasis>Succesfully set [printerXPZ] to driver
+<listitem><para><emphasis>Successfully set [printerXPZ] to driver
[printerXYZ].</emphasis></para></listitem>
</orderedlist>
<itemizedlist>
<listitem><para>Avoid the <emphasis>PostScript Output Option: Optimize
-for Speed</emphasis> settting. Rather use the <emphasis>Optimize for
+for Speed</emphasis> setting. Rather use the <emphasis>Optimize for
Portability</emphasis> instead (Adobe PostScript
driver).</para></listitem>
<listitem><para>Sometimes you can choose <emphasis>PostScript Language
Level</emphasis>: in case of problems try <emphasis>2</emphasis>
instead of <emphasis>3</emphasis> (the latest ESP Ghostscript package
-handels Level 3 PostScript very well) (Adobe).</para></listitem>
+handles Level 3 PostScript very well) (Adobe).</para></listitem>
<listitem><para>Say <emphasis>Yes</emphasis> to <emphasis>PostScript
Error Handler</emphasis> (Adobe)</para></listitem>
the most interesting ones. rpcclient implements an important part of
the MS-RPC protocol. You can use it to query (and command) a Win NT
(or 2K/XP) PC too. MS-RPC is used by Windows clients, amongst other
-things, to benefit from the "Point'n' Print" features. Samba can now
+things, to benefit from the "Point'n'Print" features. Samba can now
mimic this too.
</para>
<para>
From the manpage (and from the quoted output
-of<emphasis>cupsaddsmb</emphasis>, above) it becomes clear that you
+of <emphasis>cupsaddsmb</emphasis>, above) it becomes clear that you
need to have certain conditions in order to make the manual uploading
and initializing of the driver files succeed. The two rpcclient
subcommands (<command>adddriver</command> and
</sect3>
<sect3>
-<title>Twelveth Step: Install the Printer on a Client
+<title>Twelfth Step: Install the Printer on a Client
("Point'n'Print")</title>
<para><screen>
Version:3.0a
-h this help message
-s suffix set the backup suffix
- -v veryify mode (restore if corrupt)
+ -v verify mode (restore if corrupt)
</screen></para>
UNIXes and on Mac OS X or Darwin too). It is not known as well as it
should be, that it also has a very end-user friendly interface which
allows for an easy update of drivers and PPDs, for all supported
-models, all spoolers, all operatings systems and all package formats
+models, all spoolers, all operating systems and all package formats
(because there is none). Its history goes back a few years.
</para>
their own manufacturer-provided Windows-PPD...), and that a
multifunctional device never qualifies as working "perfectly" if it
doesn't also scan and copy and fax under GNU/Linux: then this is a
-truely astonishing achievement. Three years ago the number was not
+truly astonishing achievement. Three years ago the number was not
more than 500, and Linux or UNIX "printing" at the time wasn't
anywhere near the quality it is today!
</para>
<option>-r</option> and defining a tag name. A list of branch tag names
can be found on the "Development" page of the samba web site. A common
request is to obtain the latest 3.0 release code. This could be done by
- using the following userinput.
+ using the following command:
</para>
<para>
<listitem><para>the MIT kerberos development libraries
(either install from the sources or use a package). The
- heimdal libraries will not work.</para></listitem>
+ Heimdal libraries will not work.</para></listitem>
<listitem><para>the OpenLDAP development libraries.</para></listitem>
<title>Starting the &smbd; and &nmbd;</title>
<para>You must choose to start &smbd; and &nmbd; either
- as daemons or from <application>inetd</application>Don't try
+ as daemons or from <application>inetd</application>. Don't try
to do both! Either you can put them in <filename>
inetd.conf</filename> and have them started on demand
by <application>inetd</application>, or you can start them as
<listitem><para>
Domain user access rights and file ownership / access controls can be set
- from the single Domain SAM (Security Accounts Management) database
+ from the single Domain SAM (Security Account Manager) database
(works with Domain member servers as well as with MS Windows workstations
that are domain members)
</para></listitem>
</para></listitem>
<listitem><para>
- Through the use of logon scripts users can be given transparent access to network
+ Through the use of logon scripts, users can be given transparent access to network
applications that run off application servers
</para></listitem>
<para>
<screen>
&rootprompt;<userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
-</screen>>
+</screen>
</para>
<para>
<sect3>
<title>Samba</title>
- <para>Joining a samba client to a domain is documented in
- the <link linkend="domain-member">Domain Member</link> chapter.
+ <para>Joining a Samba client to a domain is documented in
+ the <link linkend="domain-member-server">Domain Member Server</link> section of this chapter chapter.
</para>
</sect3>
</sect2>
</sect1>
-<sect1>
+<sect1 id="domain-member-server">
<title>Domain Member Server</title>
<para>
-This mode of server operation involves the samba machine being made a member
+This mode of server operation involves the Samba machine being made a member
of a domain security context. This means by definition that all user
authentication will be done from a centrally defined authentication regime.
The authentication regime may come from an NT3/4 style (old domain technology)
Please refer to the <link linkend="samba-pdc">Domain Control chapter</link>
for more information regarding how to create a domain
machine account for a domain member server as well as for information
-regarding how to enable the samba domain member machine to join the domain and
+regarding how to enable the Samba domain member machine to join the domain and
to be fully trusted by it.
</para>
</para>
<para>
-This method, allows Samba to use exactly the same mechanism that NT does. This
+This method allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.
</para>
<para>
As we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
-is DOMPDC. The <replaceable>Administrator%password</replaceable> is
+is DOMPDC, we use it for the <option>-S</option> option.
+The <replaceable>Administrator%password</replaceable> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:
This command goes through the machine account password
change protocol, then writes the new (random) machine account
password for this Samba server into a file in the same directory
-in which an smbpasswd file would be stored - normally :
+in which an smbpasswd file would be stored - normally:
</para>
<para>
</para>
<para>
-Please refer to the <ulink url="winbind.html">Winbind
-paper</ulink> for information on a system to automatically
+Please refer to the <link linkend="winbind">Winbind</link> chapter
+for information on a system to automatically
assign UNIX uids and gids to Windows NT Domain users and groups.
</para>
<title>Samba ADS Domain Membership</title>
<para>
-This is a rough guide to setting up Samba 3.0 with kerberos authentication against a
-Windows2000 KDC.
+This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a
+Windows2000 KDC. A familiarity with Kerberos is assumed.
</para>
<sect2>
<note><para>
The realm must be uppercase or you will get <errorname>Cannot find KDC for
-requested realm while getting initial credentials</errorname> error
+requested realm while getting initial credentials</errorname> error.
</para></note>
<note><para>
<para>
You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
-must either be the netbios name of the KDC (ie. the hostname with no
-domain attached) or it can alternatively be the netbios name
+must either be the NetBIOS name of the KDC (ie. the hostname with no
+domain attached) or it can alternatively be the NetBIOS name
followed by the realm.
</para>
<para>
The easiest way to ensure you get this right is to add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to
-its netbios name. If you don't get this right then you will get a
+its NetBIOS name. If you don't get this right then you will get a
<errorname>local error</errorname> when you try to join the realm.
</para>
<para>
-If all you want is kerberos support in &smbclient; then you can skip
+If all you want is Kerberos support in &smbclient; then you can skip
straight to <link linkend="ads-test-smbclient">Test with &smbclient;</link> now.
<link linkend="ads-create-machine-account">Creating a computer account</link>
and <link linkend="ads-test-server">testing your servers</link>
-is only needed if you want kerberos support for &smbd; and &winbindd;.
+is only needed if you want Kerberos support for &smbd; and &winbindd;.
</para>
</sect2>
As a user that has write permission on the Samba private directory
(usually root) run:
<programlisting>
- <userinput>net join -U Administrator%password</userinput>
+ &rootprompt;<userinput>net join -U Administrator%password</userinput>
</programlisting>
</para>
<variablelist>
<varlistentry><term><errorname>ADS support not compiled in</errorname></term>
<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled
- (make clean all install) after the kerberos libs and headers are installed.
+ (make clean all install) after the Kerberos libs and headers are installed.
</para></listitem></varlistentry>
<varlistentry><term><errorname>net join prompts for user name</errorname></term>
<para>
On a Windows 2000 client try <userinput>net use * \\server\share</userinput>. You should
-be logged in with kerberos without needing to know a password. If
+be logged in with Kerberos without needing to know a password. If
this fails then run <userinput>klist tickets</userinput>. Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5 ?
</para>
<para>
On your Samba server try to login to a Win2000 server or your Samba
-server using &smbclient; and kerberos. Use &smbclient; as usual, but
-specify the <parameter>-k</parameter> option to choose kerberos authentication.
+server using &smbclient; and Kerberos. Use &smbclient; as usual, but
+specify the <parameter>-k</parameter> option to choose Kerberos authentication.
</para>
</sect2>
<para>
In the process of adding / deleting / re-adding domain member machine accounts there are
-many traps for the unwary player and there are many "little" things that can go wrong.
+many traps for the unwary player and there are many <quote>little</quote> things that can go wrong.
It is particularly interesting how often subscribers on the samba mailing list have concluded
after repeated failed attempts to add a machine account that it is necessary to "re-install"
MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type
<emphasis>Problem:</emphasis> A Windows workstation was reinstalled. The original domain machine
account was deleted and added immediately. The workstation will not join the domain if I use
the same machine name. Attempts to add the machine fail with a message that the machine already
-exists on the network - I know it doen't. Why is this failing?
+exists on the network - I know it doesn't. Why is this failing?
</para>
<para>
<pubdate>Wed Jan 15</pubdate>
</chapterinfo>
-<title>The samba checklist</title>
+<title>The Samba checklist</title>
<sect1>
<title>Introduction</title>
<para>
In the above, no allowance has been made for any session requests that
-will automatically translate to the loopback adaptor address 127.0.0.1.
+will automatically translate to the loopback adapter address 127.0.0.1.
To solve this problem change these lines to:
</para>
And yet another possible cause for failure of this test is when the subnet mask
and / or broadcast address settings are incorrect. Please check that the
network interface IP Address / Broadcast Address / Subnet Mask settings are
-correct and that Samba has correctly noted these in the <filename>log.nmb</filename> file.
+correct and that Samba has correctly noted these in the <filename>log.nmbd</filename> file.
</para>
</step>
<para>
This time we are trying the same as the previous test but are trying
it via a broadcast to the default broadcast address. A number of
-Netbios/TCPIP hosts on the network should respond, although Samba may
+NetBIOS / TCP/IP hosts on the network should respond, although Samba may
not catch all of the responses in the short time it listens. You
should see <errorname>got a positive name query response</errorname>
messages from several hosts.
<orderedlist>
<listitem>
<para>
- you have shadow passords (or some other password system) but didn't
+ you have shadow passwords (or some other password system) but didn't
compile in support for them in &smbd;
</para>
</listitem>
<listitem><para>
add the IP address of BIGSERVER to the <command>wins server</command> box in the
- advanced tcp/ip setup on the PC.
+ advanced TCP/IP setup on the PC.
</para></listitem>
<listitem><para>
enable windows name resolution via DNS in the advanced section of
- the tcp/ip setup
+ the TCP/IP setup
</para></listitem>
<listitem><para>
&author.jht;
</chapterinfo>
-<title>FastStart for the Impatient</title>
+<title>Fast Start for the Impatient</title>
<sect1>
<title>Note</title>
</sect1>
<sect1>
- <title>Related updates from microsoft</title>
+ <title>Related updates from Microsoft</title>
<itemizedlist>
<listitem><para>
<para>
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
- so long as appropriate interface scripts have been provided to &smb.conf;
+ so long as appropriate interface scripts have been provided to &smb.conf;.
</para>
<para>
There are several possible work-arounds for the operating system tools limitation. One
method is to use a script that generates a name for the Unix/Linux system group that
fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
- back to the calling samba interface. This will provide a dynamic work-around solution.
+ back to the calling Samba interface. This will provide a dynamic work-around solution.
</para>
<para>
<para>
When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
- program creates default users and groups. Notably the <constant>Administrators</constant> group,
- and gives to that group privileges necessary privilidges to perform essential system tasks.
- eg: Ability to change the date and time or to kill any process (or close too) running on the
+ program creates default users and groups, notably the <constant>Administrators</constant> group,
+ and gives that group privileges necessary privileges to perform essential system tasks.
+ eg: Ability to change the date and time or to kill (or close) any process running on the
local machine.
</para>
</para>
<para>
- When an MS Windows NT4 / W200x is made a domain member, the "Domain Adminis" group of the
+ When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the
PDC is added to the local 'Administrators' group of the workstation. Every member of the
'Domain Administrators' group inherits the rights of the local 'Administrators' group when
logging on the workstation.
</para>
<para>
- The following steps describe how to make samba PDC users members of the 'Domain Admins' group?
+ The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
</para>
<orderedlist>
</para></listitem>
<listitem><para>add to this group the users that must be Administrators. For example
- if you want joe,john and mary, your entry in <filename>/etc/group</filename> will
+ if you want joe, john and mary, your entry in <filename>/etc/group</filename> will
look like:
</para>
</para>
<para>
- Be aware that the RID parmeter is a unsigned 32 bit integer that should
+ Be aware that the RID parameter is a unsigned 32 bit integer that should
normally start at 1000. However, this rid must not overlap with any RID assigned
to a user. Verifying this is done differently depending on on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
<title>Sample &smb.conf; add group script</title>
<para>
- A script to great complying group names for use by the samba group interfaces:
+ A script to great complying group names for use by the Samba group interfaces:
</para>
<para>
thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
# Now change the name to what we want for the MS Windows networking end
-cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group
+cp /etc/group /etc/group.bak
+cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
# Now return the GID as would normally happen.
echo $thegid
</para>
<para>
- Of course it is expected that the admininstrator will modify this to suit local needs.
+ Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <command>net groupmap</command> tool please
refer to the man page.
</para>
<para>
This is a common problem when the <command>groupadd</command> is called directly
- by the
samba interface script for the <parameter>add group script</parameter> in
+ by the
Samba interface script for the <parameter>add group script</parameter> in
the &smb.conf; file.
</para>
<para>
- The most common cause of failure is an attempt to add an MS Windows group acocunt
+ The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</para>
<para>
Many MS Windows network administrators have never been exposed to basic TCP/IP
networking as it is implemented in a Unix/Linux operating system. Likewise, many Unix and
-Linux adminsitrators have not been exposed to the intricacies of MS Windows TCP/IP based
+Linux administrators have not been exposed to the intricacies of MS Windows TCP/IP based
networking (and may have no desire to be either).
</para>
Every network interface must have an MAC address. Associated with
a MAC address there may be one or more IP addresses. There is NO
relationship between an IP address and a MAC address, all such assignments
-are arbitary or discretionary in nature. At the most basic level all
+are arbitrary or discretionary in nature. At the most basic level all
network communications takes place using MAC addressing. Since MAC
addresses must be globally unique, and generally remains fixed for
any particular interface, the assignment of an IP address makes sense
<para>
The <filename>/etc/hosts</filename> file is foundational to all
-Unix/Linux TCP/IP installations and as a minumum will contain
+Unix/Linux TCP/IP installations and as a minimum will contain
the localhost and local network interface IP addresses and the
primary names by which they are known within the local machine.
This file helps to prime the pump so that a basic level of name
<filename>/etc/host.conf</filename> is the primary means by
which the setting in /etc/resolv.conf may be affected. It is a
critical configuration file. This file controls the order by
-which name resolution may procede. The typical structure is:
+which name resolution may proceed. The typical structure is:
</para>
<para><screen>
hosts: files nis dns
# Alternative entries for host name resolution are:
- # hosts: files dns nis nis+ hesoid db compat ldap wins
+ # hosts: files dns nis nis+ hesiod db compat ldap wins
networks: nis files dns
ethers: nis files
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
- # corresponding computername. The address and the comptername
+ # corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
- # In addtion the share "public" in the example below must be in the
+ # In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
<title>WINS Lookup</title>
<para>
-A WINS (Windows Internet Name Server) service is the equivaent of the
+A WINS (Windows Internet Name Server) service is the equivalent of the
rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores
the names and IP addresses that are registered by a Windows client
if the TCP/IP setup has been given at least one WINS Server IP Address.
<para>
TCP/IP network configuration problems find every network administrator sooner or later.
-The cause can be anything from keybaord mishaps, forgetfulness, simple mistakes, and
-carelessness. Of course, noone is every deliberately careless!
+The cause can be anything from keyboard mishaps, forgetfulness, simple mistakes, and
+carelessness. Of course, no one is every deliberately careless!
</para>
<sect2>
<para>
The Windows machine was at IP Address 192.168.1.2 with netmask 255.255.255.0, the
- Samba server (Linux) was at IP Address 192.168.1.130 with netmast 255.255.255.128.
+ Samba server (Linux) was at IP Address 192.168.1.130 with netmask 255.255.255.128.
The machines were on a local network with no external connections.
</para>
Name Type Status
------------------------------------------------
SLACK <03> UNIQUE Registered
- ADMININSTRATOR <03> UNIQUE Registered
+ ADMINISTRATOR <03> UNIQUE Registered
SLACK <00> UNIQUE Registered
SARDON <00> GROUP Registered
SLACK <20> UNIQUE Registered
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control
modes, the administrator would be well advised to consider alternatives to the use of
-Interdomain trusts simplt because by the very nature of how this works it is fragile.
-That was after all a key reason for the development and adoption of Microsoft Active Directory.
+Interdomain trusts simply because by the very nature of how this works it is fragile.
+That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</para>
</sect1>
<para>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
-with the trusted domain. To consumate the trust relationship the administrator will launch the
+with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<guibutton>Add</guibutton> button that is next to the box that is labelled
<guilabel>Trusted Domains</guilabel>. A panel will open in which must be entered the name of the remote
In order to set the Samba PDC to be the trusted party of the relationship first you need
to create special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
-similiar to creating a trusted machine account. Suppose, your domain is
+similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</para>
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
-(in the stardard way depending on your configuration) and see that account's name is
+(in the standard way depending on your configuration) and see that account's name is
really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</para>
<para>
These are almost complete in Samba 3.0 snapshots. The main catch
- is getting winbindd to be able to allocate uid/gid's for trusted
+ is getting winbindd to be able to allocate UID/GIDs for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</para>
<listitem><para>
CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and
is being actively developed for the upcoming version of the Linux kernel. The intent of this module
- is to provide advanced network file system functionality including support for dfs (heirarchical
+ is to provide advanced network file system functionality including support for dfs (hierarchical
name space), secure per-user session establishment, safe distributed caching (oplock),
optional packet signing, Unicode and other internationalization improvements, and optional
Winbind (nsswitch) integration.
<para>
In the IT world there is often a saying that all problems are encountered because of
-poor planning. The corrollary to this saying is that not all problems can be anticpated
-and planned for. Then again, good planning will anticpate most show stopper type situations.
+poor planning. The corollary to this saying is that not all problems can be anticipated
+and planned for. Then again, good planning will anticipate most show stopper type situations.
</para>
<para>
<simplelist>
<member>Active Directory Server</member>
- <member>Group Policy Objects (in Active Direcrtory)</member>
+ <member>Group Policy Objects (in Active Directory)</member>
<member>Machine Policy objects</member>
- <member>Logon Scripts in Active Directorty</member>
+ <member>Logon Scripts in Active Directory</member>
<member>Software Application and Access Controls in Active Directory</member>
</simplelist>
<member>Greater Stability, Reliability, Performance and Availability</member>
<member>Manageability via an ssh connection</member>
<member>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</member>
- <member>Ability to implement a full single-signon architecture</member>
+ <member>Ability to implement a full single-sign-on architecture</member>
<member>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</member>
</simplelist>
A physical network segment may house several domains, each of which may span multiple network segments.
Where domains span routed network segments it is most advisable to consider and test the performance
implications of the design and layout of a network. A Centrally located domain controller that is being
-designed to serve mulitple routed network segments may result in severe performance problems if the
+designed to serve multiple routed network segments may result in severe performance problems if the
response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
the local authentication and access control server.
<title>Logon Scripts</title>
<para>
-Please refer to the section of this document on Advanced Network Adminsitration for information
+Please refer to the section of this document on Advanced Network Administration for information
regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
all users gain share and printer connections they need.
</para>
<para>
Logon scripts can be created on-the-fly so that all commands executed are specific to the
-rights and privilidges granted to the user. The preferred controls should be affected through
-group membership so that group information can be used to custom create a logong script using
+rights and privileges granted to the user. The preferred controls should be affected through
+group membership so that group information can be used to custom create a logon script using
the <parameter>root preexec</parameter> parameters to the <filename>NETLOGON</filename> share.
</para>
<substeps><step><para>Now check that all groups are recognised</para></step></substeps>
</step>
- <step><para><userinput>net rpc campire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
+ <step><para><userinput>net rpc vampire -S <replaceable>NT4PDC</replaceable> -U administrator%<replaceable>passwd</replaceable></userinput></para></step>
<step><para><userinput>pdbedit -Lv</userinput></para>
<substeps><step>
<title>Planning for Success</title>
<para>
-There are three basic choices for sites that intend to migrate from MS Windwows NT4
+There are three basic choices for sites that intend to migrate from MS Windows NT4
to Samba-3.
</para>
External server could use Active Directory or NT4 Domain
Database type
- smbpasswd, tdbsam, ldapsam, MySQLsam
+ smbpasswd, tdbsam, ldapsam, mysqlsam
Access Control Points
On the Share itself (Use NT4 Server Manager)
On the file system
Unix permissions on files and directories
- Posix ACLs enablement in file system?
+ Enable Posix ACLs in file system?
Through Samba share parameters
Not recommended - except as only resort
<para>
This document contains detailed information as well as a fast track guide to
implementing browsing across subnets and / or across workgroups (or domains).
-WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is
+WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is
NOT involved in browse list handling except by way of name to address resolution.
</para>
</para>
<para>
-For many MS Windows network administrators that statement sums up their feelings about
-NetBIOS networking precisely. For those who mastered NetBIOS networking it's fickle
-nature was just par for the course. For those who never quite managed to tame it's
-lusty features NetBIOS is like Paterson's Curse.
+For many MS Windows network administrators, that statement sums up their feelings about
+NetBIOS networking precisely. For those who mastered NetBIOS networking, its fickle
+nature was just par for the course. For those who never quite managed to tame its
+lusty features, NetBIOS is like Paterson's Curse.
</para>
<para>
<para>
In this chapter we explore vital aspects of SMB (Server Message Block) networking with
-a particular focus on SMB as implmented through running NetBIOS (Network Basic
+a particular focus on SMB as implemented through running NetBIOS (Network Basic
Input / Output System) over TCP/IP. Since Samba does NOT implement SMB or NetBIOS over
any other protocols we need to know how to configure our network environment and simply
remember to use nothing but TCP/IP on all our MS Windows network clients.
</simplelist>
<para>
-The samba application that controls/manages browse list management and name resolution is
+The Samba application that controls browse list management and name resolution is
called <filename>nmbd</filename>. The configuration parameters involved in nmbd's operation are:
</para>
</programlisting></para>
<para>
-For Samba the WINS Server and WINS Support are mutually exclusive options. Those marked with
+For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with
an '*' are the only options that commonly MAY need to be modified. Even if not one of these
-parameters is set nmbd will still do it's job.
+parameters is set <filename>nmbd</filename> will still do it's job.
</para>
</sect1>
<para>
Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging.
SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports
-NetBIOS over TCP/IP for backwards compatibility. Microsoft are intent on phasing out NetBIOS
+NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS
support.
</para>
<para>
Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP.
MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to
-affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging.
+affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging.
UDP messages can be broadcast or unicast.
</para>
</para>
<para>
-Secondly, in those networks where Samba is the only SMB server technology
+Secondly, in those networks where Samba is the only SMB server technology,
wherever possible <filename>nmbd</filename> should be configured on one (1) machine as the WINS
server. This makes it easy to manage the browsing environment. If each network
segment is configured with it's own Samba WINS server, then the only way to
As of Samba 3 WINS replication is being worked on. The bulk of the code has
been committed, but it still needs maturation. This is NOT a supported feature
of the Samba-3.0.0 release. Hopefully, this will become a supported feature
-of one of the samba-3 release series.
+of one of the Samba-3 release series.
</para>
<para>
-Right now samba WINS does not support MS-WINS replication. This means that
+Right now Samba WINS does not support MS-WINS replication. This means that
when setting up Samba as a WINS server there must only be one <filename>nmbd</filename>
configured as a WINS server on the network. Some sites have used multiple Samba WINS
servers for redundancy (one server per subnet) and then used
<para>
With Active Directory (ADS), a correctly functioning DNS server is absolutely
-essential. In the absence of a working DNS server that has been correctly configured
+essential. In the absence of a working DNS server that has been correctly configured,
MS Windows clients and servers will be totally unable to locate each other,
consequently network services will be severely impaired.
</para>
<listitem><para>_ldap._tcp.<emphasis>Site</emphasis>.gc.ms-dcs.<emphasis>DomainTree</emphasis></para>
<para>
- Used by MS Windows clients to locate site configuration dependant
+ Used by MS Windows clients to locate site configuration dependent
Global Catalog server.
</para>
</listitem>
</para>
<para>
-In the case where there is no WINS server all name registrations as
+In the case where there is no WINS server, all name registrations as
well as name lookups are done by UDP broadcast. This isolates name
resolution to the local subnet, unless LMHOSTS is used to list all
names and IP addresses. In such situations Samba provides a means by
-which the samba server name may be forcibly injected into the browse
+which the Samba server name may be forcibly injected into the browse
list of a remote MS Windows network (using the
<command>remote announce</command> parameter).
</para>
</para>
<para>
-Samba supports a feature that allows forced synchonisation
+Samba supports a feature that allows forced synchronisation
of browse lists across routed networks using the <command>remote
browse sync</command> parameter in the <filename>smb.conf</filename> file.
This causes Samba to contact the local master browser on a remote network and
subnets that have a machine participating in the workgroup. Without
one machine configured as a domain master browser each subnet would
be an isolated workgroup, unable to see any machines on any other
-subnet. It is the presense of a domain master browser that makes
+subnet. It is the presence of a domain master browser that makes
cross subnet browsing possible for a workgroup.
</para>
<para>
If you are adding Samba servers to a Windows NT Domain then
you must not set up a Samba server as a domain master browser.
-By default, a Windows NT Primary Domain Controller for a Domain
-name is also the Domain master browser for that name, and many
+By default, a Windows NT Primary Domain Controller for a domain
+is also the Domain master browser for that domain, and many
things will break if a Samba server registers the Domain master
browser NetBIOS name (<replaceable>DOMAIN</replaceable><1B>)
with WINS instead of the PDC.
to lower levels. By doing this you can tune the order of machines that
will become local master browsers if they are running. For
more details on this see the section <link linkend="browse-force-master">
-Forcing samba to be the master browser</link>
+Forcing Samba to be the master browser</link>
below.
</para>
</sect2>
<sect2 id="browse-force-master">
-<title>Forcing samba to be the master</title>
+<title>Forcing Samba to be the master</title>
<para>
Who becomes the <parameter>master browser</parameter> is determined by an election
<para>The maximum os level is 255</para>
<para>
-If you want samba to force an election on startup, then set the
+If you want Samba to force an election on startup, then set the
<parameter>preferred master</parameter> global option in &smb.conf; to <constant>yes</constant>. Samba will
then have a slight advantage over other potential master browsers
that are not preferred master browsers. Use this parameter with
-care, as if you have two hosts (whether they are windows 95 or NT or
-
samba) on the same local subnet both set with <parameter>preferred master</parameter> to
+care, as if you have two hosts (whether they are Windows 95 or NT or
+
Samba) on the same local subnet both set with <parameter>preferred master</parameter> to
<constant>yes</constant>, then periodically and continually they will force an election
in order to become the local master browser.
</para>
<para>
-
If you want samba to be a <parameter>domain master browser</parameter>, then it is
+
If you want Samba to be a <parameter>domain master browser</parameter>, then it is
recommended that you also set <parameter>preferred master</parameter> to <constant>yes</constant>, because
-samba will not become a domain master browser for the whole of your
+Samba will not become a domain master browser for the whole of your
LAN or WAN if it is not also a local master browser on its own
broadcast isolated subnet.
</para>
<para>
-It is possible to configure two samba servers to attempt to become
+It is possible to configure two Samba servers to attempt to become
the domain master browser for a domain. The first server that comes
-up will be the domain master browser. All other samba servers will
+up will be the domain master browser. All other Samba servers will
attempt to become the domain master browser every 5 minutes. They
-will find that another samba server is already the domain master
+will find that another Samba server is already the domain master
browser and will fail. This provides automatic redundancy, should
the current domain master browser fail.
</para>
</sect2>
<sect2>
-<title>Making samba the domain master</title>
+<title>Making Samba the domain master</title>
<para>
The domain master is responsible for collating the browse lists of
multiple subnets so that browsing can occur between subnets. You can
-make
samba act as the domain master by setting <parameter>domain master = yes</parameter>
+make
Samba act as the domain master by setting <parameter>domain master = yes</parameter>
in &smb.conf;. By default it will not be a domain master.
</para>
</para>
<para>
-When samba is the domain master and the master browser it will listen
+When Samba is the domain master and the master browser, it will listen
for master announcements (made roughly every twelve minutes) from local
master browsers on other subnets and then contact them to synchronise
browse lists.
</para>
<para>
-If you want samba to be the domain master then I suggest you also set
+If you want Samba to be the domain master then I suggest you also set
the <parameter>os level</parameter> high enough to make sure it wins elections, and set
-<parameter>preferred master</parameter> to <constant>yes</constant>, to get samba to force an election on
+<parameter>preferred master</parameter> to <constant>yes</constant>, to get Samba to force an election on
startup.
</para>
<para>
-Note that all your servers (including samba) and clients should be
+Note that all your servers (including Samba) and clients should be
using a WINS server to resolve NetBIOS names. If your clients are only
using broadcasting to resolve NetBIOS names, then two things will occur:
</para>
</orderedlist>
<para>
-If, however, both samba and your clients are using a WINS server, then:
+If, however, both Samba and your clients are using a WINS server, then:
</para>
<orderedlist>
<listitem>
<para>
your local master browsers will contact the WINS server and, as long as
- samba has registered that it is a domain master browser with the WINS
- server, your local master browser will receive samba's ip address
+ Samba has registered that it is a domain master browser with the WINS
+ server, your local master browser will receive Samba's IP address
as its domain master browser.
</para>
</listitem>
<programlisting>
remote announce = a.b.c.d [e.f.g.h] ...
</programlisting>
-_or_
+<emphasis>or</emphasis>
<programlisting>
remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
</programlisting>
<varlistentry><term><replaceable>a.b.c.d</replaceable> and
<replaceable>e.f.g.h</replaceable></term>
<listitem><para>is either the LMB (Local Master Browser) IP address
-or the broadcst address of the remote network.
+or the broadcast address of the remote network.
ie: the LMB is at 192.168.1.10, or the address
could be given as 192.168.1.255 where the netmask
is assumed to be 24 bits (255.255.255.0).
When the remote announcement is made to the broadcast
-address of the remote network every host will receive
+address of the remote network, every host will receive
our announcements. This is noisy and therefore
undesirable but may be necessary if we do NOT know
the IP address of the remote LMB.</para></listitem>
<para>
The <parameter>remote browse sync</parameter> parameter of
<filename>smb.conf</filename> is used to announce to
-another LMB that it must synchronise it's NetBIOS name list with our
+another LMB that it must synchronise its NetBIOS name list with our
Samba LMB. It works ONLY if the Samba server that has this option is
-simultaneously the LMB on it's network segment.
+simultaneously the LMB on its network segment.
</para>
<para>
<title>WINS - The Windows Internetworking Name Server</title>
<para>
-Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
+Use of WINS (either Samba WINS <emphasis>or</emphasis> MS Windows NT Server WINS) is highly
recommended. Every NetBIOS machine registers its name together with a
-name_type value for each of of several types of service it has available.
+name_type value for each of several types of service it has available.
eg: It registers its name directly as a unique (the type 0x03) name.
-It also registers its name if it is running the lanmanager compatible
+It also registers its name if it is running the LanManager compatible
server service (used to make shares and printers available to other users)
by registering the server (the type 0x20) name.
</para>
of all names that have registered the NetLogon service name_type. This saves
broadcast traffic and greatly expedites logon processing. Since broadcast
name resolution can not be used across network segments this type of
-information can only be provided via WINS _or_ via statically configured
+information can only be provided via WINS <emphasis>or</emphasis> via statically configured
<filename>lmhosts</filename> files that must reside on all clients in the
absence of WINS.
</para>
</para>
<para>
-You should set up only ONE wins server. Do NOT set the
+You should set up only ONE WINS server. Do NOT set the
<parameter>wins support = yes</parameter> option on more than one Samba
server.
</para>
the WINS service - see your NT documentation for details. Note that
Windows NT WINS Servers can replicate to each other, allowing more
than one to be set up in a complex subnet environment. As Microsoft
-refuse to document these replication protocols Samba cannot currently
+refuses to document these replication protocols, Samba cannot currently
participate in these replications. It is possible in the future that
a Samba->Samba WINS replication protocol may be defined, in which
case more than one Samba machine could be set up as a WINS server
<title>Static WINS Entries</title>
<para>
-New to Samba-3 is a tool called <command>winsedit</command> that may be used to add
-static WINS entries to the WINS database. This tool can be used also to modify entries
-existing in the WINS database.
+Adding static entries to your Samba-3 WINS server is actually fairly easy.
+All you have to do is add a line to <filename>wins.dat</filename>, typically
+located in <filename class="directory">/usr/local/samba/var/locks</filename>.
</para>
<para>
-The development of the winsedit tool was made necessary due to the migration
-of the older style wins.dat file into a new tdb binary backend data store.
+Entries in <filename>wins.dat</filename> take the form of
+
+<programlisting>
+"NAME#TYPE" TTL ADDRESS+ FLAGS
+</programlisting>
+
+where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the
+time-to-live as an absolute time in seconds, ADDRESS+ is one or more
+addresses corresponding to the registration and FLAGS are the NetBIOS
+flags for the registration.
+</para>
+
+<para>
+A typical dynamic entry looks like:
+<programlisting>
+"MADMAN#03" 1055298378 192.168.1.2 66R
+</programlisting>
+
+To make it static, all that has to be done is set the TTL to 0:
+
+<programlisting>
+"MADMAN#03" 0 192.168.1.2 66R
+</programlisting>
+</para>
+
+<para>
+Though this method works with early Samba-3 versions, there's a
+possibility that it may change in future versions if WINS replication
+is added.
</para>
</sect2>
<para>
Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
every 15 minutes. A set of election criteria is used to determine the order
-of precidence for winning this election process. A machine running Samba or
+of precedence for winning this election process. A machine running Samba or
Windows NT will be biased so that the most suitable machine will predictably
win and thus retain it's role.
</para>
<para>
Resolution of NetBIOS names to IP addresses can take place using a number
of methods. The only ones that can provide NetBIOS name_type information
-are:</para>
+are:
+</para>
<simplelist>
<member>WINS: the best tool!</member>
</simplelist>
<para>
-Alternative means of name resolution includes:</para>
+Alternative means of name resolution includes:
+</para>
<simplelist>
<member><filename>/etc/hosts</filename>: is static, hard to maintain, and lacks name_type info</member>
<member>DNS: is a good choice but lacks essential name_type info.</member>
<para>
Many sites want to restrict DNS lookups and want to avoid broadcast name
-resolution traffic. The "name resolve order" parameter is of great help here.
-The syntax of the "name resolve order" parameter is:
+resolution traffic. The <parameter>name resolve order</parameter> parameter is
+of great help here. The syntax of the <parameter>name resolve order</parameter>
+parameter is:
<programlisting>
name resolve order = wins lmhosts bcast host
</programlisting>
-_or_
+<emphasis>or</emphasis>
<programlisting>
name resolve order = wins lmhosts (eliminates bcast and host)
</programlisting>
The default is:
<programlisting>
-name resolve order = host lmhost wins bcast
+name resolve order = host lmhost wins bcast
</programlisting>
where "host" refers the the native methods used by the Unix system
to implement the gethostbyname() function call. This is normally
<para>
MS Windows 2000 and later, as with Samba 3 and later, can be
-configured to not use NetBIOS over TCP/IP. When configured this way
+configured to not use NetBIOS over TCP/IP. When configured this way,
it is imperative that name resolution (using DNS/LDAP/ADS) be correctly
configured and operative. Browsing will NOT work if name resolution
from SMB machine names to IP addresses does not function correctly.
</para>
<sect2>
-<title>Browsing support in samba</title>
+<title>Browsing support in Samba</title>
<para>
Samba facilitates browsing. The browsing is supported by &nmbd;
means that it will collate lists from local browse masters into a
wide area network server list. In order for browse clients to
resolve the names they may find in this list, it is recommended that
-both samba and your clients use a WINS server.
+both Samba and your clients use a WINS server.
</para>
<para>
<note><para>
Nmbd can be configured as a WINS server, but it is not
-necessary to specifically use samba as your WINS server. MS Windows
+necessary to specifically use Samba as your WINS server. MS Windows
NT4, Server or Advanced Server 2000 or 2003 can be configured as
-your WINS server. In a mixed NT/2000/2003 server and samba environment on
+your WINS server. In a mixed NT/2000/2003 server and Samba environment on
a Wide Area Network, it is recommended that you use the Microsoft
-WINS server capabilities. In a samba-only environment, it is
+WINS server capabilities. In a Samba-only environment, it is
recommended that you use one and only one Samba server as your WINS server.
</para></note>
<title>Problem resolution</title>
<para>
-If something doesn't work then hopefully the log.nmb file will help
+If something doesn't work then hopefully the log.nmbd file will help
you track down the problem. Try a debug level of 2 or 3 for finding
problems. Also note that the current browse list usually gets stored
in text form in a file called <filename>browse.dat</filename>.
<sect2>
<title>Browsing across subnets</title>
<para>
-Since the release of Samba 1.9.17(alpha1) Samba has been
-updated to enable it to support the replication of browse lists
-across subnet boundaries. New code and options have been added to
-achieve this. This section describes how to set this feature up
-in different settings.
+Since the release of Samba 1.9.17(alpha1), Samba has supported the
+replication of browse lists across subnet boundaries. This section
+describes how to set this feature up in different settings.
</para>
<para>
To see browse lists that span TCP/IP subnets (ie. networks separated
-by routers that don't pass broadcast traffic) you must set up at least
+by routers that don't pass broadcast traffic), you must set up at least
one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing
NetBIOS name to IP address translation to be done by doing a direct
query of the WINS server. This is done via a directed UDP packet on
<para>
At this point users looking in their network neighborhood on
-subnets 1 or 3 will see all the servers on all sunbets, users on
+subnets 1 or 3 will see all the servers on all subnets, users on
subnet 2 will still only see the servers on subnets 1 and 2, but not 3.
</para>
<para>
Finally, the local master browser for subnet 2 (N2_B) will sync again
-with the domain master browser (N1_C) and will recieve the missing
+with the domain master browser (N1_C) and will receive the missing
server entries. Finally - and as a steady state (if no machines
are removed or shut off) the browse lists will look like :
</para>
<title>Common Errors</title>
<para>
-Many questions are sked on the mailing lists regarding browsing. The majority of browsing
+Many questions are asked on the mailing lists regarding browsing. The majority of browsing
problems originate out of incorrect configuration of NetBIOS name resolution. Some are of
particular note.
</para>
<sect2>
-<title>How can one flush the Samba NetBIOS name cache without restarting samba?</title>
+<title>How can one flush the Samba NetBIOS name cache without restarting Samba?</title>
<para>
Samba's nmbd process controls all browse list handling. Under normal circumstances it is
-safe to restart nmbd. This will effectively flush the samba NetBIOS name cache and cause it
+safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it
to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear
in the browse list. When nmbd is taken out of service another machine on the network will
become the browse master. This new list may still have the rogue entry in it. If you really
<title>Macintosh clients?</title>
<para>
-Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now ha
ve a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
+Yes. <ulink url="http://www.thursby.com/">Thursby</ulink> now ha
s a CIFS Client / Server called <ulink url="http://www.thursby.com/products/dave.html">DAVE</ulink>
</para>
<para>
<para>
Alternatives - There are two free implementations of AppleTalk for
-several kinds of UNIX machnes, and several more commercial ones.
+several kinds of UNIX machines, and several more commercial ones.
These products allow you to run file services and print services
natively to Macintosh users, with no additional support required on
-the Macintosh. The two free omplementations are
+the Macintosh. The two free implementations are
<ulink url="http://www.umich.edu/~rsug/netatalk/">Netatalk</ulink>, and
<ulink url="http://www.cs.mu.oz.au/appletalk/atalk.html">CAP</ulink>.
What Samba offers MS
<sect2>
<title>Use latest TCP/IP stack from Microsoft</title>
-<para>Use the latest TCP/IP stack from microsoft if you use Windows
-for workgroups.
+<para>Use the latest TCP/IP stack from Microsoft if you use Windows
+for Workgroups.
</para>
<para>The early TCP/IP stacks had lots of bugs.</para>
<para>To support print queue reporting you may find
that you have to use TCP/IP as the default protocol under
-WfWg. For some reason if you leave Netbeui as the default
+WfWg. For some reason if you leave NetBEUI as the default
it may break the print queue reporting on some systems.
It is presumably a WfWg bug.</para>
</para>
<para>
-My own experience wth DefaultRcvWindow is that I get much better
+My own experience with DefaultRcvWindow is that I get much better
performance with a large value (16384 or larger). Other people have
-reported that anything over 3072 slows things down enourmously. One
+reported that anything over 3072 slows things down enormously. One
person even reported a speed drop of a factor of 30 when he went from
3072 to 8192. I don't know why.
</para>
</simplelist>
<para>
-Also, if using <application>MS OutLook</application> it is desirable to
+Also, if using <application>MS Outlook</application> it is desirable to
install the <command>OLEUPD.EXE</command> fix. This
fix may stop your machine from hanging for an extended period when exiting
-OutLook and you may also notice a significant speedup when accessing network
+Outlook and you may also notice a significant speedup when accessing network
neighborhood services.
</para>
</para>
<para>
-In addition to knowing how to configure winbind into PAM, you will learn generic PAM managment
-possibilities and in particular how to deploy tools like pam_smbpass.so to your adavantage.
+In addition to knowing how to configure winbind into PAM, you will learn generic PAM management
+possibilities and in particular how to deploy tools like pam_smbpass.so to your advantage.
</para>
<note><para>
<listitem><para>
<emphasis>session:</emphasis> primarily, this module is associated with doing things that need
- to be done for the user before/after they can be given service. Such things include the loggin
- of information concerning the opening/closing of some data exchange with a user, mountin
+ to be done for the user before/after they can be given service. Such things include the logging
+ of information concerning the opening/closing of some data exchange with a user, mounting
directories, etc.
</para></listitem>
<para>
The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control
- over how the user is authenticated. This form of the control flag is delimeted with square brackets and
+ over how the user is authenticated. This form of the control flag is delimited with square brackets and
consists of a series of value=action tokens:
</para>
</screen></para>
<para>
- Here, valueI is one of the following return values: success; open_err; symbol_err; service_err;
+ Here, value1 is one of the following return values: success; open_err; symbol_err; service_err;
system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries;
new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err;
authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort;
</para>
<para>
- The actionI can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
+ The action1 can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset.
A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
<title>PAM: login using pam_smbpass</title>
<para>
-PAM allows use of replacable modules. Those available on a sample system include:
+PAM allows use of replaceable modules. Those available on a sample system include:
</para>
<para><prompt>$</prompt><userinput>/bin/ls /lib/security</userinput>
also possible to pass information obtained within one PAM module through
to the next module in the PAM stack. Please refer to the documentation for
your particular system implementation for details regarding the specific
-capabilities of PAM in this environment. Some Linux implmentations also
+capabilities of PAM in this environment. Some Linux implementations also
provide the <filename>pam_stack.so</filename> module that allows all
authentication to be configured in a single central file. The
<filename>pam_stack.so</filename> method has some very devoted followers
<title>Remote CIFS Authentication using winbindd.so</title>
<para>
-All operating systems depend on the provision of users credentials accecptable to the platform.
+All operating systems depend on the provision of users credentials acceptable to the platform.
Unix requires the provision of a user identifier (UID) as well as a group identifier (GID).
These are both simple integer type numbers that are obtained from a password backend such
as <filename>/etc/passwd</filename>.
<title>Features and Benefits</title>
<para>
-When MS Windows NT3.5 was introduced the hot new topic was the ability to implmement
+When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
started to adopt this capability. How do we know that? By way of the number of "booboos"
(or mistakes) administrators made and then requested help to resolve.
For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
be generated using a tool called <filename>poledit.exe</filename>, better known as the
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
-dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
+disappeared again with the introduction of MS Windows Me (Millennium Edition). From
comments from MS Windows network administrators it would appear that this tool became
a part of the MS Windows Me Resource Kit.
</para>
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
startup (machine specific part) and when the user logs onto the network the user specific part
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
- to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
+ to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
the administrator to also set filters over the policy settings. No such equivalent capability
exists with NT4 style policy files.
</para>
<para>
All policy configuration options are controlled through the use of policy administrative
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
- Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
+ Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
The later introduces many new features as well as extended definition capabilities. It is
well beyond the scope of this documentation to explain how to program .adm files, for that
- the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
+ the administrator is referred to the Microsoft Windows Resource Kit for your particular
version of MS Windows.
</para>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
-This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
+This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
</para>
<para>
<para>
The tools that may be used to configure these types of controls from the MS Windows environment are:
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
- Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
+ Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
</para>
</sect2>
</para></listitem>
<listitem><para>
- Execution of start-up scripts (hidden and synchronous by defaut).
+ Execution of start-up scripts (hidden and synchronous by default).
</para></listitem>
<listitem><para>
</para></listitem>
<listitem><para>
- An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
<simplelist>
<member>Is user a domain member, thus subject to particular policies</member>
</para>
<para>
-On HPUX you must use gcc or the HP Ansi compiler. The free compiler
-that comes with HP-UX is not Ansi compliant and cannot compile
+On HPUX you must use gcc or the HP ANSI compiler. The free compiler
+that comes with HP-UX is not ANSI compliant and cannot compile
Samba.
</para>
<!-- From an email by William Jojo <jojowil@hvcc.edu> -->
<para>
Disabling Sequential Read Ahead using <userinput>vmtune -r 0</userinput> improves
-samba performance significally.
+Samba performance significantly.
</para>
</sect2>
</sect1>
<title>Locking improvements</title>
<para>Some people have been experiencing problems with F_SETLKW64/fcntl
-when running samba on solaris. The built in file locking mechanism was
+when running Samba on Solaris. The built in file locking mechanism was
not scalable. Performance would degrade to the point where processes would
-get into loops of trying to lock a file. It woul try a lock, then fail,
+get into loops of trying to lock a file. It would try a lock, then fail,
then try again. The lock attempt was failing before the grant was
occurring. So the visible manifestation of this would be a handful of
processes stealing all of the CPU, and when they were trussed they would
</para>
<screen>
- <prompt>$ </prompt><userinput>testparam | more</userinput>
+ <prompt>$ </prompt><userinput>testparm | more</userinput>
<prompt>$ </prompt><userinput>smbclient -L //{netbios name of server}</userinput>
</screen>
</sect1>
<sect1>
-<title>Useful URL's</title>
+<title>Useful URLs</title>
<itemizedlist>
<listitem><para>See how Scott Merrill simulates a BDC behavior at
</sect1>
<sect1>
-<title>How to get off the mailinglists</title>
+<title>How to get off the mailing lists</title>
<para>To have your name removed from a samba mailing list, go to the
same place you went to to get on it. Go to <ulink
<title>NT4/200x User Profiles</title>
<para>
-To support Windowns NT4/200x clients, in the [global] section of smb.conf set the
+To support Windows NT4/200x clients, in the [global] section of smb.conf set the
following (for example):
</para>
The <filename>\\N%\%U</filename> service is created automatically by the [homes] service. If you are using
a samba server for the profiles, you _must_ make the share specified in the logon path
browseable. Please refer to the man page for &smb.conf; in respect of the different
-symantics of %L and %N, as well as %U and %u.
+semantics of %L and %N, as well as %U and %u.
</para>
<note>
User Profiles\
Disable: Only Allow Local User Profiles
- Disable: Prevent Roaming Profile Change from Propogating to the Server
+ Disable: Prevent Roaming Profile Change from Propagating to the Server
</programlisting>
</para> </listitem>
</varlistentry>
</procedure>
<para>
-Done. You now have a profile that can be editted using the samba-3.0.0
+Done. You now have a profile that can be edited using the samba-3.0.0
<command>profiles</command> tool.
</para>
<note>
<para>
-Under NT/2K the use of mandotory profiles forces the use of MS Exchange
+Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</para>
</note>
Select a user profile you want to migrate and click on it.
</para>
-<note><para>I am using the term "migrate" lossely. You can copy a profile to
+<note><para>I am using the term "migrate" loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your samba
domain is not a member of a trust relationship with your NT4 PDC.</para></note>
<title>Creating/Managing Group Profiles</title>
<para>
-Most organisations are arranged into departments. There is a nice benenfit in
+Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
re-created from the contents of the <filename>HKEY_CURRENT_USER</filename> contents.
Thus, should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the
- next logon, the effect of the provious <filename>NTConfig.POL</filename> will still be held
+ next logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held
in the profile. The effect of this is known as <emphasis>tatooing</emphasis>.
</para>
</step>
<row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
<row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
<row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
- <row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</entry></row>
+ <row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>
</para>
<para>
-On loging out, the users' desktop profile will be stored to the location specified in the registry
+On logging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
<title>Common Errors</title>
<para>
-THe following are some typical errors/problems/questions that have been asked.
+The following are some typical errors/problems/questions that have been asked.
</para>
<sect2>
<varlistentry>
<term>Group profiles</term>
- <listitem><para>- loaded from a cetral place</para></listitem>
+ <listitem><para>- loaded from a central place</para></listitem>
</varlistentry>
<varlistentry>
<para>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
-size. On average (in a well controlled environment) roaming profie size of
+size. On average (in a well controlled environment) roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it take an hour to log onto a workstation but they harvest
-the fuits of folly (and ignorance).
+the fruits of folly (and ignorance).
</para>
<para>
</procedure>
<para>
-afterw
ards simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
+afterw
ords simply contact to swat by using the URL <ulink url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
and the SSL connection is up.
</para>
<para>
Administrators who wish to validate their samba configuration may obtain useful information
-from the man pages for the diganostic utilities. These are available from the SWAT home page
+from the man pages for the diagnostic utilities. These are available from the SWAT home page
also. One diagnostic tool that is NOT mentioned on this page, but that is particularly
useful is <command>ethereal</command>, available from <ulink url="http://www.ethereal.com">
http://www.ethereal.com</ulink>.
<warning><para>
SWAT can be configured to run in <emphasis>demo</emphasis> mode. This is NOT recommended
as it runs SWAT without authentication and with full administrative ability. ie: Allows
-changes to smb.conf as well as general operation with root privilidges. The option that
+changes to smb.conf as well as general operation with root privileges. The option that
creates this ability is the <option>-a</option> flag to swat. <emphasis>Do not use this in any
production environment.</emphasis>
</para></warning>
<note><para>
SWAT has context sensitive help. To find out what each parameter is for simply click the
-<guibutton>Help</guibutton> link to the left of the configurartion parameter.
+<guibutton>Help</guibutton> link to the left of the configuration parameter.
</para></note>
</sect2>
<title>Share Settings</title>
<para>
-To affect a currenly configured share, simply click on the pull down button between the
+To affect a currently configured share, simply click on the pull down button between the
<guibutton>Choose Share</guibutton> and the <guibutton>Delete Share</guibutton> buttons,
select the share you wish to operate on, then to edit the settings click on the
<guibutton>Choose Share</guibutton> button, to delete the share simply press the
<title>Printers Settings</title>
<para>
-To affect a currenly configured printer, simply click on the pull down button between the
+To affect a currently configured printer, simply click on the pull down button between the
<guibutton>Choose Printer</guibutton> and the <guibutton>Delete Printer</guibutton> buttons,
select the printer you wish to operate on, then to edit the settings click on the
<guibutton>Choose Printer</guibutton> button, to delete the share simply press the
<title>The SWAT Wizard</title>
<para>
-The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator
+The purpose if the SWAT Wizard is to help the Microsoft knowledgeable network administrator
to configure Samba with a minimum of effort.
</para>
<para>
-The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format.
+The Wizard page provides a tool for rewriting the smb.conf file in fully optimised format.
This will also happen if you press the commit button. The two differ in the the rewrite button
ignores any changes that may have been made, while the Commit button causes all changes to be
affected.
<para>
The <guibutton>Edit</guibutton> button permits the editing (setting) of the minimal set of
-options that may be necessary to create a working samba server.
+options that may be necessary to create a working Samba server.
</para>
<para>
-Finally, there are a limited set of options that will determine what type of server samba
+Finally, there are a limited set of options that will determine what type of server Samba
will be configured for, whether it will be a WINS server, participate as a WINS client, or
-operate with no WINS support. By clicking on one button you can elect to epose (or not) user
+operate with no WINS support. By clicking on one button you can elect to expose (or not) user
home directories.
</para>
<title>The View Page</title>
<para>
-This page allows the administrator to view the optimised &smb.conf; file and if you are
-particularly massochistic will permit you also to see all possible global configuration
+This page allows the administrator to view the optimised &smb.conf; file and, if you are
+particularly masochistic, will permit you also to see all possible global configuration
parameters and their settings.
</para>
<para>
Before you continue reading in this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in the
-<ulink url="Samba-PDC-HOWTO.html">Domain Control Chapter</ulink>.
+<link linkend="samba-pdc">Domain Control</link> chapter.
</para>
<sect1>
<title>Features And Benefits</title>
<para>
-This is one of the most difficult chapters to summarise. It matters not what we say here
+This is one of the most difficult chapters to summarise. It does not matter what we say here
for someone will still draw conclusions and / or approach the Samba-Team with expectations
-that are either not yet capable of being delivered, or that can be achieved for more
+that are either not yet capable of being delivered, or that can be achieved far more
effectively using a totally different approach. Since this HOWTO is already so large and
extensive, we have taken the decision to provide sufficient (but not comprehensive)
information regarding Backup Domain Control. In the event that you should have a persistent
servers and workstations periodically change the machine trust account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
-as a BDC, the PDC instance of the Domain member trust account password will not reach the
+as a BDC, the BDC instance of the Domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
overwriting of the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
</listitem>
<listitem><para>
- Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to
+ Passdb Backend is tdbsam based, BDCs use cron based "net rpc vampire" to
suck down the Accounts database from the PDC
</para>
</para>
<para>
-When MS Windows NT3.10 was first released it supported an new style of Domain Control
+When MS Windows NT3.10 was first released, it supported an new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
<title>MS Windows NT4 Style Domain Control</title>
<para>
-Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation,
+Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
the username and password that the user entered are valid. If the information entered
does not validate against the account information that has been stored in the Domain
-Control database (the SAM, or Security Accounts Manager database) then a set of error
+Control database (the SAM, or Security Account Manager database) then a set of error
codes is returned to the workstation that has made the authentication request.
</para>
<itemizedlist>
<listitem><para>
- On the local network that the Primary Domain Controller is on if there are many
+ On the local network that the Primary Domain Controller is on, if there are many
workstations and/or where the PDC is generally very busy. In this case the BDCs
will pick up network logon requests and help to add robustness to network services.
</para></listitem>
copy of the SAM. In the event that this update may be performed in a branch office the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
-request the delta from the BDC and apply it to the master SAM. THe PDC will then contact
+request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</para>
<para>
Several other things like a <parameter>[homes]</parameter> and a <parameter>[netlogon]</parameter> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
-chapter, for more information please refer to the chapter on Domain Control.
+chapter, for more information please refer to the chapter on <link linkend="samba-pdc">Domain Control</link>.
</para>
</sect3>
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
-act as a Backup Domain Contoller to an Active Directory Domain Controller.
+act as a Backup Domain Controller to an Active Directory Domain Controller.
</para>
</sect2>
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
-password) to the local Domain Controller, for valdation.
+password) to the local Domain Controller, for validation.
</para>
</sect2>
<para>
To retrieve the domain SID from the PDC or an existing BDC and store it in the
- secrets.tdb, execute 'net rpc getsid' on the BDC.
- </para></listitem>
+ secrets.tdb, execute:
+ </para>
+ <screen>
+ &rootprompt;<userinput>net rpc getsid</userinput>
+ </screen>
+ </listitem>
<listitem><para>
The Unix user database has to be synchronized from the PDC to the
whenever changes are made, or the PDC is set up as a NIS master
server and the BDC as a NIS slave server. To set up the BDC as a
mere NIS client would not be enough, as the BDC would not be able to
- access its user database in case of a PDC failure.
+ access its user database in case of a PDC failure. NIS is by no means
+ the only method to synchronize passwords. An LDAP solution would work
+ as well.
</para>
</listitem>
<listitem><para>
- The Samba password database in the file private/smbpasswd has to be
- replicated from the PDC to the BDC. This is a bit tricky, see the
- next section.
+ The Samba password database has to be replicated from the PDC to the BDC.
+ As said above, though possible to synchronise the <filename>smbpasswd</filename>
+ file with rsync and ssh, this method is broken and flawed, and is
+ therefore not recommended. A better solution is to set up slave LDAP
+ servers for each BDC and a master LDAP server for the PDC.
</para></listitem>
<listitem><para>
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that it's passwords does not match the one now in the database and
since the startup security check will now fail, this machine will not allow logon attempts
-to procede and the account expiry error will be reported.
+to proceed and the account expiry error will be reported.
+</para>
+
+<para>
+The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
+an slave LDAP server for each BDC, and a master LDAP server for the PDC.
</para>
</sect2>
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
-Ssh itself can be set up to accept *only* rsync transfer without requiring the user
+Ssh itself can be set up to accept <emphasis>only</emphasis> rsync transfer without requiring the user
to type a password.
</para>
+<para>
+As said a few times before, use of this method is broken and flawed. Machine trust
+accounts will go out of sync, resulting in a very broken domain. This method is
+<emphasis>not</emphasis> recommended. Try using LDAP instead.
+</para>
+
</sect2>
<sect2>
</para>
<para>
-From the Samba mailing list one can readilly identify many common networking issues.
+From the Samba mailing list one can readily identify many common networking issues.
If you are not clear on the following subjects, then it will do much good to read the
sections of this HOWTO that deal with it. These are the most common causes of MS Windows
networking problems:
<itemizedlist>
<listitem><para>
- <emphasis>smbpasswd</emphasis> - the plain ascii file stored used by
+ <emphasis>smbpasswd</emphasis> - the plain ASCII file stored used by
earlier versions of Samba. This file configuration option requires
a Unix/Linux system account for EVERY entry (ie: both for user and for
machine accounts). This file will be located in the <emphasis>private</emphasis>
<emphasis>tdbsam</emphasis> - a binary database backend that will be
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passdb.tdb</emphasis>. The key benefit of this binary format
- file is that it can store binary objects that can not be accomodated
+ file is that it can store binary objects that can not be accommodated
in the traditional plain text smbpasswd file. These permit the extended
account controls that MS Windows NT4 and later also have.
</para></listitem>
<para>
With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
-hierachy of domain controllers, each with their own area of delegated control. The master domain
+hierarchy of domain controllers, each with their own area of delegated control. The master domain
controller has the ability to override any down-stream controller, but a down-line controller has
control only over it's down-line. With Samba-3 this functionality can be implemented using an
LDAP based user and machine account back end.
logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
-operation; the PDB and BDC must be manually configured and changes need to be made likewise.
+operation; the PDC and BDC must be manually configured and changes need to be made likewise.
</para>
<para>
With MS Windows NT4, it is an install time decision what type of machine the server will be.
-It is possible to change the promote a BDC to a PDC and vica versa only, but the only way
+It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
to convert a domain controller to a domain member server or a stand-alone server is to
reinstall it. The install time choices offered are:
</para>
<member>Configuration of basic TCP/IP and MS Windows Networking</member>
<member>Correct designation of the Server Role (<parameter>security = user</parameter>)</member>
<member>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
- members, they do not really particpate in the security aspects of Domain logons as such)</member>
+ members, they do not really participate in the security aspects of Domain logons as such)</member>
<member>Roaming Profile Configuration</member>
<member>Configuration of System Policy handling</member>
<member>Installation of the Network driver "Client for MS Windows Networks" and configuration
the Active Directory Domain Controllers is have been partially implemented on an experimental
only basis. Please do NOT expect Samba-3 to support these protocols - nor should you depend
on any such functionality either now or in the future. The Samba-Team may well remove such
-experiemental features or may change their behaviour.
+experimental features or may change their behaviour.
</para>
</sect1>
<title>Example Configuration</title>
<programlisting>
- [globals]
+ [global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
<para>
Alternatively if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
-correct for the machine trust account in smbpasswd file on the Samba PDC.
+correct for the machine trust account in <filename>smbpasswd</filename> file on the Samba PDC.
If you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine NetBIOS name
with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
This chapter provides information regarding the types of server that Samba may be
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what, within a Samba context, terms familiar to MS Windows
-adminstrator mean. This means that it is essential also to define how critical security
+administrator mean. This means that it is essential also to define how critical security
modes function BEFORE we get into the details of how to configure the server itself.
</para>
<para>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
-hurt his toe and lodged in his sandle. He took the stone out and cursed it with a passion
+hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion
and fury fitting his anguish. The other looked at the stone and said, that is a garnet - I
can turn that into a precious gem and some day it will make a princess very happy!
</para>
<sect1>
<title>Server Types</title>
-<para>Adminstrators of Microsoft networks often refer to three
+<para>Administrators of Microsoft networks often refer to three
different type of servers:</para>
<itemizedlist>
</para></listitem>
<listitem><para>The password is converted to upper case,
- and then padded or trucated to 14 bytes. This string is
+ and then padded or truncated to 14 bytes. This string is
then appended with 5 bytes of NULL characters and split to
form two 56 bit DES keys to encrypt a "magic" 8 byte value.
The resulting 16 bytes form the LanMan hash.
</para>
<para><programlisting>
- <ulink url="smb.conf.5.html#PASSWORDLEVEL">passsword level</ulink> = <replaceable>integer</replaceable>
+ <ulink url="smb.conf.5.html#PASSWORDLEVEL">password level</ulink> = <replaceable>integer</replaceable>
<ulink url="smb.conf.5.html#USERNAMELEVEL">username level</ulink> = <replaceable>integer</replaceable>
</programlisting></para>
<para>
Here we look at common mistakes and misapprehensions that have been the subject of discussions
on the Samba mailing lists. Many of these are avoidable by doing you homework before attempting
-a Samba implementation. Some are the result of misundertanding of the English language. The
+a Samba implementation. Some are the result of misunderstanding of the English language. The
English language has many turns of phrase that are potentially vague and may be highly confusing
to those for whom English is not their native tongue.
</para>
If you want to test against something like a NT or WfWg server then
you will have to disable all but TCP on either the client or
server. Otherwise you may well be using a totally different protocol
-(such as Netbeui) and comparisons may not be valid.
+(such as NetBEUI) and comparisons may not be valid.
</para>
<para>
Hi everyone. I am running Gentoo on my server and samba 2.2.8a. Recently
I changed kernel version from linux-2.4.19-gentoo-r10 to
linux-2.4.20-wolk4.0s. And now I have performance issue with samba. Ok
-many of you will probably say that move to vanilla sources...well I ried
+many of you will probably say that move to vanilla sources...well I tried
it too and it didn't work. I have 100mb LAN and two computers (linux +
Windows2000). Linux server shares directory with DivX files, client
(windows2000) plays them via LAN. Before when I was running 2.4.19 kernel
everything was fine, but now movies freezes and stops...I tried moving
-files between server and Windows and it's trerribly slow.
+files between server and Windows and it's terribly slow.
</para>
<para>
<title>Corrupt tdb Files</title>
<para>
-Well today it happend, our first major problem using samba.
+Well today it happened, Our first major problem using samba.
Our samba PDC server has been hosting 3 TB of data to our 500+ users
[Windows NT/XP] for the last 3 years using samba, no problem.
But today all shares went SLOW; very slow. Also the main smbd kept
spawning new processes so we had 1600+ running smbd's (normally we avg. 250).
-It crashed the SUN E3500 cluster twice. After alot of searching I
-decided to <command>rm /var/locks/*.tbl</command>. Happy again.
+It crashed the SUN E3500 cluster twice. After a lot of searching I
+decided to <command>rm /var/locks/*.tdb</command>. Happy again.
</para>
<para>
-Q1) Is there any method of keeping the *.tbl files in top condition or
+Q1) Is there any method of keeping the *.tdb files in top condition or
how to early detect corruption?
</para>
<para>
-A1) Yes, run <command>tdbbackup</command> each time after stoping nmbd and before starting nmbd.
+A1) Yes, run <command>tdbbackup</command> each time after stopping nmbd and before starting nmbd.
</para>
<para>
Q2) What I also would like to mention is that the service latency seems
-alot lower then before the locks cleanup, any ideas on keeping it top notch?
+a lot lower then before the locks cleanup, any ideas on keeping it top notch?
</para>
<para>
-A2) Yes! Samba answer as for Q1!
+A2) Yes! Same answer as for Q1!
</para>
</sect1>
<title>Stand-Alone Servers</title>
<para>
-Stand-Alone servers are independant of Domain Controllers on the network.
+Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
-with the intent that all data served will be readilly accessible to all users.
+with the intent that all data served will be readily accessible to all users.
</para>
<sect1>
<para>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
-use this server do NOT perform a domain log onto it. Whatever logon facility
-the workstations are subject to is independant of this machine. It is however
-necessary to accomodate any network user so that the logon name they use will
+use this server do NOT perform a domain logon to it. Whatever logon facility
+the workstations are subject to is independent of this machine. It is however
+necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
-user name. There are several ways this cane be done.
+user name. There are several ways this can be done.
</para>
<para>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
-local or on a remote server, even if from the samba protocol perspective
-the samba server is NOT a member of a domain security context.
+local or on a remote server, even if from the Samba protocol perspective
+the Samba server is NOT a member of a domain security context.
</para>
<para>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
-This means that the samba server may use the local Unix/Linux system password database
+This means that the Samba server may use the local Unix/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, or may use
an LDAP back end, or even via PAM and Winbind another CIFS/SMB server
In the above example the machine name is set to REFDOCS, the workgroup is set to the name
of the local workgroup so that the machine will appear in with systems users are familiar
with. The only password backend required is the "guest" backend so as to allow default
-unprivilidged account names to be used. Given that there is a WINS server on this network
+unprivileged account names to be used. Given that there is a WINS server on this network
we do use it.
</para>
<listitem><para>
The print spooling and processing system on our print server will be CUPS.
- (Please refer to the chapter on printing for more information).
+ (Please refer to the <link linkend="CUPS-printing">CUPS Printing</link> chapter for more information).
</para></listitem>
<listitem><para>
- All printers will that the print server will service will be network
+ All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</para></listitem>
<para>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
-samba to the CUPS print processor. Since all incoming connections will be as
-the anonymous (guest) user two things will be required:
+Samba to the CUPS print processor. Since all incoming connections will be as
+the anonymous (guest) user, two things will be required:
</para>
<itemizedlist>
-<title>Enablement for Anonymous Printing</title>
+<title>Enabling Anonymous Printing</title>
<listitem><para>
The Unix/Linux system must have a <command>guest</command> account.
The default for this is usually the account <command>nobody</command>.
<para>
Make sure you put the <filename>smb.conf</filename> file in the same place
- you specified in the<filename>Makefile</filename> (the default is to
+ you specified in the <filename>Makefile</filename> (the default is to
look for it in <filename>/usr/local/samba/lib/</filename>).
</para>
<para>
samba-vscan is a proof-of-concept module for Samba, which
uses the VFS (virtual file system) features of Samba 2.2.x/3.0
- alphaX. Of couse, Samba has to be compiled with VFS support.
+ alphaX. Of course, Samba has to be compiled with VFS support.
samba-vscan supports various virus scanners and is maintained
by Rainer Link.
</para>
The redirector sees that the file was opened with deny
none (allowing concurrent access), verifies that no
other process is accessing the file, checks that
- oplocks are enabled, then grants deny-all/read-write/ex-
- clusive access to the file. The client now performs
+ oplocks are enabled, then grants deny-all/read-write/exclusive
+ access to the file. The client now performs
operations on the cached local file.
</para>
</para>
<para>
-If files are shared between Windows clients, and either loca Unix
+If files are shared between Windows clients, and either local Unix
or NFS users, then turn opportunistic locking off.
</para>
</para>
<para>
-Level2 Oplocks provids opportunistic locking for a file that will be treated as
+Level2 Oplocks provides opportunistic locking for a file that will be treated as
<emphasis>read only</emphasis>. Typically this is used on files that are read-only or
on files that the client has no initial intention to write to at time of opening the file.
</para>
accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should
always be disabled if you are sharing a database file (e.g., Microsoft Access) between
multiple clients, as any break the first client receives will affect synchronisation of
-the entire file (not just the single record), which will result in a noticable performance
+the entire file (not just the single record), which will result in a noticeable performance
impairment and, more likely, problems accessing the database in the first place. Notably,
Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt,
disable oplocks and tune your system from that point.
<title>Example Configuration</title>
<para>
-In the following we examine two destinct aspects of samba locking controls.
+In the following we examine two distinct aspects of Samba locking controls.
</para>
<sect3>
<para>
In some sites locking problems surface as soon as a server is installed, in other sites
-locking problems may not surface for a long time. Almost without exeception, when a locking
-problem does surface it will cause embarassment and potential data corruption.
+locking problems may not surface for a long time. Almost without exception, when a locking
+problem does surface it will cause embarrassment and potential data corruption.
</para>
<para>
</para>
<para>
- Corrupted tdb. Stop all instancesd of smbd, delete locking.tdb, restart smbd.
+ Corrupted tdb. Stop all instances of smbd, delete locking.tdb, restart smbd.
</para>
</sect2>
<title>Account Information Databases</title>
<para>
-Samba-3 implements a new capability to work concurrently with mulitple account backends.
+Samba-3 implements a new capability to work concurrently with multiple account backends.
The possible new combinations of password backends allows Samba-3 a degree of flexibility
and scalability that previously could be achieved only with MS Windows Active Directory.
This chapter describes the new functionality and how to get the most out of it.
</para>
<para>
-In the course of development of Samba-3 a number of requests were received to provide the
+In the course of development of Samba-3, a number of requests were received to provide the
ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
matching Unix/Linux accounts. We called this the <emphasis>Non Unix Accounts (NUA)</emphasis>
capability. The intent was that an administrator could decide to use the <emphasis>tdbsam</emphasis>
backend and by simply specifying <emphasis>"passdb backend = tdbsam_nua, guest"</emphasis>
this would allow Samba-3 to implement a solution that did not use Unix accounts per se. Late
-in the development cycle the team doing this work hit upon some obstacles that prevents this
+in the development cycle, the team doing this work hit upon some obstacles that prevents this
solution from being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group SIDs from NT User
SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series.
</listitem>
</varlistentry>
- <varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibilty):</term>
+ <varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibility):</term>
<listitem>
<para>
There is a password backend option that allows continued operation with
<varlistentry><term>ldapsam:</term>
<listitem>
<para>
- This provides a rich directory backend for distributed account installation
+ This provides a rich directory backend for distributed account installation.
</para>
<para>
Samba-3 has a new and extended LDAP implementation that requires configuration
of OpenLDAP with a new format samba schema. The new format schema file is
- included in the <filename>~samba/examples/LDAP</filename> directory.
+ included in the <filename class="directory">examples/LDAP</filename> directory of the Samba distribution.
</para>
<para>
</para>
<para>
- These passwords can't be converted to unix style encrypted passwords. Because of that
+ These passwords can't be converted to unix style encrypted passwords. Because of that,
you can't use the standard unix user database, and you have to store the Lanman and NT
hashes somewhere else.
</para>
</para>
<para>
- Firstly, all Samba SAM (Security Account Management database) accounts require
+ Firstly, all Samba SAM (Security Account Manager database) accounts require
a Unix/Linux UID that the account will map to. As users are added to the account
- information database
samba-3 will call the <parameter>add user script</parameter>
- interface to add the account to the Samba host OS. In essence all accounts in
+ information database
, Samba-3 will call the <parameter>add user script</parameter>
+ interface to add the account to the Samba host OS. In essence, all accounts in
the local SAM require a local user account.
</para>
<para>
Samba-3 provides two (2) tools for management of User and machine accounts. These tools are
-called <filename>smbpasswd</filename> and <command>pdbedit</command>. A third tool is under
+called <command>smbpasswd</command> and <command>pdbedit</command>. A third tool is under
development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
-be announced in time for samba-3.0.1 release timing.
+be announced in time for the Samba-3.0.1 release.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>
<para>
<command>smbpasswd</command> works in a client-server mode where it contacts the
- local smbd to change the user's password on its behalf.This has enormous benefits
+ local smbd to change the user's password on its behalf. This has enormous benefits
as follows:
</para>
<title>Plain Text</title>
<para>
- Older versions of samba retrieved user information from the unix user database
+ Older versions of Samba retrieved user information from the unix user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
- SMB specific data is stored at all. Instead all operations are conduected via the way
- that the samba host OS will access it's <filename>/etc/passwd</filename> database.
+ SMB specific data is stored at all. Instead all operations are conducted via the way
+ that the Samba host OS will access its <filename>/etc/passwd</filename> database.
eg: On Linux systems that is done via PAM.
</para>
<title>smbpasswd - Encrypted Password Database</title>
<para>
- Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
- passwords = yes"</ulink> in Samba's <filename>smb.conf</filename> file, user account
+ Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt
+ passwords = yes</ulink> in Samba's <filename>smb.conf</filename> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <filename>smbpasswd(5)</filename> file. There are several
disadvantages to this approach for sites with very large numbers of users (counted
</para>
<para>
- As a general guide the Samba-Team do NOT recommend using the tdbsam backend for sites
+ As a general guide the Samba-Team does NOT recommend using the tdbsam backend for sites
that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
- in sites that require PDB/BDC implmentations that requires replication of the account
- database. Clearly, for reason of scalability the use of ldapsam should be encouraged.
+ in sites that require PDB/BDC implementations that requires replication of the account
+ database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
</para>
</sect2>
more about configuration and administration of an OpenLDAP server.
</para>
+ <note>
+ <para>
+ This section is outdated for Samba-3 schema. Samba-3 introduces a new schema
+ that has not been documented at the time of this publication.
+ </para>
+ </note>
+
<para>
This document describes how to use an LDAP directory for storing Samba user
account information traditionally stored in the smbpasswd(5) file. It is
<para>
<programlisting>
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaSamAccount' SUP top AUXILIARY
- DESC 'Samba Auxilary Account'
+ DESC 'Samba Auxiliary Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
</para>
<para>
- It is recommended that you maintain some indices on some of the most usefull attributes,
+ It is recommended that you maintain some indices on some of the most useful attributes,
like in the following example, to speed up searches made on sambaSamAccount objectclasses
(and possibly posixAccount and posixGroup as well).
</para>
<note>
<para>
- Before Samba can access the LDAP server you need to stoe the LDAP admin password
+ Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt; <userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
ldap delete dn = no
# the machine and user suffix added to the base suffix
- # wrote WITHOUT quotes. NULL siffixes by default
+ # wrote WITHOUT quotes. NULL suffixes by default
ldap user suffix = ou=People
ldap machine suffix = ou=Systems
<title>Accounts and Groups management</title>
<para>
- As users accounts are managed thru the sambaSamAccount objectclass, you should
+ As users accounts are managed through the sambaSamAccount objectclass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
Machines accounts are managed with the sambaSamAccount objectclass, just
- like users accounts. However, it's up to you to store thoses accounts
+ like users accounts. However, it's up to you to store those accounts
in a different tree of your LDAP namespace: you should use
"ou=Groups,dc=plainjoe,dc=org" to store groups and
"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
</para>
<para>
- In Samba release 3.0, the group management system is based on posix
- groups. This means that Samba makes usage of the posixGroup objectclass.
+ In Samba release 3.0, the group management system is based on POSIX
+ groups. This means that Samba makes use of the posixGroup objectclass.
For now, there is no NT-like group system management (global and local
groups).
</para>
<tgroup cols="2" align="left">
<tbody>
<row><entry><constant>lmPassword</constant></entry><entry>the LANMAN password 16-byte hash stored as a character
- representation of a hexidecimal string.</entry></row>
+ representation of a hexadecimal string.</entry></row>
<row><entry><constant>ntPassword</constant></entry><entry>the NT password hash 16-byte stored as a character
- representation of a hexidecimal string.</entry></row>
+ representation of a hexadecimal string.</entry></row>
<row><entry><constant>pwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
</entry></row>
for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
contains the correct queries to create the required tables. Use the command :
- <screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> > <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
+ <screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
+<replaceable>databasename</replaceable> < <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
</para>
</sect3>
</para>
<para>
- Additional options can be given thr
u the &smb.conf; file in the <parameter>[global]</parameter> section.
+ Additional options can be given thr
ough the &smb.conf; file in the <parameter>[global]</parameter> section.
</para>
<para>
<warning>
<para>
- Since the password for the mysql user is stored in the
+ Since the password for the MySQL user is stored in the
&smb.conf; file, you should make the the &smb.conf; file
- readable only to the user that runs samba. This is considered a security
+ readable only to the user that runs Samba This is considered a security
bug and will be fixed soon.
</para>
</warning>
- <para>Names of the columns in this table(I've added column types those columns should have first):</para>
+ <para>Names of the columns in this table (I've added column types those columns should have first):</para>
<para>
<table frame="all">
</para>
<para>
- <prompt>$ </prompt><userinput>pdbedit -e xml:filename</userinput>
+ <prompt>$ </prompt> <userinput>pdbedit -e xml:filename</userinput>
</para>
<para>
<para>
To import data, use:
- <prompt>$ </prompt><userinput>pdbedit -i xml:filename</userinput>
+ <prompt>$ </prompt> <userinput>pdbedit -i xml:filename</userinput>
</para>
</sect2>
</sect1>
<title>Users can not logon - Users not in Samba SAM</title>
<para>
- People forget to put their users in their backend and then complain samba won't authorize them.
+ People forget to put their users in their backend and then complain Samba won't authorize them.
</para>
</sect2>
<title>Users are being added to the wrong backend database</title>
<para>
- A few complaints have been recieved from users that just moved to samba-3. The following
+ A few complaints have been received from users that just moved to Samba-3. The following
&smb.conf; file entries were causing problems, new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>
mechanism. Printer installations executed by "Logon Scripts" are no
problem. Administrators can upload and manage drivers to be used by
clients through the familiar "Add Printer Wizard". As an additional
-benefit, driver and printer management may be run from the commandline
+benefit, driver and printer management may be run from the command line
or through scripts, making it more efficient in case of large numbers
of printers. If a central accounting of print jobs (tracking every
single page and supplying the raw data for all sorts of statistical
<listitem><para>The Unix print subsystem processes the print
job</para></listitem>
-<listitem><para>The printfile may need to be explicitely deleted
+<listitem><para>The printfile may need to be explicitly deleted
from the Samba spooling area.</para></listitem>
</orderedlist>
</para>
<para><screen>
-printing =lprng #This defines LPRng as the printing system"
+printing = lprng #This defines LPRng as the printing system"
</screen></para>
<para>
it really doesn't need to be here! (This leads to the interesting
question: <quote>What, if I by accident have to contradictory settings
for the same share?</quote> The answer is: the last one encountered by
-Sambe wins. The "winner" is shown by testparm. Testparm doesn't
+Samba wins. The "winner" is shown by testparm. Testparm doesn't
complain about different settings of the same parameter for the same
share! You can test this by setting up multiple lines for the "guest
account" parameter with different usernames, and then run testparm to
<emphasis>not</emphasis> shared. Samba does not make this
distinction. By definition, the only printers of which Samba is aware
are those which are specified as shares in
-. The reason is that Windows NT/2k/XPprof
+. The reason is that Windows NT/200x/XP Professional
clients do not normally need to use the standard SMB printer share;
rather they can print directly to any printer on another Windows NT
host using MS-RPC. This of course assumes that the printing client has
<itemizedlist>
<listitem><para>running the <emphasis>APW</emphasis> on an
-NT/2k/XPprof client (this doesn't work from 95/98/ME
+NT/200x/XP Professional client (this doesn't work from 95/98/ME
clients);</para></listitem>
<listitem><para>using the <emphasis>Imprints</emphasis>
Please take additional note of the following fact: <emphasis>Samba
does not use these uploaded drivers in any way to process spooled
files</emphasis>. Drivers are utilized entirely by the clients, who
-download and install them via the "Point 'n'Print" mechanism supported
+download and install them via the "Point'n'Print" mechanism supported
by Samba. The clients use these drivers to generate print files in the
format the printer (or the Unix print system) requires. Print files
received by Samba are handed over to the Unix printing system, which
In order to support the up- and downloading of printer driver files,
you must first configure a file share named
<parameter>[print$]</parameter>. The "public" name of this share is
-hard coded in Samba's internals (because it is hardcoded in the MS
+hard coded in Samba's internals (because it is hard coded in the MS
Windows clients too). It cannot be renamed since Windows clients are
programmed to search for a service of exactly this name if they want
to retrieve printer driver files.
share in ? And Samba has re-read its
configuration? Good. But you are not yet ready to take off. The
<emphasis>driver files</emphasis> need to be present in this share,
-too! So far it is still an empty share. Unfortunatly, it is not enough
+too! So far it is still an empty share. Unfortunately, it is not enough
to just copy the driver files over. They need to be <emphasis>set
up</emphasis> too. And that is a bit tricky, to say the least. We
will now discuss two alternative ways to install the drivers into
</para>
<itemizedlist>
-<listitem><para>select a driver from the popup list of installed
+<listitem><para>select a driver from the pop-up list of installed
drivers. <emphasis>Initially this list will be empty.</emphasis>
Or</para></listitem>
<para>
Once the APW is started, the procedure is exactly the same as the one
-you are familiar with in Wiindows (we assume here that you are
+you are familiar with in Windows (we assume here that you are
familiar with the printer driver installations procedure on Windows
NT). Make sure your connection is in fact setup as a user with
<parameter>printer admin</parameter> privileges (if in doubt, use
(possibly by using <command>smbclient</command>);</para></listitem>
<listitem><para>running the <command>rpcclient</command>
-commandline utility once with the <command>addriver</command>
+commandline utility once with the <command>adddriver</command>
subcommand,</para></listitem>
<listitem><para>running <command>rpcclient</command> a second
<filename>\\WINDOWSHOST\print$\WIN40\0\</filename>.
</para>
-<note><para> more recent drivers on Windows 2000 and Wndows XP are
+<note><para> more recent drivers on Windows 2000 and Windows XP are
installed into the "3" subdirectory instead of the "2". The version 2
of drivers, as used in Windows NT, were running in Kernel Mode.
Windows 2000 changed this. While it still can use the Kernel Mode
<para>
After this step the driver should be recognized by Samba on the print
-server. You need to be very carefull when typing the command. Don't
+server. You need to be very careful when typing the command. Don't
exchange the order of the fields. Some changes would lead to a
<computeroutput>NT_STATUS_UNSUCCESSFUL</computeroutput> error
message. These become obvious. Other changes might install the driver
<itemizedlist>
<listitem><para>from any Windows client browse Network Neighbourhood,
-finde the Samba host and open the Samba <guiicon>Printers and
+find the Samba host and open the Samba <guiicon>Printers and
Faxes</guiicon> folder. Select any printer icon, right-click and
select the printer <guimenuitem>Properties</guimenuitem>. Click on the
<guilabel>Advanced</guilabel> tab. Here is a field indicating the
driver for that printer. A drop down menu allows you to change that
-driver (be carefull to not do this unwittingly.). You can use this
+driver (be careful to not do this unwittingly.). You can use this
list to view all drivers know to Samba. Your new one should be amongst
them. (Each type of client will only see his own architecture's
list. If you don't have every driver installed for each platform, the
</sect3>
<sect3>
-<title>A sidenote: you are not bound to specific driver names</title>
+<title>A side note: you are not bound to specific driver names</title>
<para>
You can name the driver as you like. If you repeat the
<parameter>[print$]</parameter> share by moving them into the
respective subdirectories. So you <emphasis>must</emphasis> precede an
<command>smbclient ... put</command> command before each
-<command>rpcclient ... addriver</command>" command.
+<command>rpcclient ... adddriver</command>" command.
</para>
</sect3>
<para><screen>
&rootprompt;<userinput>rpcclient -U'root%xxxx' -c 'setdriver dm9110 dm9110' <replaceable>SAMBA-CUPS</replaceable></userinput>
cmd = setdriver dm9110 dm9110
- Succesfully set dm9110 to driver dm9110.
+ Successfully set dm9110 to driver dm9110.
</screen></para>
<para>
</sect1>
<sect1>
-<title>"The Proof of the Pudding lies in the Eating" (Client Driver Insta
+<title>"The Proof of the Pudding lies in the Eating" (Client Driver Install
Procedure)</title>
<para>
onto your first client machine now. But wait... let's make you
acquainted first with a few tips and tricks you may find useful. For
example, suppose you didn't manage to "set the defaults" on the
-printer, as advised in the preceeding paragraphs? And your users
+printer, as advised in the preceding paragraphs? And your users
complain about various issues (such as <quote>We need to set the paper
size for each job from Letter to A4 and it won't store it!</quote>)
</para>
(<parameter>printer admin</parameter> in )
<emphasis>before</emphasis> a client downloads the driver (the clients
can later set their own <emphasis>per-user defaults</emphasis> by
-following the procedures<emphasis>A.</emphasis>
-or<emphasis>B.</emphasis> above...). (This is new: Windows 2000 and
+following the procedures <emphasis>A.</emphasis>
+or <emphasis>B.</emphasis> above...). (This is new: Windows 2000 and
Windows XP allow <emphasis>per-user</emphasis> default settings and
the ones the administrator gives them, before they set up their own).
The "parents" of the identically looking dialogs have a slight
commas in the "description" field). After the
<command>setdriver</command> command succeeded, all is well. (The
CUPS Printing chapter has more info about the installation of printer
-drivers with the help of <command>rpccclient</command>).
+drivers with the help of <command>rpcclient</command>).
</para>
</sect2>
<listitem><para>Line 3 sets the default printer to this new network
printer (there might be several other printers installed with this
-same method and some may be local as well -- so we deside for a
+same method and some may be local as well -- so we decide for a
default printer). The default printer selection may of course be
different for different users.</para></listitem>
</itemizedlist>
<para>
Note that the second line only works if the printer
-<emphasis>infotec2105-PS</emphasis> has an already working printqueue
-on "sambacupsserver", and if the printer drivers have sucessfully been
+<emphasis>infotec2105-PS</emphasis> has an already working print queue
+on "sambacupsserver", and if the printer drivers have successfully been
uploaded (via <command>APW</command> ,
<command>smbclient/rpcclient</command> or
<command>cupsaddsmb</command>) into the
supported.</para></listitem>
<listitem><para>If you want to take advantage of WinNT printer driver
-support you also need to migrate theWin9x/ME drivers to the new
+support you also need to migrate the Win9x/ME drivers to the new
setup.</para></listitem>
<listitem><para>An existing <filename>printers.def</filename> file
project would not have been possible without significant community contribution. A not
insignificant number of ideas for inclusion (if not content itself) has been obtained
from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered.
-Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and
+Please keep publishing your Unofficial HOWTOs - they are a source of inspiration and
application knowledge that is most to be desired by many Samba users and administrators.
</para>
<para>
If all of samba and host platform configuration were really as intuitive as one might like then this
section would not be necessary. Security issues are often vexing for a support person to resolve, not
-because of the complexity of the problem, but for reason that most admininstrators who post what turns
+because of the complexity of the problem, but for reason that most administrators who post what turns
out to be a security problem request are totally convinced that the problem is with Samba.
</para>
<para><quote>
User xyzzy can map his home directory. Once mapped user xyzzy can also map
- *anyone* elses home directory!
+ *anyone* else's home directory!
</quote></para>
<para>
<para>
Samba-2.x supported a single locale through a mechanism called
-<emphasis>codepages</emphasis>. Samba-3 is destined to become a truely trans-global
+<emphasis>codepages</emphasis>. Samba-3 is destined to become a truly trans-global
file and printer sharing platform.
</para>
</para>
<para>Old windows clients used to use single-byte charsets, named
-'codepages' by microsoft. However, there is no support for
+'codepages' by Microsoft. However, there is no support for
negotiating the charset to be used in the smb protocol. Thus, you
have to make sure you are using the same charset when talking to an old client.
Newer clients (Windows NT, 2K, XP) talk unicode over the wire.
<title>Requirements</title>
<para>
-If you have a samba configuration file that you are currently
+If you have a Samba configuration file that you are currently
using... <emphasis>BACK IT UP!</emphasis> If your system already uses PAM,
<emphasis>back up the <filename>/etc/pam.d</filename> directory
contents!</emphasis> If you haven't already made a boot disk,
</para>
<para>
-Messing with the pam configuration files can make it nearly impossible
-to log in to yourmachine. That's why you want to be able to boot back
+Messing with the PAM configuration files can make it nearly impossible
+to log in to your machine. That's why you want to be able to boot back
into your machine in single user mode and restore your
<filename>/etc/pam.d</filename> back to the original state they were in if
you get frustrated with the way things are going. ;-)
&rootprompt; <userinput>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</userinput>
</para>
-<para>And, in the case of Sun solaris:</para>
+<para>And, in the case of Sun Solaris:</para>
<screen>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1</userinput>
&rootprompt;<userinput>ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1</userinput>
<sect4>
<title>Solaris</title>
-<para>Winbind doesn't work on solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
+<para>Winbind doesn't work on Solaris 9, see the <link linkend="winbind-solaris9">Portability</link> chapter for details.</para>
-<para>On solaris, you need to modify the
+<para>On Solaris, you need to modify the
<filename>/etc/init.d/samba.server</filename> startup script. It usually
only starts smbd and nmbd but should now start winbindd too. If you
have samba installed in <filename>/usr/local/samba/bin</filename>,
<para>
The <filename>/etc/pam.d/samba</filename> file does not need to be changed. I
-just left this fileas it was:
+just left this file as it was:
</para>
git.samba.org / ira / wip.git / commitdiff